No reported ATA suspicious activity RRS feed

  • Question

  • Hello everyone,

    I installed the ATA light gateway on 4 DCs. I successfully setup the smtp server for notifications and added my email address to receive health and suspicious activity alerts. I can search for any users in the ata center and see their recent activities.  However, I don't see any reporting of suspicious activities in ATA center. I ran the nslookup ls -d domain command twice and it generated two ata suspicious alerts but when my coworkers ran the same command ata didn't report any suspicious activity for them.  Any idea? your help would be greatly appreciated.

    Tuesday, April 7, 2020 9:22 PM

All replies

  • Are those 4 DCs a 100% coverage for your network?

    If your co workers are hitting another DC that is not monitored yet, ATA will be blind to it.

    Tuesday, April 7, 2020 10:32 PM
  • Yes, those 4 DCs cover our entire network and my co workers are hitting the same DCs. I ran the nslookup ls  -d domain a few more times again but they didn't generate anymore ATA alerts.
    Tuesday, April 7, 2020 11:06 PM
  • Running those attakcs from the same computer again will update the existing SA , not create new ones.

    Are the co workers attacking from the same machines as you did ?

    Also, by any chance are those source machines running a DNS service ?

    Thursday, April 9, 2020 8:57 PM
  • My coworkers are attacking from their own desktop PCs and none of those machines are DNS servers. The ATA server is also not a DNS server. I hope it answers your questions since I'm not sure what you mean by source machines.
    Friday, April 10, 2020 8:47 PM
  • Any health alerts in the console ?
    Friday, April 10, 2020 11:25 PM