ATA event ID reference
Applies to: Advanced Threat Analytics version 1.9
The ATA Center event viewer logs events for ATA. This article provides a list of event IDs and provides a description of each.
The events can be found here:
ATA health events
Event ID | Alert name |
---|---|
1001 | Center running out of disk space |
1003 | Center overloaded |
1004 | Center certificate about to expire / Center certificate expired |
1005 | MongoDB is down |
1006 | Read-only user password to expire shortly / Read-only user password expired |
1007 | Domain synchronizer not assigned |
1008 | Some or All of the capture network adapters on a Gateway are not available |
1009 | A capture network adapter on a Gateway no longer exists |
1010 | Some domain controllers are unreachable by a Gateway / All domain controllers are unreachable by a Gateway |
1011 | Gateway stopped communicating |
1012 | Some forwarded events are not being analyzed |
1013 | Some network traffic is not being analyzed |
1014 | Failure sending mail |
1015 | Failure connecting to the SIEM server using Syslog |
1016 | Gateway version outdated |
1017 | No traffic received from domain controller |
1018 | Gateway service failed to start |
1019 | Lightweight Gateway reached a memory resource limit |
1020 | Gateway is not processing Radius events |
1021 | Gateway is not processing Syslog events |
1022 | Geolocation service is unavailable |
ATA security alert events
Event ID | Alert name |
---|---|
2001 | Suspicion of identity theft based on abnormal behavior |
2002 | Unusual protocol implementation |
2003 | Reconnaissance using account enumeration |
2004 | Brute force attack using LDAP simple bind |
2006 | Malicious replication of Directory Services |
2007 | Reconnaissance using DNS |
2008 | Encryption downgrade activity |
2009 | Encryption downgrade activity (potential golden ticket) |
2010 | Encryption downgrade activity (potential overpass-the-hash) |
2011 | Encryption downgrade activity (potential skeleton key) |
2012 | Reconnaissance using SMB session enumeration |
2013 | Privilege escalation using forged authorization data |
2014 | Honeytoken activity |
2016 | Massive object deletion |
2017 | Identity theft using Pass-the-Hash attack |
2018 | Identity theft using Pass-the-Ticket attack |
2019 | Remote execution attempt detected |
2020 | Malicious data protection private information request |
2021 | Reconnaissance using Directory Services queries |
2022 | Kerberos Golden Ticket activity |
2023 | Suspicious authentication failures |
2024 | Abnormal modification of sensitive groups |
2026 | Suspicious service creation |
ATA auditing events
Event ID | Alert name |
---|---|
3001 | Change to ATA configuration |
3002 | ATA Gateway added |
3003 | ATA Gateway deleted |
3004 | ATA license activated |
3005 | Log in to ATA console |
3006 | Manual change to health activity status |
3007 | Manual change to suspicious activity status |
See Also
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for