Troubleshooting ATA using the ATA database

Applies to: Advanced Threat Analytics version 1.9

ATA uses MongoDB as its database. You can interact with the database using the default command line or using a user interface tool to perform advanced tasks and troubleshooting.

Interacting with the database

The default and most basic way to query the database is using the Mongo shell:

  1. Open a command-line window and change the path to the MongoDB bin folder. The default path is: C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin.

  2. Run: mongo.exe ATA. Make sure to type ATA with all capital letters.

How to... Syntax Notes
Check for collections in the database. show collections Useful as an end-to-end test to see that traffic is being written to the database and that event 4776 is being received by ATA.
Get the details of a user/computer/group (UniqueEntity), such as user ID. db.UniqueEntity.find({CompleteSearchNames: "<name of entity in lower case>"})
Find Kerberos authentication traffic originating from a specific computer on a specific day. db.KerberosAs_<datetime>.find({SourceComputerId: "<Id of the source computer>"}) To get the <ID of the source computer> you can query the UniqueEntity collections, as shown in the example.

Each network activity type, for example Kerberos authentications, has its own collection per UTC date.
Make advanced configuration changes. In this example, change the send queue size for all ATA Gateways to 10,000. db.SystemProfile.update( {_t: "GatewaySystemProfile"} ,
{$set:{"Configuration.EntitySenderConfiguration.EntityBatchBlockMaxSize" : "10000"}})

The following example provides sample code using the syntax provided earlier. If you are investigating a suspicious activity that occurred on 20/10/2015 and want to learn more about the NTLM activities that "John Doe" performed on that day:

First, find the ID of "John Doe"

db.UniqueEntity.find({Name: "John Doe"})
Take a note of the ID as indicated by the value of _id For example, assume the ID is 123bdd24-b269-h6e1-9c72-7737as875351
Then, search for the collection with the closest date that is before the date you are looking for, in the example 20/10/2015.
Then, search for John Doe's account NTLM activities:

db.Ntlms_<closest date>.find({SourceAccountId: "123bdd24-b269-h6e1-9c72-7737as875351"})

See Also