Troubleshooting ATA using the ATA database
Applies to: Advanced Threat Analytics version 1.9
ATA uses MongoDB as its database. You can interact with the database using the default command line or using a user interface tool to perform advanced tasks and troubleshooting.
Interacting with the database
The default and most basic way to query the database is the Mongo shell:

1. Open a command-line window and change directory to the MongoDB bin folder. The default path is `C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin`.
2. Run `mongo.exe ATA`. Make sure to type ATA in all capital letters.
How to... | Syntax | Notes |
---|---|---|
Check for collections in the database. | `show collections` | Useful as an end-to-end test to confirm that traffic is being written to the database and that event 4776 is being received by ATA. |
Get the details of a user/computer/group (UniqueEntity), such as the user ID. | `db.UniqueEntity.find({CompleteSearchNames: "<name of entity in lower case>"})` | |
Find Kerberos authentication traffic originating from a specific computer on a specific day. | `db.KerberosAs_<datetime>.find({SourceComputerId: "<ID of the source computer>"})` | To get the `<ID of the source computer>`, query the UniqueEntity collection as shown in the previous row. Each network activity type, for example Kerberos authentications, has its own collection per UTC date. |
Make advanced configuration changes. In this example, change the send queue size for all ATA Gateways to 10,000. | `db.SystemProfile.update({_t: "GatewaySystemProfile"}, {$set: {"Configuration.EntitySenderConfiguration.EntityBatchBlockMaxSize": "10000"}})` | |
The following example uses the syntax shown earlier. Suppose you are investigating a suspicious activity that occurred on 20/10/2015 and want to learn more about the NTLM activities that "John Doe" performed on that day:

1. First, find the ID of "John Doe": `db.UniqueEntity.find({Name: "John Doe"})`
2. Note the ID, which is the value of `_id`. For this example, assume the ID is `123bdd24-b269-h6e1-9c72-7737as875351`.
3. Then, find the NTLM collection with the closest date that is before the date you are looking for, in this example 20/10/2015 (`show collections` lists the per-date collections).
4. Then, search that collection for John Doe's NTLM activities: `db.Ntlms_<closest date>.find({SourceAccountId: "123bdd24-b269-h6e1-9c72-7737as875351"})`
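The walkthrough above, automated as a small helper you can paste into the Mongo shell (JavaScript). This is an added example, not code from the ATA product or its documentation. It assumes the per-date collections are named `<Type>_<YYYYMMDD>` in UTC (for example `Ntlms_20151020`); the page does not state the exact suffix format, so adjust the regular expression in `parseCollectionDate` if your ATA Center uses a different one. The function names `parseCollectionDate`, `closestCollectionBefore` and `findActivities` are my own.

```javascript
// Added helper for the mongo shell; not part of ATA or its docs.
// Automates step 3 of the walkthrough: choose the per-date collection whose
// date is the latest on or before the day under investigation, then query it.
// ASSUMPTION: per-date collections are named <Type>_<YYYYMMDD> (UTC), e.g.
// "Ntlms_20151020". Change the regex below if your ATA Center differs.
// Written with var/function syntax so it also loads in the legacy mongo shell.

// Parse the date suffix of a collection name into ms since the UTC epoch,
// or return null when the name is not a <prefix>_<YYYYMMDD> collection.
function parseCollectionDate(name, prefix) {
  var m = new RegExp("^" + prefix + "_(\\d{4})(\\d{2})(\\d{2})$").exec(name);
  if (!m) { return null; }
  return Date.UTC(Number(m[1]), Number(m[2]) - 1, Number(m[3]));
}

// From a list of collection names, return the <prefix>_ collection with the
// latest date on or before targetUtc (ms since epoch), or null if none exists.
function closestCollectionBefore(names, prefix, targetUtc) {
  var best = null, bestDate = -Infinity;
  for (var i = 0; i < names.length; i++) {
    var d = parseCollectionDate(names[i], prefix);
    if (d !== null && d <= targetUtc && d > bestDate) {
      best = names[i];
      bestDate = d;
    }
  }
  return best;
}

// The walkthrough end to end: entity lookup, collection choice, activity query.
// `db` is the shell's database handle after `mongo.exe ATA`. The entity is
// matched via CompleteSearchNames, which stores names in lower case.
function findActivities(db, activityType, entityName, targetUtc) {
  var entity = db.UniqueEntity.findOne({ CompleteSearchNames: entityName.toLowerCase() });
  if (!entity) { return { collection: null, activities: [] }; }
  var coll = closestCollectionBefore(db.getCollectionNames(), activityType, targetUtc);
  if (!coll) { return { collection: null, activities: [] }; }
  var rows = db.getCollection(coll).find({ SourceAccountId: entity._id }).toArray();
  return { collection: coll, activities: rows };
}

// Shell usage for the walkthrough (20 Oct 2015 UTC; months are zero-based):
// findActivities(db, "Ntlms", "John Doe", Date.UTC(2015, 9, 20));
```

The returned `collection` tells you which per-date collection was actually queried, so you can see at a glance whether the closest collection is from the day itself or an earlier one.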