Applies to: Advanced Threat Analytics version 1.7

Working with ATA Detection Settings

The Detection configuration page lets you set a list of IP addresses and subnets that have unusual circumstances and should be handled slightly differently than other entities on your network.

Setting up detection

In the Detection section you can define the following items:

  • Honeytoken account SIDs – This is a user account that should have no network activities. This account will be configured as the ATA Honeytoken user. If someone attempts to use this user account ATA will create a suspicious activity and is an indication of malicious activity. To configure the Honeytoken user you will need the SID of the user account, not the user name.

You can find the SID of the user on the Account Info tab of the user's profile in the ATA console.

ATA detection settings honeytoken

Detection Exclusions - You can exclude IP addresses from the following detections. If you enter an IP address in one of these lists, ATA will exclude that IP address from this specific type of detected activity.

  • DNS Reconnaissance IP address exclusions

  • Pass-the-Ticket IP address exclusions

ATA detection settings exclusions

See Also