During a recent proof-of-concept implementation of Microsoft Advanced Threat Analytics (ATA), the customer reported that a large number of workstations suddenly displayed a notification from Symantec Endpoint Protection.

The notification indicated unusual traffic, with packets originating from the ATA Gateway we had just deployed. An example screenshot is shown below:

[Screenshot: example of the Symantec Endpoint Protection notification on a workstation]

Since the main purpose of the ATA Gateway is to capture and inspect the network traffic of the domain controller, the customer was unsure whether this was legitimate traffic. Why would an ATA Gateway send packets to a large number of workstations on the network?

Luckily we could confirm that this is legitimate activity, and the Symantec Endpoint Protection rules could safely be adapted to stop these popups from appearing again.

Some more background

Besides capturing the domain controller network traffic, one of the other functions of the ATA Gateway is network name resolution: it resolves the IP addresses it sees in the captured traffic to computer names by contacting those computers directly, which is why it reaches out to workstations all over the network. When we inspect the ATA Gateway log files we clearly see the resolution steps taking place. It is the RPC NTLM resolution (NTLM over RPC, TCP port 135 by default, sent to every device the gateway needs to resolve) that actually triggered the alerts on the endpoints.
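Before loosening endpoint rules it is worth checking that every alert really is explained by the gateway's name resolution and nothing else. The script below is an added example written for this post, not code from the original article, from Microsoft or from Symantec. It assumes a hypothetical gateway address (10.0.0.25), a constructed alert export format that is not Symantec's real log format, and the probe list from the ATA prerequisites (NTLM over RPC on TCP 135, NetBIOS on UDP 137, and RDP on TCP 3389 in later releases); adjust all three to your environment.

```python
"""Triage endpoint alerts against ATA Gateway network name resolution (NNR) probes.

Added example, not part of the original post. Addresses, the line format and the
sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, Optional

# Assumption: address(es) of the ATA Gateway(s) in the environment (hypothetical).
ATA_GATEWAYS = {ip_address("10.0.0.25")}

# Assumption: the probes ATA NNR sends to every device it needs to resolve,
# as listed in the ATA prerequisites. Adjust to the ATA version you run.
NNR_PROBES = {("TCP", 135), ("UDP", 137), ("TCP", 3389)}

# Constructed export format for this example (not a real vendor log format):
# <date> <time> <host> BLOCK|ALLOW IN <proto> <src>:<sport> -> <dst>:<dport> "<message>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<action>BLOCK|ALLOW) IN '
    r'(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) "(?P<msg>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    host: str       # workstation that raised the alert
    proto: str      # TCP or UDP
    src_ip: str     # where the inbound packets came from
    dst_port: int   # port the packets were aimed at on the workstation
    message: str


def parse_line(line: str) -> Optional[Alert]:
    """Parse one exported alert line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Alert(host=m["host"], proto=m["proto"], src_ip=m["src"],
                 dst_port=int(m["dport"]), message=m["msg"])


def classify(alert: Alert, gateways=ATA_GATEWAYS, probes=NNR_PROBES) -> str:
    """'ata-nnr' only when BOTH the source is a gateway AND the target port is a
    documented NNR probe. Other traffic from the gateway is not explained by NNR
    and still deserves a look, so do not whitelist the gateway host wholesale."""
    if ip_address(alert.src_ip) in gateways and (alert.proto, alert.dst_port) in probes:
        return "ata-nnr"
    return "investigate"


def triage(lines: Iterable[str], gateways=ATA_GATEWAYS, probes=NNR_PROBES) -> dict:
    """Count alerts explained by NNR, list the hosts they hit, and return the rest."""
    explained, explained_hosts, remaining = 0, set(), []
    for line in lines:
        alert = parse_line(line)
        if alert is None:
            continue  # skip unparseable lines rather than miscounting them
        if classify(alert, gateways, probes) == "ata-nnr":
            explained += 1
            explained_hosts.add(alert.host)
        else:
            remaining.append(alert)
    return {"explained": explained,
            "explained_hosts": sorted(explained_hosts),
            "remaining": remaining}


# Constructed sample export: three gateway NNR probes, one gateway connection to
# SMB (which NNR does not use), one unrelated source, and one garbage line.
SAMPLE_LINES = [
    '2016-03-08 09:14:02 WS-0421 BLOCK IN TCP 10.0.0.25:49213 -> 10.0.5.17:135 "Unusual traffic"',
    '2016-03-08 09:14:02 WS-0421 BLOCK IN UDP 10.0.0.25:137 -> 10.0.5.17:137 "Unusual traffic"',
    '2016-03-08 09:14:05 WS-0088 BLOCK IN TCP 10.0.0.25:49214 -> 10.0.5.40:135 "Unusual traffic"',
    '2016-03-08 09:15:11 WS-0088 BLOCK IN TCP 10.0.0.25:49300 -> 10.0.5.40:445 "Unusual traffic"',
    '2016-03-08 09:16:40 WS-0102 BLOCK IN TCP 10.0.9.9:51000 -> 10.0.5.61:135 "Unusual traffic"',
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(f"{result['explained']} alerts on {len(result['explained_hosts'])} hosts "
          f"explained by ATA NNR; {len(result['remaining'])} need investigation:")
    for a in result["remaining"]:
        print(f"  {a.host}: {a.proto} from {a.src_ip} to port {a.dst_port}")
```

Run it against your own export and the "remaining" list is what you still have to explain before touching the endpoint policy. The fourth sample line shows the caveat: the exception you add to Symantec Endpoint Protection should cover the gateway address and the NNR ports only, not the gateway host in general.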

[Screenshot: ATA Gateway log file showing the network name resolution steps]

Backing up the statement above is a note in the ATA prerequisites documentation:

[Screenshot: note from the ATA prerequisites documentation]

Conclusion: make sure to check the other security solutions in place when implementing Advanced Threat Analytics. Without implementing or tweaking some rules you may accidentally trigger alerts on a large number of systems and make some security folks nervous.

Until next time!

Tim
