The ATA Health Center lets you know when there's a problem with the ATA deployment, by raising a health alert.
This article describes all the health alerts for each component, listing the cause and the steps needed to resolve the problem.
ATA Center Issues
Center running out of disk space
Alert
Description
Resolution
Severity
The free space on the ATA Center machine drive that is used for storing the ATA database is getting low.
This means that the hard drive has less than 200 GB of free space or that there is less than 20% free space, whichever is smaller. When ATA recognizes that the drive is running low on space, it starts to delete old data from the database. If it cannot delete old data because it still needs the data for the detection engine, you receive this alert. When you receive this alert, ATA stops keeping track of new activities.
Increase the drive size or free up space from that drive.
High
Failure sending mail
Alert
Description
Resolution
Severity
ATA Failed to send an email notification to the specified mail server.
No email messages are sent from ATA.
Verify the SMTP server configuration.
Low
Center overloaded
Alert
Description
Resolution
Severity
The ATA Center is not able to handle the amount of data being transferred from the ATA Gateways.
The ATA Center stops analyzing new network traffic and events. This means that the accuracy of the detections and profiles is reduced while this health alert is active.
The ATA Center certificate will expire in less than 3 weeks.
After the certificate expires: Connectivity from ATA Gateways to ATA Center will fail. The ATA Center process will crash and all ATA functionality will stops.
After the certificate expires: Connectivity from the ATA Gateways to the ATA Center fails. The ATA Center process crashes and all ATA functionality stops.
The ATA Gateway certificate will expire in less than 3 weeks.
Connectivity from the specific ATA Gateway to the ATA Center fails. No data from that ATA Gateway is sent.
The ATA Gateway certificate should have been renewed automatically. Read the ATA Gateway and ATA Center logs to understand why that Certificate did not renew automatically.
Medium
Gateway certificate expired
Alert
Description
Resolution
Severity
The ATA Gateway certificate expired.
There is no connectivity from this ATA Gateway to the ATA Center. No data from that ATA Gateway is sent.
No domain synchronizer is assigned to any ATA Gateway. This may happen if there is no ATA Gateway configured as domain synchronizer candidate.
When the domain is not synchronized, changes to entities might cause entity information in ATA to become out of date or missing but does not affect any detection.
All/Some of the capture network adapters on a Gateway are not available
Alert
Description
Resolution
Severity
All/Some of the selected capture network adapters on the ATA Gateway are disabled or disconnected.
Network traffic for some/all of the domain controllers is no longer captured by the ATA Gateway. This impacts the ability to detect suspicious activities, related to those domain controllers.
Make sure these selected capture network adapters on the ATA Gateway are enabled and connected.
Medium
Some domain controllers are unreachable by a Gateway
Alert
Description
Resolution
Severity
An ATA Gateway has limited functionality due to connectivity issues to some of the configured domain controllers.
Pass the Hash detection might be less accurate when some domain controllers can't be queried by the ATA Gateway.
Make sure the domain controllers are up and running and that this ATA Gateway can open LDAP connections to them.
Medium
All domain controllers are unreachable by a Gateway
Alert
Description
Resolution
Severity
The ATA Gateway is currently offline due to connectivity issues to all the configured domain controllers.
This impacts ATA's ability to detect suspicious activities related to domain controllers monitored by this ATA Gateway.
Make sure the domain controllers are up and running and that this ATA Gateway can open LDAP connections to them.
Medium
Gateway stopped communicating
Alert
Description
Resolution
Severity
There has been no communication from the ATA Gateway. The default time span for this alert is 5 minutes.
Network traffic is no longer captured by the network adapter on the ATA Gateway. This impacts ATA's ability to detect suspicious activities, since network traffic will not be able to reach the ATA Center.
Check that the port used for the communication between the ATA Gateway and ATA Center service is not blocked by any routers or firewalls.
Medium
No traffic received from domain controller
Alert
Description
Resolution
Severity
No traffic was received from the domain controller via this ATA Gateway.
This might indicate that port mirroring from the domain controllers to the ATA Gateway is not configured yet or not working.
On the ATA Gateway capture NIC, disable these features in Advanced Settings:
Receive Segment Coalescing (IPv4)
Receive Segment Coalescing (IPv6)
Medium
Some forwarded events are not being analyzed
Alert
Description
Resolution
Severity
The ATA Gateway is receiving more events than it can process.
Some forwarded events are not being analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this ATA Gateway.
Verify that only required events are forwarded to the ATA Gateway or try to forward some of the events to another ATA Gateway.
Medium
Some network traffic is not being analyzed
Alert
Description
Resolution
Severity
The ATA Gateway is receiving more network traffic than it can process.
Some network traffic is not being analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this ATA Gateway.
This can also happen if you are using domain controllers on VMware virtual machines. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:
- TsoEnable
- LargeSendOffload(IPv4)
- IPv4 TSO Offload
Also, consider disabling IPv4 Giant TSO Offload. For more information, consult your VMware documentation.
Medium
Gateway version outdated
Alert
Description
Resolution
Severity
The ATA Center is newer than the version installed on the ATA Gateway. This is causing the ATA Gateway to stop functioning as expected.
This can impact the ability to detect suspicious activities originating from domain controllers being monitored by this ATA Gateway.
Update the ATA Gateway to the latest version automatically by enabling automatic update in the ATA Console or by downloading the latest ATA Gateway package available in the ATA Console.
High
Gateway service failed to start
Alert
Description
Resolution
Severity
The ATA Gateway service failed to start for at least 30 minutes.
This can impact the ability to detect suspicious activities originating from domain controllers being monitored by this ATA Gateway.
Lightweight Gateway reached a memory resource limit
Alert
Description
Resolution
Severity
The Lightweight ATA Gateway stopped itself and will restart automatically to protect the domain controller from a low memory condition.
The Lightweight ATA Gateway enforces memory limitations upon itself to prevent the domain controller from experiencing resource limitations. This happens when memory usage on the domain controller is high. Data from this domain controller is only partly monitored.
Increase the amount of memory (RAM) on the domain controller or add more domain controllers in this site to better distribute the load of this domain controller.