Hello, we are implementing Azure ATP and we have deployed sensors on our DCs. We want to test that the solution works by doing some network-mapping DNS reconnaissance activity (with nslookup) described in the lab testing documentation available here:


Unfortunately, we cannot see these activities on the Timeline page during the 8-day learning period as explained in the documentation. However, from what I read in the same documentation, we should be able to see the activities in the "Logical Activities timeline". However, we are not getting this information. I did the same test in another tenant and the result is the same. I even looked in the local ATP sensor log files that are on the DC and there's no information about these events.


  1. Am I missing something or is there an issue with this?
  2. Also, is there a way to change the learning period for some of the alerts to possibly reduce the duration?

PS: we are getting some other activities in the Timeline page (activities that don't require a learning period).


