Sep 11 2019 11:12 AM
Sep 11 2019 11:12 AM
Hello, We are implementing Azure ATP and we have deployed sensors on our DCs. We want to test that the solution work by doing some network-mapping DNS reconnaissance activity (with nslookup) described in the lab testing documentation available here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance#networ...
Unfortunately, we cannot see these activities on the Timeline page during the 8-day learning period as explained in the documentation. However, from what I read in the same documentation, we should be able to see the activities in the "Logical Activities timeline". However, we are not getting this information. I did the same test in another tenant and the result is the same. I even looked in the local ATP sensor log files that is in the DC and there's no information about these events.
- Am I missing something or is there an issue with this?
- Also, is there a way to change the learning period for some of the alerts to possibly reduce the duration?
PS: we are getting some other activities in the Timeline page (activities that doesn't require a learning period)
Sep 11 2019 11:45 PM
Hi @Chuck99 ,
The DNS activities supposed to be displayed in the computer timeline, not in the general alert timeline. Are you looking at the source computer profile you originated the DNS activities from. and there are no such activities? You can use the filter to look only at DNS queries. If this is the case please contact me privately with your tenant details so we can look at it.
The learning period are not configurable.
Sep 11 2019 11:51 PM
Hi @Tali Ash
That's exactly right. I don't see the DNS activity in the source computer timeline. When I search for the source computer from where I did the DNS reconnaissance tests (pointing nslookup to the DC on which the ATP sensor is installed), I see other activities like logins or even SMB activities but not the DNS activities. Same thing if I run other reconnaissance commands like "net user /domain" or "net group "domain admins" /domain".
I'll send you a private message with our tenant info. Thank you very much for your help with this.
Oct 17 2019 04:45 AM
Oct 17 2019 04:57 AM
Hi, I opened a support case and it was raised to the Product Group who was able to reproduce the issue. They are working on a fix that should soon be available.
Oct 17 2019 05:04 AM
Thanks Chuck. Glad to know it's not just me and something related to my setup!
Did you start receiving the alerts in the timeline view after 8 days?
Oct 17 2019 05:08 AM
Some of them but not all. All I know is that the issue seems to be related to the AXFR process that is drove by the TCP protocol instead of the UDP protocol.