I have successfully deployed the ATP Sensors in my environment today. I am trying to test the setup using the Reconnaissance Playbook, but unfortunately I am not receiving any alerts pertaining to Reconnaissance (Network-mapping or Directory-services).


When I read through the document, it says that Azure ATP suppresses the alerts from the suspicious activity log for a learning period of 8 days (Network-mapping) and 30 days (Directory-services), after which the portal would start invoking those alerts that it suppressed. But in my case, I do not find any Reconnaissance alerts getting either suppressed or even generated at all (I checked on both the general timeline and source user/machine timeline).


Hence, I wanted to check whether there is something that I am missing, or whether I should wait for a period of minimum 8 days to start my testing.


FYI, I tested the Honeytoken account activity and I received the alert for the same on the Azure ATP console while accessing my PC using that Honeytoken account.


Thank you.