DNS Reconnaissance activity not getting logged


Hi,


I have successfully deployed the ATP Sensors in my environment today. I am trying to test the setup using the Reconnaissance Playbook but unfortunately, I am not receiving any alerts pertaining to Reconnaissance (Network-mapping or Directory-services).


When I read through the document, it says that Azure ATP suppresses the alerts from the suspicious activity log for a learning period of 8 days (Network-mapping) and 30 days (Directory-services), after which the portal would start raising those alerts that it suppressed. But in my case, I do not find any Reconnaissance alerts getting either suppressed or even generated at all (I checked both the general timeline and the source user/machine timeline).


Hence I wanted to check if there is something that I am missing, or whether I should wait for a minimum period of 8 days before starting my testing.


FYI, I tested the Honeytoken account activity and I received the alert for it on the Azure ATP console when accessing my PC using that Honeytoken account.


Thank you.

3 Replies

@Karthik1600,


The DNS Reconnaissance alert requires a learning period of 8 days.

Therefore no alert will be triggered during the 8 days after deployment.


Thanks,

Tali

@Tali Ash

Hi Tali,


Thank you for the response. I will test the setup after the 8-day learning period.


--

Regards,

Karthik
