Oct 17 2019 06:14 AM - last edited on Nov 30 2021 02:05 PM by Allen
I have successfully deployed the ATP Sensors in my environment today. I am trying to test the setup using the Reconnaissance Playbook, but unfortunately I am not receiving any alerts pertaining to Reconnaissance (Network-mapping or Directory-services).
When I read through the document, it says that Azure ATP suppresses the alerts in the suspicious activity log for a learning period of 8 days (Network-mapping) and 30 days (Directory-services), after which the portal would start surfacing the alerts it had suppressed. But in my case, I do not find any Reconnaissance alerts being either suppressed or generated at all (I checked both the general timeline and the source user/machine timeline).
Hence I wanted to check whether there is something I am missing, or whether I should wait a minimum of 8 days before starting my testing.
FYI, I tested the Honeytoken account activity and received the corresponding alert in the Azure ATP console when I accessed my PC using that Honeytoken account.
Oct 18 2019 02:20 AM
This seems to be a common issue.
Oct 21 2019 11:33 PM
The DNS Reconnaissance alert requires a learning period of 8 days.
Therefore, no alert will be triggered during the 8 days after deployment.
Oct 22 2019 05:28 AM
Thank you for the response. I will test the setup after the 8-day learning period.
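To make the "wait, then test" advice in this thread concrete, here is an added PowerShell example (not code from the thread or from Microsoft): it computes when each reconnaissance learning window quoted above closes, relative to the sensor deployment date, and only then runs the reconnaissance playbook's own test steps. The deployment date, domain and DC names are placeholders, and the 8-day and 30-day windows are taken from the thread exactly as stated there; the nslookup and net commands are the ones the Azure ATP reconnaissance playbook tutorial uses, and they must be run from a domain-joined machine as a domain user.

```powershell
# Added example; not from the thread or from Microsoft. It gates the
# reconnaissance playbook steps on the learning periods quoted in the thread.
# Assumptions: the learning windows (8 days DNS, 30 days SAMR) are taken from
# the thread; the domain, DC name and deployment date are placeholders; the
# commands themselves are the ones the Azure ATP reconnaissance playbook
# tutorial uses, run from a domain-joined workstation as a domain user.

param(
    [datetime]$SensorDeployedOn = (Get-Date '2019-10-17'),   # day the sensors went live (placeholder)
    [string]$Domain             = 'contoso.azure',           # placeholder AD domain
    [string]$DomainController   = 'ContosoDC.contoso.azure', # placeholder DC FQDN (must have a sensor)
    [switch]$RunPlaybook                                     # actually fire the playbook steps
)

# Learning windows per alert family; the sensor profiles traffic silently during them.
$learning = [ordered]@{
    'Network mapping reconnaissance (DNS)'     = 8
    'Directory services reconnaissance (SAMR)' = 30
}

$today = (Get-Date).Date
$ready = @{}
foreach ($alert in $learning.Keys) {
    $opens = $SensorDeployedOn.Date.AddDays($learning[$alert])
    $ready[$alert] = ($today -ge $opens)
    $state = if ($ready[$alert]) { 'learning period over' } else { 'still learning' }
    '{0,-45} {1,-22} alerts expected from {2:yyyy-MM-dd}' -f $alert, $state, $opens
}

if (-not $RunPlaybook) { return }

# Step 1 (DNS): a zone-transfer request against the DC, which is what the
# "Network mapping" detection keys on. nslookup reads its commands from stdin.
if ($ready['Network mapping reconnaissance (DNS)']) {
    @"
server $DomainController
ls -d $Domain
"@ | nslookup
}

# Step 2 (SAMR): enumerate domain users and privileged groups over SAMR,
# the traffic the "Directory services" detection looks for.
if ($ready['Directory services reconnaissance (SAMR)']) {
    net user /domain
    net group /domain
    net group "Domain Admins" /domain
}
```

Run it first without -RunPlaybook to see the dates; add -RunPlaybook once both lines report the learning period over. The DNS step only produces an alert if the sensor on the DC you point nslookup at sees the zone-transfer request, so pick a DC that actually has a sensor installed, and expect the SAMR alert only from a DC whose sensor has had the full window to profile SAMR traffic.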