DNS reconnaissance tests cannot be seen during the 8-day Learning Period

Hello, we are implementing Azure ATP and have deployed sensors on our DCs. We want to test that the solution works by doing some network-mapping DNS reconnaissance activity (with nslookup) described in the lab testing documentation available here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance#networ...

Unfortunately, we cannot see these activities on the Timeline page during the 8-day learning period, as explained in the documentation. However, from what I read in the same documentation, we should be able to see the activities in the "Logical Activities timeline". However, we are not getting this information. I did the same test in another tenant and the result is the same. I even looked in the local ATP sensor log files on the DC and there is no information about these events.

  1. Am I missing something or is there an issue with this?
  2. Also, is there a way to change the learning period for some of the alerts to possibly reduce the duration?

PS: we are getting some other activities in the Timeline page (activities that don't require a learning period).

Thanks

Hi @Chuck99,

The DNS activities are supposed to be displayed in the computer timeline, not in the general alert timeline. Are you looking at the profile of the source computer you originated the DNS activities from, and there are no such activities? You can use the filter to look only at DNS queries. If this is the case, please contact me privately with your tenant details so we can look at it.

The learning periods are not configurable.

Thanks,

Tali

Hi @Tali Ash

That's exactly right. I don't see the DNS activity in the source computer timeline. When I search for the source computer from which I did the DNS reconnaissance tests (pointing nslookup to the DC on which the ATP sensor is installed), I see other activities like logins or even SMB activities, but not the DNS activities. Same thing if I run other reconnaissance commands like "net user /domain" or "net group "domain admins" /domain".

I'll send you a private message with our tenant info. Thank you very much for your help with this.

@Chuck99 @Tali Ash

I am seeing the exact same behaviour in my lab setup.

Did you get to the bottom of this issue?

@PJR_CDF 

Hi, I opened a support case and it was raised to the Product Group, which was able to reproduce the issue. They are working on a fix that should soon be available. :smile:

@Chuck99

Thanks Chuck. Glad to know it's not just me and something related to my setup!

Did you start receiving the alerts in the timeline view after 8 days?

Paul

@PJR_CDF

Some of them but not all. All I know is that the issue seems to be related to the AXFR process, which is driven by the TCP protocol instead of the UDP protocol.
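The thread never shows what the nslookup test at the top actually puts on the wire, or why the TCP-versus-UDP remark in the last reply matters. The following Python is an added example written for this page; it is not code from the thread, from the Azure ATP playbook, or from the sensor, and nothing here describes how the real sensor parses traffic. It builds the AXFR (zone transfer, QTYPE 252) question that nslookup's `ls -d <zone>` sends over TCP, shows the 2-byte length prefix that RFC 1035 requires on TCP, and runs a toy detector over the same bytes three ways: as a UDP message, as a correctly unframed TCP message, and as TCP bytes handed to a parser that assumes UDP framing. The zone name `contoso.azure`, the transaction ID, and the `classify` helper are assumptions for the demo; `axfr_over_tcp` is included so the query can be sent at a real DC in a lab, but the offline demo does not call it.

```python
import socket
import struct

# Constructed values for the offline demo (assumptions, not from the thread):
# the lab zone name and a fixed transaction ID.
DEMO_ZONE = "contoso.azure"
DEMO_TXID = 0x1234

QTYPE_AXFR = 252   # zone-transfer query type (RFC 5936)
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Inverse of encode_name; returns (name, offset just past the name)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_axfr_query(zone: str, txid: int = DEMO_TXID) -> bytes:
    """12-byte header (ID, flags=0, QDCOUNT=1) followed by one AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def frame_tcp(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: over TCP every DNS message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_query(msg: bytes) -> dict:
    """Parse the header and the first question of a DNS message."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "qname": qname, "qtype": qtype, "qclass": qclass}


def classify(payload: bytes, transport: str) -> dict:
    """Toy detector (assumption): strip TCP framing when told the bytes came over TCP,
    then flag any question whose QTYPE is AXFR."""
    if transport == "tcp":
        (length,) = struct.unpack("!H", payload[:2])
        msg = payload[2:2 + length]
    else:
        msg = payload
    q = parse_query(msg)
    q["transport"] = transport
    q["zone_transfer_attempt"] = q["qtype"] == QTYPE_AXFR
    return q


def axfr_over_tcp(server: str, zone: str, timeout: float = 5.0) -> bytes:
    """Send the same query to a live DNS server on TCP/53 and return the first raw
    response message, as nslookup's 'ls -d zone' does. Not called by the offline demo."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_axfr_query(zone)))
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return data


def demo() -> dict:
    """Same AXFR question seen three ways: over UDP, over TCP with the prefix removed,
    and TCP bytes handed to a parser that assumes UDP framing (the AXFR disappears)."""
    q = build_axfr_query(DEMO_ZONE)
    return {
        "udp": classify(q, "udp"),
        "tcp": classify(frame_tcp(q), "tcp"),
        "tcp_parsed_as_udp": classify(frame_tcp(q), "udp"),
    }


if __name__ == "__main__":
    for view, result in demo().items():
        print(f"{view:>18}: qname={result['qname']!r} qtype={result['qtype']} "
              f"zone_transfer_attempt={result['zone_transfer_attempt']}")
```

The third view is the point: the two length bytes shift every field, so the parser reads an empty name and a wrong QTYPE and never sees a zone transfer. Any inspection that only understands the UDP layout will miss the nslookup `ls -d` test for exactly that reason, which is the kind of gap the last reply is pointing at; the example does not claim that this is what the sensor did.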
