After installing Azure ATP Sensor on a domain controller for testing, I see a number of failed connection attempt to external IPs (specifically our public DNS IPs) on ports 3389, 135, 137 from that domain controller. Ticket# 119080724001601

archedmeerkat No sure what you mean by "source on the network". We inspect the packets and look on the source IP of the packet.If the name appears in the packet as well we sometime use it too (we call it a "hint") and also rely on it to a degree as it can't always be trusted. Anyway, knowing the IP alone we can't tell for sure if it's public or private or vpn etc... so we check anyway.

gd-29 This is expected communication and is part of the NNR process AATP uses to resolve the IP address in the network traffic to a computer name. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#portshttps://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy BestGershon

Gerson Levitz this makes sense for private IPs, i don't see why it would try to connect public IPs. that also generates a lot of noise on our firewalls / SIEM. it would be ideal to be able to select the IP ranges that i would want the agent to interrogate for this additional info.

gd-29 Do you have a domain controller with the sensor installed that have public IP addresses?

Gerson Levitz no. But after the agent installation i see these connection attempts to our public dns provider (configured on our domain controller dns for dns forwarding).

Azure ATP Sensor tries to connect to public IPs

13 Replies

AzureGuineaPig
Copper Contributor
Mar 15, 2023
If we block outbound traffic from the domain controllers to ports 135, 137, & 3389 to our public DNS resolvers, will this cause an issue or generate any alerts for the Azure ATP sensor. We're looking to harden firewall traffic and only permit 53 outbound from the DC to trusted DNS servers.
- EliOfek
  Microsoft
  Mar 15, 2023
  AzureGuineaPig As long as the FW will refuse connection immediately and not act as a sink hole it should be fine.
Gerson Levitz
Iron Contributor
Aug 07, 2019
gd-29

This is expected communication and is part of the NNR process AATP uses to resolve the IP address in the network traffic to a computer name.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#ports
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy

Best
Gershon
- gd-29
  Brass Contributor
  Aug 07, 2019
  Gerson Levitz this makes sense for private IPs, i don't see why it would try to connect public IPs. that also generates a lot of noise on our firewalls / SIEM. it would be ideal to be able to select the IP ranges that i would want the agent to interrogate for this additional info.
  - Gerson Levitz
    Iron Contributor
    Aug 07, 2019
    gd-29
    
    Do you have a domain controller with the sensor installed that have public IP addresses?

Forum Discussion

Azure ATP Sensor tries to connect to public IPs

13 Replies

Resources