Forum Discussion
Azure ATP Sensor tries to connect to public IPs
This is expected communication and is part of the NNR process AATP uses to resolve the IP address in the network traffic to a computer name.
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#ports
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy
Best
Gershon
Gerson Levitz this makes sense for private IPs, I don't see why it would try to connect to public IPs. That also generates a lot of noise on our firewalls / SIEM. It would be ideal to be able to select the IP ranges that I would want the agent to interrogate for this additional info.
- Gerson Levitz, Aug 07, 2019, Iron Contributor
- gd-29, Aug 07, 2019, Brass Contributor
Gerson Levitz no. But after the agent installation I see these connection attempts to our public DNS provider (configured on our domain controller DNS for DNS forwarding).
- Gerson Levitz, Aug 08, 2019, Iron Contributor
Is it possible that the public DNS server is communicating to the domain controller for some reason?
As described in the articles I previously linked to, the Sensor will attempt to communicate on these ports after it sees traffic from an IP address in the traffic of the domain controller.
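
For the firewall / SIEM noise raised in this thread, the following is an added example (not from any poster and not Microsoft's code) that picks sensor-originated NNR probes to non-internal addresses out of firewall logs so they can be tagged instead of alerted on. The log format, the addresses and the port set (TCP 135, UDP 137, TCP 3389) are assumptions; check the ports against the linked prerequisites page.

```python
import ipaddress
from collections import defaultdict

# Assumed NNR probe ports (NTLM over RPC, NetBIOS, RDP); verify against the
# prerequisites documentation linked in the thread.
NNR_PORTS = {("tcp", 135), ("udp", 137), ("tcp", 3389)}

# Constructed values: the sensor host and the ranges treated as internal.
SENSOR_IPS = {"10.0.0.10"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log; documentation addresses stand in for public IPs.
SAMPLE_LOG = """\
2019-08-07T10:00:01 DENY tcp 10.0.0.10:50112 -> 198.51.100.53:135
2019-08-07T10:00:01 DENY udp 10.0.0.10:50113 -> 198.51.100.53:137
2019-08-07T10:00:02 DENY tcp 10.0.0.10:50114 -> 198.51.100.53:3389
2019-08-07T10:00:05 ALLOW tcp 10.0.0.10:50120 -> 10.0.1.25:135
2019-08-07T10:00:07 DENY tcp 10.0.0.99:40000 -> 203.0.113.7:3389
2019-08-07T10:00:09 ALLOW udp 10.0.0.10:50130 -> 198.51.100.53:53
"""


def is_internal(ip):
    """True if ip falls inside one of the ranges declared as internal."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def nnr_probes_to_external(log_text):
    """Map each external destination to the NNR ports the sensor probed on it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _action, proto, src, _arrow, dst = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        key = (proto, int(dst_port))
        # Keep only sensor-originated probes on NNR ports leaving the internal ranges.
        if src_ip in SENSOR_IPS and key in NNR_PORTS and not is_internal(dst_ip):
            hits[dst_ip].add(key)
    return {ip: sorted(ports) for ip, ports in hits.items()}


if __name__ == "__main__":
    for ip, ports in nnr_probes_to_external(SAMPLE_LOG).items():
        print(ip, ports)
```

A destination that shows up here and also appears in the domain controller's own traffic, such as the DNS forwarder in the sample, fits the behaviour described in the replies above.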