Forum Discussion
gd-29
Aug 07, 2019 Copper Contributor
Azure ATP Sensor tries to connect to public IPs
After installing Azure ATP Sensor on a domain controller for testing, I see a number of failed connection attempts to external IPs (specifically our public DNS IPs) on ports 3389, 135, 137 from that d...
Gerson Levitz
Aug 08, 2019 Iron Contributor
Is it possible that the public DNS server is communicating to the domain controller for some reason?
As described in the articles I previously linked to, the Sensor will attempt to communicate on these ports after it sees traffic from an IP address in the traffic of the domain controller.
gd-29
Aug 12, 2019 Copper Contributor
Support provided this doc:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy
But I still think this is a noisy behavior.
"Is it possible that the public DNS server is communicating to the domain controller for some reason?"
-- The public DNS server is replying to the forwarded public DNS lookup.
Being that the agent is sized based on packets/sec, I would assume any noisy traffic wouldn't help.
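
Added example, not part of the thread and not Microsoft's code: a triage sketch that checks whether each blocked outbound attempt from the domain controller on the ports named above follows a packet received from the same external IP, which is the trigger described in the Aug 08 reply. The log format, the 5-minute window, and all addresses are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

NNR_PORTS = {3389, 135, 137}            # ports named in the thread
WINDOW = timedelta(minutes=5)           # assumed correlation window
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, hypothetical format:
# timestamp action src_ip src_port dst_ip dst_port (sorted by time)
SAMPLE_LOG = """\
2019-08-07T10:00:01 ALLOW 10.0.0.10 53211 198.51.100.53 53
2019-08-07T10:00:01 ALLOW 198.51.100.53 53 10.0.0.10 53211
2019-08-07T10:00:03 DENY 10.0.0.10 49152 198.51.100.53 135
2019-08-07T10:00:03 DENY 10.0.0.10 49153 198.51.100.53 137
2019-08-07T10:00:04 DENY 10.0.0.10 49154 198.51.100.53 3389
2019-08-07T10:30:00 DENY 10.0.0.10 49200 203.0.113.7 3389
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def classify_denies(log_text, dc_ip):
    """Label each denied DC -> external connection on an NNR port.

    'nnr-probe-likely': the external IP sent the DC a packet within WINDOW
    (for example a reply to a forwarded DNS lookup), so a sensor probe
    toward it is expected. 'unexplained': no such packet was seen first.
    """
    dc = ipaddress.ip_address(dc_ip)
    last_inbound = {}                   # external IP -> last time it reached the DC
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _sport, dst, dport = line.split()
        ts = datetime.fromisoformat(ts)
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if action == "ALLOW" and dst == dc and not is_internal(src):
            last_inbound[src] = ts
        elif (action == "DENY" and src == dc and not is_internal(dst)
              and int(dport) in NNR_PORTS):
            seen = last_inbound.get(dst)
            likely = seen is not None and ts - seen <= WINDOW
            results.append((str(dst), int(dport),
                            "nnr-probe-likely" if likely else "unexplained"))
    return results

if __name__ == "__main__":
    for row in classify_denies(SAMPLE_LOG, "10.0.0.10"):
        print(row)
```

Denies labelled "unexplained" are the ones worth a closer look, since nothing from that address reached the domain controller beforehand.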