Forum Discussion
gd-29
Aug 07, 2019
Copper Contributor
Azure ATP Sensor tries to connect to public IPs
After installing Azure ATP Sensor on a domain controller for testing, I see a number of failed connection attempts to external IPs (specifically our public DNS IPs) on ports 3389, 135, 137 from that d...
EliOfek
Microsoft
Aug 19, 2019
archedmeerkat, For this reason (among others) DNS-based resolution is only a fallback, and even then it's considered in the system as "low certainty".
We probably tried using NetBIOS, NTLM RPC & TLS, and failed for all 3, then fell back to DNS as a last resort.
The detections take this into account, so in some cases, since this is low certainty, it might affect whether we decide to alert or not.
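The fallback chain described in this reply, as an added example that is not code from the thread or from the Azure ATP sensor itself: a small resolver that asks the host for its NetBIOS names over UDP/137 first (the port seen in the original post) and only then falls back to reverse DNS, tagging the answer with the method that produced it and a certainty label so that a downstream detection can discount DNS-only results. The NetBIOS node-status packet layout follows RFC 1002; the probe order, the certainty labels and the "hint" field are assumptions made for illustration, and the NTLM RPC and RDP/TLS probes mentioned in the reply are not implemented.

```python
"""Added example: ordered name resolution with a NetBIOS-first, reverse-DNS-last
fallback chain. Packet layout per RFC 1002; probe order, certainty labels and the
"hint" field are illustrative assumptions, not the sensor's actual design."""
import random
import socket
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

NBSTAT_PORT = 137
NBSTAT_TYPE = 0x0021      # node status request/response
GROUP_NAME_FLAG = 0x8000  # set on group (workgroup/domain) names


def encode_netbios_name(name: str) -> bytes:
    """RFC 1002 first-level encoding: 16 raw bytes, each split into two nibbles
    mapped onto 'A'..'P'. The wildcard '*' is NUL-padded, real names space-padded."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15).encode("ascii") + b"\x00"
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + encoded + b"\x00"


def build_nbstat_query(txid: int) -> bytes:
    """Node status request for the wildcard name (what a UDP/137 probe sends)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*") + struct.pack(">HH", NBSTAT_TYPE, 0x0001)


def parse_nbstat_response(data: bytes, txid: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (host name, domain or workgroup) from a node status reply.
    Replies whose transaction ID does not match the query are rejected."""
    if len(data) < 12 or struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("not a reply to our query")
    pos = 12 + 34 + 10  # header, encoded wildcard name, TYPE/CLASS/TTL/RDLENGTH
    if pos >= len(data):
        raise ValueError("truncated reply")
    num_names, pos = data[pos], pos + 1
    host = domain = None
    for _ in range(num_names):
        entry = data[pos:pos + 18]
        pos += 18
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix, flags = entry[15], struct.unpack(">H", entry[16:18])[0]
        if suffix != 0x00:  # only the workstation/domain <00> names matter here
            continue
        if flags & GROUP_NAME_FLAG:
            domain = domain or name
        else:
            host = host or name
    return host, domain


def build_nbstat_response(txid: int, host: str, domain: str) -> bytes:
    """Constructed reply for offline testing; not captured from a real host."""
    entries = b""
    for name, flags in ((host, 0x0400), (domain, 0x0400 | GROUP_NAME_FLAG)):
        entries += name.upper().ljust(15).encode("ascii") + b"\x00" + struct.pack(">H", flags)
    rdata = bytes([2]) + entries + b"\x00" * 6  # two names, then a zeroed MAC
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_netbios_name("*") + struct.pack(">HHIH", NBSTAT_TYPE, 0x0001, 0, len(rdata))
    return header + rr + rdata


def netbios_probe(ip: str, timeout: float = 1.0) -> Optional[str]:
    """Ask the host itself for its NetBIOS names over UDP/137."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(txid), (ip, NBSTAT_PORT))
        data, _ = s.recvfrom(1024)
    host, domain = parse_nbstat_response(data, txid)
    return f"{host}.{domain}" if host and domain else host


def reverse_dns_probe(ip: str) -> Optional[str]:
    """PTR lookup: whoever controls the reverse zone controls the answer."""
    return socket.gethostbyaddr(ip)[0]


@dataclass
class Resolution:
    ip: str
    name: Optional[str]
    method: str
    certainty: str
    hint: Optional[str] = None  # name seen inside the packet; recorded, not trusted


Probe = Tuple[str, str, Callable[[str], Optional[str]]]  # (method, certainty, probe)

# NTLM RPC (TCP/135) and RDP/TLS certificate (TCP/3389) probes are not implemented;
# the ordering and the certainty attached to the fallback are the point.
DEFAULT_PROBES: List[Probe] = [
    ("netbios", "high", netbios_probe),
    ("reverse-dns", "low", reverse_dns_probe),
]


def resolve(ip: str, probes: List[Probe] = DEFAULT_PROBES, hint: Optional[str] = None) -> Resolution:
    """Try each probe in order; a failure (timeout, bad reply) falls through to the next."""
    for method, certainty, probe in probes:
        try:
            name = probe(ip)
        except (OSError, ValueError):
            name = None
        if name:
            return Resolution(ip, name, method, certainty, hint)
    if hint:  # nothing confirmed: keep the packet's own claim, marked as such
        return Resolution(ip, hint, "hint-only", "very-low", hint)
    return Resolution(ip, None, "none", "none", hint)
```

Run against a real address with `resolve("10.0.0.5")`; the probes go out in order, so traffic to UDP/137 precedes any PTR query, and a host that answers neither ends up as `method="none"` unless a packet-level hint was supplied, in which case the hint is returned with `certainty="very-low"` rather than silently promoted to a resolved name.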
archedmeerkat
Aug 21, 2019
Copper Contributor
EliOfek - So network name resolution is done on information in the packet, rather than what the source was on the network? Or is it a combination of both?
Knowing that the IP or name might be from the packet can at least assist in investigations so you don't go down the wrong rabbit hole.
EliOfek
Aug 21, 2019
Microsoft
archedmeerkat Not sure what you mean by "source on the network".
We inspect the packets and look at the source IP of the packet.
If the name appears in the packet as well we sometimes use it too (we call it a "hint") and also rely on it to a degree, as it can't always be trusted. Anyway, knowing the IP alone we can't tell for sure if it's public or private or VPN etc., so we check anyway.
archedmeerkat
Aug 21, 2019
Copper Contributor
EliOfek - Thanks, this answers my questions (specifically the "hint").
Sorry I wasn't clear by "source on the network"; I was just trying to distinguish between the source IP and any IP/name that would be inside the packet.