Forum Discussion
Azure ATP syslog events - Firewall settings ???
Eli Ofek, thanks for your feedback.
I'm not an ATP expert, but from what I've been told, there's a way to have AATP send alerts to our internal SIEM, that goes over the Internet, and it can only be an inbound connection (from our perspective). The doc indeed talks about a 'sensor', but it also mentions the FQDN, including port, of the 'service endpoint', i.e. the (internal) syslog server, so at some point we'll have to open the perimeter firewall to allow that traffic, and my question is: what IPs are we supposed to allow (inbound)? While TLS is supported (so we could use an F5 VIP with an SSL profile to filter), that's already behind the FW; we can't allow the whole world to get into the DMZ, even if we can use TLS to filter out potential rogue traffic.
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/setting-syslog
Or should I understand your reply as "syslog notifications are always sent from AATP to a sensor that is inside your network, which de facto acts as a syslog proxy"?
- EliOfek (Microsoft), Jul 15, 2020
PhilippeA, yes, with one correction: the notifications are not sent/pushed, they are pulled by the sensor from the backend (when available).
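As an added illustration of the pull model described above (example code written for this page, not Microsoft's or the thread participants' code): the only syslog connection the collector should ever see is an outbound one from the sensor host on the internal network, so a quick way to reassure the firewall team is to run a throwaway TLS syslog listener and check the peer address of whatever connects. The address ranges, port 6514, the newline framing and the sample event line are all assumptions; the event body is a constructed placeholder, not the real Azure ATP CEF payload.

```python
"""Constructed example: a TLS syslog test listener that records where events
come from. Not Microsoft's code; ranges, port, framing and the sample event
are assumptions for illustration only."""
import ipaddress
import re
import socket
import ssl

# Assumption: the Azure ATP sensor(s) live in RFC 1918 space, so a syslog
# connection from any other address is unexpected under the pull model.
EXPECTED_SOURCE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample line in RFC 5424 shape; the message body is a placeholder,
# not the real Azure ATP CEF format.
SAMPLE_EVENT = "<110>1 2020-07-15T10:00:00Z dc01 AzureATPSensor - - - constructed test event"


def is_expected_source(peer_ip: str) -> bool:
    """True if the connecting address is inside the ranges the sensor uses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in EXPECTED_SOURCE_NETS)


def parse_pri(line: str):
    """Split the syslog PRI header into (facility, severity); None if absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    return divmod(pri, 8)  # facility = pri // 8, severity = pri % 8


def classify(peer_ip: str, line: str) -> dict:
    """Decide whether one received line is what the pull model predicts:
    an internal source (the sensor) carrying a well-formed syslog header."""
    result = {"peer": peer_ip, "accepted": False, "facility": None,
              "severity": None, "reason": ""}
    if not is_expected_source(peer_ip):
        result["reason"] = "unexpected external source; no inbound perimeter rule should be needed"
        return result
    pri = parse_pri(line)
    if pri is None:
        result["reason"] = "missing or invalid PRI header"
        return result
    result.update(accepted=True, facility=pri[0], severity=pri[1])
    return result


def serve(certfile: str, keyfile: str, host: str = "0.0.0.0", port: int = 6514,
          max_lines: int = 10):
    """Accept one TLS connection, classify up to max_lines newline-delimited
    syslog records and return the classifications. Port 6514 (syslog over
    TLS) is an assumption; use the port you configured in the portal."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    seen = []
    with socket.create_server((host, port)) as srv:
        conn, (peer_ip, _) = srv.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            buf = b""
            while len(seen) < max_lines:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf and len(seen) < max_lines:
                    raw, buf = buf.split(b"\n", 1)
                    seen.append(classify(peer_ip, raw.decode("utf-8", "replace")))
    return seen


if __name__ == "__main__":
    # Offline demonstration of the classification logic on constructed input.
    print(classify("10.20.30.40", SAMPLE_EVENT))   # accepted, facility 13, severity 6
    print(classify("203.0.113.5", SAMPLE_EVENT))   # rejected: external source
```

Point the sensor's syslog endpoint at the host running `serve()` (with a certificate the sensor trusts) and the returned `peer` field is the address the firewall rule actually has to cover: the sensor's own internal IP, not anything on the Internet.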
- PhilippeA (Copper Contributor), Jul 15, 2020
OK, that makes more sense now... 😉
(The techs are gonna be happy; they were freaking out... :-))
Any idea whether the 'pull' approach induces any delay, and if yes, roughly how much?
And btw, many, many thanks !!!