Chuck99
Brass Contributor
Sep 11, 2019

DNS reconnaissance tests cannot be seen during the 8-day Learning Period

Hello, We are implementing Azure ATP and we have deployed sensors on our DCs. We want to test that the solution works by doing some network-mapping DNS reconnaissance activity (with nslookup) described in the lab testing documentation available here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance#network-mapping-reconnaissance-dns

Unfortunately, we cannot see these activities on the Timeline page during the 8-day learning period, as explained in the documentation. However, from what I read in the same documentation, we should be able to see the activities in the "Logical Activities timeline". However, we are not getting this information. I did the same test in another tenant and the result is the same. I even looked in the local ATP sensor log files that are on the DC and there's no information about these events.
  1. Am I missing something or is there an issue with this?
  2. Also, is there a way to change the learning period for some of the alerts to possibly reduce the duration?

PS: we are getting some other activities in the Timeline page (activities that don't require a learning period).

Thanks

6 Replies

  • Tali Ash
    Former Employee

    Hi Chuck99,

    The DNS activities are supposed to be displayed in the computer timeline, not in the general alert timeline. Are you looking at the source computer profile you originated the DNS activities from, and there are no such activities? You can use the filter to look only at DNS queries. If this is the case, please contact me privately with your tenant details so we can look at it.

    The learning periods are not configurable.
    Thanks,

    Tali

    • Chuck99
      Brass Contributor

      Hi Tali Ash,

      That's exactly right. I don't see the DNS activity in the source computer timeline. When I search for the source computer from where I did the DNS reconnaissance tests (pointing nslookup to the DC on which the ATP sensor is installed), I see other activities like logins or even SMB activities, but not the DNS activities. Same thing if I run other reconnaissance commands like "net user /domain" or "net group "domain admins" /domain".
      I'll send you a private message with our tenant info. Thank you very much for your help with this.

      • PJR_CDF
        Iron Contributor

        Chuck99, Tali Ash,

        I am seeing the exact same behaviour in my lab setup.

        Did you get to the bottom of this issue?