Forum Discussion

Brass Contributor

Sep 11, 2019

DNS reconnnaissance tests cannot be seen during the 8-day Learning Period

Hello, We are implementing Azure ATP and we have deployed sensors on our DCs. We want to test that the solution work by doing some network-mapping DNS reconnaissance activity (with nslookup) describe...

Tali Ash

Former Employee

Sep 12, 2019

Hi Chuck99 ,

The DNS activities supposed to be displayed in the computer timeline, not in the general alert timeline. Are you looking at the source computer profile you originated the DNS activities from. and there are no such activities? You can use the filter to look only at DNS queries. If this is the case please contact me privately with your tenant details so we can look at it.

The learning period are not configurable.

Thanks,

Tali

Chuck99
Brass Contributor
Sep 12, 2019
Hi Tali Ash

That's exactly right. I don't see the DNS activity in the source computer timeline. When I search for the source computer from where I did the DNS reconnaissance tests (pointing nslookup to the DC on which the ATP sensor is installed), I see other activities like logins or even SMB activities but not the DNS activities. Same thing if I run other reconnaissance commands like "net user /domain" or "net group "domain admins" /domain".

I'll send you a private message with our tenant info. Thank you very much for your help with this.
- PJR_CDF
  Iron Contributor
  Oct 17, 2019
  Chuck99 Tali Ash
  
  I am seeing the exact same behaviour in my lab setup.
  
  Did you get to the bottom of this issue?
  - Chuck99
    Brass Contributor
    Oct 17, 2019
    PJR_CDF
    Hi, I opened a support case and it was raised to the Product Group who was able to reproduce the issue. They are working on a fix that should soon be available.