
Azure Advanced Threat Protection

27 Conversations

Latest Activity

We wanted to let you know that we’ve updated Azure ATP to Version 1.12 and we’ve made a few visible changes:

We added some new detections (you can find details of all of these detections in our ATA Suspicious Activity Guide):

  • Reconnaissance using SMB S...
13 Views
0 Reply

Thanks to the awesome Andrew Harris from our CxP team, we now have an updated "playbook" on how to simulate security alerts in Azure ATP (Limited Preview)!

Note this will be updated as Azure ATP gets to feature parity with ATA detections.

93 Views
0 Reply

Here are the answers to a number of Frequently Asked Questions for the Azure ATP preview!

102 Views
0 Reply

I have been trying to test Azure ATP Playbook attached here in the link.

I am only able to see DNS Reconnaissance events but no Overpass-the-Hash or Identity theft using Pass-the-Ticket attack?

I also don't see any Sensitive Group Modification, even if I...
30 Views
1 Reply

For anyone else who is seeing this issue - we had a few delays with processing events last week which prevented alerts from showing in a timely manner. They should show up...

We've flipped the toggle to link WDATP and Azure ATP - but haven't seen reports from WDATP showing up yet in the console. Is there a delay, post integration, on having these work together?

25 Views
1 Reply

Hi Reed, We are still working on completing the integration between Windows Defender ATP and Azure ATP. We expect to have this working via an update in January.

Is there a way to restrict who can access ATP? I am just onboarding and I've found any user can access it - which could be a bit of a problem.

34 Views
3 Replies
Hi, in my experience only a Global Administrator can access the content of the Azure ATP.

I have sensors installed on 3 domain controllers and 2 of them are now saying "Some network traffic is not being analyzed. Sensor, $hostname, is receiving more network traffic than it can process. A portion of the network traffic is not analyzed."

This...
20 Views
1 Reply

Hi Robert, Are these DCs running under VMware? If so, then it's not a problem with the resources allocated to the DC, but you will need to make a change to the NIC configu...

With ATA we were using our built-in administrator account (domain\Administrator renamed to domain\DomainAdmin) as our honeytoken account. When I try to add that account to Azure ATP it doesn't show as available. As a side note I noticed I can't...
62 Views
4 Replies
After waiting a few more days our honeytoken account finally showed up in the list.

No, this is not expected. If you can't search for the account then there's probably a sync issue. A few questions to help with the troubleshooting:

- Have you assigned on...

We are planning to onboard in a week. According to the FAQ the only locations are Europe and United States. We are located in New Zealand and I'm wondering if the distance will cause any issues in data transfer?

36 Views
1 Reply

Hi Darren, Europe and United States are the only two locations we have deployed Azure ATP. We have a number of customers already deployed in NZ and Australia and we have...
Best Response confirmed by Darren Joyce (New Contributor)

If you try to dump the DNS reverse lookup zone ATP will not raise an issue. If you execute the following command for your IP Subnet it is undetected by ATP and an attacker will have all your IP Address and Servername combinations:

for /L %i in (1,1,255) d...
33 Views
1 Reply

Thanks for the feedback Stefan.

Don't forget however, that even failed DNS recon attempts generate alerts, and we do see attackers attempting these types of queries wheth...

I've found out that Azure ATP has some problems recognizing aadconnect activities.

[attached screenshot: azure atp dirsync.PNG]

Is it happening to you, too?

31 Views
1 Reply

This is a known false positive for this detection. You can find more information about all the alerts (including what might generate a false positive) in the Suspicious A...
Best Response confirmed by Paolo Heuer (New Contributor)

Hi,

I’ve found that issues regarding unencrypted LDAP authentications are not reported in the Azure ATP Timeline. If I generate the corresponding report I see a lot of these issues.

We have also deployed ATA before Azure ATP and ATA will report these issu...
50 Views
4 Replies
Hi Stefan, Yes this is expected. We moved this particular detection from an alert to a report to make it more useful to customers. For most customers the alert was too...

We onboarded a domain controller today (well, actually tried with two), and everything seemed fine, but the domain controllers never started the AATP services. When I try to start the services manually, neither will start.

Tries to start the AATPSensorUpda...
51 Views
2 Replies

We believe this may be similar to an issue we have seen with the on-prem ATA gateways related to the performance counters. Are you able to try using this KB to reset the...

On step 5 (page 18) of the most recent ATA playbook, I noticed that Azure ATP is not alerting on the NetSess activity.

Let's say for sake of argument that this falls into the category of being inside the 4 week learning period, so we aren't going to alert...
73 Views
9 Replies

There are a number of detections which have not yet been implemented in Azure ATP; Reconnaissance using SMB session enumeration is one of those detections. We are working...

I too have onboarded Azure ATP, compromised the credentials of the admin, went through all of the various scenarios of the ATA Playbook as well as a handful of other thin...

We are looking forward to the public release of the Azure ATP playbook. We should be able to onboard shortly after it's available.

23 Views
0 Reply

Hopefully I'll be able to keep editing this as I find documentation that needs changes... For the ATA Playbook:
...
65 Views
4 Replies

Hey Rand,

Thanks for the feedback on the Playbook. Will fix that link issue.

As for Windows fixing "holes", yes, that is correct. Now when you logoff, within 5 seco...

wow - Rand Morimoto! We are guaranteed to have excellent feedback on this product now.
-Joe Stocker (from the infrastructure partner advisory council a long time ago =)

Hello @ll,

First: thanks a lot for the preview program, appreciated to join! I deployed Azure ATP in our environment today. I already have some XP of ATA, some of our customers are using this technology successfully.

Here are some questions from my side:

  1. Is AT...
43 Views
1 Reply

Karsten Hentrup wrote:

Hello @ll,

First: thanks a lot for the preview program, appreciated to join! I deployed Azure ATP in our environment today. I already have some X...

Hello,

I'm just joining the ATP program, but I have an issue during the setup.

I have a problem during the setup of the agent.

On my first Domain Controller (Win 2008 R2), I installed .NET 4.7 before starting the setup.

The setup is successful.

The ser...
44 Views
2 Replies
Hi Nicolas,
We support a Forest Functional Level (FFL) of Windows 2003 and above. So this should not be a problem.

Error 82 usually means we are having trouble binding wit...

I've been able to get the sensor installed on a few DCs, but on others I just get the error "The Sensor failed to register due to connectivity issues." I don't see anything obviously different about the DCs where the install works and where I am getting...
44 Views
5 Replies
Hi Eric, Check the sensor log directory under c:\program files\azure advanced threat protection sensor.

Hi all,

I've joined the program and deployed the first Sensor to my Primary Domain Controller and done the first tests. Success.

Tested deploying a sensor to a 2016 Core DC I'm running. Is it supported?
command:
"Azure ATP Sensor Setup.exe" /q NetFrameworkC...
35 Views
3 Replies
Yes, you have to add some switches to the command line to get it to run. You can run Azure ATP Sensor Setup.exe /? to see them all, but what I used was \Azure ATP Sensor...

Hi. Is there any error or pop up? If not, can you check the install log file. It will be under C:\users\<yourusername>\appdata\local\temp\ look for something with sens...

Well, so far so good!

 

I've created my workspace and onboarded a few DCs. Tried making a simple DNS AXFR against the DC DNS, and got rewarded with a nice alert. So far it feels pretty much exactly like ATA, which I guess is exactly the point!

The weak spot...
49 Views
5 Replies

I've done the same tests. email received..

now I'm wondering if the "Learning time" is the same as in ATA (3-4 weeks)

Hi Fredrik, Have you tried configuring the syslog notifications? Similar to ATA this is the alternate notification mechanism for alerts.

In terms of future plans, I'd l...
Have you actually received an e-mail alert?
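The two DNS threads above (Stefan's reverse-lookup sweep that goes unnoticed, and Fredrik's AXFR that was rewarded with an alert) both come down to what is visible in the DNS server's own query log. The following is an added example, not code from any post in this board and not Azure ATP's detection logic: it flags zone-transfer requests and, as a complement for the PTR sweep, any client that reverse-resolves many hosts of one /24 in a short window. The four-field log format, the sample lines, the 20-host threshold and the 5-minute window are all constructed assumptions; map your DNS server's query or analytic log into those four fields to run it against real data.

```python
"""Detection over DNS server query logs: zone-transfer attempts and PTR sweeps.

Added example for this thread; it is not Azure ATP's detection logic and not
code from any post above. The log line format is a constructed, simplified
one: "<ISO-8601 UTC time> <client IP> <query type> <query name>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data, not a real capture. 10.1.1.50 requests a zone
# transfer (the AXFR test in the thread); 10.1.1.60 walks 10.1.2.0/24 with one
# PTR query per host, like the cmd "for /L" loop in the post above; 10.1.1.70
# is ordinary traffic that must not be flagged.
SAMPLE_LOG = "\n".join(
    ["2017-12-05T10:00:00Z 10.1.1.50 AXFR corp.example."]
    + [f"2017-12-05T10:01:{i:02d}Z 10.1.1.60 PTR {i}.2.1.10.in-addr.arpa."
       for i in range(1, 41)]
    + ["2017-12-05T10:02:00Z 10.1.1.70 PTR 5.2.1.10.in-addr.arpa.",
       "2017-12-05T10:02:01Z 10.1.1.70 A fileserver.corp.example."]
)


def parse_log(text):
    """Parse the constructed four-field format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": ipaddress.ip_address(client),
            "qtype": qtype.upper(),
            "qname": qname.lower(),
        })
    return events


def ptr_target(qname):
    """'5.2.1.10.in-addr.arpa.' -> IPv4Address('10.1.2.5'); None if not a v4 PTR name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def find_zone_transfers(events):
    """(client, zone) pairs that asked for a full or incremental zone transfer."""
    return sorted({(str(e["client"]), e["qname"])
                   for e in events if e["qtype"] in ("AXFR", "IXFR")})


def find_ptr_sweeps(events, threshold=20, window=timedelta(minutes=5)):
    """Clients that reverse-resolve >= threshold distinct hosts of one /24 within `window`.

    Returns {(client, network): most distinct hosts seen in any one window}.
    Threshold and window are tuning assumptions; a monitoring box that
    legitimately does bulk reverse lookups needs an allow-list on `client`.
    """
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["qtype"] != "PTR":
            continue
        ip = ptr_target(e["qname"])
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_key[(str(e["client"]), str(net))].append((e["time"], ip))

    hits = {}
    for key, queries in per_key.items():
        recent = deque()             # (time, ip) inside the sliding window
        hosts = defaultdict(int)     # ip -> number of recent queries for it
        for t, ip in queries:
            recent.append((t, ip))
            hosts[ip] += 1
            while t - recent[0][0] > window:   # expire queries older than the window
                _, old_ip = recent.popleft()
                hosts[old_ip] -= 1
                if hosts[old_ip] == 0:
                    del hosts[old_ip]
            if len(hosts) >= threshold:
                hits[key] = max(hits.get(key, 0), len(hosts))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("zone transfers:", find_zone_transfers(evs))
    print("PTR sweeps:", find_ptr_sweeps(evs))
```

Run as-is, it reports the AXFR client and the sweeping client and stays quiet about the single PTR lookup. Before wiring this to an alert, allow-list DCs and scanners that legitimately do bulk reverse lookups, and keep counting lookups that returned NXDOMAIN: as the reply above notes, failed recon queries are still recon, and an attacker walking a subnet hits the unused addresses too.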

Q: When I enable the Azure ATP Promocode - Do I use our corporate AAD tenant for the license enablement, but use a lab/test domain for the first test? Or should the AAD tenant used also be a separate test tenant/user for the lab/test domain?

A: The pro...
36 Views
1 Reply

The workspaces limit will be raised to 5 - ETA the 17th of November.

Ran into this limit, and Amit talked to the team and agreed to raise it.

A: Check the sensor log directory under c:\program files\azure advanced threat protection sensor. If you see this error - "System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid." - then you will need to review the user defin...
32 Views
0 Reply

We have not yet announced the pricing or licensing model for Azure ATP. This will be announced closer to the release date next year.

35 Views
0 Reply

Hi all,

I had this question myself and wanted to share the answer. You can't run both clients (Gateway, Sensor) together on one DC.

25 Views
1 Reply
Thanks Johan. To provide some additional information on the answer - Azure ATP uses a different “Sensor” than the ATA Lightweight Gateways. If you are running ATA today a...