Queries on Microsoft Azure ATP


Hi,

I am going to start a new deployment of Azure ATP for one of my customers. I am aware of how Microsoft ATA works, but there are a few things which are different in Microsoft Azure ATP when compared to Microsoft ATA.

I have a few queries for which I am trying to get some answers. I tried searching the official documentation Microsoft created for Azure ATP, but I am unable to find the answers to my queries in it. Below are my queries pertaining to Azure ATP:

1) Can I modify the certificate used by Azure ATP to establish the secure connection between the ATP portal and the Sensor, like in Microsoft ATA? If yes, where can I do so?

2) What is the certificate used for TLS (Secured Syslog) for Splunk integration with the Syslog server? I need to install the certificate on my Splunk for secured communication with the Dedicated Sensor.

3) What is the database used by Azure ATP? In Microsoft ATA, as we all know, it is MongoDB. Likewise, I would like to know what is used for Azure ATP. Is it the same DB?

4) How long are the alerts stored in the Azure ATP cloud service? When do the logs/alerts start purging due to excessive logging? In the case of Microsoft ATA, the logs/alerts start purging when the dedicated storage for logging gets exhausted.

5) Under the Syslog settings, if I configure one Sensor for forwarding the alerts to Splunk, will it forward only the alerts generated on that specific ATP Sensor to Splunk, or will it forward all the alerts generated on all the ATP Sensors in my domain to Splunk?

It would be nice if someone could provide the answers to my queries above, or share with me the document which would contain the answers to my queries.

3 Replies

@Karthik1600

Hi Karthik,

Azure ATP is significantly different to ATA. More information about the architecture of Azure ATP can be found here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture

In answer to your specific questions ...

1) Can I modify the certificate used by Azure ATP to establish the secure connection between the ATP portal and the Sensor, like in Microsoft ATA? If yes, where can I do so?

You do not need to configure a certificate to establish a secure connection between the Azure ATP service and the Sensor -- a secured HTTPS connection is automatically established when you connect the sensor to the service. Information about installing the sensor can be found here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step4

If you use a proxy to connect the DCs to the service, information about how to set that up can be found here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy

2) What is the certificate used for TLS (Secured Syslog) for Splunk integration with the Syslog server? I need to install the certificate on my Splunk for secured communication with the Dedicated Sensor.

The Azure ATP sensor does not enable you to select a specific certificate -- it checks the server certificate to ensure there are no SSL policy errors like chain errors or name mismatches.

3) What is the database used by Azure ATP? In Microsoft ATA, as we all know, it is MongoDB. Likewise, I would like to know what is used for Azure ATP. Is it the same DB?

The Azure ATP service uses a different backend database which is not accessible to customers.

4) How long are the alerts stored in the Azure ATP cloud service? When do the logs/alerts start purging due to excessive logging? In the case of Microsoft ATA, the logs/alerts start purging when the dedicated storage for logging gets exhausted.

Since Azure ATP is a service, the logs/alerts are not purged in the same way as ATA. Currently Azure ATP data is stored for at least 6 months.

5) Under the Syslog settings, if I configure one Sensor for forwarding the alerts to Splunk, will it forward only the alerts generated on that specific ATP Sensor to Splunk, or will it forward all the alerts generated on all the ATP Sensors in my domain to Splunk?

The sensor will forward ALL alerts from your Azure ATP instance to your SIEM. Note that the alerts are generated by the Azure ATP service, not by each Sensor.

Hope that helps.

Regards,
Astrid
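The reply above says the sensor accepts the syslog server's certificate only if it passes chain validation and name matching. The following pre-flight checker is an added example (not code from this thread, from Microsoft or from Splunk) that performs those same two checks from a client's point of view against a TLS syslog listener, so a chain or name problem on the Splunk side can be found and fixed before the sensor is pointed at it. The host, port and CA bundle path are assumptions supplied by the caller; the default hostname in the `__main__` block is a placeholder.

```python
"""Pre-flight TLS check for a syslog-over-TLS listener (e.g. a Splunk TLS input).

Added example; not part of Azure ATP, Microsoft or Splunk. It mirrors the two
policy checks described for the sensor: the server certificate must chain to a
trusted CA and its name must match the host the client connects to.
"""
import socket
import ssl

# OpenSSL X509 verify result codes as exposed on
# ssl.SSLCertVerificationError.verify_code (CPython 3.7+).
_HOSTNAME_MISMATCH = 62             # X509_V_ERR_HOSTNAME_MISMATCH
_VALIDITY_CODES = {9, 10}           # CERT_NOT_YET_VALID, CERT_HAS_EXPIRED
_CHAIN_CODES = {2, 18, 19, 20, 21}  # missing issuer, self-signed, untrusted, incomplete chain


def classify_verify_error(exc):
    """Reduce a certificate verification failure to the class an admin has to fix."""
    code = getattr(exc, "verify_code", None)
    if code == _HOSTNAME_MISMATCH:
        return "name_mismatch"       # SAN/CN does not cover the configured hostname
    if code in _VALIDITY_CODES:
        return "validity_period"     # expired or not yet valid
    if code in _CHAIN_CODES:
        return "chain_error"         # does not chain to a CA the client trusts
    return "other_policy_error"


def check_syslog_tls(host, port, cafile=None, timeout=5.0):
    """Connect as a strict TLS client and report why the handshake fails, if it does.

    cafile: optional PEM bundle containing the CA that issued the listener's
    certificate. Without it the platform's default trust store is used (the
    sensor itself relies on the Windows machine store; that is an assumption
    about deployment, not something this script configures).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                    "not_after": cert.get("notAfter"),
                    "protocol": tls.version(),
                }
    except ssl.SSLCertVerificationError as exc:
        # The listener answered, but its certificate fails policy checks.
        return {
            "ok": False,
            "reason": classify_verify_error(exc),
            "detail": getattr(exc, "verify_message", str(exc)),
        }
    except (ssl.SSLError, OSError) as exc:
        # Refused, timed out, a plain-TCP listener on that port, handshake failure, etc.
        return {"ok": False, "reason": "connection_error", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    # Placeholder defaults; pass host, port and CA bundle on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "splunk.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6514
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_syslog_tls(host, port, cafile))
```

Run it from a host that can reach the Splunk TLS input, using the same hostname you intend to enter in the sensor's syslog settings: a `name_mismatch` result means the listener's certificate does not cover that hostname, and a `chain_error` means the issuing CA is not trusted on the machine running the check, which is the same condition the sensor's policy check would reject.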

@Astrid McClean

Hi Astrid,

Thank you for the quick and descriptive response. I have a few follow-up queries.

1) Would I be able to modify the certificate used, based on my requirement, for the Azure ATP service and ATP Sensor communication and for Syslog integration with Splunk over a TLS connection?

2) I understand logs don't get purged in Azure ATP, but may I know what would happen to the logs after 6 months?

Thank you.

@Karthik1600

Hi Karthik,

1) Would I be able to modify the certificate used, based on my requirement, for the Azure ATP service and ATP Sensor communication and for Syslog integration with Splunk over a TLS connection?

No, you are not able to modify the certificate for the Azure ATP Service/sensor communications - I'd be interested in understanding which of your specific requirements are not met by the current secured connection (feel free to private message me with the information if you are not able to share it in this forum).

You also cannot modify the syslog certificate from the Azure ATP side.

2) I understand logs don't get purged in Azure ATP, but may I know what would happen to the logs after 6 months?

Our data management policies can be found here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-privacy-compliance. For information about Azure ATP trust and compliance, see the Service Trust portal and the Microsoft 365 Enterprise GDPR Compliance site.

Regards,

Astrid