Azure ATP network traffic


Hi All,

I'm planning on turning on Azure ATP, but due to our network bandwidth I'm a little worried about the log size and amount of logs that will be generated.

Can anyone who is already using this feature let me know your experience and the log size and burden on the network?

Thank you

3 Replies

Hi Khaled,

The amount of data sent to Azure ATP is dependent on the amount of traffic your Domain Controllers receive. Typically, after we parse the traffic, we send only 1-3% of the total traffic to the service for processing.

In terms of logs, these will be held on the DC which is running the Sensor and again the size will depend on how busy your environment is. We recommend that 10GB of free space is available for Sensor logs.

Let us know if you have any further questions.


@Astrid McClean Hi Astrid,
Can you tell me if the capacity information "we send only 1-3% of the total traffic to the service for processing." is current?

If so, would I use the network performance data captured in the capacity planning tool?
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning

Would I use 1-3% of Max Packet /secs column?

Thank you


@Bryan Bishop 

@Astrid McClean would love to know the answer to the question above as well.