SOLVED

Azure ATP not detecting reconnaisance activities


I have successfully installed the sensor on the DC, as the portal shows the number of LDAP objects registered in the DC.

 

However, I am not seeing any activities for either the devices or the users that conducted the following reconnaissance playbook in the test.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-playbook-reconnaissance

 

The strange thing is that the DC with the sensor installed is showing some DNS-related activities, and the device is also showing some activities, but none of them are related to the reconnaissance playbook.

 

Any help is appreciated. Thanks in advance.

3 Replies
Best Response confirmed by Kengo Suzuki (New Contributor)
Solution

Hi @Kengo Suzuki ,

 

Is it the only DC in the env? If there are more DCs, maybe the traffic went to them and not to the one with the sensor.

Do you have any health alerts? 

 

Thanks,

Tali
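The check behind this answer, as an added example that is not part of the thread or of Microsoft's own tooling: from the test workstation, list every DC in the domain, work out which DC this host actually uses for its secure channel and Kerberos tickets, and see whether that DC has a running sensor. Reconnaissance traffic (LDAP, SAMR, Kerberos) is only visible to Azure ATP when it lands on a DC that has a sensor, so a workstation pointed at an uncovered DC produces no activities. Assumptions: the RSAT ActiveDirectory module and WinRM access to the DCs are available, and the sensor runs as the Windows service "AATPSensor" (confirm the name in services.msc on a sensored DC). The LDAP counter is included because the eventual fix in this thread was to put a sensor on the busiest DC.

```powershell
# Added example, not from the thread. Run on the test workstation as a domain
# user with rights to query the DCs. Assumes: RSAT ActiveDirectory module,
# WinRM to the DCs, and that the Azure ATP sensor runs as the Windows service
# "AATPSensor" (verify in services.msc on a sensored DC).

Import-Module ActiveDirectory

# All DCs in the domain. Recon traffic is only seen by Azure ATP if the DC it
# lands on has a sensor, so the coverage set matters.
$allDcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Which DC this workstation actually uses. nltest prints a line like
#   "           DC: \\DC01.contoso.com"; LOGONSERVER is the NetBIOS fallback.
$dcLine = nltest /dsgetdc:$env:USERDNSDOMAIN |
    Select-String -Pattern '\bDC:\s+\\\\(\S+)' | Select-Object -First 1
$usedDc = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value } else { $env:LOGONSERVER.TrimStart('\') }

# Which KDC issued the current Kerberos tickets (klist prints "KDC called: <dc>").
$kdcs = klist | Select-String -Pattern 'KDC called:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique

# Sensor service state and LDAP load on every DC.
$report = foreach ($dc in $allDcs) {
    $svc = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        Get-Service -Name AATPSensor -ErrorAction SilentlyContinue
    }
    $ldap = try {
        (Get-Counter -ComputerName $dc -Counter '\NTDS\LDAP Searches/sec' `
            -SampleInterval 5 -MaxSamples 1).CounterSamples[0].CookedValue
    } catch { $null }
    [pscustomobject]@{
        DC                 = $dc
        SensorService      = if ($svc) { $svc.Status } else { 'not installed / unreachable' }
        LdapSearchesPerSec = $ldap
        UsedByThisHost     = ($dc -like "$usedDc*") -or ($kdcs -contains $dc)
    }
}

$report | Sort-Object LdapSearchesPerSec -Descending | Format-Table -AutoSize

# A DC that this host uses but that has no running sensor explains the missing
# detections; a busy DC without a sensor is the next one to cover.
$report | Where-Object { $_.UsedByThisHost -and $_.SensorService -ne 'Running' }
```

Run the reconnaissance playbook again while the report shows which DC the workstation is bound to; if that DC is not in the sensored set, either add a sensor there or repoint the test host (for example with nltest /sc_reset) at a DC that is.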

Hi @Tali Ash 

 

Thanks for your response.

 

> Is it the only DC in the env? If there are more DCs, maybe the traffic went to them and not to the one with the sensor.

 

OK, I will try installing another sensor on another DC.

 

> Do you have any health alerts? 

 

Yes, I have some alerts which could impact the following settings.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy

 

However, as in the attachment, the name is being resolved without a problem on the machine where I had the detection issue.

 

Again, I might try installing the sensor to another DC for now.
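The NNR health alerts mentioned above are worth checking from the right vantage point. The sensor resolves client IPs to names from the DC it runs on, using the methods in the linked NNR policy page (NTLM over RPC on TCP 135, NetBIOS on UDP 137, RDP on TCP 3389, and reverse DNS), so a name resolving fine on the client says little about what the DC can do. The following is an added example, not code from the thread or from Microsoft: run it on the sensored DC against the test workstation's IP to see which of the four methods actually get an answer. The function name Test-AtpNnr and the script parameter are mine.

```powershell
# Added example, not from the thread. Run on the DC that hosts the sensor,
# against the IP of the test workstation. Ports follow the NNR policy page
# linked above; Test-AtpNnr is a name chosen for this example.

param([Parameter(Mandatory)][string]$ClientIp)

function Test-AtpNnr {
    param([string]$Ip)
    $results = [ordered]@{}

    # NTLM over RPC (TCP 135) and RDP (TCP 3389): a plain TCP connect shows
    # whether the client answers on the port at all (host firewall is the
    # usual blocker).
    foreach ($port in 135, 3389) {
        $results["TCP $port"] = Test-NetConnection -ComputerName $Ip -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # NetBIOS (UDP 137): nbtstat -A prints the remote name table when the
    # client replies; a "<00> UNIQUE" entry is the workstation name.
    $nbt = nbtstat -A $Ip 2>$null
    $results['NetBIOS UDP 137'] = [bool]($nbt | Select-String -Pattern '<00>\s+UNIQUE')

    # Reverse DNS: PTR lookup through this DC's configured DNS servers.
    try {
        $results['Reverse DNS'] = [System.Net.Dns]::GetHostEntry($Ip).HostName
    } catch {
        $results['Reverse DNS'] = $null
    }

    [pscustomobject]$results
}

Test-AtpNnr -Ip $ClientIp
```

If every column comes back false or empty, the sensor cannot attribute traffic from that IP to a device name, which matches the NNR health alert; opening one of the TCP ports on the client firewall, or fixing the PTR record, is the usual remedy.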

 

Hi @Tali

After I installed the sensor on the DC with the most traffic, it seems Azure ATP is raising alerts properly. Thanks!