Azure ATP running in Azure IaaS Environment


My company has multiple different domains we are protecting with AATP.  All of the domains except 1 are located on premise.  We have a single domain running on Windows VMs located in Azure IaaS.  This domain is not connected to anything on premise.  We are using AD DNS servers for name resolution within the domain.  I have full access open outbound in the network security groups from the DC subnet to all other subnets AND full access open inbound in the other subnets from the DC subnet.  I am able to ping the different Windows servers by their NetBIOS name from the DCs.  I am receiving the following health warning in the Azure IaaS environment.


Low success rate of active name resolution using NetBIOS.
2 Sensors have low success rates of active name resolution using NetBIOS. Azure ATP may issue more false positive alerts and accurate detection capabilities may be affected.


Are there known 'issues' with using AATP in Azure IaaS environments?  Is there a place where AATP specifies which server(s) it is having issues resolving their NetBIOS names?


Thanks,

Brian

5 Replies

@Brian_Sutton  The sensor will try to contact endpoints that contacted the DC via port 137/Udp.

If they failed to respond, this health alert will be generated.

It usually happens if for most machines this 137/udp port is not accessible, or fails to respond within 500 ms.


@Eli Ofek I double checked our Azure Network Security Group setup and the appropriate access is open. I also tested connecting to UDP 137 from our DCs using the Test-Port.ps1 PowerShell script and it returned Open = True.


We do have 2 Linux firewalls in the environment but I don't believe AATP even knows that they exist.  UDP 137 access was already open from the DC subnet however name resolution wasn't working.  I temporarily patched the hosts file on the DCs and will see if the health warning returns tomorrow.


Do you have any other ideas?  The message states the sensors are having 'low success rates'.  Is there a log somewhere that specifies which system(s) the sensors are having issues connecting to?  Is it the same message if the sensors can't connect to a single server vs. multiple/all servers?


Thanks again for your input!


Hosts file would not work for this.

This is not a DNS based name resolution.

The idea is that if we see this IP on network traffic, we verify its identity using multiple methods.

One of these methods is sending a crafted payload to Udp/137 that is expected to make the endpoint reply with its NetBIOS name.


The alert will pop up if more than 90% of our tries failed.

This could be due to a blocked port or high latency to many endpoints, or to a few endpoints that are responsible for most of the traffic.


We can turn on a trace for a few hours which will tell us which IPs are failing, but you need to contact support for that.
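
The mechanism Eli describes above (a crafted UDP/137 node status request that the endpoint answers with its NetBIOS name, judged against a 500 ms budget) can be reproduced from a DC against your own servers to see which ones would count as failures before a support trace is available. This is an added Python example, not Azure ATP's or Microsoft's code; the host name AZDC01 and domain CONTOSO in the constructed sample reply are assumptions.

```python
import socket, struct, time

def encode_name(raw16: bytes) -> bytes:
    # NetBIOS first-level encoding: each nibble of the 16-byte name becomes a letter 'A'..'P'.
    return bytes(c for b in raw16 for c in (0x41 + (b >> 4), 0x41 + (b & 0xF)))

def build_node_status_query(tx_id: int) -> bytes:
    # 12-byte header (QDCOUNT=1), wildcard name "*" padded with NULs, QTYPE=NBSTAT, QCLASS=IN.
    name = b"\x20" + encode_name(b"*" + b"\x00" * 15) + b"\x00"
    return struct.pack(">HHHHHH", tx_id, 0, 1, 0, 0, 0) + name + struct.pack(">HH", 0x21, 1)

def parse_node_status_response(data: bytes, tx_id: int) -> list:
    """Return [(name, suffix, is_group)] from a NODE STATUS RESPONSE, or raise ValueError."""
    rid, flags, _qd, an = struct.unpack(">HHHH", data[:8])
    if rid != tx_id or not flags & 0x8000 or an == 0:
        raise ValueError("not a matching node status response")
    off = 12
    while data[off]:            # skip the echoed, length-prefixed name labels
        off += 1 + data[off]
    off += 1 + 10               # label terminator, then TYPE, CLASS, TTL, RDLENGTH
    names = []
    for i in range(data[off]):  # NUM_NAMES, followed by 18-byte name entries
        raw, suffix, nflags = struct.unpack(">15sBH", data[off + 1 + 18 * i:][:18])
        names.append((raw.decode("ascii", "replace").rstrip(), suffix, bool(nflags & 0x8000)))
    return names

def computer_name(names):
    # The unique (non-group) name with suffix 0x00 is the workstation service, i.e. the host name.
    return next((n for n, sfx, grp in names if sfx == 0x00 and not grp), None)

def probe(ip: str, timeout: float = 0.5):  # 0.5 s = the 500 ms budget mentioned in the thread
    """Send the query to ip:137; return (name or None, seconds elapsed)."""
    tx_id, start = 0x1234, time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(tx_id), (ip, 137))
        try:
            data, _ = s.recvfrom(576)
            return computer_name(parse_node_status_response(data, tx_id)), time.monotonic() - start
        except (OSError, ValueError):  # timeout (an OSError), ICMP unreachable, or a bad reply
            return None, time.monotonic() - start

# Constructed response (not a real capture): host AZDC01 in domain CONTOSO, three names.
def _entry(name: str, suffix: int, flags: int) -> bytes:  # one 18-byte NODE_NAME entry
    return name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
                   + b"\x20" + encode_name(b"*" + b"\x00" * 15) + b"\x00"
                   + struct.pack(">HHIH", 0x21, 1, 0, 1 + 3 * 18 + 6) + bytes([3])
                   + _entry("AZDC01", 0x00, 0x6400) + _entry("CONTOSO", 0x00, 0xE400)
                   + _entry("AZDC01", 0x20, 0x6400) + bytes(6))  # trailing 6 bytes: zeroed MAC
```

Run `probe(ip)` from a DC against each server the sensor sees traffic from; a result of None, or an elapsed time above 0.5 s, is what the health alert counts as a failed try.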


@Eli Ofek Per your recommendation, I opened a support ticket (6/26 at 9:02 AM ET) however I haven't received a single update from Microsoft support yet. I updated the case twice asking for an update but still haven't heard from anyone.  Can you assist with pushing this forward (ID = 119062624001365)?  Thanks!


@Brian_Sutton, apologies for the delay; it seems that support are currently under heavy load.

I will see what I can do to push this faster.