Azure ATP syslog events - Firewall settings ???


Hi,

 

what is/are the range(s) to open (on our perimeter firewall) towards our internal syslog proxy (that forwards to the internal SIEM), that is to receive AATP syslog events ??

I didn't find any mention of this...  I hope it's NOT the entire Azure range ??

And if it is, does this also include non-Microsoft Azure ranges ? (would be crazy !!!!!)

 

Thanks in advance for any feedback.

7 Replies

@PhilippeA  No syslogs are sent from Azure directly to the Intranet.

In the AATP portal, you need to designate one sensor to be the syslog sender,

and this sensor will send the syslog messages to your syslog receiver.

Hopefully they are both within the same network and don't need to cross network bounds.

And you only need the syslog port open between the designated sensor and the syslog receiver.

The designated sensor pulls the data from the backend and then sends it.
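The design described in this reply reduces the firewall question to one flow: designated sensor to syslog receiver on the syslog port. The following is an added example (not from the thread or from Microsoft) that audits a first-match firewall rule list for exactly that property, and flags the over-broad "open the receiver to the Internet" rule the question was worried about. All addresses, the rule format and the TLS port 6514 are constructed assumptions.

```python
# Added example: audit a first-match firewall rule list so that the syslog
# receiver port is reachable only from the designated AATP sensor.
# All addresses and rules below are constructed placeholders.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


def matches(rule, src, dst, dport, proto):
    return (rule.proto == proto and rule.dport == dport
            and src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst))


def is_allowed(rules, src_ip, dst_ip, dport, proto="tcp"):
    """First matching rule wins; no match means deny (typical perimeter default)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src, dst, dport, proto):
            return rule.action == "allow"
    return False


def audit_syslog_path(rules, sensor_ip, receiver_ip, dport, other_sources):
    """Return findings; an empty list means only the sensor can reach the receiver."""
    findings = []
    if not is_allowed(rules, sensor_ip, receiver_ip, dport):
        findings.append(f"designated sensor {sensor_ip} cannot reach {receiver_ip}:{dport}")
    for src in other_sources:
        if is_allowed(rules, src, receiver_ip, dport):
            findings.append(f"{src} can reach {receiver_ip}:{dport}; only the sensor needs this")
    return findings


# Constructed sample: one sensor, one receiver, syslog over TLS on 6514/tcp (assumed port).
SENSOR, RECEIVER, PORT = "10.0.1.20", "10.0.2.5", 6514
# Probe sources: another internal host plus two public addresses from documentation ranges.
PROBES = ["10.0.1.99", "203.0.113.10", "198.51.100.7"]
TIGHT = [Rule("allow", "10.0.1.20/32", "10.0.2.5/32", 6514, "tcp")]
# The over-broad rule set the question feared: the whole Internet allowed in to the receiver.
BROAD = [Rule("allow", "0.0.0.0/0", "10.0.2.5/32", 6514, "tcp")]

if __name__ == "__main__":
    print(audit_syslog_path(TIGHT, SENSOR, RECEIVER, PORT, PROBES))  # []
    print(audit_syslog_path(BROAD, SENSOR, RECEIVER, PORT, PROBES))  # three findings
```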


Eli Ofek, Thanks for your feedback.

 

I'm not an ATP expert, but from what I've been told, there's a way to have AATP send alerts to our internal SIEM, and that goes over the Internet, and it can only be an inbound connection (from our perspective)... The doc indeed talks about a 'sensor', but also mentions the FQDN, incl. port, of the 'service endpoint', i.e. the (internal) syslog server, so at some point we'll have to open the perimeter firewall to allow that traffic, and my question is: what IPs are we supposed to allow (inbound)?? While TLS is supported (so we could use an F5 VIP with an SSL profile to filter, but that's already behind the FW)... we can't allow the whole world to get into the DMZ, even if we can use TLS to filter out potential rogue traffic...

 

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/setting-syslog


No internet is involved in syslog transport.

In the linked doc, the sensor is the designated sensor you chose to send the syslog messages in your internal network (the sensor itself will pull data from the backend via its normal channel).

The service endpoint is the FQDN+port of your SIEM / syslog server/receiver.

I

 


Or should I understand your reply as "syslog notifications are always sent from AATP to a sensor that is inside your network, and de facto acts as a syslog proxy"???


@PhilippeA yes, with one correction: the notifications are not sent/pushed, they are pulled by the sensor from the backend (when available).


OK, that makes more sense now...  ;)

(the techs are gonna be happy, they were freaking out...    :-))

 

Any idea whether the 'pull' approach induces any delay, and if yes, how much (+-) ?

 

And btw, many, many thanks !!!


@PhilippeA I can estimate 1-30 sec delay.