Sep 27 2019 02:21 AM
I am going to start a new deployment of Azure ATP for one of my customers. I am aware of how Microsoft ATA works, but there are a few things which are different in Microsoft Azure ATP when compared to Microsoft ATA.
I have a few queries for which I am trying to get some answers. I tried searching the official Microsoft documentation for Azure ATP, but I am unable to find the answers to my queries in it. Below are my queries pertaining to Azure ATP:
1) Can I modify the certificate used by Azure ATP to establish the secure connection between ATP portal and Sensor like in Microsoft ATA? If yes, where can I do so?
2) What is the certificate used for TLS (Secured Syslog) for Splunk integration with the Syslog server? I need to install the certificate on my Splunk for secured communication with the Dedicated Sensor.
3) What is the database used by Azure ATP? In Microsoft ATA, as we all know, it is MongoDB. Likewise, I would like to know what is used for Azure ATP. Is it the same DB?
4) How long are the alerts stored in the Azure ATP cloud service? When do the logs/alerts start purging due to excessive logging? In the case of Microsoft ATA, the logs/alerts start purging when the dedicated storage for logging gets exhausted.
5) Under the Syslog settings, if I configure one Sensor for forwarding the alerts to Splunk, will it forward only the alerts generated on that specific ATP Sensor to the Splunk or will it forward all the alerts generated on all the ATP Sensors in my domain to the Splunk?
It would be nice if someone could provide the answers to my above queries or share with me the document which contains the answers to them.
Sep 27 2019 09:13 AM
Azure ATP is significantly different to ATA. More information about the architecture of Azure ATP can be found here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture
In answer to your specific questions ...
Sep 27 2019 10:06 AM
Thank you for the quick and descriptive response. I have a few follow-up queries.
1) Would I be able to modify the certificate used, based on my requirements, for the communication between the Azure ATP service and the ATP Sensor, and for the Syslog integration with Splunk over a TLS connection?
2) I understand logs don't get purged in Azure ATP, but may I know what would happen to the logs after 6 months?