Forum Discussion
Brian_Sutton
Jun 24, 2019 · Copper Contributor
Azure ATP running in Azure IaaS Environment
My company has multiple different domains we are protecting with AATP. All of the domains except 1 are located on premise. We have a single domain running on Windows VMs located in Azure IaaS. Thi...
EliOfek
Microsoft
Jun 24, 2019
Brian_Sutton The sensor will try to contact endpoints that contacted the DC via port 137/UDP.
If they fail to respond, this health alert will be generated.
It usually happens if, for most machines, this 137/UDP port is not accessible or fails to respond within 500 ms.
Brian_Sutton
Jun 25, 2019 · Copper Contributor
EliOfek I double-checked our Azure Network Security Group setup and the appropriate access is open. I also tested connecting to UDP 137 from our DCs using the Test-Port.ps1 PowerShell script and it returned Open = True.
We do have 2 Linux firewalls in the environment but I don't believe AATP even knows that they exist. UDP 137 access was already open from the DC subnet however name resolution wasn't working. I temporarily patched the hosts file on the DCs and will see if the health warning returns tomorrow.
Do you have any other ideas? The message states the sensors are having 'low success rates'. Is there a log somewhere that specifies which system(s) the sensors are having issues connecting to? Is it the same message if the sensors can't connect to a single server vs. multiple/all servers?
Thanks again for your input!
- EliOfek Jun 25, 2019
Microsoft
The hosts file would not work for this.
This is not a DNS-based name resolution.
The idea is that if we see this IP in network traffic, we verify its identity using multiple methods.
One of these methods is sending a crafted payload to UDP/137 that is expected to make the endpoint reply with its NetBIOS name.
The alert will pop up if more than 90% of our tries failed.
This could be due to a blocked port, or high latency to many endpoints, or to a few endpoints that are responsible for most of the traffic.
We can turn on a trace for a few hours which will tell us which IPs are failing, but you need to contact support for that.
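The verification EliOfek describes is a NetBIOS node-status query (the same request `nbtstat -A` sends): a UDP/137 datagram for the wildcard name `*` of type NBSTAT, to which a Windows host answers with its NetBIOS name table. The following script is an added example for reproducing that check from a DC, not code from the thread or from Microsoft; it implements the standard RFC 1002 request and response layout rather than Azure ATP's own payload, which the thread does not show, and the address `192.0.2.10` is a placeholder to replace with a real endpoint. It applies the 500 ms reply window mentioned above so that a "timeout" result corresponds to the case the health alert counts as a failure.

```python
"""NetBIOS node-status (NBSTAT) probe on UDP/137: does an endpoint answer
with its NetBIOS name within the 500 ms window the thread mentions?"""
import socket
import struct
import time

NBSTAT_PORT = 137
RESPONSE_TIMEOUT_S = 0.5             # reply window cited in the thread
NBSTAT_QTYPE = 0x0021                # RFC 1002 NODE STATUS REQUEST
WILDCARD_NAME = b"*" + b"\x00" * 15  # the '*' name: 1 byte plus 15 NULs


def encode_nb_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P'."""
    assert len(raw16) == 16
    encoded = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))
    return b"\x20" + encoded + b"\x00"  # 32-byte label plus root terminator


def build_node_status_request(txid: int) -> bytes:
    """12-byte NBNS header followed by one question: '*' / NBSTAT / IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_nb_name(WILDCARD_NAME) + struct.pack(">HH", NBSTAT_QTYPE, 0x0001)
    return header + question


def parse_node_status_response(data: bytes, expected_txid: int) -> list:
    """Return [(name, suffix, is_group), ...] from a NODE STATUS RESPONSE.
    Raises ValueError when the datagram is not an answer to our query."""
    if len(data) < 12:
        raise ValueError("short datagram")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response to our query")
    off = 12
    while data[off] != 0:           # skip the answer's name (label sequence)
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT_QTYPE:
        raise ValueError("answer is not an NBSTAT record")
    count = data[off]
    off += 1
    names = []
    for _ in range(count):          # each entry: 15-byte name, suffix, 2 flag bytes
        entry = data[off:off + 18]
        off += 18
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix = entry[15]
        name_flags = struct.unpack(">H", entry[16:18])[0]
        names.append((name, suffix, bool(name_flags & 0x8000)))  # G bit = group name
    return names


def computer_name(names: list):
    """The unique <00> entry is the machine's own NetBIOS name."""
    for name, suffix, is_group in names:
        if suffix == 0x00 and not is_group:
            return name
    return None


def probe(ip: str, timeout: float = RESPONSE_TIMEOUT_S) -> dict:
    """Send one NBSTAT query and report whether the host answered in time."""
    txid = int(time.time() * 1000) & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(build_node_status_request(txid), (ip, NBSTAT_PORT))
            data, _peer = s.recvfrom(1024)
        except socket.timeout:      # the failure mode the health alert counts
            return {"ip": ip, "ok": False, "error": "no reply within %.0f ms" % (timeout * 1000)}
        except OSError as exc:      # e.g. ICMP port unreachable surfaced on the socket
            return {"ip": ip, "ok": False, "error": str(exc)}
        latency_ms = (time.monotonic() - start) * 1000
    try:
        names = parse_node_status_response(data, txid)
    except ValueError as exc:
        return {"ip": ip, "ok": False, "error": str(exc)}
    return {"ip": ip, "ok": True, "latency_ms": round(latency_ms, 1),
            "name": computer_name(names)}


def build_sample_response(txid: int, names: list) -> bytes:
    """Constructed reply for offline testing; not captured from a real host."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    entries = b"".join(n.encode("ascii").ljust(15, b" ") + bytes([sfx])
                       + struct.pack(">H", 0x8000 if grp else 0x0000)
                       for n, sfx, grp in names)
    rdata = bytes([len(names)]) + entries + b"\x00" * 46  # MAC and statistics zeroed
    answer = struct.pack(">HHIH", NBSTAT_QTYPE, 0x0001, 0, len(rdata)) + rdata
    return header + encode_nb_name(WILDCARD_NAME) + answer


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["192.0.2.10"]:  # placeholder address, replace it
        print(probe(target))
```

Run it from the DC against the endpoints that generate most of the DC's traffic: an `ok: False` with `no reply within 500 ms` from a host whose port is open per Test-Port.ps1 points at latency or at a host-side NetBIOS-over-TCP/IP setting rather than at the NSG, while a parse error means something other than a Windows NBNS responder is answering on 137.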
- Brian_Sutton Jul 01, 2019 · Copper Contributor
EliOfek Per your recommendation, I opened a support ticket (6/26 at 9:02 AM ET) however I haven't received a single update from Microsoft support yet. I updated the case twice asking for an update but still haven't heard from anyone. Can you assist with pushing this forward (ID = 119062624001365)? Thanks!
- EliOfek Jul 01, 2019
Microsoft
Brian_Sutton, apologies for the delay; it seems that support is currently under heavy load.
I will see what I can do to push this faster.