Forum Discussion
empty timeline, no alerts detected
Michele D'Angelantonio This line in the log is fine. It means you did not exclude any interfaces.
Npcap can work without NIC teaming.
Did you try to simulate attacks using the playbook and nothing showed up?
Any health issues in the console?
If not, I suggest opening a support ticket to diagnose possible causes.
Thanks EliOfek for your reply.
I imagined that the line in the log was fine, comparing it with my other implementations, but thanks for the confirmation.
I don't have any alerts on the health console.
In the tri.sensor log I have this entry (once a day):
2020-07-14 09:54:39.3243 Error HttpResponseMessageExtension Microsoft.Tri.Infrastructure.ExtendedHttpRequestException: Response status code does not indicate success: 500 (Internal Server Error). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (Internal Server Error).
at HttpResponseMessage System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at HttpResponseMessage Microsoft.Tri.Infrastructure.HttpResponseMessageExtension.CheckHttpResponseMessage(HttpResponseMessage httpResponseMessage)
--- End of inner exception stack trace ---
But after that in the log I have other entries like:
2020-07-14 10:04:23.7554 Debug DirectoryServicesResolver UpdateDomainControllerIpAddressesAsync domain controller [DnsName=DC2.mylocaldomain.it IsReadOnly=False IpAddresses=10.0.0.182]
2020-07-14 10:04:23.7554 Debug DirectoryServicesResolver UpdateDomainControllerIpAddressesAsync domain controller [DnsName=DC1.mylocaldomain.it IsReadOnly=False IpAddresses=10.0.0.181]
So it seems that all is OK.
I have two suppositions:
- a problem regarding the gMSA account permission (the log explicitly says that the DC can retrieve the password without problems)
- a network configuration that blocks traffic from the sensor to the cloud
Tomorrow morning I will have a troubleshooting session with the customer; if I can't find a solution, I will open a support ticket.
Thanks again
Mike
- EliOfek, Jul 15, 2020, Microsoft
Michele D'Angelantonio The long entry you mentioned last indicates a communication issue, but if it indeed happens only once a day, it should not create the effect you are describing, so I don't think it's related.
As for your suspicions:
If the sensor had failed to get the gMSA password, and it's the only AD account it has, it would have constantly crashed.
As for the blockage from the cloud, if that had happened, you would either experience startup issues or a log full of communication errors.
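As an added illustration of the distinction EliOfek draws above (an isolated once-a-day 500 versus a log full of communication errors), not code from Microsoft or from anyone in this thread: a small parser for lines in the tri.sensor log format quoted earlier, run over a constructed sample log, with an assumed threshold of ten HTTP errors per day separating "isolated" from "sustained".

```python
import re
from collections import Counter

# Entry format seen in the thread: "<date> <time> <Level> <Component> <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\w+) (\S+) (.*)$")
DC_RE = re.compile(r"\[DnsName=([^ \]]+) IsReadOnly=\w+ IpAddresses=([^\]]+)\]")

HTTP_ERR = ("Error HttpResponseMessageExtension Microsoft.Tri.Infrastructure."
            "ExtendedHttpRequestException: Response status code does not indicate "
            "success: 500 (Internal Server Error).")
DC_LINE = ("Debug DirectoryServicesResolver UpdateDomainControllerIpAddressesAsync "
           "domain controller [DnsName={dns} IsReadOnly=False IpAddresses={ip}]")

# Constructed sample (not a real sensor log): one isolated 500 on 14 July as in the
# thread, a burst of twelve on 15 July, DC resolution entries, and a stack-frame line.
SAMPLE_LOG = "\n".join(
    [f"2020-07-14 09:54:39.3243 {HTTP_ERR}",
     "   at HttpResponseMessage System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()",
     "2020-07-14 10:04:23.7554 " + DC_LINE.format(dns="DC2.mylocaldomain.it", ip="10.0.0.182"),
     "2020-07-14 10:04:23.7554 " + DC_LINE.format(dns="DC1.mylocaldomain.it", ip="10.0.0.181")]
    + [f"2020-07-15 09:{m:02d}:00.0000 {HTTP_ERR}" for m in range(12)]
)

def parse_entries(text):
    """Yield (date, level, component, message); stack-frame continuation lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), m.group(4), m.group(5)

def comm_errors_per_day(text):
    """Count Error-level entries carrying an HttpRequestException, keyed by day."""
    counts = Counter()
    for date, level, _comp, msg in parse_entries(text):
        if level == "Error" and "HttpRequestException" in msg:
            counts[date] += 1
    return counts

def classify_days(counts, sustained_threshold=10):
    """'isolated': a few failed cloud calls per day; 'sustained': the log is full of them."""
    return {d: ("sustained" if n >= sustained_threshold else "isolated") for d, n in counts.items()}

def resolved_dcs(text):
    """DC DNS name -> IP list recorded by UpdateDomainControllerIpAddressesAsync entries."""
    dcs = {}
    for _date, _level, _comp, msg in parse_entries(text):
        if "UpdateDomainControllerIpAddressesAsync" in msg:
            m = DC_RE.search(msg)
            if m:
                dcs[m.group(1)] = m.group(2).split(",")
    return dcs
```

On the sample, 14 July classifies as "isolated" and 15 July as "sustained", while both DCs still resolve; a real log where every day looks like 15 July is the "log full of communication errors" case, not the once-a-day one.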
- Michele D'Angelantonio, Jul 16, 2020, Copper Contributor
Hi EliOfek,
I checked the implementation with the customer this morning.
I've noticed that on the activity page of the AD Connect server there is no DC sync related activity present. I was expecting something like the picture attached (I always see this data in any other implementation):
We installed the NPCAP driver but nothing has changed.
I think the sensor is not analyzing some data, but I can't understand why.
Do you have any clue?
I think we will open a support case in the next days.
- Michele D'Angelantonio, Jul 17, 2020, Copper Contributor
Hi EliOfek,
We are opening an SR request with support. Can I ask the engineer to add you to the email thread?
Thanks again,
Mike