Health Alert: Some network traffic could not be analyzed
Hello,
Seeing these alerts on two domain controllers on a regular 1-hour interval.
Back when we ran the sizing tool about 4 months ago they passed the analysis with flying colors (required CPU/RAM of 1 and 6 vs 24 and 64 available). These are on-prem physical servers. No issues with other domain controllers.
Also, how exactly is this alarm triggered? Is there a time threshold, or would any spike cause it?
2 Replies
- Martin_Schvartzman (Microsoft)
The alerts are generated when the sensors do not have enough resources to analyze the network traffic.
Things might have changed since you ran the sizing tool, such as more users being added to the environment or a change in the sites or subnets configuration that now cause more traffic to be sent to the domain controllers.
If the sensor is using the WinPcap drivers (installed with the sensor in versions earlier than 2.184), we recommend you replace them with Npcap. This is described in https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#winpcap-and-npcap-drivers
This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:
- TsoEnable
- LargeSendOffload(IPv4)
- IPv4 TSO Offload
You should also consider adding additional processors and memory as required.
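An added example (not from the thread or from Microsoft) that inventories the offload settings named in the reply above on a Windows sensor host: it uses the standard NetAdapter cmdlets and matches on the display names and registry keywords as listed in the reply (the match patterns and the "disabled" values it recognises are assumptions, since driver versions label them differently).

```powershell
# Added example: report TSO / Large Send Offload settings on every adapter and
# flag the ones that are still enabled. Assumes the NetAdapter module
# (Get-NetAdapter, Get-NetAdapterAdvancedProperty) is present, i.e. Windows Server 2012+.
function Get-OffloadFindings {
    param(
        # Patterns taken from the reply above; '*' wildcards are an assumption to
        # catch driver-specific spellings such as "Large Send Offload V2 (IPv4)".
        [string[]] $Patterns = @('TsoEnable', 'LargeSendOffload*', 'Large Send Offload*', 'IPv4 TSO Offload', '*LsoV2IPv4'),
        # Values treated as "off"; assumption, adjust if your driver reports something else.
        [string[]] $DisabledValues = @('Disabled', '0', 'Off')
    )
    foreach ($adapter in Get-NetAdapter -ErrorAction SilentlyContinue) {
        $props = Get-NetAdapterAdvancedProperty -Name $adapter.Name -ErrorAction SilentlyContinue
        foreach ($prop in $props) {
            $hit = $Patterns | Where-Object {
                $prop.DisplayName -like $_ -or $prop.RegistryKeyword -like $_
            }
            if (-not $hit) { continue }
            [pscustomobject]@{
                Adapter   = $adapter.Name
                Setting   = $prop.DisplayName
                Keyword   = $prop.RegistryKeyword
                Value     = $prop.DisplayValue
                IsDisabled = ($DisabledValues -contains [string]$prop.DisplayValue)
            }
        }
    }
}

# Show everything that matched, with the still-enabled entries first.
$findings = Get-OffloadFindings
$findings | Sort-Object IsDisabled | Format-Table -AutoSize

# Uncomment to turn a flagged setting off on a given adapter (Set-NetAdapterAdvancedProperty
# is the standard cmdlet; the DisplayName/DisplayValue must match what the report printed):
# $findings | Where-Object { -not $_.IsDisabled } | ForEach-Object {
#     Set-NetAdapterAdvancedProperty -Name $_.Adapter -DisplayName $_.Setting -DisplayValue 'Disabled'
# }
```

Run it in an elevated PowerShell on the sensor host; an empty table means none of the named settings exist on the installed driver, which is expected on physical NICs that are not vmxnet3.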
- sayedhasan (Copper Contributor)
Physical servers, no VMware.
Npcap drivers.
Users have not grown significantly since running our sizing tool last April.
Most importantly, I want to know the exact logic of how this alarm is triggered. Is any filtering/averaging involved over a period of time, or would a spike/peak in traffic do it?
Thanks!