The Azure Advanced Threat Protection Sensor service terminated unexpectedly
- EliOfek, May 26, 2020, Microsoft
ISEGOVIA. Telemetry shows this error happens on 5 sensors, all of them belonging to the same workspace (probably yours 🙂).
This is an unknown issue, and too complex to resolve over the forums, as it will require exchanging sensitive info.
I strongly suggest opening a support ticket to handle it.
Eli.
- ISEGOVIA, Jun 05, 2020, Copper Contributor
Hi EliOfek:
As you suggested, we put together a Premier support case for analysis of the incident. We were recommended to create and use a gMSA account in the environment. This account was generated according to the documentation; it was also validated that all the communication ports necessary for the service are open, the use of Wireshark on the DCs was ruled out, and the sensor version was updated to 2.115.8077. However, the Azure ATP service still does not start.
Logs only show us the following errors:
Microsoft.Tri.Sensor.Updater
2020-06-03 19:34:27.1581 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
Microsoft.Tri.Sensor-Errors
2020-06-03 19:38:08.2531 Error DirectoryServicesResolver+<CreateDomainAsync>d__130 System.NullReferenceException: Object reference not set to an instance of an object.
at async Task<Domain> Microsoft.Tri.Sensor.DirectoryServicesResolver.CreateDomainAsync(DistinguishedName distinguishedName, Guid domainControllerConfigurationGuid)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()+(?) => { }
at async Task<IReadOnlyCollection<TDestinationItem>> Microsoft.Tri.Infrastructure.EnumerableExtension.SelectAsync<TSourceItem, TDestinationItem>(IEnumerable<TSourceItem> enumerable, Func<TSourceItem, Task<TDestinationItem>> selectorAsync)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()
at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.ModuleManager.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Thanks for your help.
- EliOfek, Jun 05, 2020, Microsoft
ISEGOVIA, I am working with the escalation engineer on this one. A few minutes ago I got to take a look at the dumps collected today and found an interesting insight about the possible root cause.
Since it involves specific domain information, support will elaborate on what was found and what to check next.