We are on version 1.9.7312.32791

We fixed an issue that looks very similar to what you describe in 1.9 update 1.

Please upgrade and see if it resolves the problem:

https://www.microsoft.com/en-us/download/details.aspx?id=56725

I installed Update 1 this morning and I still got the Failed to download error. However, in looking at the Microsoft.Tri.Center.log file I noticed an error that made me try filtering my results. After I did that the report downloaded fine. It seems that leaving the filter a the default of all activities resulted in the error when attempting to download.

Can yo share the error details from the log including the call stack (from the latest failure on 1.9.1) ?

2018-07-30 13:36:53.9187 8648 32 Error [StringExtension] [message=WebApi action failed [ActionArguments={
"id": "0389f57d-fff4-461d-b992-4b5a5840f665",
"endDate": "2018-07-30T00:00:00Z",
"startDate": "2018-07-16T00:00:00Z",
"localeId": "en-us",
"types": [
"AbnormalBehaviorSuspiciousActivity",
"AbnormalProtocolSuspiciousActivity",
"AbnormalSensitiveGroupMembershipChangeSuspiciousActivity",
"AbnormalVpnSuspiciousActivity",
"AccountEnumerationSuspiciousActivity",
"BruteForceSuspiciousActivity",
"DirectoryServicesReplicationSuspiciousActivity",
"DnsReconnaissanceSuspiciousActivity",
"EncryptionDowngradeSuspiciousActivity",
"EnumerateSessionsSuspiciousActivity",
"ForgedPacSuspiciousActivity",
"GoldenTicketSuspiciousActivity",
"HoneytokenActivitySuspiciousActivity",
"LdapBruteForceSuspiciousActivity",
"MaliciousServiceCreationSuspiciousActivity",
"MassiveObjectDeletionSuspiciousActivity",
"PassTheHashSuspiciousActivity",
"PassTheTicketSuspiciousActivity",
"RemoteExecutionSuspiciousActivity",
"RetrieveDataProtectionBackupKeySuspiciousActivity",
"SamrReconnaissanceSuspiciousActivity",
"CredentialsValidation",
"DirectoryServicesReplication",
"DnsQuery",
"FailedLogon",
"InteractiveLogon",
"LdapCleartext",
"PrivateDataRetrieval",
"RemoteDesktop",
"ResourceAccess",
"SamrQuery",
"ServiceCreation",
"SmbSessionEnumeration",
"TaskScheduling",
"VpnConnection",
"WmiExecution",
"DirectoryServicesChange"
]
}]] System.ArgumentNullException: Value cannot be null.
Parameter name: format
at Microsoft.Tri.Infrastructure.Extensions.StringExtension.FormatWithCulture(String format, CultureInfo cultureInfo, Object[] arguments)
at async Microsoft.Tri.Center.Translation.LogicalActivities.FailedLogon.GetDescriptionAsync(?)
at async Microsoft.Tri.Center.Data.EntityExporter.<>c__DisplayClass13_0`1.<CreateLogicalActivitiesTableAsync>b__0[](?)
at async Microsoft.Tri.Infrastructure.Extensions.EnumerableExtension.SelectAsync[](?)
at async Microsoft.Tri.Center.Data.EntityExporter.CreateLogicalActivitiesTableAsync[](?)
at async Microsoft.Tri.Center.Reports.LogicalActivitiesReport.CreateFileContentAsync(?)
at async Microsoft.Tri.Center.Data.Excel.CreateFileDataAsync(?)
at async Microsoft.Tri.Center.Reports.Reporter.CreateAsync(?)
at async Microsoft.Tri.Center.Management.Controllers.UniqueEntityController.DownloadLogicalActivitiesReportAsync(?)
at async System.Threading.Tasks.TaskHelpersExtensions.CastToObject[](?)
at async System.Web.Http.Controllers.ApiControllerActionInvoker.InvokeActionAsyncCore(?)
at async System.Web.Http.Controllers.ActionFilterResult.ExecuteAsync(?)
at async System.Web.Http.Filters.AuthorizationFilterAttribute.ExecuteAuthorizationFilterAsyncCore(?)
at async System.Web.Http.Filters.AuthorizationFilterAttribute.ExecuteAuthorizationFilterAsyncCore(?)
at async System.Web.Http.Controllers.ExceptionFilterResult.ExecuteAsync(?)

Thanks!

It's a new bug.

It happens when the report contains a logical activity of "failed logon" where the  user is unknown.

You managed to generate the report by "missing" this specific activity using the filter.

I opened a bug to track it down for a  future version.