cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure ATP connection closed errors

Alex Verboon
MVP

‎Jan 03 2019 10:04 AM

‎Jan 03 2019 10:04 AM

Azure ATP connection closed errors

Hello, 

 

I just deployed Azure ATP in a fresh demo environment. No errors during installation, also when I search for computers or users I do get details, however when I try to trigger an alert by running nslookup -ls -d or run mimikatz, I don't get any alerts in Azure ATP. 

 

The Sensor is installed on a domain controller server 2016 standard , sensor agent version is

2.59.6040.997

 

The domain controller runs in hyper-v and has two nics, one uses the default switch and the other is a private network for the lab. 

 

The Microsoft.Tri.Sensor-Errors log file contains the following errors. 

 

2019-01-03 17:38:50.3349 Error ExceptionDispatchInfo System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server. ---> System.IO.IOException: Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
   at int System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
   at int System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at int System.Net.Security._SslStream.EndRead(IAsyncResult asyncResult)
   at int System.Net.TlsStream.EndRead(IAsyncResult asyncResult)
   at void System.Net.Connection.ReadCallback(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at WebResponse System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at void System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
   at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
   at async Task Microsoft.Tri.Sensor.EntitySender.SendEntityBatchAsync(EntityBatch entityBatch, EntityBatch postponedEntityBatch)
   at async Task Microsoft.Tri.Sensor.EntitySender.SendEntityBatchesAsync()

 

Any hints where to look wuld be appreciated. 

4,976 Views
0 Likes
8 Replies
Reply
8 Replies
Eli Shlomo

‎Jan 05 2019 10:59 PM

‎Jan 05 2019 10:59 PM

Re: Azure ATP connection closed errors

from the tri logs, it looks like the sensor isn't stable and restarting, below a few points to check:

 

Make sure Azure ATP Prerequisites is

Did you saw outbound connection limit or network issues from DC's to AATP

Make sure your DC's are healthy and connected (on AATP console)

Do you've some SSL inspection or proxy to the internet?

 

To simulate an attack scenario with AATP, it will be better with two Windows client (one victim and one attacker).

0 Likes
Reply
Alex Verboon

‎Jan 06 2019 06:31 AM

‎Jan 06 2019 06:31 AM

Re: Azure ATP connection closed errors

Hi and thanks for your reply, I have checked all prerequisites. 

 

1. server is helathy

2. No Sensor errors in ATP portal

3. Sensor is listed

 

I deleted the ATP instance and created one from scratch.  however when I try to connect: https://m365x727487sensorapi.atp.azure.com/

 

Note: m365x727487 is the name of my demo tenannt, i get 

HTTP Error 503. The service is unavailable.

 

After I have setup the instance, I can browser domain specific objects, so it looks like some information is flowing up correctly. 

 

 

 

 

 

 

0 Likes
Reply
Eli Ofek

‎Jan 06 2019 06:51 AM

‎Jan 06 2019 06:51 AM

Re: Azure ATP connection closed errors

503 is normal when using a browser.

Something is blocking the connection.

Notice that the services are running under local service & local system,

so they might be getting a different policy compared to your logged in user...

Any chance they are getting some proxy settings via policy that keeps blocking it ?

0 Likes
Reply
Alex Verboon

‎Jan 06 2019 06:53 AM

‎Jan 06 2019 06:53 AM

RE: Azure ATP connection closed errors

meanwhile I found this threat, which might be the reason for my issue, however I was able to create an instance. https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Full-Azure-ATP-Trial-for-tes...
0 Likes
Reply
Alex Verboon

‎Jan 06 2019 06:58 AM

‎Jan 06 2019 06:58 AM

Re: Azure ATP connection closed errors

Hi, there's no proxy in place, this is a very simple setup, the DC runs in a VM on my notebook that has direct internet connection via my home ISP connection. 

 

But meanwhile I found another article regarding the use of ATP for tenants created via demos.microsoft.com maybe that could be the issue? 

 

0 Likes
Reply
best response confirmed by Alex Verboon (MVP)
Eli Shlomo

‎Jan 06 2019 11:47 AM

‎Jan 06 2019 11:47 AM

Solution

Re: Azure ATP connection closed errors

you can work with a demo environment without any issues.

back to the log, you've some error with: the underlying connection was closed... and that means you've some issue with a connection from your local DC's to the AATP, it could be a connectivity issue, some SSL inspection or even firewall port.

 

 

0 Likes
Reply
Alex Verboon

‎Jan 07 2019 05:00 AM

‎Jan 07 2019 05:00 AM

Re: Azure ATP connection closed errors

Hello Eli & Eli, 

 

Thanks for both your responses, I ended u disabling the firewall on my UPC ISP router and suddenly packets where floating as expected. Strange, as this used to work previously, but at least I found the issue. Thanks for your feedback. 

 

Alex

0 Likes
Reply
Eli Shlomo

‎Jan 07 2019 05:11 AM

‎Jan 07 2019 05:11 AM

Re: Azure ATP connection closed errors

great news, and it makes sense because the log has many errors about connectivity with the AATP.

Now you can start with attack and simulate scenario on your DC's.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Alex Verboon (MVP)
Eli Shlomo

‎Jan 06 2019 11:47 AM

‎Jan 06 2019 11:47 AM

Solution

Re: Azure ATP connection closed errors

you can work with a demo environment without any issues.

back to the log, you've some error with: the underlying connection was closed... and that means you've some issue with a connection from your local DC's to the AATP, it could be a connectivity issue, some SSL inspection or even firewall port.

 

 

View solution in original post

0 Likes
Reply