ATA download activities failed

Copper Contributor

I've searched on a user and would like to download a report of their activity, but when I click on the Download activities button I just get an error message "Failed to download". I can download the pre-defined reports successfully, just not user activities. I've tried both from a workstation and on the ATA Center server itself, as well as with different browsers. Not sure how to go about troubleshooting this.

7 Replies

On which ATA version?

We are on version 1.9.7312.32791

We fixed an issue that looks very similar to what you describe in 1.9 update 1.

Please upgrade and see if it resolves the problem:

https://www.microsoft.com/en-us/download/details.aspx?id=56725

I installed Update 1 this morning and I still got the Failed to download error. However, in looking at the Microsoft.Tri.Center.log file I noticed an error that made me try filtering my results. After I did that the report downloaded fine. It seems that leaving the filter a the default of all activities resulted in the error when attempting to download.

 

Can yo share the error details from the log including the call stack (from the latest failure on 1.9.1) ?

2018-07-30 13:36:53.9187 8648 32 Error [StringExtension] [message=WebApi action failed [ActionArguments={
"id": "0389f57d-fff4-461d-b992-4b5a5840f665",
"endDate": "2018-07-30T00:00:00Z",
"startDate": "2018-07-16T00:00:00Z",
"localeId": "en-us",
"types": [
"AbnormalBehaviorSuspiciousActivity",
"AbnormalProtocolSuspiciousActivity",
"AbnormalSensitiveGroupMembershipChangeSuspiciousActivity",
"AbnormalVpnSuspiciousActivity",
"AccountEnumerationSuspiciousActivity",
"BruteForceSuspiciousActivity",
"DirectoryServicesReplicationSuspiciousActivity",
"DnsReconnaissanceSuspiciousActivity",
"EncryptionDowngradeSuspiciousActivity",
"EnumerateSessionsSuspiciousActivity",
"ForgedPacSuspiciousActivity",
"GoldenTicketSuspiciousActivity",
"HoneytokenActivitySuspiciousActivity",
"LdapBruteForceSuspiciousActivity",
"MaliciousServiceCreationSuspiciousActivity",
"MassiveObjectDeletionSuspiciousActivity",
"PassTheHashSuspiciousActivity",
"PassTheTicketSuspiciousActivity",
"RemoteExecutionSuspiciousActivity",
"RetrieveDataProtectionBackupKeySuspiciousActivity",
"SamrReconnaissanceSuspiciousActivity",
"CredentialsValidation",
"DirectoryServicesReplication",
"DnsQuery",
"FailedLogon",
"InteractiveLogon",
"LdapCleartext",
"PrivateDataRetrieval",
"RemoteDesktop",
"ResourceAccess",
"SamrQuery",
"ServiceCreation",
"SmbSessionEnumeration",
"TaskScheduling",
"VpnConnection",
"WmiExecution",
"DirectoryServicesChange"
]
}]] System.ArgumentNullException: Value cannot be null.
Parameter name: format
at Microsoft.Tri.Infrastructure.Extensions.StringExtension.FormatWithCulture(String format, CultureInfo cultureInfo, Object[] arguments)
at async Microsoft.Tri.Center.Translation.LogicalActivities.FailedLogon.GetDescriptionAsync(?)
at async Microsoft.Tri.Center.Data.EntityExporter.<>c__DisplayClass13_0`1.<CreateLogicalActivitiesTableAsync>b__0[](?)
at async Microsoft.Tri.Infrastructure.Extensions.EnumerableExtension.SelectAsync[](?)
at async Microsoft.Tri.Center.Data.EntityExporter.CreateLogicalActivitiesTableAsync[](?)
at async Microsoft.Tri.Center.Reports.LogicalActivitiesReport.CreateFileContentAsync(?)
at async Microsoft.Tri.Center.Data.Excel.CreateFileDataAsync(?)
at async Microsoft.Tri.Center.Reports.Reporter.CreateAsync(?)
at async Microsoft.Tri.Center.Management.Controllers.UniqueEntityController.DownloadLogicalActivitiesReportAsync(?)
at async System.Threading.Tasks.TaskHelpersExtensions.CastToObject[](?)
at async System.Web.Http.Controllers.ApiControllerActionInvoker.InvokeActionAsyncCore(?)
at async System.Web.Http.Controllers.ActionFilterResult.ExecuteAsync(?)
at async System.Web.Http.Filters.AuthorizationFilterAttribute.ExecuteAuthorizationFilterAsyncCore(?)
at async System.Web.Http.Filters.AuthorizationFilterAttribute.ExecuteAuthorizationFilterAsyncCore(?)
at async System.Web.Http.Controllers.ExceptionFilterResult.ExecuteAsync(?)

Thanks!

It's a new bug.

It happens when the report contains a logical activity of "failed logon" where the  user is unknown.

You managed to generate the report by "missing" this specific activity using the filter.

I opened a bug to track it down for a  future version.