Forum Discussion

sayedhasan's avatar
sayedhasan
Copper Contributor
Jul 22, 2022

Health Alert: Some network traffic could not be analyzed

Hello, Seeing these alerts on two domain controllers on a regular 1-hour interval. Back when we ran the sizing tool about 4 months ago they passed the analysis with flying colors (required CPU/RAM ...
Martin_Schvartzman's avatar
Martin_Schvartzman
Icon for Microsoft rankMicrosoft
Jul 25, 2022

sayedhasan 

The alerts are generated when the sensors do not have enough resources to analyze the network traffic.

Things might have changed since you ran the sizing tool, such as more users being added to the environment or a change in the sites or subnets configuration that now cause more traffic to be sent to the domain controllers.

If the sensor is using the winpcap drivers (installed with the sensor in versions earlier than 2.184) we recommend you replace them with npcap. This is described in https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#winpcap-and-npcap-drivers

This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:
- TsoEnable
- LargeSendOffload(IPv4)
- IPv4 TSO Offload

You should also consider adding additional processors and memory as required.

sayedhasan's avatar
sayedhasan
Copper Contributor
Jul 25, 2022
Physical servers no VMware.
Npcap drivers.
Users have not grown significantly since running our sizing tool last April.
Most importantly I want to know the exact logic how this alarm is triggered? any filtering/averaging involved over a period of time or a spike/peak-traffic would do it?
Thanks!