Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Low success rate of active name resolution using NetBIOS

Brass Contributor

We have been using Azure ATP for about 5 months now and after 4 months we suddenly received the following health alert from all our sensors:

 

Low success rate of active name resolution using NetBIOS

 

We have disabled NetBIOS on all NICs on all client computers and servers. Even though Windows Firewall allows UDP 137.

 

I do not see any possibility to disable this check - so at the moment I do have an active health alert that is updated frequently from our sensor.

 

Anyone else who have seen this issue? I'm I doing something wrong? Or do I need to adjust something? :)

3 Replies

@bjarneabraham , This health alert was only recently added to the system, this is why you didn't get it before.

Currently there is no way for  you to configure the system to forever suppress this alert.

Generally, having netbios blocked from the sensors reduces the chances of AATP to successfully resolve IP addresses.

The system can probably work just fine without this if other resolution methods we use do a good job on this specific network...  

 

We did get this feedback lately from several channels , and product are aware of this issue.

For now all I can suggest is to ignore it (or make netbios accessible for the sensors)

 

Eli

Thank you for the answer.

We look forward to a "ignore for ever" or "disable netbios name resolution check" functionality in the future. For now we will ignore it as we will not enable NetBIOS again.
best response confirmed by bjarneabraham (Brass Contributor)
Solution

@bjarneabraham , You can contact support and ask them to request AATP's service engineering to disable netbios resolution completely from the backed for your workspace (provide your tenant id and workspace id).

This will prevent the sensors from even trying to do resolution over netbios, and since they won't even try, after some time the health alert will also go away...

But if at some point you will change your mind and want to bring netbios back, you will need to contact them again to turn it back on.

1 best response

Accepted Solutions
best response confirmed by bjarneabraham (Brass Contributor)
Solution

@bjarneabraham , You can contact support and ask them to request AATP's service engineering to disable netbios resolution completely from the backed for your workspace (provide your tenant id and workspace id).

This will prevent the sensors from even trying to do resolution over netbios, and since they won't even try, after some time the health alert will also go away...

But if at some point you will change your mind and want to bring netbios back, you will need to contact them again to turn it back on.

View solution in original post