SOLVED

Low success rate of active name resolution using NetBIOS

%3CLINGO-SUB%20id%3D%22lingo-sub-511109%22%20slang%3D%22en-US%22%3ELow%20success%20rate%20of%20active%20name%20resolution%20using%20NetBIOS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-511109%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20been%20using%20Azure%20ATP%20for%20about%205%20months%20now%20and%20after%204%20months%20we%20suddenly%20received%20the%20following%20health%20alert%20from%20all%20our%20sensors%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ELow%20success%20rate%20of%20active%20name%20resolution%20using%20NetBIOS%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20have%20disabled%20NetBIOS%20on%20all%20NICs%20on%20all%20client%20computers%20and%20servers.%20Even%20though%20Windows%20Firewall%20allows%20UDP%20137.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20do%20not%20see%20any%20possibility%20to%20disable%20this%20check%20-%20so%20at%20the%20moment%20I%20do%20have%20an%20active%20health%20alert%20that%20is%20updated%20frequently%20from%20our%20sensor.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20else%20who%20have%20seen%20this%20issue%3F%20I'm%20I%20doing%20something%20wrong%3F%20Or%20do%20I%20need%20to%20adjust%20something%3F%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-511131%22%20slang%3D%22en-US%22%3ERe%3A%20Low%20success%20rate%20of%20active%20name%20resolution%20using%20NetBIOS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-511131%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F205276%22%20target%3D%22_blank%22%3E%40Bjarne%20Abraham%3C%2FA%3E%26nbsp%3B%2C%20This%20health%20alert%20was%20only%20recently%20added%20to%20the%20system%2C%20this%20is%20why%20you%20didn't%20get%20it%20before.%3C%2FP%3E%0A%3CP%3ECurrently%20there%20is%20no%20way%20for%26nbsp%3B%20you%20to%20configure%20the%20system%20to%20forever%20suppress%20this%20alert.%3C%2FP%3E%0A%3CP%3EGenerally%2C%20having%20netbios%20blocked%20from%20the%20sensors%20reduces%20the%20chances%20of%20AATP%20to%20successfully%20resolve%20IP%20addresses.%3C%2FP%3E%0A%3CP%3EThe%20system%20can%20probably%20work%20just%20fine%20without%20this%20if%20other%20resolution%20methods%20we%20use%20do%20a%20good%20job%20on%20this%20specific%20network...%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20did%20get%20this%20feedback%20lately%20from%20several%20channels%20%2C%20and%20product%20are%20aware%20of%20this%20issue.%3C%2FP%3E%0A%3CP%3EFor%20now%20all%20I%20can%20suggest%20is%20to%20ignore%20it%20(or%20make%20netbios%20accessible%20for%20the%20sensors)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEli%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-511331%22%20slang%3D%22en-US%22%3ERe%3A%20Low%20success%20rate%20of%20active%20name%20resolution%20using%20NetBIOS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-511331%22%20slang%3D%22en-US%22%3EThank%20you%20for%20the%20answer.%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20look%20forward%20to%20a%20%22ignore%20for%20ever%22%20or%20%22disable%20netbios%20name%20resolution%20check%22%20functionality%20in%20the%20future.%20For%20now%20we%20will%20ignore%20it%20as%20we%20will%20not%20enable%20NetBIOS%20again.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-511578%22%20slang%3D%22en-US%22%3ERe%3A%20Low%20success%20rate%20of%20active%20name%20resolution%20using%20NetBIOS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-511578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F205276%22%20target%3D%22_blank%22%3E%40Bjarne%20Abraham%3C%2FA%3E%26nbsp%3B%2C%20You%20can%20contact%20support%20and%20ask%20them%20to%20request%20AATP's%20service%20engineering%20to%20disable%20netbios%20resolution%20completely%20from%20the%20backed%20for%20your%20workspace%20(provide%20your%20tenant%20id%20and%20workspace%20id).%3C%2FP%3E%0A%3CP%3EThis%20will%20prevent%20the%20sensors%20from%20even%20trying%20to%20do%20resolution%20over%20netbios%2C%20and%20since%20they%20won't%20even%20try%2C%20after%20some%20time%20the%20health%20alert%20will%20also%20go%20away...%3C%2FP%3E%0A%3CP%3EBut%20if%20at%20some%20point%20you%20will%20change%20your%20mind%20and%20want%20to%20bring%20netbios%20back%2C%20you%20will%20need%20to%20contact%20them%20again%20to%20turn%20it%20back%20on.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

We have been using Azure ATP for about 5 months now and after 4 months we suddenly received the following health alert from all our sensors:

 

Low success rate of active name resolution using NetBIOS

 

We have disabled NetBIOS on all NICs on all client computers and servers. Even though Windows Firewall allows UDP 137.

 

I do not see any possibility to disable this check - so at the moment I do have an active health alert that is updated frequently from our sensor.

 

Anyone else who have seen this issue? I'm I doing something wrong? Or do I need to adjust something? :)

3 Replies
Highlighted

@Bjarne Abraham , This health alert was only recently added to the system, this is why you didn't get it before.

Currently there is no way for  you to configure the system to forever suppress this alert.

Generally, having netbios blocked from the sensors reduces the chances of AATP to successfully resolve IP addresses.

The system can probably work just fine without this if other resolution methods we use do a good job on this specific network...  

 

We did get this feedback lately from several channels , and product are aware of this issue.

For now all I can suggest is to ignore it (or make netbios accessible for the sensors)

 

Eli

Highlighted
Thank you for the answer.

We look forward to a "ignore for ever" or "disable netbios name resolution check" functionality in the future. For now we will ignore it as we will not enable NetBIOS again.
Best Response confirmed by Bjarne Abraham (New Contributor)
Solution

@Bjarne Abraham , You can contact support and ask them to request AATP's service engineering to disable netbios resolution completely from the backed for your workspace (provide your tenant id and workspace id).

This will prevent the sensors from even trying to do resolution over netbios, and since they won't even try, after some time the health alert will also go away...

But if at some point you will change your mind and want to bring netbios back, you will need to contact them again to turn it back on.