SOLVED

Some network traffic is not being analyzed


I got a new configuration alert yesterday. Seems to be linked with the update of the sensor which happened around the same time. I got the alert for all of my domain controllers. And they are all physical with NIC Teaming.

 

Some network traffic is not being analyzed
The machine that Sensor [Server name] is deployed on is configured with a NIC Teaming adapter. This requires additional configuration.
For more information, refer to https://aka.ms/aatp/teamissue

 

The link offers no more information on the topic. It sends me to the ATA troubleshooting page which doesn't mention NIC Teaming. https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-known-errors#ata-gate...

1 Reply
Best Response confirmed by Stefan Jonsson (Regular Visitor)
Solution

Winpcap - the kernel driver we’re using to “parse” the traffic doesn’t support NIC Teaming.

You need to install the Npcap driver. We are working to support it built-in in the Sensor.

In the meantime you can follow these instructions:

1. Download npcap-0.98.exe from https://nmap.org/npcap/

2. Stop and disable the Azure ATP Sensor services

3. Back up the WinPcap driver files - in case of an error

4. Stop and delete the WinPcap driver

5. Install the Npcap driver

6. Re-enable and start the Azure ATP services

Alternatively, you can just uninstall the Sensor, install Npcap, and install the Sensor.
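
The six steps from the reply above, as a PowerShell sketch for a single domain controller. This is an added example, not part of the original reply and not Microsoft's own script; the service names (AATPSensor, AATPSensorUpdater), the WinPcap driver service name (npf), the driver file paths and the installer location are assumptions to confirm on the host before running it.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values (not from the thread): service names, driver name, paths.
$ErrorActionPreference = 'Stop'
$sensorServices = 'AATPSensorUpdater', 'AATPSensor'   # assumed sensor service names; updater first
$winpcapDriver  = 'npf'                                # assumed WinPcap kernel driver service
$installer      = 'C:\Temp\npcap-0.98.exe'             # assumed location of the step 1 download
$backupDir      = "C:\Temp\winpcap-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$driverFiles    = "$env:windir\System32\drivers\npf.sys",
                  "$env:windir\System32\wpcap.dll",
                  "$env:windir\System32\Packet.dll"    # assumed WinPcap file locations

# Confirm the host really has a NIC team, as the alert claims.
if (-not (Get-NetLbfoTeam -ErrorAction SilentlyContinue)) {
    Write-Warning 'No LBFO NIC team found on this host.'
}

# A kernel driver is about to be installed on a domain controller:
# refuse to continue unless the installer carries a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# Step 2: stop and disable the sensor services, remembering their start types.
$startTypes = @{}
foreach ($name in $sensorServices) {
    $startTypes[$name] = (Get-Service -Name $name).StartType
    Stop-Service -Name $name -Force
    Set-Service -Name $name -StartupType Disabled
}

# Step 3: back up the WinPcap driver files in case of an error.
New-Item -ItemType Directory -Path $backupDir | Out-Null
$driverFiles | Where-Object { Test-Path $_ } |
    ForEach-Object { Copy-Item -Path $_ -Destination $backupDir }

# Step 4: stop the WinPcap driver and delete its service registration.
& sc.exe stop $winpcapDriver
& sc.exe delete $winpcapDriver

# Step 5: run the Npcap installer interactively and wait for it to finish.
Start-Process -FilePath $installer -Wait

# Step 6: restore the original start types and start the sensor services.
foreach ($name in $sensorServices) {
    Set-Service -Name $name -StartupType $startTypes[$name]
    Start-Service -Name $name
}
```

If the sensor services fail to start afterwards, the files in the backup folder are what step 3 preserved for restoring the previous driver.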