Forum Discussion
The Azure Advanced Threat Protection Sensor service terminated unexpectedly
The Azure ATP agent installation was performed on the domain controllers, the installation of the sensors is successful, however, we noticed that the Azure Advanced Threat Protection Sensor service does not start and remains in the status of Starting
Reviewing the System events shows us many errors of Service Control Manager ID 7031 The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this # times. The following corrective action will be taken in 5000 milliseconds. Restart the service.
Checking the Azure Advanced Threat Protection error logs we find the following:
Microsoft.Tri.Sensor-Errors:
2020-05-25 22:22:01.7532 Error DirectoryServicesResolver+<CreateDomainAsync>d__126 System.NullReferenceException: Object reference not set to an instance of an object.
at async Task<Domain> Microsoft.Tri.Sensor.DirectoryServicesResolver.CreateDomainAsync(DistinguishedName distinguishedName, Guid domainControllerConfigurationGuid)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()+(?) => { }
at async Task<IReadOnlyCollection<TDestinationItem>> Microsoft.Tri.Infrastructure.EnumerableExtension.SelectAsync<TSourceItem, TDestinationItem>(IEnumerable<TSourceItem> enumerable, Func<TSourceItem, Task<TDestinationItem>> selectorAsync)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()
at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.ModuleManager.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Reviewing the System events shows us many errors of Service Control Manager ID 7031 The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this # times. The following corrective action will be taken in 5000 milliseconds. Restart the service.
Checking the Azure Advanced Threat Protection error logs we find the following:
Microsoft.Tri.Sensor-Errors:
2020-05-25 22:22:01.7532 Error DirectoryServicesResolver+<CreateDomainAsync>d__126 System.NullReferenceException: Object reference not set to an instance of an object.
at async Task<Domain> Microsoft.Tri.Sensor.DirectoryServicesResolver.CreateDomainAsync(DistinguishedName distinguishedName, Guid domainControllerConfigurationGuid)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()+(?) => { }
at async Task<IReadOnlyCollection<TDestinationItem>> Microsoft.Tri.Infrastructure.EnumerableExtension.SelectAsync<TSourceItem, TDestinationItem>(IEnumerable<TSourceItem> enumerable, Func<TSourceItem, Task<TDestinationItem>> selectorAsync)
at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()
at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.ModuleManager.OnStartAsync()
at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Microsoft.Tri.Sensor.Updater-Errors:
2020-05-21 10:53:27.7922 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-05-21 10:53:27.7922 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
- EliOfek
Microsoft
What is the exact version of the sensor? You can check by the name of the folder the binary is in...- EliOfek
ISEGOVIA . Telemetry shows this error happens on 5 sensors, all of them belonging to the same workspace (probably yours 🙂
This is unknown issue, and too complex to resolve over the forums as it will require exchanging sensitive info.
I strongly suggest to open a support ticket to handle it.
Eli.
