Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

The Azure Advanced Threat Protection Sensor service terminated unexpectedly

Copper Contributor
The Azure ATP agent installation was performed on the domain controllers, the installation of the sensors is successful, however, we noticed that the Azure Advanced Threat Protection Sensor service does not start and remains in the status of Starting
Reviewing the System events shows us many errors of Service Control Manager ID 7031 The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this # times. The following corrective action will be taken in 5000 milliseconds. Restart the service.
 
Checking the Azure Advanced Threat Protection error logs we find the following:
Microsoft.Tri.Sensor-Errors:
2020-05-25 22:22:01.7532 Error DirectoryServicesResolver+<CreateDomainAsync>d__126 System.NullReferenceException: Object reference not set to an instance of an object.
   at async Task<Domain> Microsoft.Tri.Sensor.DirectoryServicesResolver.CreateDomainAsync(DistinguishedName distinguishedName, Guid domainControllerConfigurationGuid)
   at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()+(?) => { }
   at async Task<IReadOnlyCollection<TDestinationItem>> Microsoft.Tri.Infrastructure.EnumerableExtension.SelectAsync<TSourceItem, TDestinationItem>(IEnumerable<TSourceItem> enumerable, Func<TSourceItem, Task<TDestinationItem>> selectorAsync)
   at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()
   at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.OnStartAsync()
   at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
   at async Task Microsoft.Tri.Infrastructure.ModuleManager.OnStartAsync()
   at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
 
Microsoft.Tri.Sensor.Updater-Errors:
2020-05-21 10:53:27.7922 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
7 Replies
What is the exact version of the sensor? You can check by the name of the folder the binary is in...

Hi @Eli Ofek 

 

The version of the sensor is 2.114.8044.7220.

 

Thanks for your support.

@ISEGOVIA . Telemetry shows this error happens on 5 sensors, all of them belonging to the same workspace (probably yours :)

This is unknown issue, and too complex to resolve over the forums as it will require exchanging sensitive info.

I strongly suggest to open a support ticket to handle it.

 

Eli.

Hi @Eli Ofek:

As you suggested, we put together a premier support case for analysis of the incident presented. I tell you that we were recommended to create and use a gMSA account in the environment. This account was generated according to the documentation, also, it was validated that all the communication ports necessary for the service will be open, the use of wireshark in DCs was ruled out and the sensor version was updated to 2.115.8077, however the Azure ATP service continues without starting. 

Logs only show us the following errors:

 

Microsoft.Tri.Sensor.Updater

2020-06-03 19:34:27.1581 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]

 

Microsoft.Tri.Sensor-Errors

2020-06-03 19:38:08.2531 Error DirectoryServicesResolver+<CreateDomainAsync>d__130 System.NullReferenceException: Object reference not set to an instance of an object.
   at async Task<Domain> Microsoft.Tri.Sensor.DirectoryServicesResolver.CreateDomainAsync(DistinguishedName distinguishedName, Guid domainControllerConfigurationGuid)
   at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()+(?) => { }
   at async Task<IReadOnlyCollection<TDestinationItem>> Microsoft.Tri.Infrastructure.EnumerableExtension.SelectAsync<TSourceItem, TDestinationItem>(IEnumerable<TSourceItem> enumerable, Func<TSourceItem, Task<TDestinationItem>> selectorAsync)
   at async Task<IReadOnlyCollection<Domain>> Microsoft.Tri.Sensor.DirectoryServicesResolver.GetDomainsAsync()
   at async Task Microsoft.Tri.Sensor.DirectoryServicesResolver.OnStartAsync()
   at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
   at async Task Microsoft.Tri.Infrastructure.ModuleManager.OnStartAsync()
   at async Task Microsoft.Tri.Infrastructure.Module.StartAsync()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

 

Thanks for your help.

@ISEGOVIA I am working with the escalation engineer on this one. I got to take a look at the dumps collected today a few minutes ago and found an interesting insight about the possible root cause.
Since it involves specific domain information, support will elaborate on what was found and what to check next.

Hi @Eli Ofek 


I comment that reviewing the Azure ATP portal today we can see that one of the sensors is already running correctly and the Azure ATP tool is already starting to report information from the environment.
However the other sensors still continue in starting. 

 

I attach the evidence.

 

Thanks for your help.

Hi,

Could you find a resolution?

Regads
Farhad