empty timeline, no alerts detected


Hi all.

After a good number of implementations with a normal service account, I tried the first one using a gMSA.

In the past, when AD Connect had the first sync after the sensor installations, I immediately had the Suspected DCSync attack alert on the timeline, without having to wait days of learning... This time I had no alert after hours (and a lot of full and delta syncs). I also tried a Directory Service Reconnaissance (Directory Service Enumeration) from a client and still no alerts.

The sensor logs are clean (only showing this warning: EventActivityEntityResolver ResolveNtlmEventAsync).

In my experience this is not normal behaviour.

I verified the gMSA and the DCs could retrieve the account password correctly. The sensor services are running.

Do you have any troubleshooting suggestion?

Thanks

Mike


in my sensor.log I found a lot of these entries:

Debug NetworkAdaptersManager UpdateIpAddresses ignoring network traffic [ignoredNetworkAdapters= _ignoredIpAddresses=]

Could it be an npcap driver related problem (even if I don't have NIC teaming)?

my timeline is still desolately empty, after a week...

any ideas?

thanks

Mike

@Michele D'Angelantonio This line in the log is fine. It means you did not exclude any interfaces.

npcap can work without nic teaming.

Did you try to simulate attacks using the playbook and nothing showed up?

Any health issues in the console?

If not, I suggest opening a support ticket to diagnose possible causes.

thanks @Eli Ofek for your reply

I imagined that the line in the log was fine, comparing it with my other implementations, but thanks for the confirmation.

I don't have any alerts on the health console.

on the tri.sensor log I have this entry (once a day):

2020-07-14 09:54:39.3243 Error HttpResponseMessageExtension Microsoft.Tri.Infrastructure.ExtendedHttpRequestException: Response status code does not indicate success: 500 (Internal Server Error). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (Internal Server Error).
at HttpResponseMessage System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at HttpResponseMessage Microsoft.Tri.Infrastructure.HttpResponseMessageExtension.CheckHttpResponseMessage(HttpResponseMessage httpResponseMessage)
--- End of inner exception stack trace ---

but after that in the log I have other entries like:

2020-07-14 10:04:23.7554 Debug DirectoryServicesResolver UpdateDomainControllerIpAddressesAsync domain controller [DnsName=DC2.mylocaldomain.it IsReadOnly=False IpAddresses=10.0.0.182]
2020-07-14 10:04:23.7554 Debug DirectoryServicesResolver UpdateDomainControllerIpAddressesAsync domain controller [DnsName=DC1.mylocaldomain.it IsReadOnly=False IpAddresses=10.0.0.181]

so it seems that all is ok.

I have two suppositions:

- a problem regarding the gMSA account permissions (the log explicitly shows that the DC can retrieve the password without problems)

- a network configuration that blocks traffic from the sensor to the cloud

tomorrow morning I will have a troubleshooting session with the customer; if I can't find a solution I will open a support ticket.

Thanks again

Mike

@Michele D'Angelantonio The long entry you mentioned last indicates a communication issue, but if it indeed happens only once a day, it should not create the effect you are describing, so I don't think it's related.

As for your suspicions:

If the sensor had failed to get the gMSA password, and it's the only AD account it has, it would have crashed constantly.

As for the blockage from the cloud, if that had happened, you would either experience startup issues, or a log full of communication errors.

Hi @Eli Ofek

I checked the implementation with the customer this morning.

I've noticed that on the activity page of the AD Connect server there is no DC sync related activity. I was expecting something like the picture attached (I always see this data in any other implementation):

We installed the NPCAP driver but nothing has changed.

I think the sensor is not analyzing some data, but I can't understand why.

Do you have any clue?

I think we will open a support case in the next days.

hi @Eli Ofek 

we are opening an SR request to support. Can I ask the engineer to add you to the email thread?

thanks again

Mike

My Guess -> Don't add gMSA to domain admins or delegated permissions set. 

Make sure your gMSA is correctly set before next step.

Remove AATP Installation.

Remove anything you've added including prior WinPCaps whether it was for Nmap, Suricata, etc. 

  • Make sure your gMSA is correctly set before next step.
    • Confirm Portal is correct
    • Confirm gMSA has permissions
    • Confirm gMSA is allowed to retrieve managed passwords from the group "Domain Controllers".

Reinstall it using a fresh pull from the portal.

Do not go to Services and change anything like the user account. It needs to stay as the Local Service.

Hope this helps.

@Jonathan Green ,  @Michele D'Angelantonio  Please DO NOT add the gmsa account (or any other account configured for use with AATP) to Domain Admins!

This is a security risk, and is not needed for sure for AATP to run correctly.

The AATP AD account should be a low privileged user with read only access to AD, plus some specific permissions (SAMR, deleted items etc) for enhanced functionality.
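The checks Jonathan lists (gMSA allowed to retrieve its managed password from "Domain Controllers", DC able to retrieve it) and the warning Eli gives (never put the sensor account in Domain Admins) can be run as one script on a DC. This is an added example, not code from the thread or from the product; the gMSA name `mdiSvc$` is a placeholder assumption.

```powershell
# Added example, not from the thread: sanity checks for the gMSA used by the sensor.
# Run in an elevated PowerShell on a domain controller that hosts the sensor.
# 'mdiSvc$' is a placeholder assumption; use the gMSA configured in the portal.
Import-Module ActiveDirectory

$GmsaName = 'mdiSvc$'

$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf
$dcGroup = Get-ADGroup -Identity 'Domain Controllers'

# 1. Is the "Domain Controllers" group allowed to retrieve the managed password?
#    (Group membership is not expanded here; if you granted a custom group that
#    contains the DCs, compare against that group's DN instead.)
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed -contains $dcGroup.DistinguishedName) {
    Write-Output "OK: 'Domain Controllers' may retrieve the managed password of $GmsaName"
} else {
    Write-Warning "'Domain Controllers' is not allowed to retrieve the managed password. Allowed: $($allowed -join '; ')"
}

# 2. Can this host actually retrieve and use the password? Test-ADServiceAccount is
#    evaluated locally, so run it on every DC where the sensor is installed.
if (Test-ADServiceAccount -Identity $GmsaName) {
    Write-Output "OK: $env:COMPUTERNAME retrieved the managed password of $GmsaName"
} else {
    Write-Warning "$env:COMPUTERNAME cannot retrieve the managed password of $GmsaName"
}

# 3. The sensor account must stay low-privileged: flag direct membership in
#    privileged groups (nested membership is not expanded here).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privDns = foreach ($name in $privileged) {
    try { (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName }
    catch { <# group not present in this domain (forest-root-only groups) #> }
}
$bad = @($gmsa.MemberOf) | Where-Object { $privDns -contains $_ }
if ($bad) {
    Write-Warning "Remove $GmsaName from privileged group(s): $($bad -join '; ')"
} else {
    Write-Output "OK: $GmsaName is not a direct member of the checked privileged groups"
}
```

A warning from check 1 or 2 matches the "sensor cannot get the gMSA password" failure mode Eli describes; a warning from check 3 is the over-privilege Eli and Jonathan warn against, not a fix for missing alerts.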

@Michele D'Angelantonio , If the case is bumped to an escalation support engineer and you see no progress, feel free to ask the support engineer to add me to the thread.

(They will likely ping me anyway if they get stuck)

Eli,
I had to re-read what I wrote, as mentally that wasn't what I was typing. Fixed.

@Jonathan Green , @Eli Ofek  thanks for your suggestions.

Just for update:

I checked and fixed the gMSA account Domain User membership and now I can see more activities and some alarms.

I have one last strange problem. On the AD Connect server activity page I can see everything, but the DC sync activities performed by AD Connect are still missing.

In other implementations this was the first alert I had.

thanks again

Mike
