Take in consideration a scenario where you deployed Azure ATP, and after the service has worked for some time, one day the service Azure Advanced Threat Protection Sensor keeps on Starting, and after some time it quits (doesn’t show any status), it comes back to Starting, and keeps on this loop. If you go to event viewer, you an event like this one:
Log Name: System
Source: Service Control Manager
Date: 9/14/2018 10:32:52 AM
Event ID: 7031
Task Category: None
The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 18 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
The next step in this type of situation is to look at the “Microsoft.Tri.sensor-Errors.log” file located in the “%programfiles%\Azure Advanced Threat Protection sensor\Version X\Logs” folder. Once you review this file, you may see something like this:
2018-09-14 15:35:50.9871 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__34 Microsoft.Tri.Infrastructure.ExtendedException: Failed to connect to domain controller [DomainControllerDnsName=BRUTOS.fabrikam.com ErrorCode=49] ---> System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
Yep, that’s ritght, it was the credential, and you know why? Because the account that it was created and used on step 2 of the Azure ATP deployment changed the password. Every time you change this account's password, you need to update the user's information on Azure ATP Portal, under Directory Services as shown below:
Lesson learned: it is imperative to always change your password, and change it according to your company’s password policy, however make sure to also update the account's information on Azure ATP portal, otherwise you will face a similar issue.