NSX Network Detection and Response - Session Tracker Service: Failed to retrieve Windows version of Domain Controller

Article ID: 323927

Updated On:

Products

VMware

Issue/Introduction

Symptoms:
The Sensor appliance has the ability to extract logs from the domain controllers to associate events that occur in the monitored network with the Windows users logged in on the host.

Errors are shown under Admin > Appliances > Quick Links > Monitoring Logs, and the log file /var/log/session_tracker/session-tracker.error.log contains entries like these:
2023-01-03 21:01:03,605 - session-tracker - ERROR - Empty answer from server "<server-hostname>"
2023-01-03 21:01:03,606 - session-tracker - ERROR - Failed to get version of operating system of "<server-hostname>"
2023-01-03 21:01:03,606 - session-tracker - ERROR - session-tracker.wmi_query.<server-hostname>: Failed to retrieve Windows version of Domain Controller "<server-hostname>" [80]
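To see which domain controllers are logging this error and when each last did so (for instance, to confirm the errors stop after an upgrade), the log can be summarized with a short script. This is an added example, not VMware code; it assumes the line layout shown above, and the hostnames in the sample are constructed placeholders.

```python
import re
import sys
from datetime import datetime

# Layout of the entries quoted above: "<timestamp>,<ms> - session-tracker - ERROR - <message>"
ENTRY = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} - session-tracker - ERROR - (.*)$')
# Final error of the signature; it names the domain controller in quotes.
VERSION_FAIL = re.compile(r'Failed to retrieve Windows version of Domain Controller "([^"]+)"')

def affected_domain_controllers(lines):
    """Map each DC that logged the error to its count, first and last occurrence."""
    hits = {}
    for line in lines:
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # other formats, tracebacks, blank lines
        fail = VERSION_FAIL.search(entry.group(2))
        if not fail:
            continue  # e.g. the "Empty answer" line that precedes it
        ts = datetime.strptime(entry.group(1), "%Y-%m-%d %H:%M:%S")
        rec = hits.setdefault(fail.group(1), {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits

# Constructed sample; hostnames are placeholders, not values from the article.
SAMPLE_LOG = '''\
2023-01-03 21:01:03,605 - session-tracker - ERROR - Empty answer from server "dc01.example.test"
2023-01-03 21:01:03,606 - session-tracker - ERROR - Failed to get version of operating system of "dc01.example.test"
2023-01-03 21:01:03,606 - session-tracker - ERROR - session-tracker.wmi_query.dc01.example.test: Failed to retrieve Windows version of Domain Controller "dc01.example.test" [80]
2023-01-03 21:02:10,114 - session-tracker - ERROR - session-tracker.wmi_query.dc02.example.test: Failed to retrieve Windows version of Domain Controller "dc02.example.test" [80]
2023-01-03 21:06:03,701 - session-tracker - ERROR - session-tracker.wmi_query.dc01.example.test: Failed to retrieve Windows version of Domain Controller "dc01.example.test" [80]
'''

if __name__ == "__main__":
    # Pass the log path as the first argument; without one, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for dc, rec in sorted(affected_domain_controllers(lines).items()):
        print(f'{dc}: {rec["count"]} failures, first {rec["first"]}, last {rec["last"]}')
```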
 


Cause

This is a known issue affecting on-premises sensors earlier than 9.7.2 and hosted sensors earlier than 2023.1. It appeared after Microsoft made changes to harden DCOM because of the vulnerability CVE-2021-26414.

Resolution

The definitive solution will be delivered with versions onpremises-9.7.2 and hosted-2023.1.

Note: If the appliances are already on a fixed software version and the issue is still present, we recommend filing a support request to troubleshoot the issue.

Workaround:


 


Additional Information

For additional details about the Active Directory integration, see:
Active Directory Guide



Note: This article is applicable to the standalone NSX Network Detection and Response product and is not intended to be applied to the NSX NDR feature of NSX-T.

Impact/Risks:
The Active Directory integration will not be able to retrieve logs from the domain controller, so user information will not be available to associate with detection events.
However, none of the detection features will be impacted by this.