Troubleshoot Cloud Discovery in Microsoft Defender for Cloud Apps

This unit provides a list of Cloud Discovery errors and resolution recommendations for each.

Microsoft Defender for Endpoint integration

Organizations often integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps. When an organization integrates these two Microsoft Defender XDR services and it doesn't see the results of the integration, it should refer to the following table. This table provides resolution actions that organizations can take should any of the following errors occur.

Issue: Reports involving Windows 10 endpoint users don't appear in the list.
Resolution: Verify the devices you're connecting to are Windows 10 version 1809 or later. Also verify that you waited the necessary two hours that it takes before your data is accessible.

Issue: Discovery reports are empty.
Resolution: If the endpoint device is behind a forward proxy, you can send logs from your forward proxy using a log collector.

Log parsing errors

You can track the processing of Cloud Discovery logs using the governance log. This table provides resolution actions that organizations can take should any of the following errors occur.

Error: Unsupported file type.
Description: The file uploaded isn't a valid log file (for example, an image file).
Resolution: Upload a text, zip, or gzip file that you directly exported from your firewall or proxy.

Error: The log format doesn't match.
Description: The log format you uploaded didn't match the expected log format for this data source.
Resolution: Complete the following steps:

1. Verify the log isn't corrupt.

2. Compare and match your log to the sample format shown in the upload page.

Error: Transactions are more than 90 days old.
Description: Cloud Discovery ignores all transactions more than 90 days old.
Resolution: Export a new log with recent events and reupload it.

Error: No transactions to cataloged cloud apps.
Description: The log doesn't include transactions to any recognized cloud apps.
Resolution: Verify the log contains outbound traffic information.

Error: Unsupported log type.
Description: When you select Data source = Other (unsupported), Cloud Discovery doesn't parse the log. Instead, it sends it to the Microsoft Defender for Cloud Apps technical team for review.
Resolution: The Microsoft Defender for Cloud Apps technical team builds a dedicated parser for each data source. Microsoft Defender for Cloud Apps already supports the most popular data sources. The technical team reviews each upload of an unsupported data source and adds it to the pipeline for new data source parsers. Microsoft Defender for Cloud Apps publishes new parser notifications as part of its release notes.
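As an added example (not code from Microsoft or from this unit), the following Python pre-upload check flags the conditions behind the first four governance-log errors above before a log is uploaded: unsupported file type, lines that don't match the expected format, transactions older than 90 days, and no transactions to cataloged apps. It assumes a constructed generic "timestamp client dest_host bytes" log layout and a small hypothetical domain set standing in for the Cloud Discovery app catalog; a real firewall export would need the matching regex for that vendor's format.

```python
import gzip, io, re, zipfile
from datetime import datetime, timedelta, timezone

# Constructed sample in a generic "timestamp client dest_host bytes" layout (not a
# real vendor format); the third record is older than 90 days relative to NOW.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LOG = b"""2024-05-30T10:00:00Z 10.0.0.5 contoso.sharepoint.com 2048
2024-05-30T10:01:00Z 10.0.0.6 dropbox.com 512
2024-01-15T08:00:00Z 10.0.0.7 box.com 128
not a log line
"""
SAMPLE_GZ = gzip.compress(SAMPLE_LOG)

# Hypothetical stand-in for the Cloud Discovery app catalog.
KNOWN_CLOUD_DOMAINS = {"dropbox.com", "box.com", "sharepoint.com", "salesforce.com"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def read_log_text(data: bytes) -> str:
    """Accept plain text, gzip or zip (first member); anything else is unsupported."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    elif data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("Unsupported file type: upload text, zip or gzip") from None

def check_log(data: bytes, now: datetime = NOW) -> dict:
    """Count the conditions behind each governance-log parsing error."""
    cutoff = now - timedelta(days=90)
    result = {"lines": 0, "format_errors": 0, "stale": 0, "cataloged": 0}
    for line in read_log_text(data).splitlines():
        result["lines"] += 1
        m = LINE_RE.match(line)
        if not m:                       # log format doesn't match
            result["format_errors"] += 1
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        if ts < cutoff:                 # transaction more than 90 days old
            result["stale"] += 1
            continue
        host = m.group(3)               # outbound destination must be a known app
        if any(host == d or host.endswith("." + d) for d in KNOWN_CLOUD_DOMAINS):
            result["cataloged"] += 1
    return result
```

A log whose result shows zero cataloged transactions, or only stale ones, would produce the corresponding governance-log error after upload, so fixing the export first saves a round trip.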

Log collector errors

Issue: Couldn't connect to the log collector over FTP.
Resolution: Complete the following steps:

1. Verify that you're using FTP credentials and not SSH credentials.

2. Check if your cloud administrator set the FTP client to SFTP, which the log collector doesn't support.

Issue: Failed updating collector configuration.
Resolution: Complete the following steps:

1. Verify that you entered the latest access token.

2. Verify in your firewall that the log collector can initiate outbound traffic on port 443.

Issue: Logs sent to the collector don't appear in the portal.
Resolution: Complete the following steps:

1. Verify whether failed parsing tasks appear in the Governance log.

   - If so, troubleshoot the error with the previous Log parsing errors table.

   - If not, complete the following steps to check the data sources and log collector configuration in the portal:

     a. In the Data source page, verify the name of the data source is NSS, and verify its configuration.
     b. In the Log collectors page, verify that the data source is linked to the right log collector.

2. Check the local configuration of the on-premises log collector machine by completing the following steps:

   a. Sign in to the log collector over SSH and run the collector_config utility.
   b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP or FTP). Then verify that it's sending them to the correct port and directory.
   c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy.

3. Verify that the log collector can initiate outbound traffic on port 443.

Issue: Log collector status: Created.
Resolution: The log collector deployment didn't complete. Complete the on-premises deployment steps according to the deployment guide.

Issue: Log collector status: Disconnected.
Resolution: No data was received in the last 24 hours from any of the linked data sources.

Issue: Failed pulling latest collector image.
Resolution: If you get this error during Docker deployment, it could be that you don't have enough memory on the host. To verify this condition, run the following command on the host:

docker pull mcr.microsoft.com/mcas/logcollector

If you receive the following error, contact your host machine administrator to provide more space:

failed to register layer: Error processing tar file(exit status 1): write /opt/jdk/jdk1.8.0_152/src.zip: no space left on device

Discovery dashboard errors

Issue: Cloud Discovery successfully uploaded and parsed data, but the Cloud Discovery dashboard appears empty.
Resolution: The organization configured the dashboard to filter on data its logs don't have. As a result, there's no data to show. Try changing the filters in the Cloud Discovery dashboard to show different types of data to see the results.