We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

This article provides a list of Cloud Discovery errors and resolution recommendations for each.

Microsoft Defender for Endpoint integration

If you integrated Microsoft Defender for Endpoint with Defender for Cloud Apps, and you don’t see the results of the integration.

Issue Resolution
Win10 endpoint users reports do not appear in the list Make sure the devices you’re connecting to are Windows 10 version 1809 or later, and that you waited the necessary two hours that it takes before your data is accessible.
Discovery reports are empty If the endpoint device is behind a forward proxy, you can send logs from your forward proxy using a log collector

Log parsing errors

You can track the processing of Cloud Discovery logs using the governance log. This article provides resolution actions to be taken for each error that can be displayed there.

Governance log errors

Error Description Resolution
Unsupported file type The file uploaded isn’t a valid log file (for example, an image file). Upload a text, **zip, or gzip file that was directly exported from your firewall or proxy.
The log format does not match The log format you uploaded didn’t match the expected log format for this data source. 1. Verify that the log isn’t corrupt.
2. Compare and match your log to the sample format shown in the upload page.
Transactions are more than 90 days old All transactions are more than 90 days old and are being ignored. Export a new log with recent events and reupload it.
No transactions to cataloged cloud apps No transactions to any recognized cloud apps are found in the log. Verify that the log contains outbound traffic information.
Unsupported log type When you select Data source = Other (unsupported), the log isn’t parsed. Instead, it’s sent for review to the Defender for Cloud Apps technical team. The Defender for Cloud Apps technical team builds a dedicated parser per each data source. Most popular data sources are already supported. Each upload of an unsupported data source is reviewed and added to the pipeline for new data source parsers. New parser notifications are published as part of the Defender for Cloud Apps release notes.
Discover More help  Troubleshoot Microsoft Defender for Endpoint live response issues

Log collector errors

Issue Resolution
Could not connect to the log collector over FTP 1. Verify that you are using FTP credentials and not SSH credentials.
2. Verify that the FTP client you are using is not set to SFTP.
Failed updating collector configuration 1. Verify that you entered the latest access token.
2. Verify in your firewall that the log collector is allowed to initiate outbound traffic on port 443.
Logs sent to the collector do not appear in the portal 1. Check to see if there are failed parsing tasks in the Governance log.
If so, troubleshoot the error with the Log Parsing error table above.
2. If not, check the data sources and Log collector configuration in the portal.
a. In the Data source page, verify that the name of data source is NSS and that it is configured correctly.
b. In the Log collectors page, verify that the data source is linked to the right log collector.
3. Check the local configuration of the on-premises log collector machine.
a. Log in to the log collector over SSH and run the collector_config utility.
b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP or FTP) and that it is sending them to the correct port and directory.
c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy
4. Verify that the log collector is allowed to initiate outbound traffic on port 443.
Log collector status: Created The log collector deployment was not completed. Complete the on-premise deployment steps according to the deployment guide.
Log collector status: Disconnected No data received in the last 24 hours from any of the linked data sources.
Failed pulling latest collector image If you get this error during Docker deployment, it could be that you don’t have enough memory on the host. To check this, run this command on the host: docker pull mcr.microsoft.com/mcas/logcollector. If it returns this error: failed to register layer: Error processing tar file(exist status 1): write /opt/jdk/jdk1.8.0_152/src.zip: no space left on device contact your host machine administrator to provide more space.
Discover More help  Troubleshooting access and session controls (Microsoft)

Discovery dashboard errors

Issue Resolution
Discovery data was uploaded and parsed successfully but the Cloud Discovery dashboard looks empty The Dashboard might be filtered on data your logs don’t have so there’s no data to show. Try changing the filters in the Cloud Discovery dashboard to show different types of data to see the results.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

(Visited 3 times, 1 visits today)