We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.
This article provides a list of Cloud Discovery errors and resolution recommendations for each.
Microsoft Defender for Endpoint integration
If you integrated Microsoft Defender for Endpoint with Defender for Cloud Apps, and you don’t see the results of the integration.
|Win10 endpoint users reports do not appear in the list||Make sure the devices you’re connecting to are Windows 10 version 1809 or later, and that you waited the necessary two hours that it takes before your data is accessible.|
|Discovery reports are empty||If the endpoint device is behind a forward proxy, you can send logs from your forward proxy using a log collector|
Log parsing errors
You can track the processing of Cloud Discovery logs using the governance log. This article provides resolution actions to be taken for each error that can be displayed there.
Governance log errors
|Unsupported file type||The file uploaded isn’t a valid log file (for example, an image file).||Upload a text, **zip, or gzip file that was directly exported from your firewall or proxy.|
|The log format does not match||The log format you uploaded didn’t match the expected log format for this data source.||1. Verify that the log isn’t corrupt.
2. Compare and match your log to the sample format shown in the upload page.
|Transactions are more than 90 days old||All transactions are more than 90 days old and are being ignored.||Export a new log with recent events and reupload it.|
|No transactions to cataloged cloud apps||No transactions to any recognized cloud apps are found in the log.||Verify that the log contains outbound traffic information.|
|Unsupported log type||When you select Data source = Other (unsupported), the log isn’t parsed. Instead, it’s sent for review to the Defender for Cloud Apps technical team.||The Defender for Cloud Apps technical team builds a dedicated parser per each data source. Most popular data sources are already supported. Each upload of an unsupported data source is reviewed and added to the pipeline for new data source parsers. New parser notifications are published as part of the Defender for Cloud Apps release notes.|
Log collector errors
|Could not connect to the log collector over FTP||1. Verify that you are using FTP credentials and not SSH credentials.
2. Verify that the FTP client you are using is not set to SFTP.
|Failed updating collector configuration||1. Verify that you entered the latest access token.
2. Verify in your firewall that the log collector is allowed to initiate outbound traffic on port 443.
|Logs sent to the collector do not appear in the portal||1. Check to see if there are failed parsing tasks in the Governance log.
If so, troubleshoot the error with the Log Parsing error table above.
2. If not, check the data sources and Log collector configuration in the portal.
a. In the Data source page, verify that the name of data source is NSS and that it is configured correctly.
b. In the Log collectors page, verify that the data source is linked to the right log collector.
3. Check the local configuration of the on-premises log collector machine.
a. Log in to the log collector over SSH and run the collector_config utility.
b. Confirm that your firewall or proxy is sending logs to the log collector using the protocol you defined (Syslog/TCP, Syslog/UDP or FTP) and that it is sending them to the correct port and directory.
c. Run netstat on the machine and verify that it receives incoming connections from your firewall or proxy
4. Verify that the log collector is allowed to initiate outbound traffic on port 443.
|Log collector status: Created||The log collector deployment was not completed. Complete the on-premise deployment steps according to the deployment guide.|
|Log collector status: Disconnected||No data received in the last 24 hours from any of the linked data sources.|
|Failed pulling latest collector image||If you get this error during Docker deployment, it could be that you don’t have enough memory on the host. To check this, run this command on the host:
Discovery dashboard errors
|Discovery data was uploaded and parsed successfully but the Cloud Discovery dashboard looks empty||The Dashboard might be filtered on data your logs don’t have so there’s no data to show. Try changing the filters in the Cloud Discovery dashboard to show different types of data to see the results.|