
Function App Not Bringing Logs into Sentinel

Open laylavo opened this issue 10 months ago • 4 comments

Describe the bug: The customer is encountering an issue with their Function App, which is failing to deliver logs to Microsoft Sentinel. They have five function apps that were initially successfully bringing in logs using the Auth0 Data Connector (ARM template) on Sentinel. However, they recently observed that the Sentinel workspace is no longer receiving logs; no logs are present, even though the Function App indicates that data is being grabbed and successfully sent to Sentinel.

To Reproduce Steps to reproduce the behavior:

  1. Go to Function App in Azure portal

  2. Click on the Function App's name

  3. In the navigation bar click on Monitor

  4. Click on the newest date to show the Invocation details to see all the logs were successfully sent to Sentinel by April 16, 2014

  5. Go to Microsoft Sentinel in Azure portal

  6. Select a Sentinel workspace's name

  7. In the navigation bar select Content hub

  8. Enter Auth0 in the search box

  9. Click on Manage

  10. Select the checkbox for Auth0 Access Management (using Azure Functions) to see the chart displayed the logs just sent to Sentinel within April 14, 2024.

Expected behavior Customer expects that Sentinel workspace can receive the logs from Function apps through Auth0 data connector normally.

Screenshots Cannot add files or paste the screenshots

Issue investigation:

  • Cus reported that there are a lot of other connectors using functions that are bringing logs normally today, such as Cisco DUO, Crowdstrike Falcon Data Replicator, Netskope, etc. > this is not a workspace issue.
  • Opened collab with Function app team > they informed that there is no issue found with the Function app deployment.
  • I have checked on ASC to check ingestion delays, but it also showed the logs flowing into Sentinel by 2024-04-14.

laylavo avatar Apr 19 '24 01:04 laylavo

Hi @laylavo, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 25-04-2024. Thanks!

v-sudkharat avatar Apr 19 '24 09:04 v-sudkharat

Hey, could you please check the configuration on the Auth0 portal side? Please find the readme file below for detailed steps: https://github.com/Azure/Azure-Sentinel/blob/963275e36e107f09201a8b9ba17192583b68147b/Solutions/Auth0/readme.md

After updating the function app, make sure to restart the function app so the changes get reflected.

Thanks!

v-sudkharat avatar Apr 24 '24 11:04 v-sudkharat

Many thanks for the update, I'll monitor it closely and get back to you with the outcome.

laylavo avatar Apr 24 '24 23:04 laylavo

Hey @laylavo, please let us know once it is completed, so we can close this issue from GitHub. Thanks!

v-sudkharat avatar Apr 26 '24 13:04 v-sudkharat

Hey @laylavo, any update for us?

v-sudkharat avatar Apr 30 '24 15:04 v-sudkharat

I'm sorry for not updating you promptly. I am pushing and following up but have received no response since I sent the troubleshooting steps.

laylavo avatar May 03 '24 00:05 laylavo

I will update you immediately once cx responds with the outcome.

laylavo avatar May 03 '24 00:05 laylavo

@laylavo, Sure. Thanks!

v-sudkharat avatar May 06 '24 06:05 v-sudkharat

@laylavo, any update for us? Thanks!

v-sudkharat avatar May 21 '24 06:05 v-sudkharat

I am checking on the issue. Once I have an update, I'll keep you posted. Thank you!

laylavo avatar May 22 '24 02:05 laylavo

OK, noted.

v-sudkharat avatar May 23 '24 07:05 v-sudkharat