|
| 1 | +--- |
| 2 | +title: Troubleshoot the Microsoft Sentinel solution for Microsoft Power Platform |
| 3 | +description: Learn how to troubleshoot common issues with the Microsoft Sentinel solution for Microsoft Power Platform. |
| 4 | +ms.author: bagol |
| 5 | +author: batamig |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 03/18/2024 |
| 9 | +#CustomerIntent: As a security engineer, I want to learn how to troubleshoot common issues with the Power Platform inventory connector for Microsoft Sentinel. |
| 10 | +--- |
| 11 | + |
| 12 | +# Troubleshoot the Microsoft Sentinel solution for Microsoft Power Platform |
| 13 | + |
| 14 | +The Microsoft Sentinel solution for Microsoft Power Platform provides an inventory connector that collects and analyzes data from Power Platform environments. The connector uses a function app to ingest data from an Azure Data Lake Storage Gen2 (ADLSv2) account where Power Platform exports the inventory data. |
| 15 | + |
| 16 | +This article provides steps to troubleshoot common issues with data collection using the inventory connector. |
| 17 | + |
| 18 | +## Prerequisites |
| 19 | + |
| 20 | +Before performing the steps described in this article, make sure that you deployed the solution fully. For more information, see [Deploy the Microsoft Sentinel solution for Microsoft Power Platform](deploy-power-platform-solution.md). |
| 21 | + |
| 22 | +## Examine the function app logs |
| 23 | + |
| 24 | +The first step to troubleshoot issues with Power Platform data collection for Microsoft Sentinel is to examine the function app logs. |
| 25 | + |
| 26 | +**To check your function app logs**: |
| 27 | + |
| 28 | +1. Go to your function app in the Azure portal. |
| 29 | +1. In the function app's **Overview** page, under **Functions**, select the **PowerPlatformInventoryDataConnector** function. |
| 30 | +1. In the **Monitor** page, check the log entries shown for any warnings or error messages. |
| 31 | + |
| 32 | +For example, the function app logs provide details about the following types of scenarios: |
| 33 | + |
| 34 | +- The function app didn't run at the scheduled time |
| 35 | +- The function app ran but had errors while ingesting data |
| 36 | +- The function app ran but didn't find any inventory data to ingest |
| 37 | + |
| 38 | +## Synchronize your function app triggers |
| 39 | + |
| 40 | +If your function app didn't run at the scheduled time, you might need to synchronize its triggers. |
| 41 | + |
| 42 | +Do this by restarting your function app from the function app's **Overview** page. Restarting the function app forces it to synchronize the triggers and run again at the next scheduled time. |
| 43 | + |
| 44 | +For more information, see [Trigger syncing](/azure/azure-functions/functions-deployment-technologies?tabs=windows#trigger-synching). |
| 45 | + |
| 46 | + |
| 47 | +## Check the ADLSv2 storage account |
| 48 | + |
| 49 | +If the function app is running but there's no data collected, check the ADLSv2 storage account to make sure inventory data was exported by the Power Platform self service analytics feature. If the feature was recently activated, it might take up to 48 hours for data to start exporting to the storage account. |
| 50 | + |
| 51 | +**To check the ADLSv2 storage account**: |
| 52 | + |
| 53 | +1. Go to the ADLSv2 storage account in the Azure portal. |
| 54 | +1. Select **Containers** and then the **powerplatform** container. |
| 55 | + |
| 56 | +The folder structure shown is similar to the folder structure defined in the [Microsoft Power Platform self-service analytics schema definition](/power-platform/admin/self-service-analytics-schema-definition). |
| 57 | + |
| 58 | +## Force a full data ingestion |
| 59 | + |
| 60 | +To reduce ingested data volume, the function app collects data in full every seven days, and only collects incremental changes in between. During those incremental periods, if no Power Platform data is changed, data isn't reingested by default. |
| 61 | + |
| 62 | +However, customers can force a full data ingestion on the next scheduled run by deleting the **lastupdated** blob storage container in the function app storage account. This isn't the same as the ADLSv2 storage account. |
| 63 | + |
| 64 | +To delete the **lastupdated** blob storage container: |
| 65 | + |
| 66 | +1. Go to the function app storage account in the Azure portal. |
| 67 | +1. Select **Containers** and then the container named **lastupdated**. |
| 68 | +1. Delete the container and confirm the deletion. |
| 69 | + |
| 70 | +A full data collection and ingestion is run on the function app's next scheduled run. |
| 71 | + |
| 72 | +Alternately, modify the default function app behavior by editing the following settings in your function app: |
| 73 | + |
| 74 | +|Setting |Description |Default value | |
| 75 | +|---------|---------|---------| |
| 76 | +|**FULL_SYNC_INTERVAL_DAYS** | The number of days until a full data ingestion occurs. | `7` | |
| 77 | +|**TIMER_SCHEDULE** | An [NCRONTAB](/azure/azure-functions/functions-bindings-timer?tabs=python-v2%2Cisolated-process%2Cnodejs-v4&pivots=programming-language-python#ncrontab-examples) schedule that defines when the function triggers | `0 0 2 * * *` | |
| 78 | + |
| 79 | + |
| 80 | +For more information, see [Working with app settings](/azure/azure-functions/functions-how-to-use-azure-function-app-settings?tabs=portal#settings). |
| 81 | + |
| 82 | +## Related content |
| 83 | + |
| 84 | +For more information, see: |
| 85 | + |
| 86 | +- [Microsoft Sentinel solution for Microsoft Power Platform overview](power-platform-solution-overview.md) |
| 87 | +- [Microsoft Sentinel solution for Microsoft Power Platform: security content reference](power-platform-solution-security-content.md) |
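Review bot: In "Force a full data ingestion" (new lines 62 to 68), the only guard against deleting a container in the wrong storage account is the trailing sentence "This isn't the same as the ADLSv2 storage account." The procedure is destructive and the article has just walked the reader through the ADLSv2 account's **powerplatform** container, so move that sentence into an alert callout (for example `> [!IMPORTANT]`) directly above the numbered steps and name the function app storage account again in step 3. The lead-in on line 64 should also be bold with the colon outside, like "**To check your function app logs**:" on line 26 and "**To check the ADLSv2 storage account**:" on line 51. Smaller points: on line 44 the link text reads "Trigger syncing" but the anchor is `#trigger-synching`, so confirm the anchor resolves; on line 76 the TIMER_SCHEDULE description is missing its closing period and the default `0 0 2 * * *` is never explained, so say that it fires daily at 02:00 and in which time zone; line 49 writes "self service analytics" while line 56 writes "self-service analytics"; and "Alternately" on line 72 should be "Alternatively".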