Issue
The "Azure Defender for Cloud streaming export is configured" status check is failing with Resource group not found errors similar to the following.
Resource group /subscriptions/<Subscription_ID>/resourceGroups/RCAutomation not found in subscription, check policy compliance for RC Automation Resource Group
Environment
Microsoft Azure Integration
Defender for Cloud (Optional Ingest Enabled)
Resolution
Issue a remediation task for any subscriptions that are non-compliant with the RC Automation Resource Group policy in Azure to create the missing Resource Group.
How to Create a New Remediation Task
A user with permission to take the microsoft.policyinsights/remediations/write action at the management group scope can follow the steps below.
- From your Azure portal, navigate to the Policy service
- Navigate to the Compliance tab and search for RC Automation Resource Group
- Click into the policy and select Create Remediation Task
- Set Scope to root management group
- Target desired subscriptions
- Click the Remediate button
If subscriptions are still non-compliant after running a remediation task, you will need to review your Azure Policy configuration or audit logs to determine which policy is preventing the Resource Group from being created (see Cause).
Once identified, modify the blocking policy to allow creation of the Resource Group or revise the parameters of the Red Canary policy to suit your policy requirements. If you have a policy preventing the Resource Group creation that requires certain parameters (e.g. region or tagging restrictions), you can modify the existing parameters of the Red Canary policy prior to creating a new remediation task.
How to Update the Azure Policy
A user with permission to take the microsoft.policyinsights/remediations/write action at the management group scope can follow the steps below.
- From your Azure Portal, navigate to the Policy service
- Navigate to Authoring > Assignments
- Find and select the RC Automation Resource Group policy
- Click Edit Assignment
- Under Parameters, set resourceGroupLocation to your preferred Azure region
- Use the Programmatic Name (e.g. eastus2)
- (optional) If you have any required tagging policies, set them in the resourceGroupTags field
- Click Review + Save then Save changes
- Select Create Remediation Task and target the non-compliant subscriptions
- Click Remediate
- Once the remediation task completes, you should see a resource group called RCAutomation in each subscription
Alternatively, instead of modifying policy parameters and creating a new remediation task, you can manually create a Resource Group named RCAutomation in the non-compliant subscriptions with your desired parameters (i.e. tags/regions).
How to Manually Create a Missing Resource Group
A user with permission to take the microsoft.resources/subscriptions/resourcegroups/write action in the failing subscription can follow the steps below.
- From your Azure portal, navigate to the Resource Groups service
- While on the Resource Groups tab, click Create
- Set Subscription to the relevant non-compliant subscription
- Set Resource group name to RCAutomation
- If eastus is disallowed by your Allowed Locations policy, set Region to an allowed region. Otherwise, set Region to eastus.
- (optional) If you have any required tagging policies, configure them on the Tags tab
- Click the Review + Create button
- Click Create to submit changes
- Repeat, as needed, for additional non-compliant subscriptions
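The manual steps above, scripted across every subscription the signed-in account can see, as an added example that is not Red Canary's own tooling. It assumes the Azure CLI (az) is installed and logged in with an account holding microsoft.resources/subscriptions/resourcegroups/write in each subscription; ALLOWED_LOCATIONS and REQUIRED_TAGS are constructed placeholder values to replace with your own Allowed Locations parameter and tagging requirements.

```shell
#!/usr/bin/env sh
# Added example: ensure an RCAutomation resource group exists in each
# subscription, picking a region your Allowed Locations policy permits.
set -eu

RG_NAME="RCAutomation"      # name the RC Automation Resource Group policy expects
DEFAULT_REGION="eastus"     # region the policy deploys to by default

# Constructed example values: set these from your own policy assignments.
ALLOWED_LOCATIONS="${ALLOWED_LOCATIONS:-eastus2 westus2}"
REQUIRED_TAGS="${REQUIRED_TAGS:-owner=secops costcenter=1234}"

# pick_region ALLOWED: print eastus when it is allowed (or when there is no
# Allowed Locations restriction), otherwise the first allowed region.
pick_region() {
  allowed="$1"
  if [ -z "$allowed" ]; then echo "$DEFAULT_REGION"; return 0; fi
  for loc in $allowed; do
    if [ "$loc" = "$DEFAULT_REGION" ]; then echo "$DEFAULT_REGION"; return 0; fi
  done
  set -- $allowed
  echo "$1"
}

# ensure_rg SUBSCRIPTION_ID: create the resource group only if it is missing.
ensure_rg() {
  sub="$1"
  region="$(pick_region "$ALLOWED_LOCATIONS")"
  if [ "$(az group exists --name "$RG_NAME" --subscription "$sub")" = "true" ]; then
    echo "$sub: $RG_NAME already present"
    return 0
  fi
  echo "$sub: creating $RG_NAME in $region"
  # REQUIRED_TAGS is intentionally unquoted so each key=value becomes its own argument.
  az group create --name "$RG_NAME" --location "$region" \
    --subscription "$sub" --tags $REQUIRED_TAGS --output none
}

# Only contact Azure when run with --apply, so the helpers can be sourced or tested.
if [ "${1:-}" = "--apply" ]; then
  for sub in $(az account list --query "[].id" --output tsv); do
    ensure_rg "$sub"
  done
fi
```

Re-run the "Azure Defender for Cloud streaming export is configured" status check afterwards; if a subscription still fails, the Allowed Locations or tagging policy you fed in is not the one blocking creation.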
RCAutomation or the Defender for Cloud export cannot be created.
Cause
The RC Automation Resource Group policy (which itself is created during onboarding when deploying the Bicep file) uses a deployIfNotExists policy definition to create a Resource Group called RCAutomation in the eastus region under each subscription in your Azure tenant. If this Resource Group cannot be created (for example, an Allowed Locations policy prevents the group from being created in the eastus region), then attempts to create the Defender for Cloud data export will fail with 404 errors because the Resource Group intended to host the automations does not exist.
Red Canary's logs do not contain a root cause indicating why the Resource Group could not be created because the policy creating it is managed and remediated by your organization's Azure tenant. To identify root cause, review your Azure Policy configuration.