Issue
One or more Azure subscriptions are failing the "Telemetry has been processed in the last day" status check with an error similar to the following:
Red Canary did not receive data from this integration.
Environment
Microsoft Azure Integration
Resolution
If a subscription is not sending telemetry to Red Canary, you can quickly determine the issue by answering four questions.
- Does Red Canary have access to my subscription?
- Is my subscription enabled?
- Is my subscription generating activity?
- Has Red Canary created the Diagnostic Settings on my subscription?
Does Red Canary have access to my subscription?
Permission to your subscriptions is granted to Red Canary through Azure Lighthouse via a Service Provider Offering called Red Canary - Azure Log Ingest. Without this access, Red Canary cannot receive telemetry for the affected subscriptions. To validate whether a subscription has delegated access to Red Canary, follow the guidance below.
How to Verify Lighthouse Access on a Subscription
A user with permission to take the microsoft.policyinsights/remediations/write action at the root tenant or management group scope can follow the steps below.
- From your Azure Portal, navigate to the Policy service and click the Compliance tab
- Under filters, set Scope to the Tenant Root Group (or to the Management Group if you've integrated Red Canary at a lower level of the hierarchy)
- Search for and select the RC Azure Log Ingest assignment
- Filter by the Subscription ID of the subscription(s) failing the status check
- If the subscription is showing as Non-compliant, click Create Remediation Task
- Set Scope to root management group
- Target the failing subscription(s)
- Click the Remediate button
When integrating Azure with Red Canary, the first series of steps involves deploying Red Canary's Bicep file and issuing remediation tasks using Cloud Shell commands. If you issued those commands using a Management Group ID rather than your Tenant ID, any subscriptions outside of the integrated Management Group's hierarchy may not appear in the list of compliant or non-compliant subscriptions.
In that case, your Global Administrator must perform Step 1: Set up the Azure infrastructure (see the integration guide) using your Tenant ID. This action redeploys the Bicep file at the root tenant level and enforces Red Canary's Lighthouse delegation on the missing subscriptions.
Is my subscription enabled?
Billing and cost management settings in Azure can affect subscription status in your tenant.
How to Verify a Subscription is Enabled
A user with a Reader role (at a minimum) on the subscription can follow the steps below.
- From your Azure Portal, navigate to the Subscriptions service
- Search for the Subscription Name or filter by Status = Disabled
- Refer to the Status column to determine the subscription's standing
Disabled or Past Due subscriptions may not be able to send telemetry or alerts to Red Canary. In those cases, disabled subscriptions are expected to continue failing status checks in Red Canary until the subscription is re-enabled.
If you have questions or issues regarding re-enabling a subscription, please reach out to Microsoft Support for assistance.
Is my subscription generating activity?
With Lighthouse access verified, next you'll want to validate that the subscription has actually generated logs that Red Canary would ingest. Subscriptions with low activity volume, or that are inactive, may experience intermittent failed status checks for telemetry flow. Using the steps below, you can quickly determine whether your subscription is generating activity relevant to Red Canary.
How to Verify a Subscription is Generating Activity
A user with a Reader role (at a minimum) on the subscription can follow the steps below.
- From your Azure Portal, navigate to the Subscriptions service
- Search for and select the Subscription name of the subscription(s) failing the status check
- From the Subscription Overview page, click the Activity Log tab
- Set Timespan filter to last 24 hours
- Ensure Subscription filter is limited to the affected subscription(s)
- There should be a non-zero number of Activity Log entries returned in the table
If you cannot find the affected subscription in the Subscriptions service by name or ID, this may indicate the subscription has been deactivated/deleted and the status check failure is a false positive.
If the only Activity Logs generated in the last day are recent (an hour or less old), allow some additional time for the status check to clear during the next sync.
Has Red Canary created the Diagnostic Settings on my subscription?
If the subscription is accessible to Red Canary and generating Activity Logs, the next step is to ensure that Diagnostic Settings have been created on the Subscription. These settings are created programmatically by Red Canary using our Lighthouse access and will export logs to an Event Hub in Red Canary's Azure tenant. To locate the log export, use the steps below.
How to Verify Diagnostic Settings Exist
A user with a Reader role (at a minimum) on the subscription can follow the steps below.
- From your Azure Portal, navigate to the Subscriptions service
- Search for and select the Subscription name of the subscription(s) failing the status check
- From the Subscription Overview page, click the Activity Log tab
- Click Export Activity Logs in the top menu
- You should see a Diagnostic Setting called RC-Logs listed
If this subscription also hosts any Key Vault resources, Red Canary will create a similar Diagnostic Setting on the Key Vault. You can find them using the following steps.
- Return to the Subscription overview page and navigate to Monitoring > Diagnostic Settings
- Click the Subscription filter and select only the failing subscription(s)
- From the listed resource types, any Key Vaults should show Diagnostic Settings enabled
- Clicking into the Key Vault should list a Diagnostic Setting called RC-Logs
Azure has a limit of 5 Diagnostic Settings per subscription or resource. If you are at the cap and RC-Logs is not listed among the existing Diagnostic Settings, you must delete an existing export to free up space for Red Canary to create the appropriate settings. If you are not at Diagnostic Setting capacity and the export has not been created, allow an hour for the settings to be created programmatically before reaching out to Red Canary Support.
If, during the course of these troubleshooting steps, you have answered Yes to each of these questions and the affected subscription is still failing the "Telemetry has been processed in the last day" status check, please open a ticket with Red Canary Support.
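The four questions above form a decision tree, and the same order of checks can be applied to values collected outside the portal. The script below is an added example (it is not Red Canary's tooling and does not call Azure itself): it walks the four questions over a per-subscription snapshot and returns the verdict and next action this article gives for each branch, including the two edge cases (only very recent Activity Logs, and the cap of 5 Diagnostic Settings). The snapshot keys are a constructed, simplified shape, not exact Azure CLI output; in practice you would fill them from the portal steps above or from commands such as `az account show` (subscription state), `az monitor activity-log list --offset 24h` (event timestamps) and `az monitor diagnostic-settings subscription list` (setting names), and the Lighthouse answer from the RC Azure Log Ingest compliance view. The sample subscriptions are constructed.

```python
"""Offline triage of the four questions in this article (added example,
not Red Canary's own code). Input snapshots are constructed; the key
names are assumptions, not the exact output shape of any az command."""
from datetime import datetime, timedelta, timezone

RC_SETTING_NAME = "RC-Logs"            # Diagnostic Setting name from the article
DIAG_SETTINGS_CAP = 5                  # Azure limit per subscription or resource
RECENT_ONLY = timedelta(hours=1)       # logs this new may not be synced yet
WINDOW = timedelta(hours=24)           # look-back period of the status check


def activity_in_window(timestamps, now):
    """Parse ISO-8601 event timestamps and keep those inside the 24h window."""
    events = [datetime.fromisoformat(t) for t in timestamps]
    return [e for e in events if now - WINDOW <= e <= now]


def triage(snapshot, now):
    """Walk the article's four questions in order; return (verdict, action).

    snapshot keys (constructed shape, assumed for this example):
      lighthouse_delegated  bool       RC Azure Log Ingest compliant on the sub
      state                 str        subscription state, e.g. "Enabled"
      activity_timestamps   list[str]  Activity Log eventTimestamp values
      diagnostic_settings   list[str]  Diagnostic Setting names on the sub
    """
    # Q1: does Red Canary have Lighthouse access?
    if not snapshot["lighthouse_delegated"]:
        return ("no_access", "Create a remediation task for RC Azure Log Ingest at "
                "the root management group, or redeploy the Bicep file with the Tenant ID")
    # Q2: is the subscription enabled?
    if snapshot["state"] != "Enabled":
        return ("not_enabled", f"Subscription is {snapshot['state']}; the status "
                "check keeps failing until it is re-enabled")
    # Q3: is it generating activity in the last 24h?
    events = activity_in_window(snapshot["activity_timestamps"], now)
    if not events:
        return ("no_activity", "No Activity Logs in the last 24h; inactive "
                "subscriptions fail the check intermittently")
    if all(now - e < RECENT_ONLY for e in events):
        return ("wait_for_sync", "Only very recent logs; allow the next sync "
                "to clear the check")
    # Q4: has RC-Logs been created?
    settings = snapshot["diagnostic_settings"]
    if RC_SETTING_NAME not in settings:
        if len(settings) >= DIAG_SETTINGS_CAP:
            return ("at_capacity", f"{len(settings)} Diagnostic Settings present; "
                    f"delete one so {RC_SETTING_NAME} can be created")
        return ("wait_for_settings", f"{RC_SETTING_NAME} not yet created; allow "
                "an hour before contacting support")
    return ("escalate", "All four answers are Yes; open a ticket with Red Canary Support")


# Constructed sample snapshots (not real subscriptions) evaluated at NOW
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "sub-a": {"lighthouse_delegated": False, "state": "Enabled",
              "activity_timestamps": ["2024-05-01T08:00:00+00:00"],
              "diagnostic_settings": []},
    "sub-b": {"lighthouse_delegated": True, "state": "Disabled",
              "activity_timestamps": [], "diagnostic_settings": []},
    "sub-c": {"lighthouse_delegated": True, "state": "Enabled",
              "activity_timestamps": ["2024-04-28T09:00:00+00:00"],   # outside window
              "diagnostic_settings": ["RC-Logs"]},
    "sub-d": {"lighthouse_delegated": True, "state": "Enabled",
              "activity_timestamps": ["2024-05-01T11:45:00+00:00"],   # 15 min old
              "diagnostic_settings": ["RC-Logs"]},
    "sub-e": {"lighthouse_delegated": True, "state": "Enabled",
              "activity_timestamps": ["2024-04-30T15:00:00+00:00"],
              "diagnostic_settings": ["siem", "archive", "ws1", "ws2", "ws3"]},
    "sub-f": {"lighthouse_delegated": True, "state": "Enabled",
              "activity_timestamps": ["2024-04-30T15:00:00+00:00"],
              "diagnostic_settings": ["siem"]},
    "sub-g": {"lighthouse_delegated": True, "state": "Enabled",
              "activity_timestamps": ["2024-04-30T15:00:00+00:00",
                                      "2024-05-01T11:50:00+00:00"],
              "diagnostic_settings": ["RC-Logs"]},
}


def triage_all(samples=SAMPLES, now=NOW):
    """Verdict per subscription id, for the constructed samples by default."""
    return {sub: triage(snap, now)[0] for sub, snap in samples.items()}


if __name__ == "__main__":
    for sub, snap in SAMPLES.items():
        verdict, action = triage(snap, NOW)
        print(f"{sub}: {verdict} - {action}")
```

The check order matters: a subscription with no Lighthouse delegation also shows no RC-Logs setting, so testing access first avoids chasing the Diagnostic Settings cap on a subscription Red Canary cannot reach at all.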
Cause
At its core, Red Canary's Azure integration delivers subscription-level telemetry as follows.
- The Bicep file deployed during onboarding creates an Azure policy
- That Azure policy grants subscription-level access to Red Canary
- Red Canary uses that access to create settings to export Activity Logs
See FAQ for Integrating Azure with Red Canary for more information.
Tags
no azure telemetry, subscription not sending data, why is a subscription not sending telemetry, troubleshooting azure telemetry issues, azure not sending telemetry, no azure activity, no azure data to Red Canary, azure data ingest failing, verify azure integration, validate working azure integration