Merge pull request #262612 from dcurwin/inbal-troubleshooting-jan7-2024

Stacyrch140 · web-flow · commit 0ac4cfa784fb · 2024-01-07T17:22:03.000-05:00
Inbal troubleshooting jan7 2024
diff --git a/articles/defender-for-cloud/troubleshooting-guide.md b/articles/defender-for-cloud/troubleshooting-guide.md
@@ -7,6 +7,7 @@ ms.topic: conceptual
 ms.custom: ignite-2022
 ms.date: 06/18/2023
 ---
+
 # Microsoft Defender for Cloud Troubleshooting Guide
 
 This guide is for information technology (IT) professionals, information security analysts, and cloud administrators whose organizations need to troubleshoot Defender for Cloud related issues.
@@ -52,13 +53,95 @@ AWS connector issues:
 - Make sure that EKS clusters are successfully connected to Arc-enabled Kubernetes.
 - If you don't see AWS data in Defender for Cloud, make sure that the AWS resources required to send data to Defender for Cloud exist in the AWS account.
 
+Defender API calls to AWS:
+
+Cost impact: When you onboard your AWS single or management account, our Discovery service initiates an immediate scan of your environment by executing API calls to various service endpoints in order to retrieve all resources that we secure.
+
+Following this initial scan, the service will continue to periodically scan your environment at the interval that you configured during onboarding. It's important to note that in AWS, each API call to the account generates a lookup event that is recorded in the CloudTrail resource.
+
+The CloudTrail resource incurs costs, and the pricing details can be found in [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).
+
+Furthermore, if you have connected your CloudTrail to GuardDuty, you're also responsible for associated costs, which can be found in the [GuardDuty documentation](https://docs.aws.amazon.com/guardduty/latest/ug/monitoring_costs.html).
+
+**Getting the number of native API calls executed by Defender for Cloud**:
+
+There are two ways to get the number of calls made by Defender for Cloud and both rely on querying AWS CloudTrail logs:
+
+- **CloudTrail and Athena tables**:
+
+1. Use an existing or create a new *Athena table*. For more information, see [Querying AWS CloudTrail logs](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html).
+
+1. Navigate to the above Athena table and use one of the below predefined queries per your needs.
+
+- **CloudTrail lake**:
+
+1. Use an existing or create a new *Event Data Store*. For more information, see [Working with AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html).
+
+1. Navigate to the above lake and use one of the below predefined queries per your needs.
+
+   Sample Queries:
+
+    - List the number of overall API calls by Defender for Cloud:
+
+      ```sql
+      SELECT COUNT(*) AS overallApiCallsCount FROM <TABLE-NAME> 
+      WHERE userIdentity.arn LIKE 'arn:aws:sts::<YOUR-ACCOUNT-ID>:assumed-role/CspmMonitorAws/MicrosoftDefenderForClouds_<YOUR-AZURE-TENANT-ID>' 
+      AND eventTime > TIMESTAMP '<DATETIME>' 
+      ```
+
+    - List the number of overall API calls by Defender for Cloud aggregated by day:
+
+      ```sql
+      SELECT DATE(eventTime) AS apiCallsDate, COUNT(*) AS apiCallsCountByRegion FROM <TABLE-NAME> 
+      WHERE userIdentity.arn LIKE 'arn:aws:sts:: <YOUR-ACCOUNT-ID>:assumed-role/CspmMonitorAws/MicrosoftDefenderForClouds_<YOUR-AZURE-TENANT-ID>' 
+      AND eventTime > TIMESTAMP '<DATETIME>' GROUP BY DATE(eventTime)
+      ```
+
+    - List the number of overall API calls by Defender for Cloud aggregated by event name:
+
+      ```sql
+      SELECT eventName, COUNT(*) AS apiCallsCountByEventName FROM <TABLE-NAME> 
+      WHERE userIdentity.arn LIKE 'arn:aws:sts::<YOUR-ACCOUNT-ID>:assumed-role/CspmMonitorAws/MicrosoftDefenderForClouds_<YOUR-AZURE-TENANT-ID>' 
+      AND eventTime > TIMESTAMP '<DATETIME>' GROUP BY eventName     
+      ```
+
+    - List the number of overall API calls by Defender for Cloud aggregated by region:
+
+      ```sql
+      SELECT awsRegion, COUNT(*) AS apiCallsCountByRegion FROM <TABLE-NAME> 
+      WHERE userIdentity.arn LIKE 'arn:aws:sts::120589537074:assumed-role/CspmMonitorAws/MicrosoftDefenderForClouds_<YOUR-AZURE-TENANT-ID>' 
+      AND eventTime > TIMESTAMP '<DATETIME>' GROUP BY awsRegion
+      ```
+
+    - The TABLE-NAME is Athena table or Event data store ID
+
 GCP connector issues:
 
 - Make sure that the GCP Cloud Shell script completed successfully.
 - Make sure that GKE clusters are successfully connected to Arc-enabled Kubernetes.
 - Make sure that Azure Arc endpoints are in the firewall allowlist. The GCP connector makes API calls to these endpoints to fetch the necessary onboarding files.
 - If the onboarding of GCP projects failed, make sure you have “compute.regions.list” permission and Microsoft Entra permission to create the service principle used as part of the onboarding process. Make sure that the GCP resources `WorkloadIdentityPoolId`, `WorkloadIdentityProviderId`, and `ServiceAccountEmail` are created in the GCP project.
 
+Defender API calls to GCP:
+
+When you onboard your GCP single project or organization, our Discovery service initiates an immediate scan of your environment by executing API calls to various service endpoints in order to retrieve all resources that we secure.
+
+Following this initial scan, the service will continue to periodically scan your environment at the interval that you configured during onboarding.
+
+**Getting the number of native API calls executed by Defender for Cloud**:
+
+   1. Go to **Logging** -> **Log Explorer**
+
+   1. Filter the dates as you wish (for example, 1d)
+
+   1. To show API calls executed by Defender for Cloud, run this query:
+
+      ```json
+      protoPayload.authenticationInfo.principalEmail : "microsoft-defender"
+      ```
+
+Refer to the histogram to see the number of calls over time.
+
 ## Troubleshooting the Log Analytics agent
 
 Defender for Cloud uses the Log Analytics agent to [collect and store data](./monitoring-components.md#log-analytics-agent). The information in this article represents Defender for Cloud functionality after transition to the Log Analytics agent.
@@ -148,9 +231,9 @@ If you are not able to onboard your Azure DevOps organization, follow the follow
 - It is important to know which account you are logged in to when you authorize the access, as that will be the account that is used. Your account can be associated with the same email address but also associated with different tenants. You should [check which account](https://app.vssps.visualstudio.com/profile/view) you are currently logged in on and ensure that the right account and tenant combination is selected.
 
     1. On your profile page, select the drop-down menu to select another account.
-    
+
         :::image type="content" source="./media/troubleshooting-guide/authorize-select-tenant.png" alt-text="Screenshot of the Azure DevOps profile page that is used to select an account.":::
-    
+
     1. After selecting the correct account/tenant combination, navigate to **Environment settings** in Defender for Cloud and edit your Azure DevOps connector. You will have the option to Re-authorize the connector, which will update the connector with the correct account/tenant combination. You should then see the correct list of organizations from the drop-down selection menu.
 
 - Ensure you have **Project Collection Administrator** role on the Azure DevOps organization you wish to onboard.
