Function App Not Bringing Logs into Sentinel #10343

Open
laylavo opened this issue Apr 19, 2024 · 8 comments

laylavo commented Apr 19, 2024

Describe the bug
The customer is encountering an issue with their Function App, which is failing to deliver logs to Microsoft Sentinel. They have five function apps that were initially successfully bringing in logs using the Auth0 Data Connector (ARM template) on Sentinel. However, they recently observed that the Sentinel workspace is no longer receiving logs; no logs are present, even though the Function App indicates that data is being grabbed and successfully sent to Sentinel.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Function App in Azure portal

  2. Click on the Function App's name

  3. In the navigation bar click on Monitor

  4. Click on the newest date to show the Invocation details to see all the logs were successfully sent to Sentinel by April 16, 2014

  5. Go to Microsoft Sentinel in Azure portal

  6. Select a Sentinel workspace's name

  7. In the navigation bar select Content hub

  8. Enter Auth0 in the search box

  9. Click on Manage

  10. Select the checkbox for Auth0 Access Management (using Azure Functions) to see that the chart displays the logs just sent to Sentinel within April 14, 2024.

Expected behavior
Customer expects that Sentinel workspace can receive the logs from Function apps through Auth0 data connector normally.

Screenshots
Cannot add files or paste the screenshots

Issue investigation:

  • Cus reported that there are a lot of other connectors using functions that are bringing logs normally today, such as Cisco DUO, Crowdstrike Falcon Data Replicator, Netskope, etc. > this is not a workspace issue.
  • Opened collab with Function app team > they informed that there is no issue found with the Function app deployment.
    + I have checked on ASC to check ingestion delays, but it also showed the logs flowing into Sentinel by 2024-04-14.

v-sudkharat added the Connector Connector specialty review needed label Apr 19, 2024

@v-sudkharat
Contributor

Hi @laylavo, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 25-04-2024. Thanks!

@v-sudkharat
Contributor

Hey, could you please check the configuration on the Auth0 portal side? Please find the readme file below for detailed steps:
https://github.com/Azure/Azure-Sentinel/blob/963275e36e107f09201a8b9ba17192583b68147b/Solutions/Auth0/readme.md

After updating the function app, make sure to restart the function app so the changes get reflected.

Thanks!

@laylavo
Author

laylavo commented Apr 24, 2024

Many thanks for the update, I'll monitor it closely with cx and get back to you with the outcome.

@v-sudkharat
Contributor

Hey @laylavo, please let us know once it is completed, so we can close this issue from GitHub. Thanks!

@v-sudkharat
Contributor

Hey @laylavo, any update for us?

@laylavo
Author

laylavo commented May 3, 2024

I'm sorry for not updating you promptly. I am pushing and following up but have received no response from cus since I sent them the troubleshooting steps.

@laylavo
Author

laylavo commented May 3, 2024

I will update you immediately once cx responds with the outcome.

@v-sudkharat
Contributor

@laylavo, Sure. Thanks!
