Microsoft Sentinel: Troubleshooting¶
Common Issues¶
| Issue | Resolution |
|---|---|
| Logic App fails with a "Forbidden" error | Permissions issue with the Logic App and/or Function App. Provision each playbook and the function app if installed with subscription "Microsoft Sentinel Responder" access. See the permissions section in the installation guide. |
| The Iris Investigate URL playbook doesn't run | Make sure the additional Azure Function App is installed. This is needed to run the python code needed to parse a URL to a domain. See the URL playbook prerequisites section. Make sure to also give the function app "Microsoft Sentinel Responder" permissions. |
| Nothing is getting enriched | Open the Logic App view. In the overview pane, the status should show succeeded or running. Select the most recent run for details to help diagnosis. If the run is successful, but nothing got enriched, check to make sure the entity is mapped correctly: the playbooks expect host, URL (in the case of the URL playbook), or can be modified to use DNS domain name. Farsight DNSDB playbooks also support IP. |
| Logic App loading is very slow | The Domain Enrichment - DomainTools Iris Investigate logic app can take several minutes to load due to its size. This is expected behavior. |
| Duplicate permission errors when configuring Logic Apps | If you see failure notices for duplicate permissions when adding Microsoft Sentinel Responder access, these can be safely ignored. They indicate the permission already exists. |
| API rate limit errors | Iris Investigate supports 20 requests per minute, while Iris Enrich supports 60 requests per minute. If you're hitting rate limits, consider using Iris Enrich for high-volume enrichment scenarios or implementing delays between requests. |
| DNSDB quota exceeded | DNSDB usage counts against your daily or block quota. Monitor your usage through the Service Limits action or contact your Farsight account manager to adjust your quota. |
Getting Help¶
If you continue to experience issues:
- Check the Logic App run history: Navigate to the Logic App in Azure and review the run history for detailed error messages
- Review Azure documentation: Consult Microsoft's Logic Apps troubleshooting guide
- Contact support: Email enterprisesupport@domaintools.com with:
- Description of the issue
- Logic App run history screenshots
- Error messages
- Steps to reproduce