Adapter Fetch Notifications with the Enforcement Center

Howdy folks! Axonius 4.6 introduced many great features to the Enforcement Center, including expanding available query types for triggers – specifically, adapter fetch logs and activity logs. I wanted to share how we could use adapter fetch logs in the Enforcement Center to send notifications for adapter connections not returning all devices as expected. 

An adapter might return 0 devices or users for several reasons:

  • Updates to assets in the data source
  • Timeouts from the data source
  • The adapter connection changed to exclude too many devices
  • A change to API endpoints causes an unexpected error
  • API credentials or permissions changed

Regardless of the scenario, the adapter shows a successful green status, but we aren’t fetching any devices! 

This isn’t ideal, as we could be lulled into a false sense of security, thinking our adapter is fetching our devices. In reality, those devices are at risk of being deleted per the adapter's “Delete devices not seen from the source in the last X hours” setting.

Let’s review how to create notifications when this occurs to prompt manual review. We can find all our adapters’ fetch histories here:

https://<axonius_hostname>/adapters_fetch_history

Here we can see some filters that we can use for our query.

Let’s create a query to alert on adapters not pulling in any devices. To start, select the adapters you’d like to filter. If you’re working with devices, you probably don’t want to be notified when the Okta adapter isn’t bringing back any devices, since it is a user source.

The next filter we’ll want is on Fetch Status; this should be “Fetch ended successful.” As for total devices, we’ll set that to “Less than X,” where X is the least number of devices we expect. Because I want notifications when fetches return 0 devices, I’ll set X = 1. Lastly, we want all fetch logs in the last day, so we’ll set our timeframe to the last one day.

At this point, we’re ready to create our notification action. I’ll go ahead and use the “Send Email” Notification action.

recipients have been removed

Keeping “Send email even if no data is returned in the query” disabled will ensure we only get notified when the fetch returns less than X devices.

Ensure the action runs every one day. We could also run it every discovery cycle if you do one discovery cycle per day. We can manually run the action to review the results.
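To make the query logic concrete, here is an added example (not code from the post or from Axonius) that applies the same four filters to a set of constructed fetch-history records: skip excluded adapters, keep only “Fetch ended successful” fetches, keep only those with fewer than X devices, and keep only those within the last day. The field names (`adapter`, `status`, `total_devices`, `ended`) and the sample records are assumptions made for the example. It also reproduces the “Send email even if no data is returned” behaviour: with that option off, an empty result produces no notification.

```python
from datetime import datetime, timedelta, timezone

# Status label as it appears in the Enforcement Center filter.
SUCCESS_STATUS = "Fetch ended successful"

# Constructed sample fetch-history records. The field names are assumptions
# made for this example; they are not the Axonius data model.
FETCH_HISTORY = [
    {"adapter": "crowdstrike", "status": SUCCESS_STATUS, "total_devices": 0, "ended": "2024-05-01T09:00:00Z"},
    {"adapter": "okta", "status": SUCCESS_STATUS, "total_devices": 0, "ended": "2024-05-01T10:00:00Z"},
    {"adapter": "aws", "status": SUCCESS_STATUS, "total_devices": 0, "ended": "2024-04-29T20:00:00Z"},
    {"adapter": "tanium", "status": "Fetch ended with error", "total_devices": 0, "ended": "2024-05-01T11:00:00Z"},
    {"adapter": "active_directory", "status": SUCCESS_STATUS, "total_devices": 1250, "ended": "2024-05-01T07:00:00Z"},
    {"adapter": "jamf", "status": SUCCESS_STATUS, "total_devices": 0, "ended": "2024-05-01T02:00:00Z"},
]

# Adapters we never want device alerts for (Okta is a user source).
EXCLUDED_ADAPTERS = {"okta"}

# Fixed "now" so the example produces the same result on every run.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def silent_fetches(records, excluded_adapters=frozenset(), min_devices=1,
                   lookback_hours=24, now=None):
    """Return fetches that ended successfully but returned fewer than
    min_devices devices within the lookback window, sorted by adapter."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=lookback_hours)
    hits = []
    for rec in records:
        if rec["adapter"] in excluded_adapters:
            continue  # adapter filter
        if rec["status"] != SUCCESS_STATUS:
            continue  # failed fetches already show a red status; not our case
        if rec["total_devices"] >= min_devices:
            continue  # "Less than X" filter
        if parse_ts(rec["ended"]) < cutoff:
            continue  # "last one day" timeframe filter
        hits.append(rec)
    return sorted(hits, key=lambda r: r["adapter"])


def should_notify(hits, send_even_if_empty=False):
    """Mirror the 'Send email even if no data is returned' toggle."""
    return send_even_if_empty or bool(hits)


def summarize(hits):
    """Render the matching fetches as CSV text, like the action's attachment."""
    lines = ["adapter,status,total_devices,ended"]
    for rec in hits:
        lines.append(f'{rec["adapter"]},{rec["status"]},{rec["total_devices"]},{rec["ended"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    matches = silent_fetches(FETCH_HISTORY, EXCLUDED_ADAPTERS, now=NOW)
    if should_notify(matches):
        print(summarize(matches))
```

Run as-is, it flags `crowdstrike` and `jamf`: `okta` is excluded, `aws` is older than one day, `tanium` did not end successfully, and `active_directory` returned devices. Widening `lookback_hours` or raising `min_devices` shows how the alert scope changes before you commit the filter in the Enforcement Center.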

Here is the output from our CSV. 

These alerts can also be sent via Microsoft Teams or Slack, so please pick whichever channel best ties into your DevSecOps practice. Please let us know if you have any questions!
