Errors observed in the JumpCloud Function App

[HotdogAndBaloney314]

Hi Team,

We've recently used the JumpCloud data connector available in this repository. Logs are now flowing in to Microsoft Sentinel. However, we're seeing 2 errors in the log stream. See below:

Error 1:
2025-01-08T13:10:20Z [Warning] Error response [ea143ec5-5517-4b81-91df-563cdbbe1b0f] 409 The specified container already exists. (00.0s) Server:Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id:f8127057-d01e-0011-7fce-612bae000000 x-ms-client-request-id:ea143ec5-5517-4b81-91df-563cdbbe1b0f x-ms-version:2023-11-03 x-ms-error-code:ContainerAlreadyExists Date:Wed, 08 Jan 2025 13:10:19 GMT Content-Length:230 Content-Type:application/xml

Error 2:
2025-01-21T11:35:07Z [Error] ERROR: Cannot find an overload for "ToString" and the argument count: "1". Exception : Type : System.Management.Automation.MethodException ErrorRecord : Exception : Type : System.Management.Automation.ParentContainsErrorRecordException Message : Cannot find an overload for "ToString" and the argument count: "1". HResult : -2146233087 CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException FullyQualifiedErrorId : MethodCountCouldNotFindBest InvocationInfo : ScriptLineNumber : 136 OffsetInLine : 9 HistoryId : 1 ScriptName : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 Line : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') Statement : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') PositionMessage : At C:\home\site\wwwroot\JCQueueTrigger1\run.ps1:136 char:9 + $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PSScriptRoot : C:\home\site\wwwroot\JCQueueTrigger1 PSCommandPath : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 CommandOrigin : Internal ScriptStackTrace : at , C:\home\site\wwwroot\JCQueueTrigger1\run.ps1: line 136 TargetSite : System.Object CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.String) Message : Cannot find an overload for "ToString" and the argument count: "1". Source : Anonymously Hosted DynamicMethods Assembly HResult : -2146233087 StackTrace : at CallSite.Target(Closure, CallSite, Object, String) at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1) at CallSite.Target(Closure, CallSite, Object, String) at (Closure, FunctionContext) CategoryInfo : NotSpecified: (:) [], MethodException FullyQualifiedErrorId : MethodCountCouldNotFindBest InvocationInfo : ScriptLineNumber : 136 OffsetInLine : 9 HistoryId : 1 ScriptName : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 Line : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') Statement : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') PositionMessage : At C:\home\site\wwwroot\JCQueueTrigger1\run.ps1:136 char:9 + $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PSScriptRoot : C:\home\site\wwwroot\JCQueueTrigger1 PSCommandPath : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 CommandOrigin : Internal ScriptStackTrace : at , C:\home\site\wwwroot\JCQueueTrigger1\run.ps1: line 136
2025-01-21T11:35:07Z [Error] ERROR: Cannot find an overload for "ToString" and the argument count: "1". Exception : Type : System.Management.Automation.MethodException ErrorRecord : Exception : Type : System.Management.Automation.ParentContainsErrorRecordException Message : Cannot find an overload for "ToString" and the argument count: "1". HResult : -2146233087 CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException FullyQualifiedErrorId : MethodCountCouldNotFindBest InvocationInfo : ScriptLineNumber : 136 OffsetInLine : 9 HistoryId : 1 ScriptName : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 Line : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') Statement : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') PositionMessage : At C:\home\site\wwwroot\JCQueueTrigger1\run.ps1:136 char:9 + $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PSScriptRoot : C:\home\site\wwwroot\JCQueueTrigger1 PSCommandPath : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 CommandOrigin : Internal ScriptStackTrace : at , C:\home\site\wwwroot\JCQueueTrigger1\run.ps1: line 136 TargetSite : System.Object CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.String) Message : Cannot find an overload for "ToString" and the argument count: "1". Source : Anonymously Hosted DynamicMethods Assembly HResult : -2146233087 StackTrace : at CallSite.Target(Closure, CallSite, Object, String) at (Closure, FunctionContext) CategoryInfo : NotSpecified: (:) [], MethodException FullyQualifiedErrorId : MethodCountCouldNotFindBest InvocationInfo : ScriptLineNumber : 136 OffsetInLine : 9 HistoryId : 1 ScriptName : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 Line : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') Statement : $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM-ddThh:mm:ssZ') PositionMessage : At C:\home\site\wwwroot\JCQueueTrigger1\run.ps1:136 char:9 + $LastRecordTimestamp = $LastRecordTimeStamp.ToString('yyyy-MM … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PSScriptRoot : C:\home\site\wwwroot\JCQueueTrigger1 PSCommandPath : C:\home\site\wwwroot\JCQueueTrigger1\run.ps1 CommandOrigin : Internal ScriptStackTrace : at , C:\home\site\wwwroot\JCQueueTrigger1\run.ps1: line 136

We've already updated the runtime and the powershell core version to ~4 and 7.4 respectively based on the recommendation from this link -- #11535

To Reproduce

1. Go to 'Log Streams' in the Function App and monitor for a few minutes for the errors to appear.

Expected behavior
I am expecting to not see any errors within the log streams and the functions

Screenshots

Additionally, is it possible to set the logging level of the function app triggers? We're getting high number of logs into the AppTraces table -- as I understand it, it's possible to edit the host.json file to add the a line to specify the logging level (https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2)

Hoping for your kind response, thank you!

[v-sudkharat]

Hi @JustineTheHacker, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[v-sudkharat]

Hi @JustineTheHacker,
Based on the error message you've shared; it appears that the value for$LastRecordTimestampmight not be consistent or is not in the correct format. Updated the script to handle this.
Could you please test the updated script in your Testing environment and let us know if the error still appears in the log stream? Unfortunately, we don't have the log flow in our environment, so your testing would be greatly appreciated.

Below is the updated zip link:
https://github.com/Azure/Azure-Sentinel/raw/8334b2101266782ae75b6f910a7b2deeb58d7d29/DataConnectors/JumpCloud%20Single%20Sign%20On/AzureFunctionJumpCloud/JumpCloudSSO.zip

Go to your function app, and update the above link in WEBSITE_RUN_FROM_PACKAGE:

We have tested with available data and could not get any Error in a Log Stream :

Thanks!

[v-sudkharat]

@JustineTheHacker, Waiting for your response on above comment. Thanks!

[HotdogAndBaloney314]

Hi @v-sudkharat ,

We have now test this -- however, we've seen a drastic reduction in the logs being feeded to Sentinel (which is strangely unusual)

[v-sudkharat]

@JustineTheHacker, Thank you for the response. we will check for the connector behavior with the connector author.
Meantime, could you please send the logs with us -
a. Before updating the function app zip.
b. After updating function app zip.
It will help us analyze the received logs of different scenarios.
Email ID - v-sudkharat@microsoft.com

we will request you, If you have already tested it in your production function app and not in a lab test environment, please update the website run from the package link to the old one, as this will help ensure no logs are missed.
Old link - https://aka.ms/sentinel-Jumpcloud-functionapp

If you are still testing in a lab environment, we recommend keeping the change in place and allowing more time to see if it reduces the logs. Additionally, please check whether you are encountering the same error in the log stream as seen in the preview.

Additionally, We would also like to request that you verify the logs in the JumpCloud console to ensure that the logs being received in Sentinel are the same.

Thanks!

[v-sudkharat]

@JustineTheHacker, could you please verify and let us know that while deployment of the new function app in which the logs are reduced, is value for the Jump Cloud Event Types are same as previously it has?

Change in event type value also may the reason for it.

[HotdogAndBaloney314]

Hi @v-sudkharat,

I presume it still is. We didn't change anything aside from the WEBSITE_RUN_FROM_PACKAGE link. Unfortuantely, we won't be able to provide any logs from our end for confidentiality purposes. Would it be better to delete the old function app, and repdeloy a new one using the new package you provided?

Kind Regards

[HotdogAndBaloney314]

Hi @v-sudkharat ,

I have checked the event types and we're still getting the same event types (though at a much lower rate)

Kind Regards

[v-sudkharat]

Hi @JustineTheHacker, instead of deleting the function app, we recommend simply restarting the function app after updating the WEBSITERUNFROMPACKAGE link.

Answering to your question - we've seen a drastic reduction in the logs being feeded to Sentinel (which is strangely unusual) :

We tested the concern you shared with two different scenarios, deploying two function apps in different environments to verify if there’s any reduction in logs after updating the function app.

In our JumpCloud console we have Total 26 event count of logs:

1. Function App Deployment in Workspace 1 (No Changes):

   • We deployed the function app in our workspace without making any changes:
     

   a. After deployment, we monitored the Log Stream for errors but observed no errors, except for a warning message related to
   the storage account:
   

   b. In Sentinel workspace, we checked the log results:
   

   

2. Function App Deployment in Workspace 2 (With WebsiteRunFromPackage Link Change):

   • We deployed the function app in Workspace 2 after changing the WebsiteRunFromPackage link:
     

   a. After deployment, we again monitored the Log Stream for errors and saw no errors except for the storage account warning:
   

   b. In Sentinel workspace, we checked the log results:
   

   

In both workspaces, we observed no reduction in the log count. The logs remained consistent.

Thanks!

[HotdogAndBaloney314]

Hi @v-sudkharat ,

One thing I've noticed when using the previous script was there were a lot of logs being duplicated -- so it might be what caused the log reduction. I've seen more errors in the "AppTraces" table -- I will send it to your email for analysis.

Kind Regards

[HotdogAndBaloney314]

Hi @v-sudkharat ,

I've sent the errors to your email ID v-sudkharat@microsoft.com. Hoping for your response. Thank you!

Kind Regards

[v-sudkharat]

@HotdogAndBaloney314, Received your mail, but attachment has been blocked by ORG, could you please resent or send it with imp.
Thanks!

[v-sudkharat]

Hi @JustineTheHacker, instead of deleting the function app, we recommend simply restarting the function app after updating the WEBSITERUNFROMPACKAGE link.

Answering to your question - we've seen a drastic reduction in the logs being feeded to Sentinel (which is strangely unusual) :

We tested the concern you shared with two different scenarios, deploying two function apps in different environments to verify if there’s any reduction in logs after updating the function app.

In our JumpCloud console we have Total 26 event count of logs:

1. Function App Deployment in Workspace 1 (No Changes):

   • We deployed the function app in our workspace without making any changes:
     

   a. After deployment, we monitored the Log Stream for errors but observed no errors, except for a warning message related to
   the storage account:
   
   b. In Sentinel workspace, we checked the log results:
   
   

2. Function App Deployment in Workspace 2 (With WebsiteRunFromPackage Link Change):

   • We deployed the function app in Workspace 2 after changing the WebsiteRunFromPackage link:
     

   a. After deployment, we again monitored the Log Stream for errors and saw no errors except for the storage account warning:
   
   b. In Sentinel workspace, we checked the log results:
   
   

In both workspaces, we observed no reduction in the log count. The logs remained consistent.

Thanks!

Hi @HotdogAndBaloney314, Did you validated the count on logs in Jumpcloud and function app Logs as mentioned above?
And waiting for your app trace mail
Thanks!