This guide addresses common issues and troubleshooting methods related to cloud-based scanning in the CYRISMA platform. Most challenges arise from improper Microsoft Office 365 or Google Workspace credential configurations during setup. Follow this troubleshooting guide to resolve issues effectively.

1. Common Cloud Scanning Issues

1.1. Scans Fail to Authenticate

Symptoms:

• Cloud scans fail with an authentication error.
• Credentials are rejected or produce an error message.

Possible Causes:

• Incorrect API credentials during setup.
• Expired Client Secret or missing permissions.

Resolutions:

1. Microsoft Office 365:
   • Verify the Client ID, Publisher Domain (Netorg URL), and Client Secret entered in CYRISMA match the values from your Azure Portal.
   • Check that permissions for Microsoft Graph API include Read All for the required scopes (e.g., AuditLogs, Calendar, Mail).
   • Regenerate the Client Secret if it has expired and update it in CYRISMA.
2. Google Workspace:
   • Ensure the JSON security file is correctly uploaded or the manual values (e.g., project_id, private_key, client_email) are entered.
   • Confirm OAuth scopes (https://www.googleapis.com/auth/gmail.readonly, etc.) were added during setup and domain-wide delegation is granted.

1.2. Scans Do Not Detect Cloud Data

Symptoms:

• Scans run successfully but return no data or incomplete results.

Possible Causes:

• Incorrect permissions assigned to the API in Microsoft or Google.
• Delegated access not authorized in Google Workspace.

Resolutions:

Microsoft Office 365:

• Confirm that Microsoft Graph API permissions (e.g., Mail.Read, Drive.Read) are set to Application Permissions in the Azure Portal.
• Verify that all permissions are granted Admin Consent (green checkmarks in Azure).

Google Workspace:

• Check that domain-wide delegation is set up correctly under API Controls in the Google Admin Console.
• Ensure the Client ID used in domain-wide delegation matches the Service Account’s Client ID in the Google Cloud Project.

1.3. Expired or Invalid Credentials

Symptoms:

• Scans that previously worked now fail.
• Error messages referencing invalid or expired credentials.

Possible Causes:

• Expired Client Secret in Office 365.
• Missing or invalid JSON file for Google Workspace.

Resolutions:

Microsoft Office 365:

• Navigate to Azure Portal > Certificates & Secrets.
• Regenerate a new Client Secret with a 12-month expiration.
• Update CYRISMA with the new Client Secret.

Google Workspace:

• Recreate a new JSON security file for the Service Account in the Google Cloud Console.
• Re-upload the JSON file to CYRISMA or manually update fields like private_key and client_email.

1.4. Cloud Sensors Fail to Connect

Symptoms:

• CYRISMA cannot connect to Office 365 or Google services.
• API connection test fails.

Possible Causes:

• Network or firewall blocking agent communication.
• Incorrect base URL or API endpoints.

Resolutions:

Network and Firewall:

• Ensure the agent host has outbound access to cyrisma.com, Microsoft Graph endpoints, and Google API endpoints.
• Whitelist ports required for API communication.

Base URL and API Setup:

• Confirm that the base URL entered during the setup process is accurate (e.g., https://cc[Instance_ID].cyrisma.com).
• Verify the API endpoints in Azure and Google configurations.

2. Step-by-Step Troubleshooting

2.1. Verify Microsoft Office 365 Configuration

1. Log in to the Azure Portal.
2. Go to App Registrations > CYRISMA:
   • Verify API Permissions are correctly set.
   • Check the Certificates & Secrets section for valid Client Secret.
3. Ensure Admin Consent is granted to all permissions.
4. Update CYRISMA with the correct Client ID, Publisher Domain, and Client Secret.

2.2. Verify Google Workspace Configuration

1. Log in to Google Cloud Console.
2. Confirm that APIs are enabled for the project:
   • Admin SDK API.
   • Gmail API.
   • Google Drive API.
3. Check that the JSON security file contains accurate credentials:
   • project_id, private_key, and client_email.
4. Go to Google Admin Console > Security > API Controls:
   • Confirm domain-wide delegation is set up with the correct Client ID and scopes.

2.3. Inspect CYRISMA Cloud Sensor Configuration

1. Navigate to Admin > System Config > Integrations.
2. Verify the credentials entered for:
   • Microsoft Office 365: Check the Client ID, Publisher Domain, and Client Secret.
   • Google Workspace: Ensure the JSON file or manually entered credentials match the Google Service Account settings.
3. Run the Verify Credentials option to confirm connectivity.

3. Best Practices for Cloud Scanning

Credential Management:

• Regenerate Client Secrets or JSON security files well before they expire.
• Use descriptive names for projects and service accounts (e.g., "CYRISMA-365" or "CYRISMA-Google").

Network and Firewall Settings:

• Ensure agents have unrestricted outbound access to cyrisma.com and the relevant API endpoints for Microsoft and Google.

API Permissions:

• Always review permissions in Azure and Google Console to ensure all required scopes are granted.

Backup Credentials:

• Securely store all API credentials, including Client Secrets and JSON files, as they are often shown only once during creation.

Test Scans Regularly:

• Perform test scans after setting up or updating credentials to ensure functionality.

4. FAQs

Q: How do I fix a failed credential verification in CYRISMA?
A: Recheck the entered values for API credentials. For Office 365, verify Client ID, Publisher Domain, and Client Secret. For Google, re-upload the JSON file or check manually entered fields.

Q: Why are some Google Workspace mailboxes or files missing?
A: Confirm that the JSON file has the required scopes and domain-wide delegation is correctly configured in the Google Admin Console.

Q: What happens if my credentials expire?
A: For Microsoft, regenerate a new Client Secret in Azure and update CYRISMA. For Google, create a new JSON security file and re-upload it.