Troubleshooting
Common issues and solutions for The One Defend.
Defend Module Not Activating on Enrolled Devices
Symptoms: RMM agent is active but Defend status shows "Inactive" or doesn't appear.
Solutions:
- Verify the organization has an active Defend subscription in Hub Billing
- Confirm the device's RMM agent is online and reporting
- Wait for the next agent heartbeat — module activation happens on the heartbeat check
- Check that the agent version meets the minimum version required for Defend
Device Shows Agent Active But Telemetry Not Flowing
Symptoms: Device shows "Defend: Active" but no events appear in the detection dashboard or investigation timeline.
Solutions:
- Verify outbound connectivity to theonedefend-events.servicebus.windows.net on port 443
- Check for firewall or proxy rules blocking Event Hub endpoints
- Confirm the device's SAS token has not expired (auto-refreshes every 24 hours)
- Check the agent's local disk buffer — if full, the buffer may need to be cleared
- Verify ETW providers (Windows), ESF entitlements (macOS), or eBPF permissions (Linux) are properly configured
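Two of the checks above can be scripted from an endpoint: the outbound TCP/TLS reachability of the Event Hub host (reporting the certificate issuer, so an intercepting proxy is visible) and the expiry of the agent's SAS token. This is an added example, not code from The One Defend or its agent; it assumes the token uses the standard Azure Service Bus form `SharedAccessSignature sr=...&sig=...&se=...&skn=...`, and the policy name and key used for test data are constructed.

```python
import base64
import hashlib
import hmac
import socket
import ssl
import time
from urllib.parse import parse_qs, quote

EVENT_HUB_HOST = "theonedefend-events.servicebus.windows.net"  # endpoint named in this guide
SAS_PREFIX = "SharedAccessSignature "


def build_sas_token(resource_uri, policy_name, key, ttl_seconds):
    """Mint an Azure-style SAS token (HMAC-SHA256 over 'resource\\nexpiry').
    Used here only to create test data; the real agent mints and refreshes its own."""
    expiry = int(time.time()) + ttl_seconds
    string_to_sign = quote(resource_uri, safe="") + "\n" + str(expiry)
    digest = hmac.new(key.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    sig = quote(base64.b64encode(digest).decode(), safe="")
    return f"{SAS_PREFIX}sr={quote(resource_uri, safe='')}&sig={sig}&se={expiry}&skn={policy_name}"


def sas_token_status(token, now=None):
    """Return (expired, seconds_remaining) read from the token's 'se' field.
    An expired token fails silently: the agent still reports 'Active' while
    the Event Hub rejects every batch it ships."""
    if not token.startswith(SAS_PREFIX):
        raise ValueError("not a SharedAccessSignature token")
    expiry = int(parse_qs(token[len(SAS_PREFIX):])["se"][0])
    now = int(time.time()) if now is None else int(now)
    return expiry <= now, expiry - now


def check_outbound(host=EVENT_HUB_HOST, port=443, timeout=5.0):
    """TCP-connect, then complete a TLS handshake and record the certificate issuer.
    A refused or timed-out connect points at a firewall rule; a failed handshake or an
    unexpected issuer points at an intercepting proxy the agent's cert checks will reject."""
    result = {"tcp_ok": False, "tls_ok": False, "issuer": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp_ok"] = True
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_ok"] = True
                issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
                result["issuer"] = issuer.get("organizationName")
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result
```

Run `check_outbound()` from the affected device; a `tcp_ok` of False with a refused or timed-out error is the firewall case, while `tls_ok` False with `tcp_ok` True is the proxy case.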
High Rate of False Positives
Symptoms: Many detections are being marked as False Positive, creating alert fatigue.
Solutions:
- If the device was recently enrolled, wait for the 7-day behavioral baseline learning period to complete
- Add rule exclusions for known-good software that triggers detections (e.g., backup agents, monitoring tools, deployment scripts)
- Adjust the behavioral AI anomaly threshold in Settings → Behavioral AI (raise from default 75 to reduce sensitivity)
- Review and tune process exclusions in the agent configuration for noisy processes
- Mark False Positives consistently — the ML pipeline incorporates feedback during weekly retraining
Detection Not Generating PSA Ticket
Symptoms: Critical or high-severity detection fires but no PSA ticket is created.
Solutions:
- Verify PSA integration is configured in Settings → Response Automation → PSA Integration
- Check that auto-ticket creation is enabled for the detection severity level
- Confirm the PSA API URL and integration key are correct
- Check the integration health dashboard for PSA connectivity issues
Isolate Action Not Taking Effect
Symptoms: "Isolate Device" action shows as completed but the device still has network access.
Solutions:
- Confirm the agent is online — isolation requires the agent to receive and execute the command
- Check the response action verification result — it may show failure details
- On Windows, verify that the agent has permissions to modify Windows Firewall rules
- If the device is behind a NAT or VPN, the RMM management channel may need firewall exceptions
Rewind Failed
Symptoms: Ransomware rewind recovery fails during execution.
Solutions:
- VSS not enabled: On Windows, ensure Volume Shadow Copy is enabled on affected drives
- No backup available: Verify the Backups product is active and has a snapshot at or before the rewind target
- Insufficient storage: VSS snapshots require disk space — check available space
- Backups API connectivity: Run a dry-run test in Recovery → Test to validate the pipeline
- Timing: If the attack ran for a long time before detection, the rewind target may be before the oldest available backup
Compliance Report Missing Controls
Symptoms: Generated compliance report shows gaps in controls that you expected to be covered.
Solutions:
- Verify telemetry is flowing from all relevant devices — gaps in coverage create control gaps
- Some controls require manual attestation (physical security, personnel checks) — these cannot be verified through telemetry
- Check device enrollment coverage — devices without Defend active are excluded from compliance metrics
- Ensure the reporting period captures enough data (at least 30 days for meaningful metrics)
IOC Feed Not Updating
Symptoms: IOC feeds show stale data or "Last refresh" timestamp is more than 6 hours old.
Solutions:
- Check Event Hub connectivity from the background function app
- Verify the IOC feed source URLs are accessible (abuse.ch, OTX may have temporary outages)
- Check the background timer function app health in Azure
- For AlienVault OTX, verify the API key is valid and not rate-limited
Process Tree Not Loading in Investigation
Symptoms: Investigation workspace opens but the process tree tab shows "No data available."
Solutions:
- Check the detection timestamp — process tree data requires telemetry in the ±30-minute window
- If the event is older than 90 days, data may have moved to cold archive and is no longer queryable in real time
- Verify the device was collecting process events at the time (check event type toggles in agent config)
- For macOS/Linux, ensure ESF/eBPF was properly initialized at the time of the event
Agent Consuming High CPU
Symptoms: The RMM agent (with Defend module) is using consistently high CPU on an endpoint.
Solutions:
- Check the sampling rate — reduce from 1.0 to 0.5 for high-activity endpoints
- Review process exclusions — noisy processes (build tools, database engines) should be excluded
- Increase the batch interval from 1000ms to 2000ms or higher to reduce signing overhead
- On Windows, check for ETW provider misconfiguration — too many providers enabled
- Contact support if the issue persists after tuning — provide the agent diagnostic log
Behavioral Baseline Producing Unreliable Scores After Software Deployment
Symptoms: After a major software rollout, anomaly scores spike across many devices.
Solutions:
- Bulk-reset baselines for affected devices — this re-enters the 7-day learning period
- Add the new software to process exclusions if it's generating excessive telemetry
- Temporarily raise the anomaly threshold to reduce false positive alerts during the transition
- The weekly ML retraining will naturally adjust if analysts mark these as False Positives
Next Steps
- Getting Started — Initial setup and configuration
- Agent Installation — Agent configuration options
- Response Actions — Response action troubleshooting context