Apex MSSP — Data-Source Health & Status

Connector 00000000-0000-0000-0000-000000000000 · 17 tenants · Generated 2026-05-30 · 24h window · Read-only

§1 — Health summary

Tenant verdicts: 9 error · 8 ok · 0 unreachable
Tenants: 17
Configured sources: 134
24h ingest: 361.8 GB
Total findings: 26

Nine of seventeen Apex MSSP tenants are in an error verdict — over half the book. Two failure patterns dominate: SentinelOne agents that won't load (customer-04 ×2, customer-01), and S3-backed feeds (CiscoUmbrella, JudySecurity) returning errors. A second cluster — customer-13, customer-07, customer-10, customer-08 — has integration-misconfigured findings: sources claim integrations that Fluency does not see a matching resource for. No tenant is unreachable; the platform side is healthy.

§2 — Per-tenant verdict

Tenant | Verdict | Sources (ok/err/inactive) | 24h bytes | Findings
customer-13 · Customer 13 — Materials | error | 9 / 2 / 1 | 12.4 GB | 2 source_error, 5 integration_misconfigured
customer-08 · Apex MSSP | error | 8 / 1 / 4 | 55.7 GB | 1 source_error, 5 integration_misconfigured
customer-07 · Customer 07 — Recording SaaS | error | 7 / 1 / 1 | 3.4 GB | 1 source_error, 4 integration_misconfigured
customer-04 · Customer 04 — Cloud Telecom | error | 5 / 2 / 2 | 313 MB | 2 source_error (SentinelOne)
customer-10 · Customer 10 — Maritime Auth. | error | 5 / 0 / 2 | 23.9 GB | 2 integration_misconfigured
customer-02 · Customer 02 — Retail Pharmacy | error | 2 / 1 / 1 | 18.2 GB | 1 source_error (BehaviorSummary)
customer-11 · O&L | error | 4 / 1 / 1 | 86.4 GB | 1 source_error (FluencyCollector)
customer-01 · Customer 01 — Retail Holdings | error | 7 / 1 / 0 | 21.7 GB | 1 source_error (SentinelOne)
customer-16 · Customer 16 — Partner MSP | error | 5 / 1 / 3 | 146 MB | 1 source_error (DefenderATP)
customer-06 · Customer 06 — Insurance | ok | 7 / 0 / 2 | 93.1 GB | (none)
customer-12 · Customer 12 — Industrial Tech | ok | 5 / 0 / 1 | 6.8 GB | (none)
customer-14 · Customer 14 — Research | ok | 4 / 0 / 2 | 15.4 GB | (none)
customer-03 · Customer 03 — Manufacturing | ok | 7 / 0 / 2 | 8.4 GB | (none)
customer-17 · Customer 17 — IT Services | ok | 4 / 0 / 0 | 8.7 GB | (none)
customer-05 · Customer 05 — Public Sector B | ok | 7 / 0 / 2 | 2.8 GB | (none)
customer-15 · Customer 15 — Identity Svc | ok | 4 / 0 / 0 | 2.3 GB | (none)
customer-09 · Customer 09 — Public Sector A | ok | 7 / 0 / 3 | 2.1 GB | (none)

Inactive sources are quiet — not a finding. Inactive ≠ broken; without time-comparison data the platform can't distinguish "always quiet" from "stopped working." Resource fetchers (BlackKite, Office365, SentinelOne) verified via freshness probe, not throughput.

§3 — Ingestion & data flow

Total 24h ingest across the connector: 361.8 GB. Top tenants by volume:

Tenant | 24h bytes_passed | Top source
customer-06 | 93.1 GB | SyslogEndpoint (46.5 GB)
customer-11 | 86.4 GB | FluencyCollector (43.2 GB)
customer-08 | 55.7 GB | LocalSyslog (27.8 GB)
customer-10 | 23.9 GB | FluencyCollector (11.9 GB)
customer-01 | 21.7 GB | LocalSyslog (10.8 GB)
customer-02 | 18.2 GB | SyslogEndpoint (9.1 GB)
customer-14 | 15.4 GB | LocalSyslog (7.7 GB)
customer-13 | 12.4 GB | LocalSyslog (6.2 GB)

§4 — Errored / silent sources

Ten source-level errors across the book. Each below is a configured source that is failing or producing no events.

customer-04 · SentinelOne:SentinelOne
  Detail:   failed to load sentinelone agent (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-04 · SentinelOne:Customer 04 — Cloud Telecom · SentinelOne
  Detail:   failed to load sentinelone agent (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-01 · SentinelOne:Customer 01 — Retail Holdings
  Detail:   failed to load sentinelone agent (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-16 · DefenderATP-default
  Detail:   poll error (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-13 · CiscoUmbrella_DNSLogs
  Detail:   S3 data source Error (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-13 · CiscoUmbrella_ProxyLogs
  Detail:   S3 data source Error (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-08 · JudySecurity
  Detail:   S3 data source Error (×9)
  Counters: bytes_passed=0 · errorStates corroborated
  Lineage:  live_fluency_pull · histogram_24h · errorStates_corroborated

customer-02 · BehaviorSummary
  Detail:   transform errors: 3,234 bytes errored in 24h
  Counters: bytes_errored=3,234 · bytes_dropped=90,506 · bytes_aborted=3,234
  Lineage:  live_fluency_pull · histogram_24h

customer-07 · BehaviorSummary
  Detail:   transform errors: 15,073 bytes errored in 24h
  Counters: bytes_errored=15,073 · bytes_dropped=302,705 · bytes_aborted=15,073
  Lineage:  live_fluency_pull · histogram_24h

customer-11 · FluencyCollector
  Detail:   source-side errors: 14,804 events in 24h (collector still passing 43.2 GB)
  Counters: bytes_passed=43.2 GB · source_errors=14,804
  Lineage:  live_fluency_pull · histogram_24h

Integration misconfigurations

Sixteen integration_misconfigured findings across four tenants. Each is a source claiming an integration (e.g. Office365) for which Fluency's get_system_config reports no matching resource — typically the integration was renamed, removed, or never finished the discovery handshake.

Tenant | Integrations with no matching resource
customer-13 | AzureAudit, BlackKite, Falcon, Office365, Office365ResourceWatch
customer-08 | AzureAudit, BlackKite, Office365, Office365ResourceWatch, SentinelOne
customer-07 | AzureAudit, AzureEventHubs, Office365, Office365ResourceWatch
customer-10 | BlackKite, Falcon

Note: customer-13, customer-08, and customer-07 are still ingesting from these sources (Office365 and AzureAudit are in their top 5 by bytes). The misconfiguration is in the integration cross-reference, not in the data flow — Fluency is receiving the events, but the integration registry has no matching resource record for downstream correlation.

Suppressed (informational, no action needed)

Seven errorStates_noise alerts suppressed across the connector — all are Office365 "failed to get access token" events occurring on sources that are passing data normally (OAuth token-refresh hiccups, not outages). Suppressed per verdict precedence rule 3.

§5 — Detection blind spots

What the SOC currently cannot see, derived from §4 errors and known-stopped sources.

SentinelOne endpoint telemetry — customer-04, customer-01
  Gap:           Agent load failing across three configured sources; zero EDR events in 24h
  Cannot detect: Malware execution, ransomware behaviors, EDR-detected lateral movement on endpoints in these tenants
  Risk:          High — endpoint detection is the primary control surface for these customers
  Remediation:   Verify SentinelOne API token validity and console URL; reload agent config in Fluency

Microsoft Defender ATP — customer-16
  Gap:           Defender poll failing for 24h (×9 retries observed)
  Cannot detect: Defender alerts, suspicious process events, sign-in risk from MDE
  Risk:          High — customer-16 has no SentinelOne fallback configured
  Remediation:   Re-auth MDE app registration; confirm Graph API permissions still granted

Cisco Umbrella DNS & Proxy logs — customer-13
  Gap:           Both S3-backed Umbrella feeds erroring
  Cannot detect: DNS tunneling, C2 callbacks via DNS, blocked-category web access patterns
  Risk:          Medium-High — Umbrella is the perimeter visibility for customer-13
  Remediation:   Verify S3 bucket access keys and Umbrella log-export config

JudySecurity S3 feed — customer-08
  Gap:           S3 source erroring for 24h
  Cannot detect: Whatever JudySecurity provides (likely mobile/endpoint threat intel) for the customer-08 internal tenant
  Risk:          Medium — depends on JudySecurity's role in the stack; confirm with operator
  Remediation:   Check S3 credentials and bucket path

BehaviorSummary transform errors — customer-02, customer-07
  Gap:           Behavior summarization dropping a small fraction of events (3K and 15K bytes errored in 24h)
  Cannot detect: The specific events that errored out — likely malformed records, not a broad outage
  Risk:          Low — bytes_errored is small relative to throughput; verify the pattern isn't growing
  Remediation:   Pull errorStates detail via ingress_source_detail to identify the failing record shape

Integration registry drift — customer-13, customer-08, customer-07, customer-10
  Gap:           Sources claim integrations Fluency's resource discovery doesn't see
  Cannot detect: Cross-resource correlation (e.g. linking an Office365 alert to its user record) may degrade until the registry is reconciled
  Risk:          Medium — data is flowing, but enrichment and entity linking are at risk
  Remediation:   For each tenant, re-run integration discovery; rename the source's integration tag to match the discovered resource

§6 — Integration inventory

Tenant | Configured integrations | Resource freshness
customer-04 | Office365, Office365ResourceWatch, SentinelOne | O365 fresh (4h 56m); SentinelOne no_index
customer-12 | BlackKite | BlackKite fresh (1h 08m)
customer-06 | BlackKite, DefenderATP, Office365, O365ResourceWatch | All fresh
customer-02 | (none) | n/a
customer-14 | BlackKite | BlackKite fresh (1h 06m)
customer-03 | BlackKite, Office365, O365ResourceWatch, SentinelOne | All fresh; SentinelOne 3m ago
customer-15 | (none) | n/a
customer-13 | AzureAudit, BlackKite, Falcon, Office365, O365ResourceWatch | All fresh (1h–5h)
customer-07 | AzureAudit, AzureEventHubs, Office365, O365ResourceWatch | O365 fresh (5h 19m)
customer-11 | BlackKite | BlackKite fresh (1h 27m)
customer-09 | BlackKite, DefenderATP, Mimecast, Office365, O365ResourceWatch | All fresh
customer-05 | BlackKite, DefenderATP, Office365, O365ResourceWatch | All fresh
customer-01 | AzureAudit, Office365, SentinelOne, Sophos | SentinelOne no_index; O365 no_index
customer-10 | BlackKite, Falcon | BlackKite fresh (58m)
customer-16 | DefenderATP, Office365, O365ResourceWatch, SentinelOne | All fresh; SentinelOne 37m ago
customer-08 | AzureAudit, BlackKite, Office365, O365ResourceWatch, SentinelOne | All fresh; SentinelOne 29m ago
customer-17 | (none) | n/a

"no_index" on customer-01's SentinelOne and Office365 fetchers means the resource index does not exist yet — typical for sources that have never successfully synced. Worth investigating alongside customer-01's SentinelOne source_error.

§7 — Recommended actions

P1: Fix SentinelOne agent load failures — customer-04 (×2), customer-01. Re-validate API tokens and console URLs in Fluency. Three EDR sources blind for at least 24h. Tied to §4, §5.
P1: Re-auth Defender ATP for customer-16. Polling failed for 24h; the tenant has no healthy SentinelOne fallback. Confirm Azure app registration + Graph permissions. Tied to §4, §5.
P1: Restore Cisco Umbrella S3 ingestion for customer-13. Both DNS and Proxy feeds erroring — primary perimeter visibility down. Verify S3 access keys and Umbrella export config. Tied to §4, §5.
P2: Restore JudySecurity S3 feed for customer-08. Confirm S3 credentials/bucket path; treat as an opaque vendor feed until the owner confirms scope. Tied to §4, §5.
P2: Reconcile integration registry for customer-13, customer-08, customer-07, customer-10. Run integration discovery for each; correct the source-side integration= tag to match what Fluency now reports. Data is flowing — this is enrichment risk, not blind-spot risk. Tied to §4 integration misconfigurations.
P2: Investigate customer-01 "no_index" resource fetchers. SentinelOne and Office365 resource indexes do not exist — pair with the SentinelOne source error fix; likely the same root cause. Tied to §6.
P3: Drill into BehaviorSummary transform errors on customer-02 (3.2 KB errored) and customer-07 (15 KB errored). Use ingress_source_detail to pull the failing record shape. Low volume, but worth identifying the pattern before it grows. Tied to §4.
P3: Investigate customer-11 FluencyCollector source_errors (14,804 events). Collector is still passing 43 GB; errors are on a subset. Pull source detail to identify failing inputs. Tied to §4.

Verdict precedence applied per health instruction group v91644c19bcb14970 (fetched this session). All counters per data-fabric-vocabulary.md. Report is read-only — no platform mutations performed.