
Alerts have no user attribution data

Problem

User attribution is configured, but none of the alerts have any user attribution data.

Symptoms

The alert has no user attribution data, for example:

Cause

There are several possibilities:

  1. User attribution was not configured correctly. For example:
  2. The alert was generated before user attribution was enabled.
  3. The CloudTrail configured with user attribution has not generated the event logs yet.
  4. The alert in question does not support user attribution.
  5. The AWS operation that generated the alert is not supported.  For example, RunInstances will create a new EBS volume, but since the RunInstances event doesn't include the volume's ID, AWS:EC2-032 (unencrypted EBS volume) cannot use that event as UA data.
  6. The alert's start time and the CloudTrail event's timestamp are more than 2 hours apart.
  7. The Evident User Attribution Engine is down. Check http://status.evident.io/ for the latest status.

Resolution

  1. Make sure the alert in question supports user attribution. Note the alert identifier (e.g. AWS:EC2-001), then go to ESP Web -> Control Panel -> Signatures, open the search filters, and find that signature. You can also filter by the "Supports Attribution" option to list all signatures that support user attribution. For example:

    Note that there is a special symbol next to signatures that support user attribution.
  2. Confirm that the user attribution's status is "Active" (check mark).
  3. Run the following test:
    1. In AWS Console, create a new security group and do not attach it to any resources.
    2. Wait an hour.
    3. In ESP Web, generate a new report for this external account.
    4. Look for a new failing AWS:EC2-031 (Unused Security Group) alert for the security group created in step 1.
    5. a) If the alert contains user attribution, then user attribution is configured and working properly.
      b) If the alert does not have user attribution data, check the CloudTrail logs and look for the CreateSecurityGroup event.
    6. a) If this event does not exist, then CloudTrail was not configured correctly.
      b) If this event does exist, then check the timestamp of the event and compare it with the alert's start time.
    7. a) If the alert's start time and the CloudTrail event's timestamp are more than 2 hours apart, then the missing attribution is expected. You can either run this test again or contact support@evident.io for further assistance.
      b) If the alert's start time and the CloudTrail event's timestamp are within 2 hours of each other, then user attribution is not functioning correctly. Please contact support@evident.io for further assistance.
  4. If none of the troubleshooting steps above resolved the issue, please contact support@evident.io and provide the following:
    • URL to the alert that is expected to have user attribution data
    • CloudTrail log files that contain CloudTrail events within two hours of the alert's start time
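The CloudTrail check in steps 5b to 7 above can be scripted. The following is an added example, not Evident's code: it reads a CloudTrail log file, looks for the CreateSecurityGroup record whose responseElements.groupId matches the test security group, and maps the result onto the article's three branches (no event, event more than 2 hours from the alert's start time, event within 2 hours). The log records and the alert start times are constructed sample data.

```python
"""Triage helper for the CloudTrail part of the user attribution test."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail log fragment (not real data); only the fields the
# check needs are present. CloudTrail reports the new group's ID in
# responseElements.groupId of the CreateSecurityGroup record.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2017-12-12T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupName": "ua-test"},
     "responseElements": {"groupId": "sg-0a1b2c3d"}},
    # A RunInstances record has no volume ID, which is why cause 5 above
    # says it cannot attribute an unencrypted-volume alert.
    {"eventTime": "2017-12-12T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123"}]}}},
]})

MAX_SKEW = timedelta(hours=2)  # the window stated in the article


def parse_ct_time(s):
    """CloudTrail timestamps are UTC in the form 2017-12-12T09:05:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_create_sg_event(log_json, group_id):
    """Return the CreateSecurityGroup record that created group_id, or None."""
    for rec in json.loads(log_json).get("Records", []):
        if rec.get("eventName") != "CreateSecurityGroup":
            continue
        if rec.get("responseElements", {}).get("groupId") == group_id:
            return rec
    return None


def triage(log_json, group_id, alert_start_iso):
    """Map the test outcome to the article's resolution branches (6a, 7a, 7b)."""
    rec = find_create_sg_event(log_json, group_id)
    if rec is None:
        return "no-event"        # 6a: CloudTrail not configured correctly
    skew = abs(parse_ct_time(alert_start_iso) - parse_ct_time(rec["eventTime"]))
    if skew > MAX_SKEW:
        return "outside-window"  # 7a: expected; run the test again
    return "within-window"       # 7b: attribution should exist; contact support


if __name__ == "__main__":
    print(triage(SAMPLE_CLOUDTRAIL, "sg-0a1b2c3d", "2017-12-12T10:30:00Z"))
```

For a real run, replace SAMPLE_CLOUDTRAIL with the contents of the CloudTrail log file (it may need gunzip first) and pass the group ID from step 1 and the alert's start time from ESP Web.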
  • 12-Dec-2017