Alerts have no user attribution data
User attribution is configured, but none of the alerts have any user attribution data: an affected alert shows no user attribution fields at all.
There are several possibilities:
- User attribution was not configured correctly. For example:
  - The alert was generated before user attribution was enabled.
  - The CloudTrail configured for user attribution has not generated the event logs yet.
- The alert in question does not support user attribution.
- The AWS operation that generated the alert is not supported. For example, RunInstances creates a new EBS volume, but because the RunInstances event does not include the volume's ID, AWS:EC2-032 (unencrypted EBS volume) cannot use that event as user attribution data.
- The alert's start time and the CloudTrail event's timestamp are more than 2 hours apart.
- The Evident User Attribution Engine is down. Check http://status.evident.io/ for the latest status.
- Make sure the alert in question supports user attribution. Note the alert identifier (e.g. AWS:EC2-001), then go to ESP Web -> Control Panel -> Signatures, open the search filters, and find that signature. You can also filter by the "Supports Attribution" option to list all signatures that support user attribution. Note that a special symbol is shown next to signatures that support user attribution.
- Confirm that the user attribution's status is "Active" (check mark).
- Run the following test:
  1. In the AWS Console, create a new security group and do not attach it to any resources.
  2. Wait an hour.
  3. In ESP Web, generate a new report for this external account.
  4. Look for a new failing AWS:EC2-031 (Unused Security Group) alert for the security group created in step #1.
     - a) If the alert contains user attribution, then user attribution is configured and working properly.
     - b) If the alert does not have user attribution data, check CloudTrail and look for the CreateSecurityGroup event.
       - a) If this event does not exist, then CloudTrail was not configured correctly.
       - b) If this event does exist, check the timestamp of the event and compare it with the alert's start time.
         - a) If the alert's start time and the CloudTrail event's timestamp are more than 2 hours apart, then this was expected. You could either try this test again or contact firstname.lastname@example.org for further assistance.
         - b) If the alert's start time and the CloudTrail event's timestamp are within 2 hours, then user attribution is not functioning correctly. Please contact email@example.com for further assistance.
- If none of the troubleshooting steps above resolved the issue, please contact firstname.lastname@example.org and provide the following:
  - URL to the alert that is expected to have user attribution data
  - CloudTrail log files that contain CloudTrail events within two hours of the alert's start time
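The CloudTrail check in step 4 of the test above (find the CreateSecurityGroup event for the test group, then compare its timestamp with the alert's start time against the 2-hour window) can be scripted before sending log files to support. This is an added example, not Evident's code; the log record below is constructed and the group ID, account ID and user names are placeholders, but the `Records` envelope, `eventTime`, `eventName`, `userIdentity` and `responseElements.groupId` fields follow the real CloudTrail layout.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail log file content; all values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-01T10:05:00Z", "eventName": "CreateSecurityGroup",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2019-03-01T10:06:00Z", "eventName": "DescribeSecurityGroups",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# The attribution window stated in the article.
ATTRIBUTION_WINDOW = timedelta(hours=2)


def parse_time(ts):
    """CloudTrail eventTime (and the alert start time here) is ISO 8601 with a Z suffix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_create_events(log_text, group_id):
    """Return CreateSecurityGroup records whose responseElements name group_id."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records
            if r.get("eventName") == "CreateSecurityGroup"
            and (r.get("responseElements") or {}).get("groupId") == group_id]


def check_attribution(log_text, group_id, alert_start):
    """Classify the result following the a)/b) branches of the test.

    Returns (verdict, actor) where verdict is one of:
      'no-event'       - CloudTrail was not configured correctly
      'outside-window' - event is more than 2 hours from the alert start (expected)
      'within-window'  - event is within 2 hours, so attribution should have worked
    and actor is the identity CloudTrail recorded for the event, if any.
    """
    events = find_create_events(log_text, group_id)
    if not events:
        return "no-event", None
    ev = events[0]
    gap = abs(parse_time(alert_start) - parse_time(ev["eventTime"]))
    identity = ev.get("userIdentity", {})
    actor = identity.get("arn") or identity.get("userName")
    verdict = "within-window" if gap <= ATTRIBUTION_WINDOW else "outside-window"
    return verdict, actor
```

Run it against the real log files downloaded for the two-hour window around the alert's start time, substituting the test group's ID and the alert's start time as shown in ESP Web.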