
Alert and Report Life Cycle

Alerts

Alerts are created from signatures. A signature can produce multiple alerts. Each alert is uniquely identified by the combination of AWS account number, signature identifier, region, and resource_id, which together we will refer to as the alert chain ID.


Start

During a scan, a new alert is generated if one of the following is true:

  • There are no active alerts for the given alert chain ID
  • An alert with the given alert chain ID exists, but its status has changed

When a new alert is created, the currently active alert with the same alert chain ID will end. At any given time there can be only one active alert for a given alert chain ID. Notifications will also be sent out from the relevant integrations.

Note that when an alert is created/started, it may not be available right away. The alert becomes viewable only after it is sent from the ESP scanning engine to the ESP web UI. See the Reports - Create section below for details.

Update

During a scan, if an alert already exists with the given alert chain ID and its status remains the same, the existing alert is updated. If any of the alert's metadata changed, notifications are sent out from the relevant integrations that have the "Send Updates" option enabled.

End

There are several reasons why an alert can end, including:

  • The alert status changed
  • The resource no longer exists
  • The signature is deleted
  • The signature is disabled
  • The alert has been suppressed
  • The suppressed alert is no longer suppressed (suppression deactivated)
  • The alert's risk level changed
  • The alert has not been updated for more than 3 hours

When an alert ends, the alert details include an "ended at" field. Notifications are sent out from the relevant integrations that have the "Send Updates" option enabled, and these notifications include an ended_at field. For SNS integrations, the notifications include these additional fields:

  • ended_reason - a short description of why the alert ended
  • replaced_by_id - if the alert ended due to a status change, the ID of the new alert
  • replaced_by_status - if the alert ended due to a status change, the status of the new alert

Due to caching, alerts may appear active for up to 27 hours after ending. Generally, this only happens when the cloud resource that triggered the alert is destroyed or when signatures are disabled. Alerts that end due to suppression or risk level changes immediately get an "ended at" timestamp (no delay).

Delete

By default, ended alerts are retained in ESP for 90 days and are deleted after that.

Reports

Reports are often described as a snapshot of alerts, but that is not entirely accurate. The word snapshot implies that the data is static, but the alerts in a report can change over time (e.g. alert metadata can be updated, alerts can end). It is more accurate to say that a report is the collection of alerts that were active at a given point in time. For example, if a report is generated at 5/18/17 10:30am, it will include all alerts that are active (started_at <= 5/18/17 10:30am <= ended_at) at that time.

Create

Reports are created once per report interval (default: 1 hour). When a report is created, it also runs any custom signatures associated with that external account. Once all custom signatures finish running, the report is marked as "completed". However, this does not mean the number of alerts in the report is final: new alerts can still be added to a report after it is "completed", because of delays between the ESP scanning engine and the ESP web UI. Also, unlike alert scans, reports can be generated on demand (Control Panel -> Reports -> Run Reports).

For example, assume a report is generated at 5/18/17 10:30am and shows up in the ESP web UI within a few minutes. Checking the report at 10:35am shows a total of 10 alerts. Checking it again at 10:40am shows a total of 11 alerts, and the new alert has a "started_at" timestamp of 10:25am. This is possible because the ESP scanning engine created the alert at 10:25am, but the ESP web UI did not pick it up until 10:40am.
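To make the start/update/end rules from the Alerts section and the "active at a point in time" definition from the Reports section concrete, here is an added in-memory model (example code written for this article, not ESP's own implementation). The chain ID tuple, the event names and the ended_reason strings are assumptions; the rules it encodes are the ones stated above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    id: int
    chain: tuple                 # alert chain ID: (account, signature_id, region, resource_id)
    status: str
    metadata: dict
    started_at: datetime
    updated_at: datetime
    ended_at: "datetime | None" = None
    ended_reason: "str | None" = None        # SNS-only fields from the "End" section
    replaced_by_id: "int | None" = None
    replaced_by_status: "str | None" = None

class AlertTracker:  # hypothetical in-memory model of the rules above, not ESP's own code
    def __init__(self):
        self.alerts = []    # every alert ever created, in creation order
        self.active = {}    # chain ID -> the single active Alert for that chain
        self.events = []    # notifications that would go to integrations
    def observe(self, chain, status, metadata, now):  # one scan result for a chain ID
        cur = self.active.get(chain)
        if cur is not None and cur.status == status:  # same status: update in place
            if cur.metadata != metadata:              # only metadata changes notify
                cur.metadata = dict(metadata)
                self.events.append(("update", cur.id))
            cur.updated_at = now
            return cur
        new = Alert(len(self.alerts) + 1, chain, status, dict(metadata), now, now)
        self.alerts.append(new)
        if cur is not None:                           # status changed: end the old alert
            self._end(cur, now, "status_changed", new)
        self.active[chain] = new
        self.events.append(("start", new.id))
        return new
    def _end(self, alert, now, reason, replacement=None):
        alert.ended_at, alert.ended_reason = now, reason
        if replacement is not None:
            alert.replaced_by_id, alert.replaced_by_status = replacement.id, replacement.status
        self.active.pop(alert.chain, None)
        self.events.append(("end", alert.id, reason))
    def expire_stale(self, now, max_age=timedelta(hours=3)):  # the "not updated" rule
        for alert in list(self.active.values()):
            if now - alert.updated_at > max_age:
                self._end(alert, now, "not_updated")
    def report(self, at):  # active at `at`: started_at <= at <= ended_at, or still open
        return [a.id for a in self.alerts
                if a.started_at <= at and (a.ended_at is None or at <= a.ended_at)]
```

Note that `report` deliberately ignores the 27-hour display cache described above; it returns what the lifecycle rules say is active, which is what the stored ended_at timestamps reflect.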

Delete

By default, reports are retained in ESP for 90 days and are deleted after that.

07-Dec-2017