Alerts have no user attribution data

Created On 09/26/18 19:13 PM - Last Modified 07/19/22 23:12 PM


Symptom

User attribution is configured, but none of the alerts have any user attribution data.


For example: 

Diagnosis

User Attribution Configuration

Check whether the user attribution configuration status is "not configured" or "errored". Example:

Signature Does Not Support User Attribution

Check whether the alert in question supports user attribution. Note the alert identifier (e.g. AWS:EC2-001), then go to Evident Monitoring Web UI -> Control Panel -> Signatures, open the search filters, and find that signature. You can also filter by the "Supports Attribution" option to list all signatures that support user attribution. For example:

Cannot Retrieve CloudTrail Logs

Check whether the necessary permissions have been granted to Evident-Service-Role.

Check whether the CloudTrail S3 bucket policy explicitly denies read access.

CloudTrail Log Related Issues

  1. In the AWS Console, create a new security group and do not attach it to any resources.
  2. Wait an hour.
  3. In Evident Monitoring Web UI, generate a new report for this external account.
  4. Look for a new failing AWS:EC2-031 (Unused Security Group) alert for the security group created in step #1.
  5. If the alert does not have user attribution data, check the CloudTrail logs and look for the CreateSecurityGroup event.
  6. a) If this event does not exist, then CloudTrail was not configured correctly.
     b) If this event does exist, then check the timestamp of the event and compare it with the alert's start time.
  7. a) If the alert's start time and the CloudTrail event's timestamp are more than 2 hours apart, then this is expected. The CloudTrail entry's event time must be within 2 hours of the alert's start time in order for it to become user attribution data.
     b) If the alert's start time and the CloudTrail event's timestamp are within 2 hours of each other, then user attribution is not functioning correctly.
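To make steps 5 through 7 concrete, the following is an added Python example (not Evident tooling and not part of this article) that searches a CloudTrail log file for the CreateSecurityGroup event of a given security group ID and applies the 2-hour rule against the alert's start time. The log records, group IDs and timestamps are constructed; the script assumes the standard CloudTrail JSON layout (a "Records" array with eventName, eventTime, userIdentity and responseElements.groupId).

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail log (not a real export): two CreateSecurityGroup
# events for different groups, plus an unrelated read-only event.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2018-09-26T17:05:00Z", "eventName": "CreateSecurityGroup",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2018-09-26T12:00:00Z", "eventName": "CreateSecurityGroup",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"groupId": "sg-0fedcba9876543210"}},
    {"eventTime": "2018-09-26T17:06:00Z", "eventName": "DescribeSecurityGroups",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

ATTRIBUTION_WINDOW = timedelta(hours=2)  # window stated in the diagnosis steps


def parse_cloudtrail_time(value):
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_create_event(log_text, group_id):
    """Return the CreateSecurityGroup record whose responseElements.groupId
    matches group_id, or None if CloudTrail holds no such event (step 6a)."""
    for record in json.loads(log_text).get("Records", []):
        if record.get("eventName") != "CreateSecurityGroup":
            continue
        if record.get("responseElements", {}).get("groupId") == group_id:
            return record
    return None


def diagnose(log_text, group_id, alert_started_at):
    """Classify per steps 6 and 7: 'no_event', 'expected' (event more than
    2 hours from the alert start) or 'attribution_bug' (event inside the window).
    Also returns the IAM user name CloudTrail recorded, i.e. the attribution data."""
    event = find_create_event(log_text, group_id)
    if event is None:
        return "no_event", None
    gap = abs(alert_started_at - parse_cloudtrail_time(event["eventTime"]))
    actor = event.get("userIdentity", {}).get("userName")
    return ("expected" if gap > ATTRIBUTION_WINDOW else "attribution_bug"), actor


if __name__ == "__main__":
    started = parse_cloudtrail_time("2018-09-26T18:15:00Z")  # constructed alert start
    print(diagnose(SAMPLE_CLOUDTRAIL, "sg-0123456789abcdef0", started))
```

An "attribution_bug" result for a real alert is the evidence to attach to the support case described under Resolution, together with the log file containing that event.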

Evident Monitoring User Attribution Engine Status

Check http://status.evident.io/ to see if there are any outages.



Resolution


User Attribution Configuration

Configure or re-configure user attribution until the status becomes "active".

Signature Does Not Support User Attribution

Send an enhancement request to Palo Alto Networks support. Note that not all signatures are capable of supporting user attribution.

Cannot Retrieve CloudTrail Logs

Modify Evident-Service-Role and the S3 bucket policy to ensure Evident-Service-Role can retrieve files from the bucket. Step #2 of the user attribution configuration instructions provides details on how to set up Evident-Service-Role permissions.

CloudTrail Log Related Issues

Please contact Palo Alto Networks support and provide the diagnostic steps that were taken. Also provide:

  • the URL of the alert that is expected to have user attribution data
  • the CloudTrail log files that contain CloudTrail events within two hours of the alert's start time

Evident Monitoring User Attribution Engine Status

Wait for further information to become available or contact Palo Alto Networks support for updates.


