Created On 09/26/18 19:13 PM - Last Modified 07/19/22 23:12 PM
Symptom
User attribution is configured, but none of the alerts have any user attribution data.
Diagnosis
User Attribution Configuration
Check whether the user attribution configuration status shows "not configured" or "errored". Only a configuration whose status is "active" produces attribution data.
Signature Does Not Support User Attribution
Check whether the signature behind the alert supports user attribution. Note the alert identifier (e.g. AWS:EC2-001), then go to Evident Monitoring Web UI -> Control Panel -> Signatures, open the search filters, and find that signature. You can also use the "Supports Attribution" filter to list every signature that supports user attribution.
Cannot Retrieve CloudTrail Logs
Check whether the Evident-Service-Role has the permissions it needs to read objects from the CloudTrail bucket.
Check whether the CloudTrail S3 bucket policy contains a Deny statement that explicitly denies read access (s3:GetObject) to the role. An explicit Deny in the bucket policy wins over any Allow granted to the role.
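The second check is easy to get wrong by eye, because a Deny with a Condition may or may not catch the role. The following is an added example, not Evident's own tooling: it scans a bucket policy for Deny statements that would stop a given role reading a given log object, evaluates only aws:PrincipalArn conditions offline, and flags any other Condition for manual review. The account ID, bucket name, role ARN, object key and policy statements are all constructed for the example.

```python
"""Scan a CloudTrail S3 bucket policy for explicit Deny statements that would block a role
from reading log objects. Added example, not Evident's own tooling; all names are made up."""
import json
from fnmatch import fnmatchcase

# Constructed inputs: hypothetical account ID, role ARN, bucket and log object key.
ROLE_ARN = "arn:aws:iam::123456789012:role/Evident-Service-Role"
LOG_OBJECT_ARN = ("arn:aws:s3:::example-cloudtrail-logs/AWSLogs/123456789012/CloudTrail/"
                  "us-east-1/2022/07/19/123456789012_CloudTrail_us-east-1_20220719T2300Z_abc.json.gz")

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/123456789012/*"},
        # Reads denied to everyone except SecurityAdmin: Evident-Service-Role is caught by this.
        {"Sid": "RestrictLogReads", "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/*",
         "Condition": {"StringNotLike": {
             "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecurityAdmin"}}},
        # Condition key this checker does not evaluate, so it is reported for manual review.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                      "arn:aws:s3:::example-cloudtrail-logs/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# aws:PrincipalArn operators evaluated offline; value = does the Deny apply when the ARN matches?
_ARN_OPS = {"StringEquals": True, "StringLike": True, "ArnEquals": True, "ArnLike": True,
            "StringNotEquals": False, "StringNotLike": False,
            "ArnNotEquals": False, "ArnNotLike": False}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs for this purpose.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_covers(principal, role_arn):
    """True if the Principal element names the role directly, its account, or everyone."""
    if principal == "*":
        return True
    account = role_arn.split(":")[4]
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", role_arn, account, f"arn:aws:iam::{account}:root") for p in aws)


def _condition_applies(condition, role_arn):
    """True/False when every clause tests aws:PrincipalArn; None if we cannot evaluate it."""
    if not condition:
        return True
    for op, clauses in condition.items():
        if op not in _ARN_OPS:
            return None
        for key, values in clauses.items():
            if key.lower() != "aws:principalarn":
                return None
            if _matches_any(values, role_arn) != _ARN_OPS[op]:
                return False
    return True


def find_blocking_denies(policy_json, role_arn, object_arn, action="s3:GetObject"):
    """Return (blocking, needs_review): Sids of Deny statements that stop role_arn performing
    action on object_arn, and Sids whose Condition must be checked by hand."""
    blocking, needs_review = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "NotPrincipal" in stmt:
            continue  # NotPrincipal denies are unusual; review those manually
        if not _principal_covers(stmt.get("Principal", {}), role_arn):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches_any(actions, action.lower()):
            continue
        if not _matches_any(stmt.get("Resource", []), object_arn):
            continue
        verdict = _condition_applies(stmt.get("Condition"), role_arn)
        sid = stmt.get("Sid", "<no Sid>")
        if verdict is None:
            needs_review.append(sid)
        elif verdict:
            blocking.append(sid)
    return blocking, needs_review


def exempt_role_from_deny(policy_json, sid, role_arn):
    """The fix for a StringNotLike aws:PrincipalArn Deny: add the role to its exception list."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Sid") == sid:
            arns = stmt["Condition"]["StringNotLike"]["aws:PrincipalArn"]
            stmt["Condition"]["StringNotLike"]["aws:PrincipalArn"] = _as_list(arns) + [role_arn]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("blocking / review:", find_blocking_denies(SAMPLE_POLICY, ROLE_ARN, LOG_OBJECT_ARN))
    fixed = exempt_role_from_deny(SAMPLE_POLICY, "RestrictLogReads", ROLE_ARN)
    print("after fix:", find_blocking_denies(fixed, ROLE_ARN, LOG_OBJECT_ARN))
```

Feed it the output of `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text` and the ARN of one real log object. Anything returned in the first list is a definite cause of the "Cannot Retrieve CloudTrail Logs" symptom; anything in the second list has a Condition you must read yourself. The checker deliberately ignores Allow statements and the role's own IAM policies, since a Deny here overrides both.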
CloudTrail Log Related Issues
1. In the AWS Console, create a new security group and do not attach it to any resource.
2. Wait an hour.
3. In the Evident Monitoring Web UI, generate a new report for this external account.
4. Look for a new failing AWS:EC2-031 (Unused Security Group) alert for the security group created in step 1.
5. If that alert has no user attribution data, check CloudTrail for the CreateSecurityGroup event for that security group:
   a) If the event does not exist, CloudTrail is not configured correctly.
   b) If the event exists, compare its event time with the alert's start time:
      i) If they are more than 2 hours apart, the missing attribution is expected: the CloudTrail event time must be within 2 hours of the alert's started-at timestamp for it to be used as user attribution data.
      ii) If they are within 2 hours, user attribution is not functioning correctly.
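The decision in step 5 can be scripted against the downloaded log files, which is useful when you need to send support the exact CloudTrail events around an alert. The code below is an added example, not Evident's attribution engine: it loads a CloudTrail log object as delivered to S3 (gzipped JSON with a Records list), finds the CreateSecurityGroup event for a security group ID, and reports whether its event time falls within the 2-hour window of the alert's start time. The log records, account ID, principals, IP addresses and group IDs are constructed for the example.

```python
"""Reproduce the 2-hour correlation between an Evident alert and the CloudTrail event that
created the resource. Added example, not Evident's attribution engine; data is constructed."""
import gzip
import io
import json
from datetime import datetime, timedelta, timezone

ATTRIBUTION_WINDOW = timedelta(hours=2)  # window stated in the diagnosis procedure

# Constructed CloudTrail log object (hypothetical account, principals, IPs and group IDs),
# gzipped as it would be delivered to the CloudTrail S3 bucket.
_SAMPLE_LOG = {"Records": [
    {"eventTime": "2022-07-19T20:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupName": "ua-test-sg", "groupDescription": "attribution test"},
     "responseElements": {"groupId": "sg-0a1b2c3d4e5f67890"}},
    {"eventTime": "2022-07-19T20:06:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": None},
    {"eventTime": "2022-07-19T15:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupName": "old-sg", "groupDescription": "earlier"},
     "responseElements": {"groupId": "sg-0fedcba9876543210"}},
]}
SAMPLE_LOG_GZ = gzip.compress(json.dumps(_SAMPLE_LOG).encode("utf-8"))


def load_records(log_file_bytes):
    """Parse one CloudTrail log object (.json.gz) into its list of event records."""
    with gzip.open(io.BytesIO(log_file_bytes), "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def parse_time(ts):
    """CloudTrail and the alert use ISO-8601 UTC timestamps ending in Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_create_event(records, group_id):
    """The CreateSecurityGroup record whose response carries this group ID, or None."""
    for rec in records:
        if rec.get("eventName") == "CreateSecurityGroup" and \
                (rec.get("responseElements") or {}).get("groupId") == group_id:
            return rec
    return None


def attribute(records, group_id, alert_started_at):
    """Apply the step-5 decision: no event, event outside the window, or attributable event."""
    event = find_create_event(records, group_id)
    if event is None:
        return {"status": "no_event"}  # 5a: CloudTrail is not delivering the event
    gap = abs(parse_time(alert_started_at) - parse_time(event["eventTime"]))
    if gap > ATTRIBUTION_WINDOW:
        return {"status": "outside_window", "gap": gap,
                "eventTime": event["eventTime"]}  # 5b-i: expected, no attribution
    ident = event.get("userIdentity", {})
    return {"status": "attributed",  # 5b-ii: attribution should have been populated
            "user": ident.get("userName") or ident.get("arn"),
            "arn": ident.get("arn"),
            "sourceIPAddress": event.get("sourceIPAddress"),
            "eventTime": event["eventTime"], "gap": gap}


RECORDS = load_records(SAMPLE_LOG_GZ)

if __name__ == "__main__":
    for started in ("2022-07-19T21:10:00Z", "2022-07-19T23:30:00Z"):
        print(started, attribute(RECORDS, "sg-0a1b2c3d4e5f67890", started))
    print(attribute(RECORDS, "sg-00000000000000000", "2022-07-19T21:10:00Z"))
```

With a real alert, read the started-at timestamp from the alert and the security group ID from its resource, download the log objects for the hour of the alert and the two hours before it, and concatenate their Records before calling attribute(). A "no_event" result points at CloudTrail delivery (step 5a), "outside_window" is the expected behaviour (step 5b-i), and "attributed" with an empty attribution field in the UI is the case to escalate (step 5b-ii).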
Resolution
User Attribution Configuration
Configure or re-configure user attribution until its status becomes "active".
Signature Does Not Support User Attribution
Send an enhancement request to Palo Alto Networks support. Note that not all signatures can support user attribution.
Cannot Retrieve CloudTrail Logs
Modify the Evident-Service-Role and the S3 bucket policy so that Evident-Service-Role can read objects from the CloudTrail bucket. Step 2 of the user attribution configuration instructions describes how to set up the Evident-Service-Role permissions.
CloudTrail Log Related Issues
Contact Palo Alto Networks support, describe the diagnostic steps that were taken, and provide:
- the URL of the alert that is expected to have user attribution data
- the CloudTrail log files that contain the CloudTrail events within two hours of the alert's start time
Evident Monitoring User Attribution Engine Status
Wait for further information to become available, or contact Palo Alto Networks support for updates.