Evident Auto-Remediation is not working as expected
Symptom
Resolution
SNS Integration
Check SNS Integration configuration
- Make sure the signature in question is "checked"
- Make sure integration triggers for both fail and warn alerts
- Note the SNS Topic ARN for later.
Ensure the SNS Integration is "Active".
Ensure that the Lambda function is subscribed to the SNS Topic configured for Evident's SNS Integration. Keep in mind that the same topic name can be re-used across regions, so confirm that the topic the function is subscribed to is in the same region as the topic in the integration.
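One way to run the region check above offline, as an added example that is not part of Evident's or Palo Alto Networks' scripts. It compares the Topic ARN noted from the integration against subscription records shaped like SNS ListSubscriptions entries; the topic name, function name, account ID and records are constructed assumptions.

```python
# Added example: all sample values below are constructed, not from a real account.

def parse_arn(arn):
    """Split an ARN into fields: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return {"service": parts[2], "region": parts[3],
            "account": parts[4], "resource": parts[5]}


def check_subscription(integration_topic_arn, function_name, subscriptions):
    """Classify how function_name is subscribed relative to the integration's topic.

    subscriptions: dicts shaped like SNS ListSubscriptions entries
    (TopicArn, Protocol, Endpoint), collected from every region in use.
    Returns "subscribed", "wrong_region:<region>" or "not_subscribed".
    """
    wanted = parse_arn(integration_topic_arn)
    near_miss = None
    for sub in subscriptions:
        if sub.get("Protocol") != "lambda":
            continue  # email, https, sqs ... endpoints are not Lambda ARNs
        endpoint = parse_arn(sub["Endpoint"])
        # Lambda resource is "function:<name>" or "function:<name>:<alias>".
        res = endpoint["resource"].split(":")
        if len(res) < 2 or res[1] != function_name:
            continue
        if sub["TopicArn"] == integration_topic_arn:
            return "subscribed"
        topic = parse_arn(sub["TopicArn"])
        # Same topic name, different region: the mix-up described above.
        if topic["resource"] == wanted["resource"] and topic["region"] != wanted["region"]:
            near_miss = "wrong_region:" + topic["region"]
    return near_miss or "not_subscribed"


# Constructed sample: the function is subscribed to a same-named topic in another region.
INTEGRATION_TOPIC = "arn:aws:sns:us-east-1:111122223333:evident-alerts"
SAMPLE_SUBSCRIPTIONS = [
    {"TopicArn": "arn:aws:sns:us-west-2:111122223333:evident-alerts",
     "Protocol": "lambda",
     "Endpoint": "arn:aws:lambda:us-west-2:111122223333:function:auto-remediate"},
    {"TopicArn": INTEGRATION_TOPIC, "Protocol": "email", "Endpoint": "ops@example.com"},
]

if __name__ == "__main__":
    print(check_subscription(INTEGRATION_TOPIC, "auto-remediate", SAMPLE_SUBSCRIPTIONS))
```

A "wrong_region" result means the function receives nothing from the integration even though a subscription with the expected topic name exists.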
AWS Lambda Function
'=> Nothing to do.'
Depending on the script, this means either that the alert generated was not a fail alert, or that it was neither a fail nor a warn alert. Compare the fail alert's "started at" timestamp with the CloudWatch event's timestamp to make sure they refer to the same event. If they do, please contact Palo Alto Networks support for further assistance.
'=> No <resource type> to evaluate.'
The Lambda function failed to retrieve the alert's resource ID. If the script contains this reference:
metadata['attributes']['data']['resource_id']
Change it to:
alert['data']['attributes']['resource']
If the issue persists, please contact Palo Alto Networks support for further assistance.
'=> Error: <error message>'
Please contact Palo Alto Networks support and provide the error message.