After external account is deleted and recreated, few or no alerts are generated

After external account is deleted and recreated, few or no alerts are generated

0
Created On 09/26/18 20:30 PM - Last Modified 07/19/22 23:12 PM


Symptom


Symptoms

After deleting and recreating an external account, the reports generated contain significantly less alerts than before it was deleted.

Diagnosis

Review how much time elapsed between deleting and recreating of an external account. 

Resolution


When an account is deleted, the relevant alerts are removed from Evident Monitoring Web, but they still persist in the backend.  If the account is recreated before the alerts expire in the backend, they will persist but not be visible in Evident Monitoring Web UI.

 

Possible solutions:

  • Delete the external account, wait 3 hours, then recreate the external account.
  • Delete the external account, rename the evident service role to something else, and recreate the external account.  Evident Monitoring backend caches alerts based on role ARN.  When the evident service role is renamed, the ARN will change, which will essentially clear the cache.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4qCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail