
Troubleshooting Data Ingestion in Detect for AWS

Want to make sure that Detect for AWS is properly ingesting your CloudTrail logs? If the status of your sensor says ‘Forwarding’, your setup was successful. As our system begins to learn about your environment, you should start to see detection activity in your Detect for AWS account after one or two days.

If you’re having any issues, the status code of the sensor may help you diagnose the problem. Below are the potential statuses you may be receiving:

  • Insufficient S3 Permissions: The Vectra IAM role does not have the appropriate permissions to pull CloudTrail logs from your S3 bucket. If you manually configured the deployment, double check you gave Vectra all the permissions enumerated in the deployment guide. Additionally, if you have AWS Key Management Service (KMS) enabled, make sure you’ve given the Vectra IAM role permission to decrypt your CloudTrail logs.
  • Insufficient SNS Permissions: The Vectra IAM role does not have the appropriate permissions to subscribe to the SNS topic which generates an alert upon the creation of new CloudTrail logs. Double check that the Vectra role has the appropriate permissions as enumerated in the deployment guide.
  • Insufficient S3 Event Permissions: The Vectra IAM role does not have the appropriate permissions to configure the event triggers on the S3 bucket. Double check that the Vectra role has the appropriate permissions as enumerated in the deployment guide.
  • Invalid Bucket: There’s an issue with the S3 bucket that you specified as the storage location for your CloudTrail logs when you deployed Detect for AWS. Double check that the ARN of the bucket is correct, and update the bucket ARN within Detect for AWS if necessary.
  • Invalid IAM Role: Vectra cannot assume the role specified in the deployment. Please check that the accountID and externalID are correct, and update that information within Detect for AWS if necessary.
  • Setup Failure: This is a general error message for other failures which have occurred during setup. Please review the deployment guide and ensure you have met all necessary configuration requirements.
  • Ingest Failure: The setup was successful, but ingestion of CloudTrail logs is failing. This is a general failure code to capture errors other than those enumerated above. Please review the deployment guide and ensure you have met all necessary configuration requirements.
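
For the Invalid Bucket and Invalid IAM Role statuses, the values can be checked offline before updating them in Detect for AWS. The following is an added example, not code from Vectra or the deployment guide: it validates the shape of an S3 bucket ARN and inspects a role trust policy for the expected account and `sts:ExternalId` condition. The function names, the account ID `111122223333`, the external ID and the bucket name are constructed for illustration.

```python
import json
import re

# S3 bucket ARNs have empty region and account fields: arn:<partition>:s3:::<bucket>
BUCKET_ARN = re.compile(r"^arn:aws[a-z-]*:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def bucket_arn_ok(arn):
    return bool(BUCKET_ARN.match(arn))

def trust_policy_findings(policy, account_id, external_id):
    """Return problems found in the statements that trust account_id."""
    trusted = False
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        # A principal may be a bare account ID or an IAM ARN inside that account.
        arns = as_list(principal.get("AWS", []))
        if not any(p == account_id or f":iam::{account_id}:" in p for p in arns):
            continue
        trusted = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM condition key names are case-insensitive; the values are not.
        ids = [v for k, val in equals.items()
               if k.lower() == "sts:externalid" for v in as_list(val)]
        if not ids:
            findings.append("no sts:ExternalId condition on the trust statement")
        elif external_id not in ids:
            findings.append("sts:ExternalId does not match the configured externalID")
    if not trusted:
        findings.append(f"no Allow statement trusts account {account_id}")
    return findings

# Constructed sample values, not taken from the deployment guide.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

if __name__ == "__main__":
    print(bucket_arn_ok("arn:aws:s3:::example-cloudtrail-logs"))
    print(trust_policy_findings(SAMPLE_POLICY, "111122223333", "example-external-id"))
```

An empty findings list means the trust policy names the expected account and external ID; the role's trust policy JSON can be exported from the IAM console and passed in place of the sample.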

If you’re still running into issues, don’t hesitate to contact our support team.

 
