Alerts with Lack of User IDs

Created by Juan Manuel Libera Frómeta, Modified on Wed, 09 Aug 2023 at 01:37 PM by Juan Manuel Libera Frómeta


This documentation addresses the issue of alerts within the UTMstack platform that lack user identification (IDs). These alerts may display "Not available" in the User field, indicating the absence of user-related information. The document provides insights into the underlying causes of this issue, how it affects users, and the steps being taken to address it.

Q1: Why are some alerts missing user IDs?

A1: Certain alerts lack user IDs due to limitations in Microsoft's data, which restricts accurate identification of users involved in specific actions.

Q2: What does "User field marked as 'Not available'" mean in alerts?

A2: When user information isn't provided by Microsoft's data, the "Not available" status in alerts indicates that user identification details are unavailable.

Q3: How are alerts handled when multiple potential users are involved?

A3: In scenarios with multiple potential users, reviewing related logs helps identify specific users connected to the activity.

Q4: Is a solution in progress for these issues?

A4: Yes, our engineering team is actively developing an updated alert schema. This enhanced version will display multiple adversaries and targets to address these issues. However, it's currently under development and not yet ready for production use.

Q5: How can I stay informed about progress on this issue?

A5: We'll keep you updated through regular communication, providing progress reports on solutions for the lack of user IDs in alerts. Don't hesitate to reach out if you have further questions or concerns.

Q6: Can I anticipate improvements in user-related alert notifications?

A6: Absolutely, we're dedicated to enhancing alert notifications for user-related actions. Our development team is committed to effectively resolving this matter.

Resolution Steps:

1. Current Status: The engineering team is actively investigating the issue, recognizing the limitations in Microsoft's data and the challenges posed by multiple potential users.

2. Communication: Regular updates will be provided to users facing this issue. Stay informed through our communications.

3. Solution in Progress: Our team is developing an updated alert schema to address these issues. This schema will offer improved identification of users and enable the display of multiple adversaries and targets.

This documentation aims to provide a comprehensive understanding of the issue of alerts lacking user IDs within the UTMstack platform. It provides users with insights into the problem, potential solutions, and steps being taken to address it. The commitment of our engineering team to resolving this issue is evident, and we'll continue to update users as progress is made.
