Why an Event is Missing

There may be times when the Threat Stack Application tells you it cannot find an event, or displays a message like “Parent Process Unavailable,” even though you are sure the event occurred. This can happen for a few reasons, listed below in order of likelihood.
  1. Most commonly, the event is outside your organization’s retention period. For example, if you purchased a 2 day retention period, then you cannot search for or visualize events older than 2 days. However, alerts for that event are still available, even if you dismiss them.

  2. Ensure that your system clock and NTP are configured correctly on the system you are looking for events from. The Threat Stack platform assumes that your clock is accurately configured and sees minimal drift (sub-hour). If your clock is not properly configured, then readjust your search parameters to find the events, and properly configure your clock to avoid future confusion.

  3. CloudTrail events are collected as quickly as AWS sends them to the Threat Stack platform. In the worst cases we have observed, AWS has taken 15 minutes to an hour from the time an event occurs until it is available in your CloudTrail instance, and therefore in the Threat Stack platform. Typically, though, it takes only minutes for AWS to make a CloudTrail event available.

  4. If the event just occurred on your system, it may take anywhere from a few seconds to several minutes to be available in every visualization. For example, while alerting takes seconds, it could take tens of seconds for the event to show up in the process tree.

  5. Any events that occurred before the agent was started, such as during the initial boot sequence or instance turn-up, will not be available.

  6. The Threat Stack Agent does not support running on the same server as auditd, and actively shuts auditd down during Agent start. If you require auditd output for other tools, such as AppArmor, please contact our support team directly, as we have made support for this available (also see our blog post, Threat Stack & AppArmor - a Match Made in Cloud Security Heaven).

  7. If any tampering occurred on the instance before the Threat Stack Agent started, such as a malicious kernel module loaded at run time or baked into your image, then the provenance of the data collected is not guaranteed. For example, some malicious kernel modules hide or “cloak” their own activity while allowing the rest of the data to be collected. However, if the Threat Stack Agent is already running when this is done, the tampering will be caught and alerted on.
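The causes above can be checked mechanically once you know the event's timestamp, the host's measured clock offset and the agent's start time. The following Python helper is an added example, not Threat Stack code: it applies the retention, clock-drift, CloudTrail-lag, visualization-lag and agent-start checks in the order given above, and corrects for drift before testing retention, since a fast host clock can make an event look inside (or outside) the retention window when it is not. The one-hour drift and CloudTrail thresholds are the figures quoted in this article; the two-minute visualization lag and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thresholds quoted from the article: clock drift is expected to stay sub-hour, and
# CloudTrail delivery has been observed to take 15 minutes to an hour at worst.
MAX_EXPECTED_DRIFT = timedelta(hours=1)
CLOUDTRAIL_WORST_CASE_DELAY = timedelta(hours=1)
RECENT_EVENT_LAG = timedelta(minutes=2)  # assumed ceiling for "tens of seconds"


def utc(y, mo, d, h=0, mi=0):
    """Build a timezone-aware UTC timestamp (helper for constructed inputs)."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


def _require_aware(name, ts):
    # A naive timestamp silently mixes time zones, itself a common cause of "missing" events.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def triage_missing_event(event_ts, now, retention_days, host_clock_offset_s=0,
                         agent_started_at=None, source="host"):
    """Return (corrected_ts, search_window, reasons) for an event the UI cannot find.

    host_clock_offset_s is host clock minus true time, in seconds (positive = host runs
    fast), so the host-written timestamp is corrected by subtracting it. Drift is
    corrected before the retention check because a fast clock can push an event that
    is really outside retention back inside the window, and a slow clock the reverse.
    """
    _require_aware("event_ts", event_ts)
    _require_aware("now", now)
    offset = timedelta(seconds=host_clock_offset_s)
    corrected = event_ts - offset
    age = now - corrected
    reasons = []
    if age > timedelta(days=retention_days):
        reasons.append("outside retention: alerts remain, but search and visualizations will not return it")
    if abs(offset) >= MAX_EXPECTED_DRIFT:
        reasons.append("clock drift is not sub-hour: search around the corrected time and fix NTP")
    if source == "cloudtrail" and age <= CLOUDTRAIL_WORST_CASE_DELAY:
        reasons.append("CloudTrail delivery lag: AWS may take minutes to an hour to deliver it")
    if source == "host" and age <= RECENT_EVENT_LAG:
        reasons.append("very recent event: the process tree can lag alerting by tens of seconds")
    if agent_started_at is not None:
        _require_aware("agent_started_at", agent_started_at)
        if corrected < agent_started_at:
            reasons.append("event predates agent start (e.g. boot sequence): it was never collected")
    # Widen the search window by the measured drift so a mis-stamped event is still found.
    window = (corrected - abs(offset), corrected + abs(offset))
    return corrected, window, reasons
```

An empty `reasons` list means none of the causes listed above applies, which is the case to escalate to support.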
If you see any other discrepancies, please contact the support team immediately and we will investigate.