Alert Categories
Lacework classifies alerts into related categories. A category contains various properties and specifications that define the alerts within that category.
Alert Categories
The following table describes all alert categories.
| Category | Description |
|---|---|
| Anomaly | Alerts that are generated when there are behavioral changes. |
| Policy | Alerts that are generated when a violation of a custom policy is detected. |
| Composite | Alerts that are generated when a potential intrusion is detected. |
Alert Subcategories
The following table describes all alert subcategories.
| Subcategory | Description |
|---|---|
| Compliance | Compliance-related alerts such as New Violations: GCP_CIS12_1_5 Ensure that ServiceAccount has no Admin privileges. Lacework uses CIS compliance rules to check if your cloud accounts are compliant with these rules. It generates alerts if there are compliance issues. |
| Application | Application-related vulnerabilities such as a suspicious application: Suspicious test app: Suspicious application /usr/local/bin/python2.7 (and 4 more) |
| Cloud Activity | Cloud-activity alerts specific to AWS, Azure, or Google Cloud. For example: New Violations: GCP_CIS12_3_6 Ensure that SSH access is restricted from the internet new compliance violations detected. |
| File | Potentially suspicious file-related alerts such as: Clone of Suspicious Files: /var/run/qa/BFNE/08082021170247/eicar.com.txt (and 96 more). |
| Machine | Machine-related alerts such as new IP address connections: New External Server IP Address: ip-192.51.100.100.us-west-2.compute.internal connected to xx.xx.xxx.xxx |
| User | User-related alerts such as suspicious user logins: Suspicious logins from multiple GEOs: Suspicious user logins detected for user web93 (and 331 more) access from multiple geographies. |
| Platform | Platform-related alerts such as cloud activity ingestion failures: Cloud Activity log ingestion failure detected: dh-user-kt is failing for data ingestion into Lacework. |
| Kubernetes Activity | Kubernetes-related alerts such as a new binding to a Cluster Role was created: K8s Audit Log Cluster Role Created. |
| Registry | Registry-related alerts such as PolicyViolationChanged, NewPolicyViolation. |
| SystemCall | System-call-related alerts such as Attempted Host Path Mount, Host Path Mount Execution, Attempted Cron Job Creation. |
| Host Vulnerability | Host-vulnerability-related alerts such as "New vulnerable internal connection, New external host server connection from vulnerable application. |
| Container Vulnerability | Container-vulnerability-related alerts such as New security vulnerability, Known security vulnerability, Known security vulnerability discovered in repository. |
| Threat Intel | Network-related alerts such as Outbound connection to a bad external URL, Outbound connection to a bad external IP Addres, Inbound connection from a bad external IP Address. |