Alert Categories
Lacework classifies alerts into related categories, and each category is further divided into subcategories. A category carries the properties and specifications that define the alerts it contains; a subcategory identifies the kind of resource or activity the alert concerns.
Alert Categories
The following table describes all alert categories.
Category | Description |
---|---|
Anomaly | Alerts that are generated when there are behavioral changes. |
Policy | Alerts that are generated when a violation of a custom policy is detected. |
Composite | Alerts that are generated when a potential intrusion is detected. |
Alert Subcategories
The following table describes all alert subcategories.
Subcategory | Description |
---|---|
Compliance | Compliance-related alerts such as "New violations: AWS Account <ACCOUNT_ID> : lacework-global-128 EC2 instances should not have a Public IP address attached". Lacework provides out-of-the-box compliance policies and supports the creation of custom compliance policies. These policies trigger alerts when a violation occurs (if the policies are enabled). |
Application | Application-related alerts such as a suspicious application: "Suspicious test app: Suspicious application /usr/local/bin/python2.7 (and 4 more)". |
Cloud Activity | Cloud-activity alerts specific to AWS, Azure, or Google Cloud. For example: "New Violations: GCP_CIS12_3_6 Ensure that SSH access is restricted from the internet new compliance violations detected". |
File | Potentially suspicious file-related alerts such as "Clone of Suspicious Files: /var/run/qa/BFNE/08082021170247/eicar.com.txt (and 96 more)". |
Machine | Machine-related alerts such as new IP address connections: "New External Server IP Address: ip-192.51.100.100.us-west-2.compute.internal connected to xx.xx.xxx.xxx". |
User | User-related alerts such as suspicious user logins: "Suspicious logins from multiple GEOs: Suspicious user logins detected for user web93 (and 331 more) access from multiple geographies". |
Platform | Platform-related alerts such as cloud activity log ingestion failures: "Cloud Activity log ingestion failure detected: dh-user-kt is failing for data ingestion into Lacework". |
Kubernetes Activity | Kubernetes-related alerts such as a new binding to a cluster role being created: "K8s Audit Log Cluster Role Created". |
Registry | Registry-related alerts such as "PolicyViolationChanged" and "NewPolicyViolation". |
SystemCall | System-call-related alerts such as "Attempted Host Path Mount", "Host Path Mount Execution", and "Attempted Cron Job Creation". |
Host Vulnerability | Host-vulnerability-related alerts such as "New vulnerable internal connection" and "New external host server connection from vulnerable application". |
Container Vulnerability | Container-vulnerability-related alerts such as "New security vulnerability", "Known security vulnerability", and "Known security vulnerability discovered in repository". |
Threat Intel | Threat-intelligence alerts about network connections to or from known-bad destinations, such as "Outbound connection to a bad external URL", "Outbound connection to a bad external IP Address", and "Inbound connection from a bad external IP Address". |