Alert Categories
Lacework classifies alerts into related categories. A category contains various properties and specifications that define the alerts within that category.
Alert Categories
The following table describes all alert categories.
| Category | Description |
|---|---|
| Anomaly | Alerts that are generated when there are behavioral changes. |
| Policy | Alerts that are generated when a violation of a custom policy is detected. |
| Composite | Alerts that are generated when a potential intrusion is detected. |
Alert Subcategories
The following table describes all alert subcategories.
| Subcategory | Description |
|---|---|
| Compliance | Compliance-related alerts such as New violations: AWS Account <ACCOUNT_ID> : lacework-global-128 EC2 instances should not have a Public IP address attached. Lacework provides out-of-the-box compliance policies and supports the creation of custom compliance policies. These policies trigger alerts when a violation occurs (if the policies are enabled). |
| Application | Application-related vulnerabilities such as a suspicious application: Suspicious test app: Suspicious application /usr/local/bin/python2.7 (and 4 more) |
| Cloud Activity | Cloud-activity alerts specific to AWS, Azure, or Google Cloud. For example: New Violations: GCP_CIS12_3_6 Ensure that SSH access is restricted from the internet new compliance violations detected. |
| File | Potentially suspicious file-related alerts such as: Clone of Suspicious Files: /var/run/qa/BFNE/08082021170247/eicar.com.txt (and 96 more). |
| Machine | Machine-related alerts such as new IP address connections: Outbound connection to a new external IP address from application: ip-192.51.100.100.us-west-2.compute.internal connected to xx.xx.xxx.xxx |
| User | User-related alerts such as suspicious user logins: Suspicious logins from multiple GEOs: Suspicious user logins detected for user web93 (and 331 more) access from multiple geographies. |
| Platform | Platform-related alerts such as cloud activity ingestion failures: Cloud Activity log ingestion failure detected: dh-user-kt is failing for data ingestion into Lacework. |
| Kubernetes Activity | Kubernetes-related alerts such as a new binding to a Cluster Role was created: K8s Audit Log Cluster Role Created. |
| Registry | Registry-related alerts such as PolicyViolationChanged, NewPolicyViolation. |
| SystemCall | System-call-related alerts such as Attempted Host Path Mount, Host Path Mount Execution, Attempted Cron Job Creation. |
| Host Vulnerability | Host-vulnerability-related alerts such as "New vulnerable internal connection, New external host server connection from vulnerable application. |
| Container Vulnerability | Container-vulnerability-related alerts such as New security vulnerability, Known security vulnerability, Known security vulnerability discovered in repository. |
| Threat Intel | Network-related alerts such as Outbound connection to a bad external URL, Outbound connection to a bad external IP Address, Inbound connection from a bad external IP Address. |