Skip to main content

Alert Categories

Lacework classifies alerts into related categories. A category contains various properties and specifications that define the alerts within that category.

Alert Categories

The following table describes all alert categories.

AnomalyAlerts that are generated when there are behavioral changes.
PolicyAlerts that are generated when a violation of a custom policy is detected.
CompositeAlerts that are generated when a potential intrusion is detected.

Alert Subcategories

The following table describes all alert subcategories.

ComplianceCompliance-related alerts such as New violations: AWS Account <ACCOUNT_ID> : lacework-global-128 EC2 instances should not have a Public IP address attached. Lacework provides out-of-the-box compliance policies and supports the creation of custom compliance policies. These policies trigger alerts when a violation occurs (if the policies are enabled).
ApplicationApplication-related vulnerabilities such as a suspicious application: Suspicious test app: Suspicious application /usr/local/bin/python2.7 (and 4 more)
Cloud ActivityCloud-activity alerts specific to AWS, Azure, or Google Cloud. For example: New Violations: GCP_CIS12_3_6 Ensure that SSH access is restricted from the internet new compliance violations detected.
FilePotentially suspicious file-related alerts such as: Clone of Suspicious Files: /var/run/qa/BFNE/08082021170247/ (and 96 more).
MachineMachine-related alerts such as new IP address connections: Outbound connection to a new external IP address from application: connected to
UserUser-related alerts such as suspicious user logins: Suspicious logins from multiple GEOs: Suspicious user logins detected for user web93 (and 331 more) access from multiple geographies.
PlatformPlatform-related alerts such as cloud activity ingestion failures: Cloud Activity log ingestion failure detected: dh-user-kt is failing for data ingestion into Lacework.
Kubernetes ActivityKubernetes-related alerts such as a new binding to a Cluster Role was created: K8s Audit Log Cluster Role Created.
RegistryRegistry-related alerts such as PolicyViolationChanged, NewPolicyViolation.
SystemCallSystem-call-related alerts such as Attempted Host Path Mount, Host Path Mount Execution, Attempted Cron Job Creation.
Host VulnerabilityHost-vulnerability-related alerts such as "New vulnerable internal connection, New external host server connection from vulnerable application.
Container VulnerabilityContainer-vulnerability-related alerts such as New security vulnerability, Known security vulnerability, Known security vulnerability discovered in repository.
Threat IntelNetwork-related alerts such as Outbound connection to a bad external URL, Outbound connection to a bad external IP Address, Inbound connection from a bad external IP Address.