Skip to main content

Alert Categories

Lacework classifies alerts into related categories. A category contains various properties and specifications that define the alerts within that category.

Alert Categories

The following table describes all alert categories.

AnomalyAlerts that are generated when there are behavioral changes.
PolicyAlerts that are generated when a violation of a custom policy is detected.
CompositeAlerts that are generated when a potential intrusion is detected.

Alert Subcategories

The following table describes all alert subcategories.

ComplianceCompliance-related alerts such as New Violations: GCP_CIS12_1_5 Ensure that ServiceAccount has no Admin privileges. Lacework uses CIS compliance rules to check if your cloud accounts are compliant with these rules. It generates alerts if there are compliance issues.
ApplicationApplication-related vulnerabilities such as a suspicious application: Suspicious test app: Suspicious application /usr/local/bin/python2.7 (and 4 more)
Cloud ActivityCloud-activity alerts specific to AWS, Azure, or Google Cloud. For example: New Violations: GCP_CIS12_3_6 Ensure that SSH access is restricted from the internet new compliance violations detected.
FilePotentially suspicious file-related alerts such as: Clone of Suspicious Files: /var/run/qa/BFNE/08082021170247/ (and 96 more).
MachineMachine-related alerts such as new IP address connections: New External Server IP Address: connected to
UserUser-related alerts such as suspicious user logins: Suspicious logins from multiple GEOs: Suspicious user logins detected for user web93 (and 331 more) access from multiple geographies.
PlatformPlatform-related alerts such as cloud activity ingestion failures: Cloud Activity log ingestion failure detected: dh-user-kt is failing for data ingestion into Lacework.
Kubernetes ActivityKubernetes-related alerts such as a new binding to a Cluster Role was created: K8s Audit Log Cluster Role Created.
RegistryRegistry-related alerts such as PolicyViolationChanged, NewPolicyViolation.
SystemCallSystem-call-related alerts such as Attempted Host Path Mount, Host Path Mount Execution, Attempted Cron Job Creation.
Host VulnerabilityHost-vulnerability-related alerts such as "New vulnerable internal connection, New external host server connection from vulnerable application.
Container VulnerabilityContainer-vulnerability-related alerts such as New security vulnerability, Known security vulnerability, Known security vulnerability discovered in repository.
Threat IntelNetwork-related alerts such as Outbound connection to a bad external URL, Outbound connection to a bad external IP Addres, Inbound connection from a bad external IP Address.