
Introduction to Threat Intel Alerts

This section provides information about some of the threat intel alerts that are visible in the Lacework Console.

Lacework's threat intel alerts provide warning of potential threats based on the latest intelligence and threat analysis. Each alert provides supporting facts that can be useful to you when investigating or implementing remediation steps.

For each documented alert, this section provides:

  • a summary of the alert
  • why the alert is important
  • information about investigating the alert
  • information about how to resolve the alert

Advantages of Threat Intel Alerts

The following are key advantages of Lacework's threat intel alerts, contributing to our prevention and detection cybersecurity strategies:

  • Dynamic Severity Calculation - Our system determines severity based on the number of threat intel providers that mark an Indicator of Compromise (IOC) as malicious, resulting in more precise threat assessment and prioritization. This reduces false positives and enhances accuracy for customers.
  • Leveraging Customer Databases - We utilize Lacework Customer Databases (CDBs) containing attacking external IP addresses to power an indicator-based detection approach. This enables more accurate measurement of severity.
    • Targeted Customer Mapping: Severity levels dynamically consider the number of targeted customers for an indicator, providing an accurate representation of potential threats and estimated impact across Lacework's customer base.
    • Daily IOC Database Updates: Our IOC database is now updated daily, ensuring the data stays up to date.
    • Automated Time-To-Live (TTL) Evaluation: A daily automated process evaluates the time to live (TTL) of an IOC, ensuring the database remains current and relevant. We have a 90-day maximum retention period by default.
  • Enhanced Tag System - We have revamped the tag system to provide more contextual information in the Lacework Console.
    • Malicious Intel Provider Hit Count: Tags now include the hit count of malicious intel providers, offering additional insight.
    • Additional Filtration Layer: A new filtration layer excludes specific Autonomous System Number (ASN) owners and networks from VirusTotal. Contact Lacework Support for the list of excluded ASN owners.

These advancements strengthen Lacework's threat intel alerts, empowering organizations with greater visibility and actionable intelligence for comprehensive cybersecurity.


Inbound IOC alerts are assigned a severity one level lower compared to outbound alerts. For example, if an IOC is identified as malicious by 10 or more providers, it will be classified as Medium severity for inbound connections and High severity for outbound connections. For more information, refer to Alert Severity.