Security Insights FAQ
What sources of threat intelligence does Lacework use?
Lacework uses the following sources for its threat intelligence:
- File Reputation:
  - Reversing Labs
  - Lacework Labs manually added file hashes
- IP/Domain Reputation:
  - Lacework Labs manually added research IOCs and honey-pot data
  - Lacework Labs automated hunting from VirusTotal
  - Lacework Labs cryptomining infrastructure research
  - Variety of Open Source honey-pot sourced feeds
Alerting from VirusTotal intel sources requires three or more antivirus detections and a last-seen date within the past 30 days.
How can I explain the severity of an alert?
If the alert was derived from threat intelligence, the severity is determined by the threat intelligence source and the directionality (inbound or outbound) of the event.
By default, the severity of outbound connections (server events) is Critical, and the severity of inbound connections (client events) is High.
Exceptionally, for alerts derived from threat intel sources such as emerging_threats_dns, emerging_threats, combine, isc_sans, malc0de, blocklist_de, danger_rulez_blist, and research_virustotal, the severity of outbound connections is High, and the severity of inbound connections is Medium.
If the alert is not derived from threat intelligence, the severity is determined by Lacework's severity scoring algorithm. See Alert Severity for more information.
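The two rules above (the VirusTotal collection criteria and the source-plus-direction severity mapping) written out as a small triage helper. This is an added example, not Lacework code; the indicator records, the reference date and the source name "manual_ioc" are constructed, and the threshold constants are taken from the FAQ text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy values as stated in the FAQ (constructed constants, not a Lacework API).
VT_MIN_DETECTIONS = 3   # "three or more antivirus detections"
VT_MAX_AGE_DAYS = 30    # "last seen within 30 days"

# Threat intel sources the FAQ lists as alerting one level below the default.
LOWER_SEVERITY_SOURCES = {
    "emerging_threats_dns", "emerging_threats", "combine", "isc_sans",
    "malc0de", "blocklist_de", "danger_rulez_blist", "research_virustotal",
}

@dataclass
class Indicator:
    """A constructed VirusTotal-style record for an IP or domain."""
    value: str
    detections: int   # antivirus engines flagging the indicator
    last_seen: date   # most recent sighting reported by the feed

def vt_qualifies(ind: Indicator, today: date) -> bool:
    """True if the indicator meets the FAQ's VirusTotal collection rule."""
    fresh = (today - ind.last_seen) <= timedelta(days=VT_MAX_AGE_DAYS)
    return ind.detections >= VT_MIN_DETECTIONS and fresh

def ti_severity(source: str, direction: str) -> str:
    """Severity of a threat-intel alert from its source and event direction.
    direction is "outbound" (server event) or "inbound" (client event)."""
    if direction not in ("outbound", "inbound"):
        raise ValueError(f"unknown direction: {direction}")
    if source in LOWER_SEVERITY_SOURCES:
        return "High" if direction == "outbound" else "Medium"
    return "Critical" if direction == "outbound" else "High"

def triage(ind: Indicator, source: str, direction: str, today: date) -> Optional[str]:
    """Severity the alert would carry, or None if a VirusTotal-sourced indicator
    no longer meets the collection rule (a stale-indicator false-positive candidate)."""
    if source == "research_virustotal" and not vt_qualifies(ind, today):
        return None
    return ti_severity(source, direction)

if __name__ == "__main__":
    today = date(2024, 1, 31)  # constructed reference date
    stale = Indicator("198.51.100.7", detections=12, last_seen=date(2023, 11, 1))
    fresh = Indicator("203.0.113.9", detections=3, last_seen=date(2024, 1, 20))
    print(triage(stale, "research_virustotal", "outbound", today))  # None
    print(triage(fresh, "research_virustotal", "outbound", today))  # High
    print(triage(fresh, "manual_ioc", "inbound", today))            # High
```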
Is this indicator a false positive?
False positives (FP) can occur when indicators are stale or when benign artifacts are misclassified as malicious. If you encounter a false positive, VirusTotal can be a valuable resource for investigation. You can also check passive DNS data to determine whether the suspected false-positive IP is hosting legitimate domains.
If you have confirmed that the indicators are false positives and need to be added to the allowlist, or if you require assistance determining if the indicators are false positives, reach out to Lacework for assistance.
Is this vulnerability a false positive?
Provided with an <alert_id> and <CDB>, the query below will help identify the vulnerable library or executable. The query also returns the file's version, helping to confirm whether the file is vulnerable.
SELECT DISTINCT p.props
FROM <CDB>.EVENT_INTERNAL.EVENT_DETAILS_T AS e
INNER JOIN <CDB>.PUBLIC.PROCESS_DETAILS_T AS p
ON substr(e.PROPS:originEntity:keys:pid_hash, 1, 18) = p.pid_hash
WHERE e.ID = <alert_id>
LIMIT 100;
Can you provide more information on a domain or an IP address seen with an alert?
Every threat intelligence alert is derived from one or more intelligence sources. Depending on the indicator, the source was either added manually by Lacework Labs researchers or a third party provided it.
Alerts that have an indicator tagged as “VirusTotal indicator” are sourced directly from VirusTotal. The current collection requirements for VirusTotal specify that the domain or IP must have more than three antivirus detections and must have been observed within the last 30 days. For more information, visit virustotal.com.
Why did Lacework not detect this activity?
The activity may have gone undetected if it involved a malicious domain or IP address that was not present in the threat database. If the activity involved command-line and process artifacts, custom detections can be created using LQL. In such cases, it is possible that the required LQL/LPP was either not deployed or does not exist.
Can you investigate an environment or event?
Lacework is happy to offer both hunting and investigative services. We have also developed self-enablement tools to help facilitate this process:
- Cloud Hunter: This tool enables you to search for critical data across the Lacework platform and allows you to create LQL queries to execute every search.
- Snowroute: This project provides automated Snowflake-hunting and a knowledge base for Lacework.
How do I create exceptions to prevent alerting on an IP or domain in threat intel?
To suppress behavior anomaly alerts, you can create policies using the steps outlined in Suppress Behavior Anomaly Alerts.
When creating a policy for suppression, ensure that you do not disable the original policy that the suppression is cloned from to avoid affecting other alerts.
Why did Lacework not detect a malicious file?
By default, FIM scans are scheduled to occur once a day. If the malicious file was removed before the next scan, the agent may not be able to collect information about it.
However, if the agent did manage to collect information about the malicious file, it's worth querying the threat-resolver service to check whether the file's SHA256 hash is known to be bad in our threat database. To do this, use the SHA256 hash value and check the filedata_hash column in public.filedata_details_t.