Skip to main content

Suppress Behavior Anomaly Alerts

Suppressing specific AWS, Google Cloud, and host behavior anomaly alerts reduces the number of alerts and allows you to focus on the assets that are most important to you.

To use policies to suppress specific behavior anomaly alerts:

  1. Log in to the Lacework Console.

  2. Click Policies.

  3. Click on the Domain filter group to display the list of filters associated with the selected filter group, then select either Host, AWS, Azure or GCP. Anomaly policies are available for AWS, Google Cloud, and host policy domains.

  4. Locate the policy you want to suppress and expand it.

  5. Click Clone.

  6. Enter a name for the event.

  7. Define the expressions for suppressing the event.
    You must select EXCLUDE to suppress the event for the specified expressions.
    Example: For the New External Server IP Address event, you could add these expressions: IP_ADDR EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443. This will exclude the alert type New External Server IP Address only when the IP address matches 10.0.10.1 or 10.0.10.2 and the port matches 80 or 443.
    The following table provides parameter value examples.

    You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names).

    The hostname parameter supports * as a wildcard (for example, for subdomains).

  8. Ensure the policy is enabled and click Save.

  9. Ensure the default policy that you cloned remains enabled.

After you suppress an alert, Lacework does not generate an event for the expressions you defined.

If you disable the default policy category from which a policy was cloned, that setting takes precedence, meaning the entire category of that event type is disabled. In this way, anomaly policies behave differently from other types of Lacework policies. For anomaly policies, you can think of clones as extensions of the original policy, which you use to define suppressions for the original policy.

Example Parameter Values

You can also use the * wildcard when defining parameter values.

ParameterExample ValueNotes
ACCOUNT_ID1122334455
APPLICATIONwget
CONTAINER_REPOk8s.gcr.io
CONTAINER_TYPEdocker
EXE_PATH/bin/bash
HostnamemyhostnameYou can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names). The hostname parameter supports * as a wildcard (such as for subdomains).
IP_ADDR192.0.2.0IP ranges are not supported. However, you can use the * wildcard to simplify some exceptions. For example, you can add 192.0.2.0 as 192.0.* if you have a common range.
MACHINE_TAG_KEYSubnetId
PORT443
REGIONus-west-2
RESOURCE{​"bucketName":"bucketd20143001"}
SERVICEec2.amazonaws.com
USERNAMEmyusername