Application Anomaly Alerts
Lacework generates application-based alerts when it detects application-related vulnerabilities. You can define alert rules to trigger alerts when application-related vulnerabilities are found. See Alert Rules.
Alert List
The following table lists all the application-based alerts.
| Alert Name | Alert Type | Alert Subcategory | Connection |
|---|---|---|---|
| New application | NewBinaryType | Application | Process -> Process; Process -> DNS; Process -> IP; Process -> Destination Process; DNS -> Destination Process; IP -> Destination Process |
| New child launched | NewChildLaunched | Application | |
| Bad external client DNS | NewExternalClientBadDns | Application | Domain -> Process |
| Bad external client IP address | NewExternalClientBadIp | Application | IP -> Process |
| Bad external client IP address connection | NewExternalClientBadIpConn | Application | IP -> Process; IP -> Machine |
| New external client IP address connection | NewExternalClientConn | Application | IP -> Process |
| New external client DNS | NewExternalClientDns | Application | Domain -> Process |
| New external client IP address | NewExternalClientIp | Application | IP -> Process; IP -> Machine |
| Bad external host | NewExternalServerBadDns | Application | Process -> Domain |
| Bad external server DNS connection | NewExternalServerBadDNSConn | Application | Machine -> Domain |
| Bad external server host connection | NewExternalServerBadDNSConn | Application | Process -> Domain |
| Bad external server IP address | NewExternalServerBadIp | Application | Process -> IP |
| Bad external server IP address connection | NewExternalServerBadIPConn | Application | Process -> IP; Machine -> IP |
| Outbound connection to new domain | NewExternalServerDns | Application | Process -> Domain |
| New outbound connection from application (Note: Legacy name: New external host server connection) | NewExternalServerDNSConn | Application | Process -> Domain |
| New external host server connection | NewExternalServerDNSConn | Application | Machine -> Domain |
| New external host | NewExternalServerIp | Application | Process -> Domain |
| Outbound connection to a new external IP address | NewExternalServerIp | Application | Process -> IP |
| New external server IP address connection | NewExternalServerIPConn | Application | Process -> IP; Machine -> IP |
| New internal connection | NewInternalConnection | Application | Process -> Process; Process -> IP; IP -> Process; Machine -> IP; IP -> Machine; Machine -> Machine |
| New K8s cluster | NewK8Cluster | Application | |
| New K8s namespace | NewK8Namespace | Application | Cluster -> Namespace; Namespace -> Pod |
| New K8s pod | NewK8Pod | Application | |
Suppress an Alert
Suppressing specific application-related alerts reduces the number of alerts and allows you to focus on the assets that are most important to you. For details, see Suppress Behavior Anomaly Alerts.