Cloud Activity Anomaly Alerts
Lacework generates cloud activity alerts when it detects anomalous activity in a monitored cloud account, that is, a change in the Polygraph such as a user, source, region, service or API appearing for the first time. These are behavioral anomalies, not vulnerability findings. You can define alert rules for these alerts. See Alert Rules.
AWS Activity Alerting
The following Polygraph changes result in node alerts (an entity, such as a user, region or service, seen for the first time) or edge alerts (a relationship between entities seen for the first time), as listed below:
Node Alerts

| Alert Name | Alert Type | Alert Subcategory |
|---|---|---|
| AWS account accessed from a new geolocation with a new AWS event type | LoginFromSourceUsingCalltype | Cloud Activity |
| AWS account accessed from a new geolocation | LoginFromSourceUsingCalltype | Cloud Activity |
| New cross-account access made from external AWS account (legacy name: New AWS account) | NewAccount | Cloud Activity |
| New region | NewRegion | Cloud Activity |
| New service | NewService | Cloud Activity |
| New AWS user | NewAwsUser | Cloud Activity |
| Service called API | ServiceCalledApi | Cloud Activity |
| User Calltype MFA | UserCalltypeMfa | Cloud Activity |

Edge Alerts

| Alert Name | Alert Type | Alert Subcategory |
|---|---|---|
| API failed with error | ApiFailedWithError | Cloud Activity |
| AWS IAM API error spike | AwsAccountFailedApi | Cloud Activity |
| AWS GPU instance usage spike | AwsAccountGpuLaunch | Cloud Activity |
| AWS account accessed from known bad IP address with new AWS event type (legacy name: Login from known bad source using Calltype) | LoginFromBadSourceUsingCalltype | Cloud Activity |
| AWS account accessed from known bad IP address (legacy name: Login from known bad source using Calltype) | LoginFromBadSourceUsingCalltype | Cloud Activity |
| Login from new bad source using Calltype | LoginFromBadSourceUsingCalltype | Cloud Activity |
| AWS account accessed from a new geolocation with a new AWS event type (legacy name: Login from source using Calltype) | LoginFromSourceUsingCalltype | Cloud Activity |
| AWS account accessed from a new geolocation (legacy name: Login from source using Calltype) | LoginFromSourceUsingCalltype | Cloud Activity |
| New AWS service accessed in region (legacy name: Service accessed in region) | ServiceAccessedInRegion | Cloud Activity |
| User Calltype MFA | UserCalltypeMfa | Cloud Activity |
| New AWS API invoked (legacy name: User used service in region) | UserUsedServiceInRegion | Cloud Activity |
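The node/edge distinction in the AWS tables above is easiest to see as a first-seen baseline: a node alert fires when an entity is observed for the first time, an edge alert when a relationship between entities is observed for the first time. The following is an added illustrative model written for this page, not Lacework's implementation or its Polygraph engine. It reuses the alert type names from the tables; the record fields (user, region, service, api, ip), the use of a source IP in place of a geolocation, and the sample records are all assumptions constructed for the example.

```python
"""Illustrative first-seen model of node vs. edge cloud-activity alerts.

Added example, not Lacework's code. It learns a baseline from a set of
constructed CloudTrail-style records and then reports, per new record,
which alert types from the AWS tables would be raised under a simple
"seen for the first time" rule.
"""


class Polygraph:
    """Baseline of previously seen nodes and edges for one AWS account."""

    def __init__(self):
        # Nodes: one set per entity kind.
        self.users = set()
        self.regions = set()
        self.services = set()
        # Edges: tuples that link nodes.
        self.service_region = set()       # service -> region
        self.user_service_region = set()  # user -> service in a region
        # Assumption: source IP stands in for the geolocation the real
        # alert keys on; the edge is (source, event type / call type).
        self.source_calltype = set()

    def observe(self, event, learning=False):
        """Record the event and return the alert types raised.

        While learning=True the baseline is populated silently.
        """
        raised = []

        def first_seen(seen, key, alert_type):
            if key not in seen:
                seen.add(key)
                if not learning:
                    raised.append(alert_type)

        # Node alerts: a new entity of some kind.
        first_seen(self.users, event["user"], "NewAwsUser")
        first_seen(self.regions, event["region"], "NewRegion")
        first_seen(self.services, event["service"], "NewService")
        # Edge alerts: a new relationship between (possibly known) entities.
        first_seen(self.service_region,
                   (event["service"], event["region"]),
                   "ServiceAccessedInRegion")
        first_seen(self.user_service_region,
                   (event["user"], event["service"], event["region"]),
                   "UserUsedServiceInRegion")
        first_seen(self.source_calltype,
                   (event["ip"], event["api"]),
                   "LoginFromSourceUsingCalltype")
        return raised


def run_detection(baseline_events, new_events):
    """Learn from baseline_events, then return one alert list per new event."""
    graph = Polygraph()
    for event in baseline_events:
        graph.observe(event, learning=True)
    return [graph.observe(event) for event in new_events]


# Constructed sample records (not real CloudTrail data).
BASELINE_EVENTS = [
    {"user": "alice", "region": "us-east-1", "service": "s3.amazonaws.com",
     "api": "GetObject", "ip": "203.0.113.10"},
    {"user": "alice", "region": "us-east-1", "service": "ec2.amazonaws.com",
     "api": "DescribeInstances", "ip": "203.0.113.10"},
    {"user": "bob", "region": "us-west-2", "service": "s3.amazonaws.com",
     "api": "ListBucket", "ip": "203.0.113.11"},
]

NEW_EVENTS = [
    # Known user and service, but a region never seen before: one node
    # alert (NewRegion) plus the two edges that now touch that region.
    {"user": "alice", "region": "eu-west-1", "service": "s3.amazonaws.com",
     "api": "GetObject", "ip": "203.0.113.10"},
    # Unknown user from an unknown source calling a service never used:
    # node alerts for the user and service, edges for everything else.
    {"user": "mallory", "region": "us-east-1", "service": "iam.amazonaws.com",
     "api": "CreateAccessKey", "ip": "198.51.100.7"},
    # Entirely within the baseline: no alert.
    {"user": "bob", "region": "us-west-2", "service": "s3.amazonaws.com",
     "api": "ListBucket", "ip": "203.0.113.11"},
]

if __name__ == "__main__":
    for event, alerts in zip(NEW_EVENTS, run_detection(BASELINE_EVENTS, NEW_EVENTS)):
        print(f'{event["user"]:8} {event["region"]:10} {event["api"]:18} -> '
              f'{alerts or "no alert"}')
```

Because `observe` adds each new key to the baseline as it raises the alert, a repeat of the same activity is silent, which is the property that makes "new X" alerts useful for triage and also why suppressing one (see Suppress an Alert below) does not hide a later, genuinely different change.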
Google Cloud Activity Alerting
The following polygraph changes result in node alerts or edge alerts as listed below:
Node Alerts

| Alert Name | Alert Type | Alert Subcategory |
|---|---|---|
| New GCP API call | NewGcpApiCall | Cloud Activity |
| New GCP organization | NewGcpOrganization | Cloud Activity |
| New GCP region | NewGcpRegion | Cloud Activity |
| New GCP service | NewGcpService | Cloud Activity |
| New GCP source | NewGcpSource, NewGcpSourceForServiceAccount | Cloud Activity |
| New GCP user | NewGcpUser | Cloud Activity |
| New API invoked for Google Cloud service (legacy name: Service called GCP API) | ServiceCalledGcpApi | Cloud Activity |

Edge Alerts

| Alert Name | Alert Type | Alert Subcategory |
|---|---|---|
| GCP API failed with error | GcpApiFailedWithError | Cloud Activity |
| New Google Cloud service accessed in region (legacy name: GCP service accessed in region) | GcpServiceAccessedInRegion | Cloud Activity |
| GCP user accessed region | GcpUserAccessingRegion | Cloud Activity |
| GCP user logged in from bad source | GcpUserLoggedInFromBadSource | Cloud Activity |
| GCP user logged in from new source | GcpUserLoggedInFromSource | Cloud Activity |
| GCP service account logged in from new source | GcpServiceAccountLoggedInFromSource | Cloud Activity |
Azure Activity Alerting
The following polygraph changes result in node alerts or edge alerts as listed below:
Node Alerts

| Alert Name | Alert Type | Alert Subcategory |
|---|---|---|
| New Azure API failed with error | NewAzureApiFailedWithError | Cloud Activity |
| New Azure SP accessing resource | NewAzureService | Cloud Activity |
| New Azure subscription created | NewAzureSubscription | Cloud Activity |
| New Azure user logged in from bad source | NewAzureUserLoggedInFromBadSource | Cloud Activity |

Edge Alerts

| Alert Name | Alert Type | Alert Subcategory |
|---|---|---|
| New Azure API call invoked by user accessed resource for the first time | NewAzureApiCallOnResource | Cloud Activity |
| New Azure user performed operation on resource for the first time | NewAzureUserEventCategory | Cloud Activity |
Suppress an Alert
Suppressing specific cloud activity alerts reduces alert volume and lets you focus on the assets that matter most to you. Suppress only alerts you have triaged as expected behavior, since a suppressed "new X" alert will not resurface for that same entity. For details, see Suppress Behavior Anomaly Alerts.