User Anomaly Alerts
Lacework generates user-based alerts when it detects anomalous user activity, such as a new user, a user launching a new or vulnerable binary, a privilege escalation, or a new or suspicious connection made by a user's process. You can define alert rules to trigger alerts when such user anomalies are detected. See Alert Rules.
Alert List
The following table lists all the user-based alerts, their alert type identifiers, and, where applicable, the connection pairs that can trigger them.
| Alert Name | Alert Type | Alert Subcategory | Connection |
|---|---|---|---|
| New child launched from vulnerable application | NewChildLaunchedFromVulnParent | User | |
| Bad external server DNS connection | NewExternalServerBadDNSConn | User | Machine -> Domain |
| Bad external server host connection | NewExternalServerBadDNSConn | User | Process -> Domain |
| Bad external server IP address connection | NewExternalServerBadIPConn | User | Process -> IP, Machine -> IP |
| Bad external server IP address connection from vulnerable application | NewExternalServerBadIPConnFromVuln | User | |
| New outbound connection from application | NewExternalServerDNSConn | User | Process -> Domain |
| New external host server connection | NewExternalServerDNSConn | User | Machine -> Domain |
| New external server IP address connection | NewExternalServerIPConn | User | Process -> IP, Machine -> IP |
| New internal connection | NewInternalConnection | User | Process -> Process, Process -> IP, IP -> Process, Machine -> IP, IP -> Machine, Machine -> Machine |
| New privilege escalation | NewPrivilegeEscalation | User | |
| New user | NewUser | User | |
| New vulnerable internal connection | NewVulnInternalConnection | User | Process -> Process, Process -> IP, IP -> Process |
| User launched new binary | UserLaunchedNewBinary | User | |
| User launched new vulnerable binary | UserLaunchedNewVulnBinary | User | |
| User logged in from new location | UserLoggedInFromNewLocation | User | |
Suppress an Alert
Suppressing specific user-related alerts reduces alert volume and lets you focus on the assets that matter most to you. For details, see Suppress Behavior Anomaly Alerts.