Application

Lacework generates application-based alerts when there are application-related vulnerabilities detected. You can define alert rules to trigger alerts when application-related vulnerabilities are found. See Alert Rules.

Alert List

The following table lists all the application-based alerts.

Alert Name	Alert Type	Event Model	Alert Subcategory	Connection
New application	NewBinaryType	PtypeConn Ct2Ct	Application	Process -> Process Process -> DNS Process -> IP Process-> Destination Process DNS-> Destination Process IP -> Destination Process
New child launched	NewChildLaunched	Ct2Ct	Application
New child launched from vulnerable application	NewChildLaunchedFromVulnParent	Ct2Ct	Application
Bad external client DNS	NewExternalClientBadDns	PtypeConn	Application	Domain -> Process
Bad external client IP address	NewExternalClientBadIp	PtypeConn	Application	IP -> Process
Real-time bad external client IP address	NewExternalClientBadIp	PtypeConn	Application
Bad external client IP address connection	NewExternalClientBadIpConn	PtypeConn	Application	IP -> Process IP -> Machine
Bad external client IP address connection to vulnerable application	NewExternalClientBadIpConnToVuln	PtypeConn	Application
New external client IP address connection	NewExternalClientConn	PtypeConn	Application	IP -> Process
New external client DNS	NewExternalClientDns	PtypeConn	Application	Domain -> Process
New external client IP address	NewExternalClientIp	PtypeConn	Application	IP -> Process IP -> Machine
New external client IP address connection to vulnerable application	NewExternalClientIpConnToVuln	PtypeConn	Application
Bad external host	NewExternalServerBadDns	PtypeConn	Application	Process -> Domain
Real-time bad external server host	NewExternalServerBadDns	PtypeConn	Application
Bad external server DNS connection	NewExternalServerBadDNSConn	PtypeConn	Application	Machine -> Domain
Bad external server host connection	NewExternalServerBadDNSConn	PtypeConn	Application	Process -> Domain
Bad external server IP address	NewExternalServerBadIp	PtypeConn	Application	Process -> IP
Real-time bad external server IP address	NewExternalServerBadIp	PtypeConn	Application
Bad external server IP address connection	NewExternalServerBadIPConn	PtypeConn	Application	Process -> IP Machine -> IP
Bad external server IP address connection from vulnerable application	NewExternalServerBadIPConnFromVuln	PtypeConn	Application
New external host	NewExternalServerDns	PtypeConn	Application	Process -> Domain
New external host server connection	NewExternalServerDNSConn	PtypeConn	Application	Process -> Domain
New external server host connection	NewExternalServerDNSConn	PtypeConn	Application	Machine -> Domain
New external host server connection from vulnerable application	NewExternalServerDNSConnFromVuln	PtypeConn	Application
New external host	NewExternalServerIp	PtypeConn	Application	Process -> Domain
New external server IP address	NewExternalServerIp	PtypeConn	Application	Process -> IP
New external server IP address connection	NewExternalServerIPConn	PtypeConn	Application	Process -> IP Machine -> IP
New external server IP address connection from vulnerable application	NewExternalServerIPConnFromVuln	PtypeConn	Application
New internal connection	NewInternalConnection	PtypeConn	Application	Process -> Process Process -> IP IP -> Process Machine -> IP IP -> Machine Machine -> Machine
New K8s cluster	NewK8Cluster	K8Launch	Application
New K8s namespace	NewK8Namespace	K8Launch	Application	Cluster -> Namespace Namespace -> Pod
New K8s pod	NewK8Pod	K8Launch	Application
New vulnerable child launched	NewVulnChildLaunched	Ct2Ct	Application
New vulnerable internal connection	NewVulnInternalConnection	PtypeConn	Application	Process -> Process Process -> IP IP -> Process

Suppress an Alert

Suppressing specific application-related alerts reduces the number of alerts and allows you to focus on the assets that are most important to you. For details, see Suppress Behavior Anomaly Alerts.