
Application

Lacework generates application-based alerts when it detects application-related vulnerabilities. You can define alert rules that trigger alerts when such vulnerabilities are found. See Alert Rules.

Alert List

The following table lists all the application-based alerts.

| Alert Name | Alert Type | Event Model | Alert Subcategory | Connection |
| --- | --- | --- | --- | --- |
| New application | NewBinaryType | PtypeConn; Ct2Ct | Application | Process -> Process; Process -> DNS; Process -> IP; Process -> Destination Process; DNS -> Destination Process; IP -> Destination Process |
| New child launched | NewChildLaunched | Ct2Ct | Application | |
| New child launched from vulnerable application | NewChildLaunchedFromVulnParent | Ct2Ct | Application | |
| Bad external client DNS | NewExternalClientBadDns | PtypeConn | Application | Domain -> Process |
| Bad external client IP address | NewExternalClientBadIp | PtypeConn | Application | IP -> Process |
| Real-time bad external client IP address | NewExternalClientBadIp | PtypeConn | Application | |
| Bad external client IP address connection | NewExternalClientBadIpConn | PtypeConn | Application | IP -> Process; IP -> Machine |
| Bad external client IP address connection to vulnerable application | NewExternalClientBadIpConnToVuln | PtypeConn | Application | |
| New external client IP address connection | NewExternalClientConn | PtypeConn | Application | IP -> Process |
| New external client DNS | NewExternalClientDns | PtypeConn | Application | Domain -> Process |
| New external client IP address | NewExternalClientIp | PtypeConn | Application | IP -> Process; IP -> Machine |
| New external client IP address connection to vulnerable application | NewExternalClientIpConnToVuln | PtypeConn | Application | |
| Bad external host | NewExternalServerBadDns | PtypeConn | Application | Process -> Domain |
| Real-time bad external server host | NewExternalServerBadDns | PtypeConn | Application | |
| Bad external server DNS connection | NewExternalServerBadDNSConn | PtypeConn | Application | Machine -> Domain |
| Bad external server host connection | NewExternalServerBadDNSConn | PtypeConn | Application | Process -> Domain |
| Bad external server IP address | NewExternalServerBadIp | PtypeConn | Application | Process -> IP |
| Real-time bad external server IP address | NewExternalServerBadIp | PtypeConn | Application | |
| Bad external server IP address connection | NewExternalServerBadIPConn | PtypeConn | Application | Process -> IP; Machine -> IP |
| Bad external server IP address connection from vulnerable application | NewExternalServerBadIPConnFromVuln | PtypeConn | Application | |
| New external host | NewExternalServerDns | PtypeConn | Application | Process -> Domain |
| New external host server connection | NewExternalServerDNSConn | PtypeConn | Application | Process -> Domain |
| New external server host connection | NewExternalServerDNSConn | PtypeConn | Application | Machine -> Domain |
| New external host server connection from vulnerable application | NewExternalServerDNSConnFromVuln | PtypeConn | Application | |
| New external host | NewExternalServerIp | PtypeConn | Application | Process -> Domain |
| New external server IP address | NewExternalServerIp | PtypeConn | Application | Process -> IP |
| New external server IP address connection | NewExternalServerIPConn | PtypeConn | Application | Process -> IP; Machine -> IP |
| New external server IP address connection from vulnerable application | NewExternalServerIPConnFromVuln | PtypeConn | Application | |
| New internal connection | NewInternalConnection | PtypeConn | Application | Process -> Process; Process -> IP; IP -> Process; Machine -> IP; IP -> Machine; Machine -> Machine |
| New K8s cluster | NewK8Cluster | K8Launch | Application | |
| New K8s namespace | NewK8Namespace | K8Launch | Application | Cluster -> Namespace; Namespace -> Pod |
| New K8s pod | NewK8Pod | K8Launch | Application | |
| New vulnerable child launched | NewVulnChildLaunched | Ct2Ct | Application | |
| New vulnerable internal connection | NewVulnInternalConnection | PtypeConn | Application | Process -> Process; Process -> IP; IP -> Process |

Suppress an Alert

Suppressing specific application-related alerts reduces the number of alerts and allows you to focus on the assets that are most important to you. For details, see Suppress Behavior Anomaly Alerts.