Application
Lacework generates application-based alerts when it detects application-related vulnerabilities. You can define alert rules to trigger alerts when application-related vulnerabilities are found. See Alert Rules.
Alert List
The following table lists all the application-based alerts.
Alert Name | Alert Type | Event Model | Alert Subcategory | Connection |
---|---|---|---|---|
New application | NewBinaryType | PtypeConn, Ct2Ct | Application | Process -> Process; Process -> DNS; Process -> IP; Process -> Destination Process; DNS -> Destination Process; IP -> Destination Process |
New child launched | NewChildLaunched | Ct2Ct | Application | |
New child launched from vulnerable application | NewChildLaunchedFromVulnParent | Ct2Ct | Application | |
Bad external client DNS | NewExternalClientBadDns | PtypeConn | Application | Domain -> Process |
Bad external client IP address | NewExternalClientBadIp | PtypeConn | Application | IP -> Process |
Real-time bad external client IP address | NewExternalClientBadIp | PtypeConn | Application | |
Bad external client IP address connection | NewExternalClientBadIpConn | PtypeConn | Application | IP -> Process; IP -> Machine |
Bad external client IP address connection to vulnerable application | NewExternalClientBadIpConnToVuln | PtypeConn | Application | |
New external client IP address connection | NewExternalClientConn | PtypeConn | Application | IP -> Process |
New external client DNS | NewExternalClientDns | PtypeConn | Application | Domain -> Process |
New external client IP address | NewExternalClientIp | PtypeConn | Application | IP -> Process; IP -> Machine |
New external client IP address connection to vulnerable application | NewExternalClientIpConnToVuln | PtypeConn | Application | |
Bad external host | NewExternalServerBadDns | PtypeConn | Application | Process -> Domain |
Real-time bad external server host | NewExternalServerBadDns | PtypeConn | Application | |
Bad external server DNS connection | NewExternalServerBadDNSConn | PtypeConn | Application | Machine -> Domain |
Bad external server host connection | NewExternalServerBadDNSConn | PtypeConn | Application | Process -> Domain |
Bad external server IP address | NewExternalServerBadIp | PtypeConn | Application | Process -> IP |
Real-time bad external server IP address | NewExternalServerBadIp | PtypeConn | Application | |
Bad external server IP address connection | NewExternalServerBadIPConn | PtypeConn | Application | Process -> IP; Machine -> IP |
Bad external server IP address connection from vulnerable application | NewExternalServerBadIPConnFromVuln | PtypeConn | Application | |
New external host | NewExternalServerDns | PtypeConn | Application | Process -> Domain |
New external host server connection | NewExternalServerDNSConn | PtypeConn | Application | Process -> Domain |
New external server host connection | NewExternalServerDNSConn | PtypeConn | Application | Machine -> Domain |
New external host server connection from vulnerable application | NewExternalServerDNSConnFromVuln | PtypeConn | Application | |
New external host | NewExternalServerIp | PtypeConn | Application | Process -> Domain |
New external server IP address | NewExternalServerIp | PtypeConn | Application | Process -> IP |
New external server IP address connection | NewExternalServerIPConn | PtypeConn | Application | Process -> IP; Machine -> IP |
New external server IP address connection from vulnerable application | NewExternalServerIPConnFromVuln | PtypeConn | Application | |
New internal connection | NewInternalConnection | PtypeConn | Application | Process -> Process; Process -> IP; IP -> Process; Machine -> IP; IP -> Machine; Machine -> Machine |
New K8s cluster | NewK8Cluster | K8Launch | Application | |
New K8s namespace | NewK8Namespace | K8Launch | Application | Cluster -> Namespace; Namespace -> Pod |
New K8s pod | NewK8Pod | K8Launch | Application | |
New vulnerable child launched | NewVulnChildLaunched | Ct2Ct | Application | |
New vulnerable internal connection | NewVulnInternalConnection | PtypeConn | Application | Process -> Process; Process -> IP; IP -> Process |
Suppress an Alert
Suppressing specific application-related alerts reduces the number of alerts and allows you to focus on the assets that are most important to you. For details, see Suppress Behavior Anomaly Alerts.