
Cloud Activity

Lacework generates cloud-activity alerts when it detects anomalous cloud activity, that is, a change in the cloud API polygraph such as a new account, region, service, user, or a new relationship between existing ones. The alert types are listed per cloud provider below. You can define alert rules that trigger on these alert types. See Alert Rules.

AWS Activity Alerting

The following polygraph changes result in node alerts (a new entity appears in the polygraph) or edge alerts (a new relationship between entities appears), as listed below:

Alert Name | Alert Type | Event Model | Alert Subcategory
Login from source using Calltype | LoginFromSourceUsingCalltype | AwsApiTracker | Cloud Activity
New AWS account | NewAccount | AwsApiTracker | Cloud Activity
New region | NewRegion | AwsApiTracker | Cloud Activity
New service | NewService | AwsApiTracker | Cloud Activity
New AWS user | NewAwsUser | AwsApiTracker | Cloud Activity
Service called API | ServiceCalledApi | AwsApiTracker | Cloud Activity
User Calltype MFA | UserCalltypeMfa | AwsApiTracker | Cloud Activity
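To make concrete how these node and edge alerts arise from API activity, the following is an added illustration (not Lacework's polygraph implementation and not code from this page): a baseline window of CloudTrail-style events is reduced to the set of known nodes (account, region, service, user) and known edges (service/API pairs, user/calltype/MFA combinations, user/source/calltype login triples), and any event in the next window that introduces a value not in the baseline raises an alert named after the AWS alert types in the table above. The events are constructed; the field names follow CloudTrail, but the baseline length, the choice of which fields form a node or an edge, and the "n/a" MFA marker for non-login events are assumptions made for this example.

```python
"""Illustration of how 'new node' / 'new edge' cloud-activity alerts arise.

A baseline of CloudTrail-style events is turned into sets of known nodes
(accounts, regions, services, users) and known edges (relationships between
them). Events in the following window that introduce a node or edge value not
present in the baseline raise an alert named after the AWS alert types above.
This is an added example, not Lacework's polygraph implementation.
"""
from collections import defaultdict

# Constructed CloudTrail-style events; only the fields used below are present
# (assumption: a real learning window is far longer than three events).
BASELINE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10", "eventType": "AwsApiCall"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10", "eventType": "AwsConsoleSignIn",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci"},
     "sourceIPAddress": "203.0.113.10", "eventType": "AwsApiCall"},
]

NEW_EVENTS = [
    # Known role, known service and API, but a region never seen in the baseline.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-2", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci"},
     "sourceIPAddress": "203.0.113.10", "eventType": "AwsApiCall"},
    # Known user logs in from a new source IP, this time without MFA.
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.7", "eventType": "AwsConsoleSignIn",
     "additionalEventData": {"MFAUsed": "No"}},
    # Never-seen user in a never-seen account calling a never-seen service.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "recipientAccountId": "222222222222",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/mallory"},
     "sourceIPAddress": "198.51.100.7", "eventType": "AwsApiCall"},
]


def _features(ev):
    """Map one event to the node values and edge tuples it contributes."""
    user = ev["userIdentity"]["arn"]
    service = ev["eventSource"]
    calltype = ev["eventType"]
    # MFAUsed only appears on console sign-in events; "n/a" is our marker.
    mfa = ev.get("additionalEventData", {}).get("MFAUsed", "n/a")
    nodes = {
        "NewAccount": ev["recipientAccountId"],
        "NewRegion": ev["awsRegion"],
        "NewService": service,
        "NewAwsUser": user,
    }
    edges = {
        "ServiceCalledApi": (service, ev["eventName"]),
        "UserCalltypeMfa": (user, calltype, mfa),
    }
    if ev["eventName"] == "ConsoleLogin":
        edges["LoginFromSourceUsingCalltype"] = (user, ev["sourceIPAddress"], calltype)
    return nodes, edges


def build_baseline(events):
    """Collect every node and edge value observed in the learning window."""
    known = defaultdict(set)
    for ev in events:
        nodes, edges = _features(ev)
        for alert_type, value in list(nodes.items()) + list(edges.items()):
            known[alert_type].add(value)
    return known


def detect(known, events):
    """Return (alert_type, value) for each node/edge absent from the baseline.

    A new value is reported once and then folded into the baseline, so a
    repeat of the same activity in a later window does not alert again.
    """
    alerts = []
    for ev in events:
        nodes, edges = _features(ev)
        for alert_type, value in list(nodes.items()) + list(edges.items()):
            if value not in known[alert_type]:
                alerts.append((alert_type, value))
                known[alert_type].add(value)
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for alert_type, value in detect(baseline, NEW_EVENTS):
        print(f"{alert_type}: {value}")
```

Running it shows the three constructed events producing eight alerts: one NewRegion, a UserCalltypeMfa and LoginFromSourceUsingCalltype pair for the MFA-less login from a fresh source, and NewAccount, NewService, NewAwsUser, ServiceCalledApi and UserCalltypeMfa for the unknown principal. Replaying the baseline itself produces nothing, which is the property to keep in mind when tuning: these alerts fire on the first occurrence relative to what was learned, so a short or unrepresentative learning window inflates alert volume.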

GCP Activity Alerting

The following polygraph changes result in node alerts (a new entity appears in the polygraph) or edge alerts (a new relationship between entities appears), as listed below:

Alert Name | Alert Type | Event Model | Alert Subcategory
New GCP API call | NewGcpApiCall | GcpApiTracker | Cloud Activity
New GCP organization | NewGcpOrganization | GcpApiTracker | Cloud Activity
New GCP region | NewGcpRegion | GcpApiTracker | Cloud Activity
New GCP service | NewGcpService | GcpApiTracker | Cloud Activity
New GCP source | NewGcpSource | GcpApiTracker | Cloud Activity
New GCP source | NewGcpSourceForServiceAccount | GcpApiTracker | Cloud Activity
New GCP user | NewGcpUser | GcpApiTracker | Cloud Activity
Service called GCP API | ServiceCalledGcpApi | GcpApiTracker | Cloud Activity

Note: GKE Kubernetes logs do not contain populated request fields, so those fields display as NULL in the dossiers.

Azure Activity Alerting

The following polygraph changes result in node alerts (a new entity appears in the polygraph) or edge alerts (a new relationship between entities appears), as listed below:

Alert Name | Alert Type | Event Model | Alert Subcategory
New Azure API failed with error | NewAzureApiFailedWithError | AzureApiTracker | Cloud Activity
New Azure SP accessing resource | NewAzureService | AzureApiTracker | Cloud Activity
New Azure subscription created | NewAzureSubscription | AzureApiTracker | Cloud Activity
New Azure user logged in from bad source | NewAzureUserLoggedInFromBadSource | AzureApiTracker | Cloud Activity

Suppress an Alert

Suppressing specific cloud-activity alerts reduces alert volume and lets you focus on the assets that matter most to you. For details, see Suppress Behavior Anomaly Alerts.