Cloud Activity
Lacework generates cloud activity alerts when it detects cloud-activity-related vulnerabilities. You can define alert rules that trigger alerts when such vulnerabilities are found. See Alert Rules.
AWS Activity Alerting
The following Polygraph changes result in node alerts or edge alerts, as listed below:
Node Alerts

| Alert Name | Alert Type | Event Model | Alert Subcategory |
|---|---|---|---|
| Login from source using Calltype | LoginFromSourceUsingCalltype | AwsApiTracker | Cloud Activity |
| New AWS account | NewAccount | AwsApiTracker | Cloud Activity |
| New region | NewRegion | AwsApiTracker | Cloud Activity |
| New service | NewService | AwsApiTracker | Cloud Activity |
| New AWS user | NewAwsUser | AwsApiTracker | Cloud Activity |
| Service called API | ServiceCalledApi | AwsApiTracker | Cloud Activity |
| User Calltype MFA | UserCalltypeMfa | AwsApiTracker | Cloud Activity |

Edge Alerts

| Alert Name | Alert Type | Event Model | Alert Subcategory |
|---|---|---|---|
| API failed with error | ApiFailedWithError | AwsApiTracker | Cloud Activity |
| AWS IAM API error spike | AwsAccountFailedApi | ModelServiceTimeSeriesAws | Cloud Activity |
| AWS GPU instance usage spike | AwsAccountGpuLaunch | ModelServiceTimeSeriesAws | Cloud Activity |
| Login from known bad source using Calltype | LoginFromBadSourceUsingCalltype | AwsApiTracker | Cloud Activity |
| Login from new bad source using Calltype | LoginFromBadSourceUsingCalltype | AwsApiTracker | Cloud Activity |
| Login from source using Calltype | LoginFromSourceUsingCalltype | AwsApiTracker | Cloud Activity |
| Service accessed in region | ServiceAccessedInRegion | AwsApiTracker | Cloud Activity |
| User Calltype MFA | UserCalltypeMfa | AwsApiTracker | Cloud Activity |
| User used service in region | UserUsedServiceInRegion | AwsApiTracker | Cloud Activity |
GCP Activity Alerting
The following Polygraph changes result in node alerts or edge alerts, as listed below:
Node Alerts

| Alert Name | Alert Type | Event Model | Alert Subcategory |
|---|---|---|---|
| New GCP API call | NewGcpApiCall | GcpApiTracker | Cloud Activity |
| New GCP organization | NewGcpOrganization | GcpApiTracker | Cloud Activity |
| New GCP region | NewGcpRegion | GcpApiTracker | Cloud Activity |
| New GCP service | NewGcpService | GcpApiTracker | Cloud Activity |
| New GCP source | NewGcpSource | GcpApiTracker | Cloud Activity |
| New GCP source | NewGcpSourceForServiceAccount | GcpApiTracker | Cloud Activity |
| New GCP user | NewGcpUser | GcpApiTracker | Cloud Activity |
| Service called GCP API | ServiceCalledGcpApi | GcpApiTracker | Cloud Activity |

Edge Alerts

| Alert Name | Alert Type | Event Model | Alert Subcategory |
|---|---|---|---|
| GCP API failed with error | GcpApiFailedWithError | GcpApiTracker | Cloud Activity |
| GCP service accessed in region | GcpServiceAccessedInRegion | GcpApiTracker | Cloud Activity |
| GCP user accessed region | GcpUserAccessingRegion | GcpApiTracker | Cloud Activity |
| GCP user logged in from bad source | GcpUserLoggedInFromBadSource | GcpApiTracker | Cloud Activity |
| GCP user logged in from new source | GcpUserLoggedInFromSource | GcpApiTracker | Cloud Activity |
| GCP service account logged in from new source | GcpServiceAccountLoggedInFromSource | GcpApiTracker | Cloud Activity |
Azure Activity Alerting
The following Polygraph changes result in node alerts or edge alerts, as listed below:
Node Alerts

| Alert Name | Alert Type | Event Model | Alert Subcategory |
|---|---|---|---|
| New Azure API failed with error | NewAzureApiFailedWithError | AzureApiTracker | Cloud Activity |
| New Azure SP accessing resource | NewAzureService | AzureApiTracker | Cloud Activity |
| New Azure subscription created | NewAzureSubscription | AzureApiTracker | Cloud Activity |
| New Azure user logged in from bad source | NewAzureUserLoggedInFromBadSource | AzureApiTracker | Cloud Activity |

Edge Alerts

| Alert Name | Alert Type | Event Model | Alert Subcategory |
|---|---|---|---|
| New Azure API call invoked by user accessed resource for the first time | NewAzureApiCallOnResource | AzureApiTracker | Cloud Activity |
| New Azure user performed operation on resource for the first time | NewAzureUserEventCategory | AzureApiTracker | Cloud Activity |
Suppress an Alert
Suppressing specific cloud activity alerts reduces alert volume and lets you focus on the assets that matter most to you. For details, see Suppress Behavior Anomaly Alerts.