User
Lacework generates user-based alerts when it detects user-related vulnerabilities. You can define alert rules that trigger alerts when such vulnerabilities are found. See Alert Rules.
Alert List
The following table lists all the user-based alerts.
Alert Name | Alert Type | Event Model | Alert Subcategory | Connection |
---|---|---|---|---|
New child launched from vulnerable application | NewChildLaunchedFromVulnParent | UserTracking | User | |
Bad external server DNS connection | NewExternalServerBadDNSConn | UserTracking | User | Machine -> Domain |
Bad external server host connection | NewExternalServerBadDNSConn | UserTracking | User | Process -> Domain |
Bad external server IP address connection | NewExternalServerBadIPConn | UserTracking | User | Process -> IP; Machine -> IP |
Bad external server IP address connection from vulnerable application | NewExternalServerBadIPConnFromVuln | UserTracking | User | |
New external host server connection | NewExternalServerDNSConn | UserTracking | User | Process -> Domain |
New external server host connection | NewExternalServerDNSConn | UserTracking | User | Machine -> Domain |
New external host server connection from vulnerable application | NewExternalServerDNSConnFromVuln | UserTracking | User | |
New external server IP address connection | NewExternalServerIPConn | UserTracking | User | Process -> IP; Machine -> IP |
New internal connection | NewInternalConnection | UserTracking | User | Process -> Process; Process -> IP; IP -> Process; Machine -> IP; IP -> Machine; Machine -> Machine |
New privilege escalation | NewPrivilegeEscalation | Uid2Uid | User | |
New user | NewUser | Uid2Uid | User | |
New vulnerable child launched | NewVulnChildLaunched | UserTracking | User | |
New vulnerable internal connection | NewVulnInternalConnection | UserTracking | User | Process -> Process; Process -> IP; IP -> Process |
User launched new binary | UserLaunchedNewBinary | UserTracking | User | |
User launched new vulnerable binary | UserLaunchedNewVulnBinary | UserTracking | User | |
User logged in from new location | UserLoggedInFromNewLocation | UserTracking | User | |
Suppress an Alert
Suppressing specific user-related alerts reduces alert volume and lets you focus on the assets that matter most to you. For details, see Suppress Behavior Anomaly Alerts.