User

Lacework generates user-based alerts when it detects user-related vulnerabilities. You can define alert rules to trigger alerts when such vulnerabilities are found. See Alert Rules.

Alert List

The following table lists all the user-based alerts.

| Alert Name | Alert Type | Event Model | Alert Subcategory | Connection |
|---|---|---|---|---|
| New child launched from vulnerable application | NewChildLaunchedFromVulnParent | UserTracking | User | |
| Bad external server DNS connection | NewExternalServerBadDNSConn | UserTracking | User | Machine -> Domain |
| Bad external server host connection | NewExternalServerBadDNSConn | UserTracking | User | Process -> Domain |
| Bad external server IP address connection | NewExternalServerBadIPConn | UserTracking | User | Process -> IP, Machine -> IP |
| Bad external server IP address connection from vulnerable application | NewExternalServerBadIPConnFromVuln | UserTracking | User | |
| New external host server connection | NewExternalServerDNSConn | UserTracking | User | Process -> Domain |
| New external server host connection | NewExternalServerDNSConn | UserTracking | User | Machine -> Domain |
| New external host server connection from vulnerable application | NewExternalServerDNSConnFromVuln | UserTracking | User | |
| New external server IP address connection | NewExternalServerIPConn | UserTracking | User | Process -> IP, Machine -> IP |
| New internal connection | NewInternalConnection | UserTracking | User | Process -> Process, Process -> IP, IP -> Process, Machine -> IP, IP -> Machine, Machine -> Machine |
| New privilege escalation | NewPrivilegeEscalation | Uid2Uid | User | |
| New user | NewUser | Uid2Uid | User | |
| New vulnerable child launched | NewVulnChildLaunched | UserTracking | User | |
| New vulnerable internal connection | NewVulnInternalConnection | UserTracking | User | Process -> Process, Process -> IP, IP -> Process |
| User launched new binary | UserLaunchedNewBinary | UserTracking | User | |
| User launched new vulnerable binary | UserLaunchedNewVulnBinary | UserTracking | User | |
| User logged in from new location | UserLoggedInFromNewLocation | UserTracking | User | |

Suppress an Alert

Suppressing specific user-related alerts reduces the number of alerts and allows you to focus on the assets that are most important to you. For details, see Suppress Behavior Anomaly Alerts.