New User
This alert occurs when the host running the Lacework agent sees a new user. It is generated by the appearance of a new user name.
Why this Alert is Important
Users are created and given access to the data center by an administrator. Depending on the level of access assigned, an unauthorized new user may present a potential risk to the host and network.
Investigation
Contact the administrator and confirm the new user account.
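To prepare for that confirmation, the following added example (not Lacework code, and not a description of how the agent detects users) lists accounts that are present in a current passwd file but absent from a baseline snapshot, and marks the access level of each. It assumes a Linux host, a previously saved copy of /etc/passwd as the baseline, and that sudo and wheel are the administrative groups; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that are new relative to a baseline passwd
# snapshot and mark how much access each one has. Not Lacework agent code.
# Assumptions: Linux passwd/group file formats; sudo and wheel are the admin groups.

new_user_triage() {   # $1 baseline passwd, $2 current passwd, $3 current group
    awk -F: '
        FILENAME == ARGV[1] { known[$1] = 1; next }        # names already seen
        FILENAME == ARGV[2] {                              # group file
            if ($1 == "sudo" || $1 == "wheel") {
                admingid[$3] = 1                           # primary-group members
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) admin[m[i]] = 1   # supplementary members
            }
            next
        }
        NF >= 7 && !($1 in known) {                        # new passwd entry
            risk = ""
            if ($3 == 0)                                 risk = risk ",uid0"
            if (($1 in admin) || ($4 in admingid))       risk = risk ",admin-group"
            if ($7 !~ /(nologin|false)$/)                risk = risk ",login-shell"
            printf "%s uid=%s shell=%s risk=%s\n", $1, $3, $7,
                   (risk == "" ? "none" : substr(risk, 2))
        }
    ' "$1" "$3" "$2"
}

# Constructed sample data (not taken from any real host).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat "$tmp/passwd.baseline" - > "$tmp/passwd.now" <<'EOF'
svc-backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
cat > "$tmp/group.now" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
EOF

new_user_triage "$tmp/passwd.baseline" "$tmp/passwd.now" "$tmp/group.now"
```

Accounts marked uid0 or admin-group are the ones to raise with the administrator first.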
Resolution
If the new user is determined to be unauthorized, disable the account. Perform local forensics and look for signs of lateral movement and for an alternative method of persistence. Take the necessary steps to restore the host to a known, clean state.