Cloud Activity

Lacework generates policy-based alerts when there are policy violations detected from cloud activities. You can define alert rules to trigger alerts when policy-based violations are found. See Alert Rules.

The following tabs list all policy-based alerts for AWS, Azure, and GCP:

AWS
Azure
GCP

Alert Name	Alert Type	Event Model	Alert Subcategory
Access key deleted	AccessKeyDeleted	CloudTrailCep	Cloud Activity
CloudTrail changed	CloudTrailChanged	CloudTrailCep	Cloud Activity
CloudTrail deleted	CloudTrailDeleted	CloudTrailCep	Cloud Activity
CloudTrail stopped	CloudTrailStopped	CloudTrailCep	Cloud Activity
CloudTrail stopped	CloudTrailStopped	CloudTrailCep	Cloud Activity
Config service change	ConfigServiceChange	CloudTrailCep	Cloud Activity
Customer master key disabled	CustomerMasterKeyDisabled	CloudTrailCep	Cloud Activity
Customer master key scheduled for deletion	CustomerMasterKeyScheduledForDeletion	CloudTrailCep	Cloud Activity
Failed console login	FailedConsoleLogin	CloudTrailCep	Cloud Activity
IAM access key changed	IAMAccessKeyChanged	CloudTrailCep	Cloud Activity
IAM policy changed	IAMPolicyChanged	CloudTrailCep	Cloud Activity
NACL change	NACLChange	CloudTrailCep	Cloud Activity
Network gateway change	NetworkGatewayChange	CloudTrailCep	Cloud Activity
New access key	NewAccessKey	CloudTrailCep	Cloud Activity
New customer master key	NewCustomerMasterKey	CloudTrailCep	Cloud Activity
New customer master key alias	NewCustomerMasterKeyAlias	CloudTrailCep	Cloud Activity
New grant added to customer master key	NewGrantAddedToCustomerMasterKey	CloudTrailCep	Cloud Activity
New S3 bucket	NewS3Bucket	CloudTrailCep	Cloud Activity
New AWS user created	NewUser	CloudTrailCep	Cloud Activity
New VPC	NewVPC	CloudTrailCep	Cloud Activity
New VPN connection	NewVPNConnection	CloudTrailCep	Cloud Activity
Route table change	RouteTableChange	CloudTrailCep	Cloud Activity
S3 bucket ACL changed	S3BucketACLChanged	CloudTrailCep	Cloud Activity
S3 bucket deleted	S3BucketDeleted	CloudTrailCep	Cloud Activity
S3 bucket policy changed	S3BucketPolicyChanged	CloudTrailCep	Cloud Activity
Security group change	SecurityGroupChange	CloudTrailCep	Cloud Activity
Successful console login without MFA	SuccessfulConsoleLoginWithoutMFA	CloudTrailCep	Cloud Activity
Unauthorized API call	UnauthorizedAPICall	CloudTrailCep	Cloud Activity
Usage of root account	UsageOfRootAccount	CloudTrailCep	Cloud Activity
VPC change	VPCChange	CloudTrailCep	Cloud Activity
VPN gateway change	VPNGatewayChange	CloudTrailCep	Cloud Activity

Alert Name	Alert Type	Event Model	Alert Subcategory
Network security group created or updated	NetworkSecurityGroupCreatedOrUpdated	AzureActivityLogCep	Cloud Activity
Network security group deleted	NetworkSecurityGroupDeleted	AzureActivityLogCep	Cloud Activity
Network security group rule created or updated	NetworkSecurityGroupRuleCreatedOrUpdated	AzureActivityLogCep	Cloud Activity
Network security group rule deleted	NetworkSecurityGroupRuleDeleted	AzureActivityLogCep	Cloud Activity
Policy assignment created	PolicyAssignmentCreated	AzureActivityLogCep	Cloud Activity
Security policy updated	SecurityPolicyUpdated	AzureActivityLogCep	Cloud Activity
Security solution created or updated	SecuritySolutionCreatedOrUpdated	AzureActivityLogCep	Cloud Activity
Security solution deleted	SecuritySolutionDeleted	AzureActivityLogCep	Cloud Activity
SQL server firewall rule created or updated	SQLServerFirewallRuleCreatedOrUpdated	AzureActivityLogCep	Cloud Activity
SQL server firewall rule deleted	SQLServerFirewallRuleDeleted	AzureActivityLogCep	Cloud Activity

Alert Name	Alert Type	Event Model	Alert Subcategory
Audit configuration changed	AuditConfigurationChanged	GcpAuditTrailCep	Cloud Activity
Cloud storage IAM permission changed	CloudStorageIAMPermissionChanged	GcpAuditTrailCep	Cloud Activity
Custom role changed	CustomRoleChanged	GcpAuditTrailCep	Cloud Activity
Folder IAM policy changed	GCPFolderIAMPolicyChanged	GcpAuditTrailCep	Cloud Activity
New cloud storage bucket created	GCPGCSBucketCreated	GcpAuditTrailCep	Cloud Activity
IAM policy changed	GCPIAMPolicyChanged	GcpAuditTrailCep	Cloud Activity
Cloud KMS key version destroyed	GCPKMSKeyVersionDestroyed	GcpAuditTrailCep	Cloud Activity
Cloud logging sink modified	GCPLogSinkModified	GcpAuditTrailCep	Cloud Activity
New cloud KMS key created	GCPNewKMSKey	GcpAuditTrailCep	Cloud Activity
Cloud KMS key IAM policy modified	GCPNewKMSKeyIAMPolicy	GcpAuditTrailCep	Cloud Activity
New cloud KMS key ring created	GCPNewKMSKeyRing	GcpAuditTrailCep	Cloud Activity
Organization IAM policy changed	GCPOrganizationIAMPolicyChanged	GcpAuditTrailCep	Cloud Activity
Project IAM policy changed	GCPProjectIAMPolicyChanged	GcpAuditTrailCep	Cloud Activity
Service account key changed	GCPSAAccessKeyChanged	GcpAuditTrailCep	Cloud Activity
A new service account has been created	GCPSACreated	GcpAuditTrailCep	Cloud Activity
New cloud VPN created	GCPVPCVPNCreated	GcpAuditTrailCep	Cloud Activity
Cloud VPN deleted	GCPVPCVPNDeleted	GcpAuditTrailCep	Cloud Activity
Project ownership assignments changed	ProjectOwnershipAssignmentsChanged	GcpAuditTrailCep	Cloud Activity
SQL instance configuration changed	SQLInstanceConfigurationChanged	GcpAuditTrailCep	Cloud Activity
VPC network changed	VPCNetworkChanged	GcpAuditTrailCep	Cloud Activity
VPC network firewall rule changed	VPCNetworkFirewallRuleChanged	GcpAuditTrailCep	Cloud Activity
VPC network route changed	VPCNetworkRouteChanged	GcpAuditTrailCep	Cloud Activity