Cloud Activity
Lacework generates policy-based alerts when it detects policy violations in cloud activity. You can define alert rules to trigger alerts when policy-based violations are found. See Alert Rules.
The following tables list all policy-based alerts for AWS, Azure, and GCP:
AWS
Alert Name | Alert Type | Event Model | Alert Subcategory |
---|---|---|---|
Access key deleted | AccessKeyDeleted | CloudTrailCep | Cloud Activity |
CloudTrail changed | CloudTrailChanged | CloudTrailCep | Cloud Activity |
CloudTrail deleted | CloudTrailDeleted | CloudTrailCep | Cloud Activity |
CloudTrail stopped | CloudTrailStopped | CloudTrailCep | Cloud Activity |
Config service change | ConfigServiceChange | CloudTrailCep | Cloud Activity |
Customer master key disabled | CustomerMasterKeyDisabled | CloudTrailCep | Cloud Activity |
Customer master key scheduled for deletion | CustomerMasterKeyScheduledForDeletion | CloudTrailCep | Cloud Activity |
Failed console login | FailedConsoleLogin | CloudTrailCep | Cloud Activity |
IAM access key changed | IAMAccessKeyChanged | CloudTrailCep | Cloud Activity |
IAM policy changed | IAMPolicyChanged | CloudTrailCep | Cloud Activity |
NACL change | NACLChange | CloudTrailCep | Cloud Activity |
Network gateway change | NetworkGatewayChange | CloudTrailCep | Cloud Activity |
New access key | NewAccessKey | CloudTrailCep | Cloud Activity |
New customer master key | NewCustomerMasterKey | CloudTrailCep | Cloud Activity |
New customer master key alias | NewCustomerMasterKeyAlias | CloudTrailCep | Cloud Activity |
New grant added to customer master key | NewGrantAddedToCustomerMasterKey | CloudTrailCep | Cloud Activity |
New S3 bucket | NewS3Bucket | CloudTrailCep | Cloud Activity |
New AWS user created | NewUser | CloudTrailCep | Cloud Activity |
New VPC | NewVPC | CloudTrailCep | Cloud Activity |
New VPN connection | NewVPNConnection | CloudTrailCep | Cloud Activity |
Route table change | RouteTableChange | CloudTrailCep | Cloud Activity |
S3 bucket ACL changed | S3BucketACLChanged | CloudTrailCep | Cloud Activity |
S3 bucket deleted | S3BucketDeleted | CloudTrailCep | Cloud Activity |
S3 bucket policy changed | S3BucketPolicyChanged | CloudTrailCep | Cloud Activity |
Security group change | SecurityGroupChange | CloudTrailCep | Cloud Activity |
Successful console login without MFA | SuccessfulConsoleLoginWithoutMFA | CloudTrailCep | Cloud Activity |
Unauthorized API call | UnauthorizedAPICall | CloudTrailCep | Cloud Activity |
Usage of root account | UsageOfRootAccount | CloudTrailCep | Cloud Activity |
VPC change | VPCChange | CloudTrailCep | Cloud Activity |
VPN gateway change | VPNGatewayChange | CloudTrailCep | Cloud Activity |
Azure
Alert Name | Alert Type | Event Model | Alert Subcategory |
---|---|---|---|
Network security group created or updated | NetworkSecurityGroupCreatedOrUpdated | AzureActivityLogCep | Cloud Activity |
Network security group deleted | NetworkSecurityGroupDeleted | AzureActivityLogCep | Cloud Activity |
Network security group rule created or updated | NetworkSecurityGroupRuleCreatedOrUpdated | AzureActivityLogCep | Cloud Activity |
Network security group rule deleted | NetworkSecurityGroupRuleDeleted | AzureActivityLogCep | Cloud Activity |
Policy assignment created | PolicyAssignmentCreated | AzureActivityLogCep | Cloud Activity |
Security policy updated | SecurityPolicyUpdated | AzureActivityLogCep | Cloud Activity |
Security solution created or updated | SecuritySolutionCreatedOrUpdated | AzureActivityLogCep | Cloud Activity |
Security solution deleted | SecuritySolutionDeleted | AzureActivityLogCep | Cloud Activity |
SQL server firewall rule created or updated | SQLServerFirewallRuleCreatedOrUpdated | AzureActivityLogCep | Cloud Activity |
SQL server firewall rule deleted | SQLServerFirewallRuleDeleted | AzureActivityLogCep | Cloud Activity |
GCP
Alert Name | Alert Type | Event Model | Alert Subcategory |
---|---|---|---|
Audit configuration changed | AuditConfigurationChanged | GcpAuditTrailCep | Cloud Activity |
Cloud storage IAM permission changed | CloudStorageIAMPermissionChanged | GcpAuditTrailCep | Cloud Activity |
Custom role changed | CustomRoleChanged | GcpAuditTrailCep | Cloud Activity |
Folder IAM policy changed | GCPFolderIAMPolicyChanged | GcpAuditTrailCep | Cloud Activity |
New cloud storage bucket created | GCPGCSBucketCreated | GcpAuditTrailCep | Cloud Activity |
IAM policy changed | GCPIAMPolicyChanged | GcpAuditTrailCep | Cloud Activity |
Cloud KMS key version destroyed | GCPKMSKeyVersionDestroyed | GcpAuditTrailCep | Cloud Activity |
Cloud logging sink modified | GCPLogSinkModified | GcpAuditTrailCep | Cloud Activity |
New cloud KMS key created | GCPNewKMSKey | GcpAuditTrailCep | Cloud Activity |
Cloud KMS key IAM policy modified | GCPNewKMSKeyIAMPolicy | GcpAuditTrailCep | Cloud Activity |
New cloud KMS key ring created | GCPNewKMSKeyRing | GcpAuditTrailCep | Cloud Activity |
Organization IAM policy changed | GCPOrganizationIAMPolicyChanged | GcpAuditTrailCep | Cloud Activity |
Project IAM policy changed | GCPProjectIAMPolicyChanged | GcpAuditTrailCep | Cloud Activity |
Service account key changed | GCPSAAccessKeyChanged | GcpAuditTrailCep | Cloud Activity |
A new service account has been created | GCPSACreated | GcpAuditTrailCep | Cloud Activity |
New cloud VPN created | GCPVPCVPNCreated | GcpAuditTrailCep | Cloud Activity |
Cloud VPN deleted | GCPVPCVPNDeleted | GcpAuditTrailCep | Cloud Activity |
Project ownership assignments changed | ProjectOwnershipAssignmentsChanged | GcpAuditTrailCep | Cloud Activity |
SQL instance configuration changed | SQLInstanceConfigurationChanged | GcpAuditTrailCep | Cloud Activity |
VPC network changed | VPCNetworkChanged | GcpAuditTrailCep | Cloud Activity |
VPC network firewall rule changed | VPCNetworkFirewallRuleChanged | GcpAuditTrailCep | Cloud Activity |
VPC network route changed | VPCNetworkRouteChanged | GcpAuditTrailCep | Cloud Activity |