Suppress Behavior Anomaly Alerts
Suppressing specific AWS, GCP, and host behavior anomaly alerts reduces the number of alerts and allows you to focus on the assets that are most important to you.
To use policies to suppress specific behavior anomaly alerts:
Log in to the Lacework Console.
Click Policies.
Click on the Domain filter group to display the list of filters associated with the selected filter group, then select either Host, AWS, Azure or GCP. Anomaly policies are available for AWS, GCP, and host policy domains.
Locate the policy you want to suppress and expand it.
Click Clone.
Enter a name for the event.
Define the expressions for suppressing the event.
You must select EXCLUDE to suppress the event for the specified expressions.
Example: For the New External Server IP Address event, you could add these expressions:
IP_ADDR EXCLUDE 10.0.10.1,10.0.10.2
AND
PORT EXCLUDE 80,443
This will exclude the alert type New External Server IP Address only when the IP address matches 10.0.10.1 or 10.0.10.2 and the port matches 80 or 443.
The following table provides parameter value examples. You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names). The hostname parameter supports * as a wildcard (for example, for subdomains).
Ensure the policy is enabled and click Save.
Ensure the default policy that you cloned remains enabled.
After you suppress an alert, Lacework does not generate an event for the expressions you defined.
If you disable the default policy category from which a policy was cloned, that setting takes precedence, meaning the entire category of that event type is disabled.
Example Parameter Values
You can also use the * wildcard when defining parameter values.
Parameter | Example Value | Notes |
---|---|---|
ACCOUNT_ID | 1122334455 | |
APPLICATION | wget | |
CONTAINER_REPO | k8s.gcr.io | |
CONTAINER_TYPE | docker | |
EXE_PATH | /bin/bash | |
Hostname | myhostname | You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names). The hostname parameter supports * as a wildcard (such as for subdomains). |
IP_ADDR | 192.0.2.0 | IP ranges are not supported. However, you can use the * wildcard to simplify some exceptions. For example, you can add 192.0.2.0 as 192.0.* if you have a common range. |
MACHINE_TAG_KEY | SubnetId | |
PORT | 443 | |
REGION | us-west-2 | |
RESOURCE | {"bucketName":"bucketd20143001"} | |
SERVICE | ec2.amazonaws.com | |
USERNAME | myusername | |
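The following is an added example, not Lacework's code, that models the suppression semantics described in the procedure above and in the table's wildcard notes: a policy of the form "PARAM EXCLUDE v1,v2 AND PARAM EXCLUDE v3" suppresses an alert only when every expression matches, and * is the only wildcard (no IP ranges). The parsing and matching rules here are assumptions made for illustration; the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed model of the page's expression format; not Lacework's implementation.
Expression = Tuple[str, List[str]]  # (parameter name, list of value patterns)

# The example policy from the page, written on one line.
EXAMPLE_POLICY = "IP_ADDR EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443"


def parse_policy(text: str) -> List[Expression]:
    """Split 'PARAM EXCLUDE a,b AND PARAM EXCLUDE c' into (param, patterns) pairs."""
    exprs: List[Expression] = []
    for clause in text.split(" AND "):
        param, keyword, values = clause.strip().split(None, 2)
        if keyword != "EXCLUDE":  # the page only documents EXCLUDE for suppression
            raise ValueError(f"unsupported keyword {keyword!r}")
        exprs.append((param, [v.strip() for v in values.split(",")]))
    return exprs


def value_matches(value: str, pattern: str) -> bool:
    """Match a value against a pattern where '*' is the only wildcard.

    Everything except '*' is literal, so '.' in an IP address or hostname is
    not a regex metacharacter (assumption: matching is case-sensitive).
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_suppressed(event: Dict[str, str], exprs: List[Expression]) -> bool:
    """True only when EVERY expression matches the event (expressions are ANDed).

    An event lacking one of the parameters is not suppressed, so a narrow
    exception cannot silently widen into a broad one.
    """
    for param, patterns in exprs:
        value = event.get(param)
        if value is None or not any(value_matches(value, p) for p in patterns):
            return False
    return True


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    # Constructed sample events: only the first matches both expressions.
    for ev in ({"IP_ADDR": "10.0.10.1", "PORT": "443"},
               {"IP_ADDR": "10.0.10.1", "PORT": "22"},
               {"IP_ADDR": "10.0.10.3", "PORT": "443"}):
        print(ev, "suppressed" if is_suppressed(ev, policy) else "alerts")
```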