Suppress Crawler-Related Alerts
Overview
Running crawlers can generate a high volume of alerts and events, because a crawler connects to many hosts across the internet. A crawler can trigger the following event types (Policy ID in parentheses):
- New External Server IP Address (LW_EXT_IP_64)
- New External Server IP Address Connection (LW_IP_75)
- New External Server DNS (LW_EXT_DNS_58)
- New External Server DNS Connection (LW_EXT_DNS_62)
- Bad External Host (LW_EXT_DNS_59)
- Bad External DNS Server (LW_EXT_DNS_63)
- Bad External Server IP Address (LW_EXT_IP_65)
- Bad External Server Host Connection (LW_HOST_78)
- Bad External Server IP Address Connection (LW_IP_76)
The IP address and IP address connection events differ slightly. The former alerts for the first ever connection to an IP address. The latter alerts if the IP address is known (already visited), but a new application connects to that IP address. The same difference applies between the DNS and DNS connection events.
Similarly named events that contain “client” denote incoming connections (as opposed to “server,” which denotes outgoing connections), so they are not relevant to crawler activity.
You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names). The hostname parameter supports * as a wildcard (for example, for subdomains).
Suppress Alerts
The Lacework Console allows you to customize policies to suppress crawler-related events.
- Log in to the Lacework Console.
- Click Policies.
- Click on the Domain filter group to display the list of filters associated with the selected filter group, then select Host.
- Click Show results to apply the filter to the policy list.
- Locate the policy you want to suppress and expand it.
- Click Clone.
- Enter a name for the event.
- Use the available fields to define the conditions for suppressing this event.
The following examples show some completed custom policies.
Examples
Suppress by IP Address
If you want to suppress events from specific IP addresses, follow these steps:
Expand and clone the policy you want to suppress, such as New External Server IP Address (ID LW_EXT_IP_64).
In the parameter drop-downs, select:
- IP_ADDR
- Exclude
For the value, enter the IP addresses, such as: 10.0.10.1,10.0.10.2,10.0.10.3
Comma-separate multiple addresses with no spaces. IP ranges are not supported, but you can use the * wildcard to simplify some exceptions. For example, if 10.0.10.0 is part of a range you commonly connect to, you can enter 10.0.* instead.
Click Save.
Suppress by Machine
If you want to suppress events from specific machines, follow these steps:
Expand and clone the policy you want to suppress, such as New External Server DNS Connection (LW_EXT_DNS_62).
In the parameter drop-downs, select:
- Hostname
- Exclude
For the value, enter the machine names, such as: ip-11-22-33-44-machine,ip-55-66-77-88-machine.
Comma-separate multiple machine names with no spaces.
Click Save.
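To make the Exclude matching rules described in the IP address and machine examples above concrete, here is an added Python model (not Lacework's code). It assumes that values are split on commas only, that * stands for any run of characters, and that IP_ADDR is compared as a plain string with no CIDR handling; all event data is constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Event:
    policy_id: str   # policy that fired, e.g. "LW_EXT_IP_64"
    hostname: str    # source machine name
    dest: str        # destination IP address or domain name

@dataclass
class ClonedPolicy:
    """A clone of one policy with Exclude parameters, as built in the Console."""
    policy_id: str
    exclude: dict[str, str] = field(default_factory=dict)  # parameter -> raw value string

def parse_values(raw: str) -> list[str]:
    # Values are comma-separated with no spaces; a stray space is kept as part
    # of the value, so that value will not match (modelled, not documented, behaviour).
    return [v for v in raw.split(",") if v]

def matches_any(value: str, raw_patterns: str) -> bool:
    # '*' is the only wildcard and stands for any run of characters (assumption);
    # there is no CIDR handling, so "10.0.*" is a string prefix, not 10.0.0.0/16.
    for pattern in parse_values(raw_patterns):
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.match(regex, value, re.IGNORECASE):
            return True
    return False

def is_suppressed(event: Event, policy: ClonedPolicy) -> bool:
    """True if the cloned policy's Exclude parameters would drop this event."""
    if event.policy_id != policy.policy_id:
        return False
    if "IP_ADDR" in policy.exclude and matches_any(event.dest, policy.exclude["IP_ADDR"]):
        return True
    if "Hostname" in policy.exclude:
        # Hostname covers both the source machine and the destination domain.
        pats = policy.exclude["Hostname"]
        return matches_any(event.hostname, pats) or matches_any(event.dest, pats)
    return False

if __name__ == "__main__":
    ip_policy = ClonedPolicy("LW_EXT_IP_64", {"IP_ADDR": "10.0.10.1,10.0.10.2,10.0.*"})
    for dest in ["10.0.10.1", "10.0.100.7", "10.1.0.1"]:   # constructed destinations
        ev = Event("LW_EXT_IP_64", "crawler-01", dest)
        print(dest, "suppressed" if is_suppressed(ev, ip_policy) else "alerts")
```

Note that 10.0.100.7 is suppressed by 10.0.* even though it lies outside 10.0.10.0/24, and that a value written with a space after the comma never matches.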
Suppress by Tag
If you want to suppress events from machines with specific machine tags and values, follow these steps:
Expand and clone the policy you want to suppress, such as New External Server DNS (LW_EXT_DNS_58).
In the parameter drop-downs, select:
- MACHINE_TAG_KEY
- Exclude
For the value, enter the desired key.
Add another parameter and select:
- MACHINE_TAG_VALUE
- Exclude
For the value, enter the desired value.
Click Save.