Kubernetes audit log policy changes - Changes include the following:
To reduce the number of alerts generated by some policies for Kubernetes audit logs (EKS and GKE), Lacework introduces the following new anomaly policies:
K8s new registry used
K8s new sensitive access to pod
K8s new user access to pod
New K8s webhook change
New sensitive configmaps access
The following policies for K8s audit logs (EKS and GKE) are now disabled by default because the new anomaly policies cover the same behavior:
Cluster role created or modified - lacework-global-194
Cluster role granting permissions on pods/exec - lacework-global-195
ClusterRoleBinding created for cluster-admin role - lacework-global-191
Ephemeral container attached to pod - lacework-global-165
kubectl attach to container process - lacework-global-164
Composite alerts - Composite analysis combines multiple detections into a more specific alert condition. This lets Lacework raise a composite alert with higher confidence when an intrusion is suspected, and it reduces alert fatigue by automatically correlating disparate events from multiple detection sources into a single higher-level object.
New AWS Agentless Workload Scanning integration option for AWS Organizations (using Terraform) - Use the Automatic Snapshot Role Integration (Terraform) for AWS Organizations so that new AWS accounts added to your AWS Organization are picked up and integrated automatically.
Linux Agent can now detect active and inactive packages on hosts - Use the Package Status filter in Host Vulnerability to see active or inactive vulnerable packages on hosts. See Host Vulnerability - Package Status for details.
Additionally, the Package Status filter can be used when downloading a Custom CSV.
Bulk Update Policy API - The Bulk Update Policy API lets you programmatically change the status or severity of multiple policies at a time. For more information, see Bulk Policy Update.
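As an added example (not Lacework's own code or documentation), the following Python builds a bulk update body for the five Kubernetes audit policies listed above, which a tenant that relied on them might want to re-enable or re-grade in one call. It assumes that the bulk endpoint is PATCH https://<account>.lacework.net/api/v2/Policies and that it accepts a JSON array of {"policyId", "enabled", "severity"} objects with a bearer token in the Authorization header; the account name, token and policy list are placeholders. Verify the endpoint and payload shape against the current API reference before running it against a real tenant; the default is a dry run that only returns the request it would send.

```python
"""Added example: build and send a Lacework bulk policy update.

Assumptions (not taken from the release notes): the v2 bulk endpoint is
PATCH /api/v2/Policies and takes a JSON array of objects with the keys
policyId, enabled and severity; the API token is passed as a bearer token.
"""
import json
import urllib.request

VALID_SEVERITIES = {"critical", "high", "medium", "low", "info"}

# The K8s audit log policies the release notes list as disabled by default.
K8S_AUDIT_POLICIES = [
    "lacework-global-194",  # Cluster role created or modified
    "lacework-global-195",  # Cluster role granting permissions on pods/exec
    "lacework-global-191",  # ClusterRoleBinding created for cluster-admin role
    "lacework-global-165",  # Ephemeral container attached to pod
    "lacework-global-164",  # kubectl attach to container process
]


def build_bulk_update(policy_ids, enabled=None, severity=None):
    """Return the request body for one bulk update.

    Each entry carries only the fields being changed, so a status-only
    update cannot silently rewrite severity (and vice versa). Duplicate
    policy IDs are collapsed so no policy is submitted twice.
    """
    if enabled is None and severity is None:
        raise ValueError("nothing to change: set enabled and/or severity")
    if severity is not None and severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    seen = set()
    body = []
    for pid in policy_ids:
        if pid in seen:
            continue
        seen.add(pid)
        entry = {"policyId": pid}
        if enabled is not None:
            entry["enabled"] = bool(enabled)
        if severity is not None:
            entry["severity"] = severity
        body.append(entry)
    return body


def bulk_update_policies(account, token, body, dry_run=True):
    """PATCH the body to the assumed bulk endpoint.

    With dry_run=True (the default) nothing is sent; the function returns
    the URL, method and body so the change can be reviewed first.
    """
    url = f"https://{account}.lacework.net/api/v2/Policies"  # assumed endpoint
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        url,
        data=data,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    if dry_run:
        return {"url": url, "method": req.get_method(), "body": body}
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call
        return json.load(resp)


if __name__ == "__main__":
    # Re-enable the five policies without touching their severity (dry run).
    body = build_bulk_update(K8S_AUDIT_POLICIES, enabled=True)
    print(json.dumps(bulk_update_policies("example-account", "<token>", body), indent=2))
```

Keeping status and severity as independent optional fields matters in practice: a bulk call that always sends both would reset a tuned severity every time someone toggles a policy on or off.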