Introduction to Workload Alerts
This section provides information about some of the workload security alerts visible in the Lacework Console.
Bad External Client IP Address
This alert occurs when Lacework detects that an external IP address that has been flagged as malicious by intelligence sources connects to an internal host.
Bad External Client IP Address Connection
This alert occurs when Lacework detects that an external IP address that has been flagged as malicious by intelligence sources connects to a process on a host running a Lacework agent.
Bad External Client DNS
This alert occurs when Lacework detects that an external host that has been flagged as malicious by intelligence sources connects to an internal host. If an application cannot be associated with a connection, Lacework generates a machine alert.
Bad External Host
This alert occurs when Lacework detects that a bad external host (connected via an application) is seen for the first time ever in the data center. This can be observed as a "new node" in the Polygraph.
Bad External Server DNS Connection
This alert occurs when Lacework detects that an internal host connected to an external host, identified by its domain name, that has been flagged as malicious by intelligence sources. If a connection cannot be associated with an application, Lacework generates a machine alert.
Bad External Server Host Connection
This alert occurs when Lacework detects that a bad external host, which has already been seen in the data center, is connected to via an application for the first time.
Bad External Server IP Address
This alert occurs when Lacework detects that an internal host connects to an IP address that has been flagged as malicious by intelligence sources. If an application cannot be associated with a connection, Lacework generates a machine alert.
Bad External Server IP Address Connection
This alert occurs when Lacework detects that an additional internal host connects to a previously seen IP address that has been flagged as malicious by intelligence sources. If an application cannot be associated with a connection, Lacework generates a machine alert.
New Application
This alert occurs when Lacework detects that an application not included in the set of learned applications connects to a known application.
New Child Launched
This alert occurs when Lacework detects that a process on a host running the Lacework agent launches a child process for the first time.
New External Client IP Address
This alert occurs when Lacework detects that a new external client IP address connects to an internal host running a Lacework agent. This client was unknown to the host before it connected to the host.
New External Client IP Address Connection
This alert occurs when Lacework detects that an external IP address connects to a process on a host running a Lacework agent for the first time. The host had knowledge about this client, but the client never connected to the host before this alert.
New External Host
This alert occurs when Lacework detects that an application connects to an unknown external host, identified by its domain name.
New External Host Connection
This alert occurs when Lacework detects that an application that has not previously connected to the known external host makes a connection. The external host is part of the existing baseline, meaning that either another process or machine is making connections to it.
New External Host Server Connection
This alert occurs when Lacework detects that a process on an internal host running a Lacework agent makes a connection to an external host that it has never connected to before.
New External Server Host Connection
This alert occurs when Lacework detects that an internal host that has not previously connected to the known external host makes a connection. The external host is part of the existing baseline, meaning that either another process or machine is making connections to it.
New External Server IP Address
This alert occurs when Lacework detects that an application connects to a never-before-seen external IP address.
New External Server IP Address Connection
This alert occurs when Lacework detects that an additional application connects to a previously seen external IP address.
New Internal Connection
This alert occurs when Lacework detects that an application running on a single machine or multiple machines connects for the first time to another application.
New Internal Host Connection
This alert occurs when Lacework detects that a known internal host makes a new connection to an unknown internal host, identified by its IP address. If an application cannot be associated with a connection, Lacework publishes a machine alert.
New Privilege Escalation
This alert occurs when Lacework detects that a user has escalated privilege to a higher-privileged account.
New User
This alert occurs when the host running the Lacework agent sees a new user. A new user name generates this alert.
Suspicious Logins
This alert occurs when Lacework detects a failed SSH or RDP login followed by a successful SSH or RDP login from the same source IP within one hour.
User Launched New Binary
This alert occurs when Lacework detects that a user launches an application that has not previously been observed being launched by that specific user.
User Logged In From New IP
This alert occurs when Lacework detects that a known user logged in from an IP address not associated with the user.
User Logged In From New Location
This alert occurs when Lacework detects that a known user logged in from a location not associated with the user.