This section provides information about some of the workload security alerts visible in the Lacework Console.
After you install the Lacework agent on hosts, Lacework scans the hosts and stream's select metadata to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Lacework can provide detailed in-context events for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.
For each documented event, it provides:
- a summary about the alert
- why the alert is important
- information about investigating the event that triggers the alert
- information about how to resolve the alert
In the title of each event documentation topic,
Event Name: is replaced with prefix identifying the event as displayed in the Lacework Console, for example,
Event Name: could be replaced by
LW_EXT_IP_67: in the
LW_EXT_IP_67 : Bad External Client IP Address event name.
Here is some terminology used in the event descriptions:
- Unknown internal host is an internal host that is not running a Lacework agent, which is identified by an IP address.
- Unknown external host is an external host that is seen by Lacework for the first time. External hosts are identified by their domain name. If a domain name cannot be associated with the host, identification is by public IP, which may be shared.
For details about the alert categories, see Alert Categories.