Skip to main content

Introduction to Workload Alerts

This section provides information about some of the workload security alerts that are visible in the Lacework Console.

After you install the Lacework agent on hosts, Lacework scans the hosts and stream's select metadata to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Lacework can provide detailed in-context events for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.

For each documented event, it provides:

  • a summary about the alert
  • why the alert is important
  • information about investigating the event that triggers the alert
  • information about how to resolve the alert

Terminology

Here is some terminology used in the event descriptions:

  • Unknown internal host is an internal host that is not running a Lacework agent, which is identified by an IP address.
  • Unknown external host is an external host that is seen by Lacework for the first time. External hosts are identified by their domain name. If a domain name cannot be associated with the host, identification is by public IP, which may be shared.

For details about the alert categories, see Alert Categories.