Skip to main content

New User

This event occurs when the host running the Lacework agent sees a new user. A new user name generates this event.

Why this Event is Important

Users are created and given access to the data center by an administrator. Depending on the level of access assigned, an unauthorized new user may present a potential risk to the host and network.

Investigation

Contact the administrator and confirm the new user account.

Resolution

If the new user is determined to be unauthorized, disable the account. Perform local forensics, look for signs of lateral movement, and an alternative method of persistence. Take the necessary steps to restore the host to a known, clean state as necessary.