This event occurs when the host running the Lacework agent sees a new user. A new user name generates this event.
Why this Event is Important
Users are created and given access to the data center by an administrator. Depending on the level of access assigned, an unauthorized new user may present a potential risk to the host and network.
Contact the administrator and confirm the new user account.
If the new user is determined to be unauthorized, disable the account. Perform local forensics, look for signs of lateral movement, and an alternative method of persistence. Take the necessary steps to restore the host to a known, clean state as necessary.