Suppress Behavior Anomaly Alerts

Suppressing specific AWS, Google Cloud, and host behavior anomaly alerts reduces the number of alerts and allows you to focus on the assets that are most important to you.

To use policies to suppress specific behavior anomaly alerts:

  1. Log in to the Lacework Console.

  2. Click Policies.

  3. Click the Domain filter group to display its list of filters, then select Host, AWS, Azure, or GCP. Anomaly policies are available for the AWS, Google Cloud, and host policy domains.

  4. Locate the policy you want to suppress and expand it.

  5. Click Clone.

  6. Enter a name for the event.

  7. Define the expressions for suppressing the event.
    You must select EXCLUDE to suppress the event for the specified expressions.
    Example: For the Outbound connection to a new external IP address from application event, you could add these expressions: IP_ADDR EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443. This will exclude the alert type Outbound connection to a new external IP address from application only when the IP address matches 10.0.10.1 or 10.0.10.2 and the port matches 80 or 443.
    The following table provides parameter value examples.

    You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names).

    The hostname parameter supports * as a wildcard (for example, for subdomains).

  8. Ensure the policy is enabled and click Save.

  9. Ensure the default policy that you cloned remains enabled.

After you suppress an alert, Lacework does not generate an event for the expressions you defined.

If you disable the default policy category from which a policy was cloned, that setting takes precedence, meaning the entire category of that event type is disabled. In this way, anomaly policies behave differently from other types of Lacework policies. For anomaly policies, you can think of clones as extensions of the original policy, which you use to define suppressions for the original policy.
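The suppression expressions from step 7 follow a simple rule: values listed within one EXCLUDE clause are alternatives, and clauses joined by AND must all match before the alert is dropped. The following is an added example, not Lacework's own evaluator, that models that behaviour so a rule can be dry-run against a handful of sample alerts before it is saved; the alert records and the assumption that `*` is the only wildcard are constructed for the example.

```python
import re

# Constructed model of the EXCLUDE semantics described in step 7 (not Lacework code):
# within a clause, any listed value may match; across AND-joined clauses, all must match.

def parse_suppression(expr):
    """Parse 'PARAM EXCLUDE v1,v2 AND PARAM2 EXCLUDE v3' into [(param, [values])]."""
    clauses = []
    for clause in re.split(r"\s+AND\s+", expr.strip()):
        m = re.fullmatch(r"(\w+)\s+EXCLUDE\s+(\S.*)", clause)
        if not m:
            raise ValueError(f"malformed clause: {clause!r}")
        clauses.append((m.group(1), [v.strip() for v in m.group(2).split(",")]))
    return clauses

def value_matches(alert_value, pattern):
    """Exact match, with '*' as the only wildcard (e.g. 192.0.* or *.example.com)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(alert_value)) is not None

def is_suppressed(alert, clauses):
    """True only if every clause matches, i.e. the alert would be excluded."""
    for param, values in clauses:
        if param not in alert:
            return False  # a clause cannot match an attribute the alert lacks
        if not any(value_matches(alert[param], v) for v in values):
            return False
    return True

def audit(alerts, expr):
    """Split sample alerts into (suppressed, still_firing) for review before saving a rule."""
    clauses = parse_suppression(expr)
    suppressed = [a for a in alerts if is_suppressed(a, clauses)]
    firing = [a for a in alerts if not is_suppressed(a, clauses)]
    return suppressed, firing

# Constructed sample alerts using the parameter names from the table below.
SAMPLE_ALERTS = [
    {"id": 1, "IP_ADDR": "10.0.10.1", "PORT": "443", "APPLICATION": "wget"},
    {"id": 2, "IP_ADDR": "10.0.10.2", "PORT": "22", "APPLICATION": "wget"},
    {"id": 3, "IP_ADDR": "203.0.113.7", "PORT": "80", "APPLICATION": "curl"},
    {"id": 4, "IP_ADDR": "192.0.2.44", "PORT": "443", "Hostname": "api.example.com"},
]

if __name__ == "__main__":
    rule = "IP_ADDR EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443"
    gone, kept = audit(SAMPLE_ALERTS, rule)
    print("suppressed:", [a["id"] for a in gone])    # [1]
    print("still firing:", [a["id"] for a in kept])  # [2, 3, 4]
```

Alert 2 survives because its port is not 80 or 443, and alert 3 survives because its IP is not listed: both clauses have to match.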

Example Parameter Values

You can also use the * wildcard when defining parameter values.

Parameter       | Example Value                      | Notes
--------------- | ---------------------------------- | -----
ACCOUNT_ID      | 1122334455                         |
APPLICATION     | wget                               |
CONTAINER_REPO  | k8s.gcr.io                         |
CONTAINER_TYPE  | docker                             |
EXE_PATH        | /bin/bash                          |
Hostname        | myhostname                         | You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names). The hostname parameter supports * as a wildcard (such as for subdomains).
IP_ADDR         | 192.0.2.0                          | IP ranges are not supported. However, you can use the * wildcard to simplify some exceptions. For example, you can add 192.0.2.0 as 192.0.* if you have a common range.
MACHINE_TAG_KEY | SubnetId                           |
PORT            | 443                                |
REGION          | us-west-2                          |
RESOURCE        | {"bucketName":"bucketd20143001"}   |
SERVICE         | ec2.amazonaws.com                  |
USERNAME        | myusername                         |