Suppress Crawler-Related Alerts

Overview

Crawlers connect to many previously unseen hosts as they traverse the internet, so running them can generate a high volume of alerts and events. A crawler can trigger the following event types (Policy ID):

  • Outbound connection to a new external IP address from application (LW_EXT_IP_64)
  • Outbound connection to a new external IP address from host (LW_EXT_IP_64)
  • New External Server IP Address Connection (LW_IP_75)
  • New External Server DNS (LW_EXT_DNS_58)
  • New External Server DNS Connection (LW_EXT_DNS_62)
  • Bad External Host (LW_EXT_DNS_59)
  • Bad External DNS Server (LW_EXT_DNS_63)
  • Bad External Server IP Address (LW_EXT_IP_65)
  • Bad External Server Host Connection (LW_HOST_78)
  • Bad External Server IP Address Connection (LW_IP_76)

The IP address and IP address connection events differ slightly. The former alerts for the first ever connection to an IP address. The latter alerts if the IP address is known (already visited), but a new application connects to that IP address. The same difference applies between the DNS and DNS connection events.

Similarly named events that contain “client” denote incoming connections (as opposed to “server,” which denotes outgoing), so they are not relevant to crawler activity.

You can use the hostname parameter to allowlist both the source (machine hostname) and the destination (domain names).

The hostname parameter supports * as a wildcard (for example, for subdomains).

Suppress Alerts

The Lacework Console allows you to customize policies to suppress crawler-related events.

  1. Log in to the Lacework Console.
  2. Click Policies.
  3. Click on the Domain filter group to display the list of filters associated with the selected filter group, then select Host.
  4. Click Show results to apply the filter to the policy list.
  5. Locate the policy you want to suppress and expand it.
  6. Click Clone.
  7. Enter a name for the event.
  8. Use the available fields to define the conditions for suppressing this event.

Examples

Suppress by IP Address

If you want to suppress events from specific IP addresses, follow these steps:

  1. Expand and clone the policy you want to suppress, such as Outbound connection to a new external IP address from application.
  2. In the parameter drop-downs, select:
    • IP_ADDR
    • Exclude
  3. For the value, enter the IP addresses, such as: 10.0.10.1,10.0.10.2,10.0.10.3
    Comma-separate multiple addresses with no spaces. IP ranges are not supported, but the * wildcard can simplify some exceptions: for example, if the crawler addresses share a common range, you can enter 10.0.10.0 as 10.0.*. Because the wildcard matches any address that begins with 10.0., keep it as narrow as the crawler's actual range.
  4. Click Save.

Suppress by Machine

If you want to suppress events from specific machines, follow these steps:

  1. Expand and clone the policy you want to suppress, such as New External Server DNS Connection (LW_EXT_DNS_62).
  2. In the parameter drop-downs, select:
    • Hostname
    • Exclude
  3. For the value, enter the machine names, such as: ip-11-22-33-44-machine,ip-55-66-77-88-machine.
    Comma-separate multiple machine names with no spaces.
  4. Click Save.
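Before saving an Exclude value for the IP address or machine examples above, it helps to dry-run it against sample events and see exactly what would be suppressed. The checker below is an added example, not Lacework's own code; it assumes (the page does not state this) that * matches any run of characters, that a pattern must match the whole value, and that values are comma-separated with no spaces and no ranges.

```python
"""Dry-run checker for a Lacework-style Exclude value (added example).
Assumptions: `*` matches any run of characters and a pattern must match
the whole value; values are comma-separated with no spaces; CIDR/ranges
are rejected because the console does not accept them."""
import ipaddress
import re


def parse_exclusion_list(raw: str) -> list[str]:
    """Split a console value as the page describes: commas, no spaces, no ranges."""
    if " " in raw:
        raise ValueError("no spaces allowed between comma-separated values")
    patterns = [p for p in raw.split(",") if p]
    for p in patterns:
        if "/" in p:
            raise ValueError(f"IP ranges are not supported: {p!r}; use a * wildcard")
    return patterns


def is_excluded(value: str, patterns: list[str]) -> bool:
    """True if `value` (an IP or hostname) would be suppressed by any pattern.
    Only `*` is a wildcard; everything else matches literally, case-insensitively."""
    for p in patterns:
        regex = ".*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False


def suppressed_outside(pattern: str, intended_cidr: str, probes: list[str]) -> list[str]:
    """Addresses in `probes` that `pattern` suppresses although they lie outside
    the range you meant to cover: shows how much wider `10.0.*` is than a /24."""
    net = ipaddress.ip_network(intended_cidr, strict=False)
    return [ip for ip in probes
            if is_excluded(ip, [pattern]) and ipaddress.ip_address(ip) not in net]


# Constructed sample values, not real telemetry.
CRAWLER_IPS = parse_exclusion_list("10.0.10.1,10.0.10.2,10.0.10.3")
CRAWLER_HOSTS = parse_exclusion_list("ip-11-22-33-44-machine,*.crawler.example")
PROBES = ["10.0.10.1", "10.0.10.200", "10.0.99.7", "10.1.0.1", "192.0.2.10"]

if __name__ == "__main__":
    print(is_excluded("10.0.10.2", CRAWLER_IPS))                # True
    print(is_excluded("10.0.10.4", CRAWLER_IPS))                # False: not listed
    print(is_excluded("node1.crawler.example", CRAWLER_HOSTS))  # True
    print(is_excluded("crawler.example", CRAWLER_HOSTS))        # False: `*.` needs a dot
    print(suppressed_outside("10.0.*", "10.0.10.0/24", PROBES))  # ['10.0.99.7']
```

The last call is the check worth running before Save: any address it returns is one the wildcard will silence even though it is not a crawler.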

Suppress by Tag

If you want to suppress events from machines with specific machine tags and values, follow these steps:

  1. Expand and clone the policy you want to suppress, such as New External Server DNS (LW_EXT_DNS_58).
  2. In the parameter drop-downs, select:
    • MACHINE_TAG_KEY
    • Exclude
  3. For the value, enter the desired key.
  4. Add another parameter and select:
    • MACHINE_TAG_VALUE
    • Exclude
  5. For the value, enter the desired value.
  6. Click Save.