View Alerts

When there is a behavioral anomaly, a potential threat or intrusion to your cloud entities, then you should see an alert on the Alerts page.

From the alert list, click the alert to view more information about the event.

Status

• Open - The alert needs to be investigated.
• In progress - The alert is under active investigation.
• Closed - The alert has been resolved.

To change an alert status to Closed:

1. Click the status dropdown menu and select Closed.
2. Select your reason for closing the alert from the following:
   • Other
   • False positive
   • Not enough information
   • Malicious and have resolution in place
   • Expected because of routine testing
   • Expected behavior
3. Provide an optional comment.
4. Click Close alert.

You can also click Close as false positive to change the status.

For Jira bidirectional integration, you can change an alert status to Closed by changing the associated Jira ticket to the corresponding status based on your status mapping. For more information, refer to Jira alert channel.

False Positives

Lacework gathers the combined alert closure data across our customers to better understand alerts and improve the alerting experience. Closing an alert as a false positive will not impact future alerts, meaning an alert you closed as a false positive will continue to trigger if its conditions are detected.

Add Exception

Policy exceptions are a mechanism used to maintain the policies, but let you circumvent one or more restrictions.

Click Add exception to create an exception for the policy associated with this alert. For details, see Policies Overviews.

Details

Click Details to see the following sections:

WHY - Describes why the potential threat occurred.

WHEN - Describes when the event was first seen and the event time range.

WHO - Describes the username and hostname associated with the event.

WHAT - Describes the vulnerable cloud activity.

WHERE - Describes the location associated with the event, such as IP address.

note

To enhance the batch-processing time, Lacework has successfully implemented a new architecture method. Consequently, the following data will now be excluded from the Lacework Console:

List of excluded data

Data Field	Description
location	The IP address's or domain's location.
in_bytes	The amount of incoming data transferred to your cloud deployment from the identified IP address or domain.
out_bytes	The amount of out going data transferred from your cloud deployment to the identified IP address or domain.
first_filedata_hash	The first file data hash of a given machine ID and executable path.
last_filedata_hash	The last file data hash of a given machine ID and executable path.
first_seen_time	Timestamp of when a given machine ID and executable path was first seen.
last_seen_time	Timestamp of when a given machine ID and executable path was last seen.
cpu_usage	The CPU usage of all processes on a given machine.
cpu_percentage	The amount of CPU usage for all processes on a given machine.
is_external	Indicates whether any of the processes connected to an external IP address.
has_server_conns	Indicates whether a given process made any connections to a server for the past seven days.
is_server	Indicates whether a given process or container received any incoming connections for the past seven days.
earliest_known_time	Timestamp of when Lacework first detected this application.
has_external_conns	Indicates whether a given process or container made any external connections for the past seven days.
is_client	Indicates whether a given process or container made any outgoing connections for the past seven days.
login_info	The user's login information.

Context Panels

Context panels are available for host and IP address resources. Click the hostname or IP address to see additional context about the resource.

Click Open resource details to go to its Resource Explorer entry.

Exposure

For details, see Exposure Polygraph.

Investigation

Click Investigation to start investigating the event.

Polygraphs

The polygraph technology dynamically develops a behavioral model of your services and infrastructure. The model understands natural hierarchies including processes, containers, pods, and machines. It then develops behavioral models that polygraph monitors in search of activities that fall outside the model’s parameters.

Lacework provides polygraphs for Application Communication, Pod Communication, and API behavior (for anomaly events).

Use the search feature to narrow the polygraphs to any element that contains your keyword.

Investigation Questions

Lacework uses a set of investigation questions to help uncover unexpected behaviors that can be relevant to the event. Pay attention to the questions that have a Yes answer to keep your investigation in the correct direction.

Process Details

This section displays submitted rule status and logs.

List of Active Containers

This section displays all running containers.

Container Image Information

View the container image information associated with the event, such as the packaged application, dependencies, and what processes it runs when launched.

Events

Click Events to view and verify the technically relevant observations of individual events. The data presented in the Events tab may vary depending on the available data.

Actions for the list include the following:

• Refresh data.
• Download the event list as a CSV.
• Search for specific events.
• Select which columns to display in the list.

For threat intel and composite alerts, Lacework also displays the Event window, which indicates the timeframe related to the compromise. This period extends up to seven days from the initial detection.

info

• For composite alerts, the Events tab presents concrete evidence of the observed compromise that Lacework detected. Each evidence contains the following metadata:
  • Event Activity: Timestamp indicating when this event was observed.
  • Event ID: The unique identifier for this event.
  • Event Name: The descriptive name or label assigned to each event.
  • Event Description: Provides a brief explanation or summary of the details and significance of each event.
• Lacework leverages several detections to swiftly identify security incidents within your environment. For the list of detections, see Detections Reference.

Related Alerts

Click Related Alerts to view correlated alerts with similar patterns and thresholds defined in your alert rules and policies.

The alerts list displays up to 10 related alerts at a time. You can perform the following actions on related alerts:

• Refresh data.
• Download the alert list as a CSV.
• Select which columns to display in the list.

Integrations

Click Integrations to view all active and inactive integrations associated with the alert.

For a full list of supported channels, see Configure Alert Channels.

note

The Inactive integrations card contains all your disabled and deleted alert channels.

Timeline

Click Timeline to view all alert updates, integration updates, user comments, and make updates and comments when needed.

You can perform the following actions on the updates and comments:

• Refresh data.
• Filter by alert updates, user comments, user actions, and integration updates.
• Add comments to an open alert. Note that commenting on closed alerts is not allowed.

Use Markdown to write comments

You can use Markdown to quickly add formatting elements to your comments.

Italicize, bold, and strikethrough text with Markdown

• To format text as italic, enclose it in a single asterisk or underscore.
• To format text as bold, enclose it in two asterisks.
• To format text as bold and italic, enclose it in three asterisks.
• To format text in strikethrough, enclose it in two tildes.

Text in Markdown	How it appears
This text is _italic_. This text is *italic*.	This text is italic.
This text is **bold**.	This text is bold.
This text is ***bold and italic***.	This text is bold and italic.
This text is in ~~strikethrough~~.	This text is in strikethrough.

Create headings with Markdown

You can also use Markdown to create up to five different headings. To create a heading, add number signs (#) before your heading text. The number of number signs you use corresponds to the heading level.
For example, to create a heading 2, use two number signs (e.g., ## My Header).

Text in Markdown	How it appears
# Heading 1	Heading 1
## Heading 2	Heading 2
### Heading 3	Heading 3
#### Heading 4	Heading 4
##### Heading 5	Heading 5

Create ordered and bullet lists with Markdown

• To create an ordered list, add line items with numbers followed by periods. Indent one or more items to create a nested list.
• To create an unordered list, add dashes (-), asterisks (*), or plus signs (+) in front of line items. Indent one or more items to create a nested list.

Text in Markdown	How it appears
1. First item 2. Second item 3. Third item 4. Fourth item	1. First item 2. Second item 3. Third item 4. Fourth item
1. First item 1. Second item 1. Third item 1. Fourth item	1. First item 2. Second item 3. Third item 4. Fourth item
- First item - Second item - Third item - Fourth item	First item Second item Third item Fourth item
* First item * Second item * Third item * Fourth item	First item Second item Third item Fourth item
+ First item + Second item + Third item + Fourth item	First item Second item Third item Fourth item

Create code blocks and blockquotes with Markdown

• To denote a word or phrase as code, enclose it in backticks (`).

  Text in Markdown	How it appears
  At the command prompt, type `nano`.	At the command prompt, type nano.

• To create a blockquote, add a > in front of a paragraph.

  Text in Markdown	How it appears
  > Dorothy followed her through many of the beautiful rooms in her castle.	Dorothy followed her through many of the beautiful rooms in her castle.

Create tables and horizontal rules with Markdown

• To add a table, use three or more hyphens (---) to create each column’s header, and use pipes (|) to separate each column. For compatibility, you should also add a pipe on either end of the row.
  
  

  | Syntax      | Description |
  | ----------- | ----------- |
  | Header      | Title       |
  | Paragraph   | Text        |
  

  The rendered output looks like this:
  
  

  Syntax	Description
  Header	Title
  Paragraph	Text

• To create a horizontal rule, use three or more asterisks (***), dashes (---), or underscores (___) on a line by themselves.

  *** --- _________________
  The rendered output of all three looks identical:
  __________________________________________________________

Create links with Markdown

To create a link, enclose the link text in brackets (e.g., [Lacework]) and then follow it immediately with the URL in parentheses (e.g., (https://www.lacework.com)).

Text in Markdown	How it appears
[Lacework](https://www.lacework.com) is one platform to secure your clouds.	Lacework is one platform to secure your clouds.

Evolving Alerts

Evolving alerts are the ones that are still receiving new data to update the alert details accordingly. For example, the latest data allows Lacework to upgrade the alert severity from High to Critical or reopen an alert you have closed.

When viewing an "Evolving" alert from the Lacework Console, you'll see the alert time range and corresponding observations. Lacework will post updates to the Timeline tab, showing the number of newly observed events from the previous update. A similar update will also be sent to your chosen alert channel.

Lacework continues to update the alerts for up to one hour for threat intel alerts and up to 48 hours for composite alerts. Any new data that occurs beyond that period creates a new alert.

You can configure evolving alerts when creating alert rules. See Alert Rules.

note

Evolving Alerts feature is only available for threat intel and composite alerts.

Alert Name Updates

We have updated certain alert names to enhance communication, understanding, and the actionability of alerts within your system. The table below provides a list of all the updated alert names:

Old alert name	New alert name
New external server IP address	Outbound connection to a new external IP address from application Outbound connection to a new external IP address from host
New external host	Outbound connection to new domain from application Outbound connection to new domain from host
New external server IP address connection from vulnerable application	Outbound connection from vulnerable application to an IP address
New external host server connection from vulnerable application	Outbound connection from vulnerable application to a domain
New external host server connection	New outbound connection from application
Login from source using Calltype	AWS account accessed from a new geolocation with a new AWS event type AWS account accessed from a new geolocation
Login from known bad source using Calltype	AWS account accessed from known bad IP address with new AWS event type AWS account accessed from known bad IP address
Service accessed in region	New AWS service accessed in region
User used service in region	New AWS API invoked
New AWS account	New cross-account access made from external AWS account
Service called GCP API	New API invoked for Google Cloud service
GCP service accessed in region	New Google Cloud service accessed in region