Introduction to Workload Alerts
This section provides information about some of the workload security alerts visible in the Lacework Console.
Bad External Client IP Address
This event occurs when an external IP address that has been flagged as malicious by intelligence sources connects to an internal host.
Bad External Client IP Address Connection
This event occurs when an external IP address that has been flagged as malicious by intelligence sources connects to a process on a host running a Lacework agent.
Bad External Client DNS
This event occurs when an external host that has been flagged as malicious by intelligence sources connects to an internal host. If an application cannot be associated with a connection, Lacework generates a machine event.
Bad External Host
This event occurs when a bad external host (connected via an application) is seen for the first time ever in the data center. This can be observed as a "new node" in the Polygraph.
Bad External Server DNS Connection
This event occurs when an internal host connects to an external host, identified by its domain name, that has been flagged as malicious by intelligence sources. If a connection cannot be associated with an application, Lacework generates a machine event.
Bad External Server Host Connection
This event occurs when a bad external host, which has already been seen in the data center, is connected to via an application for the first time.
Bad External Server IP Address
This event occurs when an internal host connects to an IP address that has been flagged as malicious by intelligence sources. If an application cannot be associated with a connection, Lacework generates a machine event.
Bad External Server IP Address Connection
This event occurs when an additional internal host connects to a previously seen IP address that has been flagged as malicious by intelligence sources. If an application cannot be associated with a connection, Lacework generates a machine event.
New Application
This event occurs when an application, not included in the set of learned applications, connects to a known application.
New Child Launched
This event occurs when a process on a host running the Lacework agent launches a child process for the first time.
New External Client IP Address
This event occurs when a new external client IP address connects to an internal host running a Lacework agent. This client was unknown to the host before it connected to the host.
New External Client IP Address Connection
This event occurs when an external IP address connects to a process on a host running a Lacework agent for the first time. The host had knowledge about this client, but the client never connected to the host before this event.
New External Host
This event occurs when an application connects to an unknown external host, identified by its domain name.
New External Host Connection
This event occurs when an application that has not previously connected to the known external host makes a connection. The external host is part of the existing baseline, meaning that either another process or machine is making connections to it.
New External Host Server Connection
This event occurs when a process on an internal host running a Lacework agent makes a connection to an external host that it has never connected to before.
New External Server Host Connection
This event occurs when an internal host that has not previously connected to the known external host makes a connection. The external host is part of the existing baseline, meaning that either another process or machine is making connections to it.
New External Server IP Address
This event occurs when an application connects to a never-before-seen external IP address.
New External Server IP Address Connection
This event occurs when an additional application connects to a previously seen external IP address.
New Internal Connection
This event occurs when an application running on a single machine or multiple machines connects for the first time to another application.
New Internal Host Connection
This event occurs when a known internal host makes a new connection to an unknown internal host, identified by its IP address. If an application cannot be associated with a connection, Lacework publishes a machine event.
New Privilege Escalation
This event occurs when a user has escalated privilege to a higher privileged account.
New User
This event occurs when the host running the Lacework agent sees a new user. A new user name generates this event.
Suspicious Login
This event occurs when a user is able to log in to a known internal host from an external IP address that has been flagged as malicious by intelligence sources.
User Launched New Binary
This event occurs when a user launches an application that has not previously been observed being launched by that specific user.
User Logged In From New IP
This event occurs when a known user logged in from an IP address not associated with the user.
User Logged In From New Location
This event occurs when a known user logged in from a location not associated with the user.