Suppressing specific AWS and workload behavior anomaly alerts reduces the number of alerts and allows you to focus on the assets that are most important to you.
To use policies to suppress specific behavior anomaly alerts, follow these steps:
- Navigate to MONITOR > Policies.
- Behavior anomaly rules are available for AWS and Workload policy types.
In the Behavior Anomaly Rules table, locate the event you want to suppress and expand it.
- Click CLONE.
- Enter a name for the event.
- Use the available columns to define the conditions for suppressing this event.
You must select EXCLUDE to suppress the event for the specified conditions.
Example: For the New External Server IP Address event, you could add these conditions: IP ADDRESS EXCLUDE h1, h2 AND PORT EXCLUDE a1, a2. Below is a screenshot of an example.
This will exclude the event of type New External Server IP Address only when the IP address matches h1 or h2 and the port matches a1 or a2.
The table below provides examples for available conditions.
- Ensure the rule is enabled and click Save.
- Ensure the Lacework rule that you cloned remains enabled.
After you suppress an alert, Lacework does not generate an event for the conditions you specified.
If you disable the Lacework rules category from which a rule was cloned, that setting takes precedence, meaning the entire category of that event type is disabled.
You can also use the * wildcard when defining conditions.
|IP_ADDR||192.0.2.0||IP ranges are not supported. You can use * to simplify some exceptions. For example, you can add 192.0.2.0 as 192.0.* if you have a common range.|
AWS Behavior Anomaly Rules
You can suppress the following AWS behavior anomaly rules.
|Rule ID||Behavior Rule||Description|
|LW_AWS_ACCNT_86||New Account||Detects an external account seen for the first time|
|LW_AWS_API_97||Service Called API||Detects an API used for a service|
|LW_AWS_API_98||API Failed With Error||Detects an API that failed with an error|
|LW_AWS_ERR_92||New Error Code||Detects an API that failed with a new error code|
|LW_AWS_LOGIN_93||Login From Known Bad Source Location||Detects a login from a known malicious source location|
|LW_AWS_LOGIN_94||Login From New Source Location||Detects a login from a new source location|
|LW_AWS_REGION_90||New Region||Detects a region used for the first time|
|LW_AWS_REGION_91||User Used Service In Region||Detects a user using an API for a service in a region|
|LW_AWS_REGION_95||User Accessing Region||Detects a user accessing a region for the first time|
|LW_AWS_REGION_96||Service Accessed In Region||Detects a user accessing a service for the first time in a region|
|LW_AWS_SERVICE_89||New Service||Detects a user using a service for the first time|
|LW_AWS_USR_87||AWS User Logged In From Source||Detects an AWS user logging in from a new source|
|LW_AWS_USR_88||User Calltype MFA||Detects a user accessing a service with MFA for the first time|
Workload Behavior Anomaly Rules
You can suppress the following workload behavior anomaly rules.
|Rule ID||Behavior Rule||Description|
|LW_APP_TYPE_70||New Binary Type||Detects a new application type being launched|
|LW_EXT_DNS_58||New External Server DNS||Detects a connection to a new external host|
|LW_EXT_DNS_59||Bad New External Server DNS||Detects a connection to a known malicious host|
|LW_EXT_DNS_60||New External Client DNS||Detects a new external host making a connection|
|LW_EXT_DNS_61||Bad New External Client DNS||Detects a known malicious host making a connection|
|LW_EXT_DNS_62||New External DNS Server||Detects an external IP used as a DNS server for for the first time|
|LW_EXT_DNS_63||Bad New External DNS Server||Detects a known malicious IP used as a DNS server for the first time|
|LW_EXT_IP_64||New External Server IP Address||Detects a connection to a new external IP|
|LW_EXT_IP_65||Bad New External Server IP Address||Detects a connection to a malicious IP|
|LW_EXT_IP_66||New External Client IP Address||Detects a new external IP making a connection|
|LW_EXT_IP_67||Bad External Client IP Address||Detects a known malicious IP making a connection|
|LW_EXT_IP_68||New Internal Server IP||Detects a connection to a new internal IP|
|LW_EXT_IP_69||New Internal Client IP||Detects a new internal IP making a connection|
|LW_HOST_77||New External Server DNS Connection||Detects a connection a new external host|
|LW_HOST_78||New External Server Bad DNS Connection||Detects a connection to a known malicious host|
|LW_IP_73||New External Client Connection||Detects a new external IP making a connection|
|LW_IP_74||New External Client Bad IP Address Connection||Detects a known malicious IP making a connection|
|LW_IP_75||New External Server IP Address Connection||Detects a connection to a new external IP|
|LW_IP_76||New External Server Bad IP Address Connection||Detects a connection to a malicious IP|
|LW_IP_79||New Internal Connection||Detects a new internal connection|
|LW_MCH_71||New Machine Server Cluster||Detects a new machine server cluster|
|LW_PROCESS_80||New Privilege Escalation||Detects a privilege escalation|
|LW_PROCESS_81||New Child Launched||Detects an application launching a child application|
|LW_USR_72||New User||Detects a user seen for the first time on a host|
|LW_USR_82||Machine Cluster Launched New Binary||Detects a new machine cluster launching an application|
|LW_USR_83||User Launched New Binary||Detects a user launching a new application|
|LW_USR_84||User Logged In From New IP Address||Detects a user logging in from a new IP address|
|LW_USR_85||User Logged In From New Location||Detects a user logging in from a new location|