This section provides information about some of the workload security events visible in the Lacework Console.
After you install the Lacework agent on hosts, Lacework scans those hosts and streams select metadata to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Lacework can provide detailed in-context events for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.
For each documented event, the following information is provided:
- a summary about the event
- why the event is important
- information about investigating the event
- information about how to resolve the alert
In the title of each event documentation topic, 'Event Name:" is replaced with prefix identifying the event as displayed in the Lacework Console, for example, 'Event Name:' could be replaced by 'LW_EXT_IP_67:' in the LW_EXT_IP_67 : Bad External Client IP Address event name.
Here is some terminology used in the event descriptions:
- Unknown internal host is an internal host that is not running a Lacework agent, which is identified by an IP address.
- Unknown external host is an external host that is seen by Lacework for the first time. External hosts are identified by their domain name. If a domain name cannot be associated with the host, identification is by public IP, which may be shared.