This article discusses how to suppress alerts resulting from crawler activity.
Overview
Running crawlers can generate a high volume of alerts and events, because a crawler continuously connects to external hosts that have never been seen before. A crawler can trigger the following event types (Rule ID in parentheses):
- New External Server IP Address (LW_EXT_IP_64)
- New External Server IP Address Connection (LW_IP_75)
- New External Server DNS (LW_EXT_DNS_58)
- New External Server DNS Connection (LW_EXT_DNS_62)
- Bad External Host (LW_EXT_DNS_59)
- Bad External DNS Server (LW_EXT_DNS_63)
- Bad Host Server IP Address (LW_EXT_IP_65)
- Bad External Server Host Connection (LW_HOST_78)
- Bad External Server IP Address Connection (LW_IP_76)
The IP address and IP address connection events differ slightly. The former alerts on the first ever connection to an IP address. The latter alerts when the IP address is already known (previously visited) but a new application connects to it. The same distinction applies to the DNS and DNS connection events.
Similarly named events that contain "client" denote incoming connections (as opposed to "server," which denotes outgoing), so they are not relevant to crawler activity.
Suppress Alerts
The Lacework Console allows you to customize rules to suppress crawler-related events.
- Navigate to Monitor > Policies.
- For the Policy Type select Host.
- Under the Host Behavior Anomaly Suppression Rules, locate the event you want to suppress and expand it.
- Click Clone.
- Enter a name for the cloned rule.
- Use the available fields to define the conditions under which this event is suppressed, then save the rule.
The result is a completed custom rule that suppresses only the events matching those conditions; the original built-in rule is left unchanged.
Examples
Suppress by IP Address
If you want to suppress events for specific destination IP addresses, follow these steps:
- Expand and clone the rule you want to suppress, such as New External Server IP Address (LW_EXT_IP_64).
- In the parameter drop-downs, select:
  - IP_ADDR
  - Exclude
- For the value, enter the IP addresses, such as: 10.0.10.1,10.0.10.2,10.0.10.3
- Comma-separate multiple addresses with no spaces. IP ranges (CIDR notation) are not supported, but you can use the * wildcard to cover a common prefix; for example, 10.0.* covers every address beginning with 10.0. Keep the wildcard at an octet boundary (10.0.10.*), because the match is on the address text rather than the network: a pattern such as 10.0.1* would also match 10.0.100.x and 10.0.110.x addresses.
- Click Save.
An IP_ADDR exclusion applies to every machine, so a non-crawler host that connects to the same address is silenced as well. If the goal is to quiet a known set of crawler machines, suppressing by hostname or machine tag (below) keeps the alerts for everything else.
Suppress by Machine
If you want to suppress events from specific machines, follow these steps:
- Expand and clone the rule you want to suppress, such as New External Server DNS Connection (LW_EXT_DNS_62).
- In the parameter drop-downs, select:
  - Hostname
  - Exclude
- For the value, enter the machine names, such as: ip-11-22-33-44-machine,ip-55-66-77-88-machine
- Comma-separate multiple names with no spaces.
- Click Save.
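Before saving an Exclude list it is worth checking what it would actually hide. The following is an added example, not code from the article or from Lacework: a small dry-run that applies an IP_ADDR or Hostname exclude list to a constructed set of observed connections and reports which events would be suppressed. It assumes the console treats * as a plain text wildcard over the address or hostname string (the article states the wildcard exists but not its exact semantics); the connection records, machine names and TEST-NET addresses are constructed sample data.

```python
"""Dry-run a Lacework-style Exclude list against observed connections.

Assumption (not stated by the article): '*' is a plain text wildcard over
the address or hostname string, and no other metacharacters are special.
Sample connections below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    hostname: str     # source machine name, matched by the Hostname parameter
    dest_ip: str      # external server address, matched by the IP_ADDR parameter
    application: str  # process that opened the connection


# Constructed sample: two crawler machines and one unrelated database host that
# happens to reach the same external address as a crawler.
SAMPLE_CONNECTIONS = [
    Connection("ip-10-0-1-10-crawler", "203.0.113.5", "crawler"),
    Connection("ip-10-0-1-11-crawler", "198.51.100.20", "crawler"),
    Connection("ip-10-0-2-50-db", "203.0.113.5", "curl"),
]


def parse_exclude_list(value: str) -> list[str]:
    """Split the comma-separated value the console expects (no spaces)."""
    if " " in value:
        raise ValueError("exclude list must not contain spaces")
    entries = value.split(",")
    if any(entry == "" for entry in entries):
        raise ValueError("empty entry in exclude list (stray comma?)")
    return entries


def _pattern_to_regex(pattern: str) -> re.Pattern[str]:
    # Escape everything literally, then turn the escaped '*' back into '.*'.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def matches_any(value: str, patterns: list[str]) -> bool:
    """True if the value matches at least one exclude pattern."""
    return any(_pattern_to_regex(p).match(value) for p in patterns)


def ip_wildcard_is_octet_aligned(pattern: str) -> bool:
    """True when every '*' in an IPv4 pattern stands for a whole octet.

    A mid-octet wildcard such as 10.0.1* also matches 10.0.100.x, which is
    rarely what was meant; 10.0.10.* only matches the 10.0.10.x addresses.
    """
    if "*" not in pattern:
        return True
    return all(octet == "*" or "*" not in octet for octet in pattern.split("."))


def dry_run(connections, ip_excludes: list[str], host_excludes: list[str]):
    """Partition connections into (suppressed, still_alerting)."""
    suppressed, alerting = [], []
    for conn in connections:
        if matches_any(conn.dest_ip, ip_excludes) or matches_any(conn.hostname, host_excludes):
            suppressed.append(conn)
        else:
            alerting.append(conn)
    return suppressed, alerting


if __name__ == "__main__":
    for ip_list, host_list in (("203.0.113.5", ""), ("", "*-crawler")):
        ips = parse_exclude_list(ip_list) if ip_list else []
        hosts = parse_exclude_list(host_list) if host_list else []
        for p in ips:
            if not ip_wildcard_is_octet_aligned(p):
                print(f"warning: {p} has a mid-octet wildcard")
        hidden, kept = dry_run(SAMPLE_CONNECTIONS, ips, hosts)
        print(f"IP_ADDR={ips} Hostname={hosts}")
        print("  suppressed:", [c.hostname for c in hidden])
        print("  alerting:  ", [c.hostname for c in kept])
```

Run against the sample, excluding the destination 203.0.113.5 silences both the crawler and the unrelated database host that reached it, while excluding the hostname pattern *-crawler silences only the two crawler machines and leaves the database host's connection alerting. That difference is the reason to prefer suppressing by machine or tag when a known crawler fleet is the noise source.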
Suppress by Tag
If you want to suppress events from machines that carry a specific machine tag key and value, follow these steps:
- Expand and clone the rule you want to suppress, such as New External Server DNS (LW_EXT_DNS_58).
- In the parameter drop-downs, select:
  - MACHINE_TAG_KEY
  - Exclude
- For the value, enter the desired tag key.
- Add another parameter and select:
  - MACHINE_TAG_VALUE
  - Exclude
- For the value, enter the desired tag value.
- Click Save.