Alert Conditions

Lacework Edge models data and activity coming from clients and integrations to assemble a complete picture of a user, their access habits, and their characteristics. Lacework Edge uses this modeling to flag when one of the alert conditions below has been met.

This list covers all of the conditions for which you can receive alerts. Each condition has a "type" that indicates which data source it relates to.

Conditions Summary

| Name | Summary | Type |
| --- | --- | --- |
| AccessDenied | Access denied | user |
| AnomalousDocumentEventType | Anomalous document download | document |
| AnomalousExternalUserDocumentAccess | Anomalous document access by external user | document |
| AnomalousLocationByUser | Unusual user activity at abnormal ip/location | user |
| DgaDetected | DGA (Domain Generation Algorithm) detected | user |
| DocumentSharedExternally | New external sharing of internal document | document |
| DocumentSharedToRestrictedDomain | Document shared to restricted domain | user |
| NewAppByUser | New service/app accessed by the user | user |
| NewDeviceByUser | New device seen for the first time for user | user |
| NewDriveAccessByGroup | New drive access by user or group | document |
| NewExeByUser | New executable used by user | user |
| NewUser | New user seen for the first time | user |
| NewUserAgentByUser | New user agent for user | user |
| RareAccessByUser | Unusual app access by user | user |
| SuspiciousAccessDenied | Blocked user access to app or web site | user |
| UnusualDownloadsByUser | Unusual amount of data downloaded by user | user |
| UnusualNumberOfAlertsByUser | Unusual number of alerts for user | user |
| UnusualNumberOfAppsLoggedInByUser | Unusual # of application logins by user | user |
| UnusualNumberOfConnectionsByUser | Unusual number of network connections created by user's device | user |
| UnusualNumberOfDocumentRequestsByEventTypeByUser | Unusual number of requests for document | document |
| UnusualNumberOfDocumentsByEventTypeByUser | Unusual number of documents accessed by user | document |
| UnusualNumberOfLoginsByUser | Unusual number of login attempts made by user | user |
| UnusualTimebehaviorByUser | Unusual user activity at abnormal time | user |
| UnusualUploadsByUser | Unusual amount of data uploaded by user | user |
| UserOnVpn | User on VPN | user |
| UserTravelling | Unusual user location - potential travel | user |
| WorkflowApproved | Workflow approved | user |
| WorkflowDeniedByUser | Workflow denied by user | user |
| WorkflowRun | Workflow triggered by user | user |
| WorkflowStarted | Workflow triggered by user | user |
| WorkflowTimedOut | Triggered workflow timed out | user |

Condition Details

AccessDenied

Summary: Access denied
Type: user
Frequency: real-time
Detail: A person attempts to access a resource, such as a document, a network or a URL, but is prevented from doing so by the security system. This can happen when the user lacks the necessary permissions or credentials, or when the resource is restricted for some other reason. The user is unable to access the resource and receives an error message or other notification that access has been denied. Organizations should implement appropriate access controls to prevent unauthorized access and protect sensitive information.

AnomalousDocumentEventType

Summary: Anomalous document action observed
Type: document
Frequency: hourly
Detail: A person performs an anomalous action (typically view, edit, download or share) on a document. The alert fires when it is very uncommon for this user, or for users in the same user group, to perform that action on this specific document or on similar documents. It can signal that a user has gained unauthorized access to documents, bypassing security controls through misconfigured document access policies or system flaws; it often involves external users. Such access is a potential security threat, since the external user may be able to view or alter sensitive information in the document. Organizations should regularly monitor and secure their systems to prevent this kind of unauthorized access.

AnomalousExternalUserDocumentAccess

Summary: Anomalous document access by external user
Type: document
Frequency: hourly
Detail: An external user is accessing a company document that is generally not accessible to external users.

AnomalousLocationByUser

Summary: Unusual user activity at abnormal ip/location
Type: user
Frequency: hourly
Detail: A user is accessing some resource from a location that is not typically associated with their account or device. This could be due to a number of reasons, such as the user traveling to a different location, using a different device, or accessing the app through a VPN or proxy. In many cases, if the user is authenticating into an app, the app provider may flag the access as anomalous and require additional authentication or security measures to verify the user's identity and protect their account.

DgaDetected

Summary: DGA (Domain Generation Algorithm) detected
Type: user
Frequency: real-time
Detail: A malicious actor or bot is potentially communicating with one or more algorithmically generated domains. DGA is often used by attackers and bots to bypass security measures and evade detection, because it lets them quickly generate a large number of domain names for command and control traffic that is difficult to track or block. When DGA is detected, security teams should act to prevent further attacks and protect the network or system from harm.

DocumentSharedExternally

Summary: New external sharing of internal document
Type: document
Frequency: hourly
Detail: A user has made a document accessible to people outside the organization or network. This could be done through a variety of methods, such as emailing the document, uploading it to a shared file server or cloud storage service, or sharing a link to the document on social media or a messaging platform. In these cases, the user is giving others access to view or edit the document, and it is important for the user to ensure that the document is shared securely and only with individuals who have permission to access it.

DocumentSharedToRestrictedDomain

Summary: Document shared to restricted domain
Type: user
Frequency: hourly
Detail: A document that is not typically available to individuals outside a specific organization or group is shared with individuals in a different organization or group, identified by a restricted domain. This could indicate that the document contains sensitive information that is being accessed by unauthorized individuals. It could also be a sign of a security breach, where the document was shared without proper authorization. In this case, the organization should investigate the situation and take appropriate action to prevent any potential security threats.

NewAppByUser

Summary: New service/app accessed by the user
Type: user
Frequency: hourly
Detail: A user is accessing an app or online service that is not typically associated with their account. This could be due to the user downloading or installing a new app, or it could be due to the user trying out a different app that offers similar or complementary features to an app they already use. In these cases, the app or service may require the user to verify their identity or set up their account on the new device before they can access their account or data. This is to ensure that the user's account is secure and only accessible by the user themselves.

NewDeviceByUser

Summary: New device seen for the first time for user
Type: user
Frequency: hourly
Detail: A user is accessing an app or online service from a device that is not typically associated with their account. This could be due to the user purchasing a new device, using a borrowed or temporary device, or accessing the app from a public device such as a library or shared computer. In these cases, the app or service may require the user to verify their identity or set up their account on the new device before they can access their account or data.

NewDriveAccessByGroup

Summary: New drive access by user or group
Type: document
Frequency: hourly
Detail: A user from a certain user group is accessing a shared drive that is not typically accessed by users from that group.

NewExeByUser

Summary: New executable used by user
Type: user
Frequency: hourly
Detail: A user is accessing an app or online service from a device that is running a different version or type of software than what is typically associated with their account. An executable is a type of file that is used to run a program or application on a computer or device. In these cases, the app or service may require the user to verify their identity or set up their account on the new device before they can access their account or data. This is to ensure that the user's account is secure and only accessible by the user themselves.

NewUser

Summary: New user seen for the first time
Type: user
Frequency: hourly
Detail: A user who has not previously accessed the system is able to do so. This could happen if the user is able to provide the necessary credentials or permissions to access the system, or if there is a flaw in the system that allows the user to gain unauthorized access. In this case, the system would recognize the user as a new user and may log their access or take other actions as appropriate. It is important for organizations to monitor and secure their systems to prevent unauthorized access and protect sensitive information.

NewUserAgentByUser

Summary: New user agent for user
Type: user
Frequency: hourly
Detail: A user is accessing an app or online service from a browser that is not typically associated with their account. A user-agent is a string of information that is sent by a web browser to a server to identify the browser and device being used to access the app or service. In these cases, the app or service may require the user to verify their identity or set up their account on the new device or browser before they can access their account or data. This is to ensure that the user's account is secure and only accessible by the user themselves.

RareAccessByUser

Summary: Unusual app access by user
Type: user
Frequency: hourly
Detail: A user is using an app or other online resource outside their typical usage patterns or behaviors. This could be due to the user needing to use the app for a specific reason, such as for work or an emergency, or it could be due to the user simply wanting to try out the app again after not using it for a 'long' time. In these cases, the app may flag the user's access as unusual and require additional authentication or security measures to verify their identity and protect the user's account. It is important for the user to ensure that they are accessing the app securely and only from trusted devices and networks.

SuspiciousAccessDenied

Summary: Blocked user access to app or web site
Type: user
Frequency: real-time
Detail: A user who is exhibiting suspicious access to an application may be attempting to access the app in a way that is outside the normal usage patterns or behaviors for their account. This could include accessing the app from multiple locations or devices, using unusual or uncommon login methods, or attempting to access the app during unusual times or with large amounts of data. In these cases, the app may flag the user's access as suspicious and require additional authentication or security measures to verify their identity and protect the user's account.

UnusualDownloadsByUser

Summary: Unusual amount of data downloaded by user
Type: user
Frequency: hourly
Detail: A user downloaded significantly more data than usual in the indicated hour from an app or an online service. This could indicate that the user is conducting some kind of data exfiltration by accessing or copying an excessive amount of information, some of it possibly sensitive. It could also be a sign of malicious activity, such as the user downloading malware or other harmful software. In this case, the organization should monitor the user's activity and take appropriate action to prevent any potential security threats.

UnusualNumberOfAlertsByUser

Summary: Unusual number of alerts for user
Type: user
Frequency: hourly
Detail: A user has triggered a large number of alerts or notifications from the security system in the last 24 hours. This could indicate that the user is performing actions that are outside their normal behavior, potentially including activities that are a security threat. In this case, it would be important for the organization to monitor the user's activity and take appropriate action to prevent any potential security threats.

UnusualNumberOfAppsLoggedInByUser

Summary: Unusual # of application logins by user
Type: user
Frequency: daily
Detail: A user has attempted significantly more logins than usual to various applications through a specific IDP. This could indicate that the user has been repeatedly attempting to gain access to one or more applications within the daily time frame. It could be a sign of malicious activity, such as the user attempting to exploit vulnerabilities in the application to gain unauthorized access. It could also signal that someone is trying to compromise the target user's credentials, especially when the attempts result in failures. In this case, the organization should monitor the user's activity and take appropriate action to prevent any potential security threats.

UnusualNumberOfConnectionsByUser

Summary: Unusual number of network connections created by user's device
Type: user
Frequency: hourly
Detail: A user's device is making significantly more requests than usual in the given hour to an app or an online service.

UnusualNumberOfDocumentRequestsByEventTypeByUser

Summary: Unusual number of requests for document
Type: document
Frequency: hourly
Detail: A user has performed an unusual number of actions of a specific type on a document in the hour. This could be a sign of malicious activity, such as the document being used to spread malware or other harmful content. In this case, the organization should monitor the activity around the document and take appropriate action to prevent any potential security threats.

UnusualNumberOfDocumentsByEventTypeByUser

Summary: Unusual number of documents accessed by user
Type: document
Frequency: hourly
Detail: A user who is not typically known for accessing or creating a large number of documents suddenly starts doing so. This could indicate that the user is attempting to access or share sensitive information. It could also be a sign of malicious activity, such as the user creating or modifying documents to spread malware or other harmful content. In this case, the organization should monitor the user's activity and take appropriate action to prevent any potential security threats.

UnusualNumberOfLoginsByUser

Summary: Unusual number of login attempts made by user
Type: user
Frequency: daily
Detail: A user attempted to log into significantly more apps than usual through a specific IDP. This could indicate that the user is attempting to gain unauthorized access to various apps, networks or systems. It could also be a sign of malicious activity, such as the user attempting to steal login credentials or bypass security measures, especially when the login attempts fail and the apps involved are not commonly associated with the user. In this case, the organization should monitor the user's activity and take appropriate action to prevent any potential security threats.

UnusualTimebehaviorByUser

Summary: Unusual user activity at abnormal time
Type: user
Frequency: hourly
Detail: A user is accessing some resource at a time of day when there is normally little activity from that user. This could be because the user needs to access the app at an unusual time for a specific reason, such as work or an emergency, or because the user is accessing the app at a time when they are typically asleep or not using it. The alert is generally investigated in the context of other anomalous alerts around the same period. Combined with other alerts such as AnomalousLocationByUser, it could signal a compromised user credential or device, resulting in unauthorized users and activities. In these cases, the app may flag the user's access as unusual and require additional authentication or security measures to verify their identity and protect the user's account.
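Investigating this alert "in the context of other anomalous alerts around the same period" can be scripted as a simple correlation pass over an alert feed. The following is an added example, not Lacework Edge code: the alert record fields, the sample records and the second condition pairing are assumptions; the first pairing is the one the detail above names.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample alerts (not real Lacework Edge output; the record format
# is an assumption). Each record carries the user, a condition name from the
# Conditions Summary above, and the time the alert fired (ISO 8601, UTC).
SAMPLE_ALERTS = [
    {"user": "alice", "condition": "UnusualTimebehaviorByUser", "time": "2024-01-08T03:10:00"},
    {"user": "alice", "condition": "AnomalousLocationByUser",   "time": "2024-01-08T03:25:00"},
    {"user": "bob",   "condition": "UnusualTimebehaviorByUser", "time": "2024-01-08T02:00:00"},
    {"user": "bob",   "condition": "AnomalousLocationByUser",   "time": "2024-01-08T16:00:00"},
    {"user": "carol", "condition": "NewDeviceByUser",           "time": "2024-01-08T09:00:00"},
    {"user": "carol", "condition": "UnusualUploadsByUser",      "time": "2024-01-08T09:30:00"},
]

# Condition pairs that merit a closer look when seen together for one user.
# The first pair is the combination the UnusualTimebehaviorByUser detail calls
# out; the second is an assumed, illustrative pairing (device + upload volume).
CORRELATED_PAIRS = {
    frozenset({"UnusualTimebehaviorByUser", "AnomalousLocationByUser"}):
        "possible compromised credential or device",
    frozenset({"NewDeviceByUser", "UnusualUploadsByUser"}):
        "possible exfiltration from an unfamiliar device",
}


def _parse_time(value):
    return datetime.fromisoformat(value)


def correlate(alerts, window_hours=1.0):
    """Return {user: [reason, ...]} for every user who has a correlated
    pair of alerts firing within `window_hours` of each other."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for alert in alerts:
        by_user.setdefault(alert["user"], []).append(alert)

    findings = {}
    for user, items in by_user.items():
        # Check every pair of this user's alerts against the pairing table.
        for first, second in combinations(items, 2):
            reason = CORRELATED_PAIRS.get(frozenset({first["condition"], second["condition"]}))
            if reason is None:
                continue
            gap = abs(_parse_time(first["time"]) - _parse_time(second["time"]))
            if gap <= window:
                findings.setdefault(user, []).append(reason)
    return findings


if __name__ == "__main__":
    for user, reasons in correlate(SAMPLE_ALERTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

With the sample data, alice and carol are flagged while bob is not, because his two alerts are 14 hours apart; widening the window to a day flags him too.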

UnusualUploadsByUser

Summary: Unusual amount of data uploaded by user
Type: user
Frequency: hourly
Detail: A user uploaded significantly more data than usual in the indicated hour to an app or an online service. This could indicate that the user, or some local agent, is conducting some kind of data exfiltration, especially when the user is on an office or enterprise device that hosts sensitive information locally. In this case, the organization should monitor the user's activity and take appropriate action to prevent any potential security threats.

UserOnVpn

Summary: User on VPN
Type: user
Frequency: hourly
Detail: A user is potentially accessing some resource while connected to a VPN.

UserTravelling

Summary: Unusual user location - potential travel
Type: user
Frequency: hourly
Detail: A user is accessing an app from a location that is different from their usual location. This could be due to the user being on vacation, a business trip, or another temporary travel situation. In these cases, the app may flag the user's access as anomalous and require additional authentication or security measures to verify their identity and protect the user's account. It is important for the user to ensure that they are accessing the app securely and only from trusted devices and networks while traveling.

WorkflowApproved

Summary: Workflow approved
Type: user
Frequency: real-time
Detail: The steps or tasks outlined in a given Lacework Edge workflow have been reviewed and deemed to be appropriate, relevant, and effective by the appropriate parties.

WorkflowDeniedByUser

Summary: Workflow denied by user
Type: user
Frequency: real-time
Detail: A user has chosen not to follow the steps or processes that are outlined in a given workflow.

WorkflowRun

Summary: Workflow triggered by user
Type: user
Frequency: real-time
Detail: A user has initiated the series of steps or tasks that are outlined in a given Lacework Edge workflow.

WorkflowStarted

Summary: Workflow triggered by user
Type: user
Frequency: real-time
Detail: A user has initiated the series of steps or tasks that are outlined in a given Lacework Edge workflow.

WorkflowTimedOut

Summary: Triggered workflow timed out
Type: user
Frequency: real-time
Detail: A user has not completed the steps or tasks of a given Lacework Edge workflow within the allotted time frame.