
Alerts Reference

Alert categories

Lacework FortiCNAPP classifies alerts into categories and subcategories. A category contains various properties and specifications that define the alerts within that category.

Alert categories

The following table describes all alert categories.

Category    Description
Anomaly     Alerts that are generated when there are behavioral changes.
Policy      Alerts that are generated when a violation of a custom policy is detected.
Composite   Alerts that are generated when a potential intrusion is detected.

Alert subcategories

The following table describes all alert subcategories.

Subcategory Description

Compliance

Compliance-related alerts such as "New violations: AWS Account <ACCOUNT_ID> : lacework-global-128 EC2 instances should not have a Public IP address attached". We provide out-of-the-box compliance policies and support the creation of custom compliance policies. These policies trigger alerts when a violation occurs (if the policies are enabled).

Application

Application-related alerts, such as a suspicious application: "Suspicious test app: Suspicious application /usr/local/bin/python2.7 (and 4 more)".

Cloud Activity

Cloud-activity alerts specific to AWS, Azure, or Google Cloud. For example: "New Violations: GCP_CIS12_3_6 Ensure that SSH access is restricted from the internet" (new compliance violations detected).

File

Potentially suspicious file-related alerts such as: Clone of Suspicious Files: /var/run/qa/BFNE/08082021170247/eicar.com.txt (and 96 more).

Machine

Machine-related alerts such as new IP address connections: Outbound connection to a new external IP address from application: ip-192.51.100.100.us-west-2.compute.internal connected to xx.xx.xxx.xxx

User

User-related alerts such as suspicious user logins: Suspicious logins from multiple GEOs: Suspicious user logins detected for user web93 (and 331 more) access from multiple geographies.

Platform

Platform-related alerts such as cloud activity ingestion failures: Cloud Activity log ingestion failure detected: dh-user-kt is failing for data ingestion into Lacework FortiCNAPP.

Kubernetes Activity

Kubernetes-related alerts such as a new binding to a Cluster Role was created: K8s Audit Log Cluster Role Created.

Registry

Registry-related alerts such as PolicyViolationChanged, NewPolicyViolation.

SystemCall

System-call-related alerts such as Attempted Host Path Mount, Host Path Mount Execution, Attempted Cron Job Creation.

Host Vulnerability

Host-vulnerability-related alerts such as New vulnerable internal connection, New external host server connection from vulnerable application.

Container Vulnerability

Container-vulnerability-related alerts such as New security vulnerability, Known security vulnerability, Known security vulnerability discovered in repository.

Threat Intel

Network-related alerts such as Outbound connection to a bad external URL, Outbound connection to a bad external IP Address, Inbound connection from a bad external IP Address.
