Start your investigation by gaining an understanding of the vulnerability impacting the application. Ensure you know what exploitation activity for the vulnerability looks like in your environment.
Then, focus your attention on the activity that triggered the alert, which will typically be a network connection. Investigate the connection details, the source and destination hosts, the IP addresses, and the processes involved to determine whether the connection is expected within your environment. Use the Resources dossier to expand your search criteria and check for similar activity in other parts of the environment, and expand the date and time range to check for historical context.
Once you understand the activity that triggered the alert, assess whether it aligns with what you would expect to see if the vulnerability had been exploited.
If you do find evidence of vulnerability exploitation or other signs of malicious activity, escalate the alert to an official incident and follow a standardized Incident Response process.
If there is no evidence of exploitation or malicious activity, leverage the Vulnerability Dossier to find all instances of impacted resources and engage the impacted stakeholders to drive remediation of the vulnerability.
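The triage steps above can be scripted against a connection log to make the "is this expected, and where else does it appear" questions concrete. The following is an added example, not Lacework code or any Lacework API: the alert, the connection log and the baseline of expected connections are all constructed sample data, and the `Connection` record, `EXPECTED` set and `triage` function are hypothetical names chosen for this illustration. It pulls out the triggering connection, widens the search to other hosts and a longer time window, and separates matches that a known baseline explains from those it does not.

```python
"""Triage helper for an alert keyed on a network connection (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Connection:
    ts: datetime
    src_host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str


# Constructed sample connection log (not real data). Addresses are from
# documentation ranges; hosts and processes are invented.
SAMPLE_LOG: List[Connection] = [
    Connection(datetime(2024, 5, 1, 9, 0), "web-01", "10.0.1.10", "203.0.113.5", 443, "java"),
    Connection(datetime(2024, 5, 1, 9, 5), "web-01", "10.0.1.10", "198.51.100.7", 8080, "java"),
    Connection(datetime(2024, 5, 1, 9, 7), "web-02", "10.0.1.11", "198.51.100.7", 8080, "java"),
    Connection(datetime(2024, 4, 28, 22, 0), "web-03", "10.0.1.12", "198.51.100.7", 8080, "java"),
    Connection(datetime(2024, 5, 1, 9, 8), "web-01", "10.0.1.10", "10.0.2.5", 5432, "java"),
]

# Constructed baseline of connections known to be expected in this
# environment, keyed by (destination IP, destination port, process).
EXPECTED = {
    ("203.0.113.5", 443, "java"),   # hypothetical vendor update endpoint
    ("10.0.2.5", 5432, "java"),     # hypothetical application database
}


def is_expected(c: Connection) -> bool:
    """A connection is 'expected' if its destination and process are in the baseline."""
    return (c.dst_ip, c.dst_port, c.process) in EXPECTED


def find_similar(alert: Connection, log: Iterable[Connection], window_hours: int) -> List[Connection]:
    """Return log entries to the same destination (IP and port) within +/- window_hours
    of the alert, across all source hosts, so the analyst can see how widespread
    the activity is and how far back it goes. The alert's own entry is included."""
    window = timedelta(hours=window_hours)
    lo, hi = alert.ts - window, alert.ts + window
    return sorted(
        (c for c in log
         if lo <= c.ts <= hi
         and c.dst_ip == alert.dst_ip
         and c.dst_port == alert.dst_port),
        key=lambda c: c.ts,
    )


def triage(alert: Connection, log: Iterable[Connection], window_hours: int) -> Dict[str, object]:
    """Summarise what the analyst needs before deciding whether to escalate:
    is the triggering connection itself in the baseline, which other hosts show
    the same destination, which of those matches the baseline cannot explain,
    and when the destination was first seen in the chosen window."""
    similar = find_similar(alert, log, window_hours)
    unexpected = [c for c in similar if not is_expected(c)]
    return {
        "alert_expected": is_expected(alert),
        "hosts_with_similar": sorted({c.src_host for c in similar}),
        "unexpected": unexpected,
        "unexpected_hosts": sorted({c.src_host for c in unexpected}),
        "earliest_seen": min((c.ts for c in similar), default=None).isoformat()
        if similar else None,
    }


if __name__ == "__main__":
    # The alert fired on the second log entry; widen to a week of history.
    alert = SAMPLE_LOG[1]
    summary = triage(alert, SAMPLE_LOG, window_hours=24 * 7)
    print(f"Triggering connection expected: {summary['alert_expected']}")
    print(f"Hosts with the same destination: {summary['hosts_with_similar']}")
    print(f"Hosts with unexplained matches:  {summary['unexpected_hosts']}")
    print(f"Earliest seen in window:         {summary['earliest_seen']}")
```

Reading the summary: an unexplained destination that appears on several hosts, with the earliest sighting days before the alert, is the historical context the steps above ask for, and it is what you compare against the known exploitation pattern before deciding between escalation and remediation. Swapping the constructed `EXPECTED` set for an allowlist derived from your own environment is the one change needed to use this shape of check on real data.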
To learn more about how to triage all Lacework Alerts, check out our How-To Guide here: