Alert Rules

You can route alerts generated by policy assessments using alert rules. Alert rules specify the properties that generate notifications, such as a minimum alert severity or category. Alert rules combine those settings with an alert channel, which determines the destination to which the alert is delivered, such as a group email address.

Before configuring alert rules, be sure to configure alert channels. For more information, see Alert Channels.

Using Alert Rules with Resource Groups

When configuring an alert rule, you can choose to select resource groups for the rule. Resource groups give you much greater control over which resources can serve as the event sources for notifications.

For example, if you have a resource group that contains all AWS resources tagged "production", you can create an alert rule that specifies that resource group and an email address for your site reliability engineering team as the alert channel.

Note that the type of resource group you choose affects which type of alert subcategory is available. When you choose a resource group, the console displays the alert subcategories that are available for that choice.

For more information about resource groups, see Resource Groups.

Create an Alert Rule

To create an alert rule, complete the following steps:

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.

  2. Go to Settings > Alert rules.

  3. Click + Add New.

  4. Choose whether you want to create an alert rule with traditional resource groups or with new (enhanced) resource groups. For more information about the difference, see Using Alert Rules with Resource Groups.

  5. Name the rule and optionally provide a description.

  6. Select one or more alert channels for the rule to use.

    The list displays only enabled configured channels. Each alert rule can only have one bidirectional alert channel.

  7. Select the alert severities that you want the rule to apply to.

  8. Select the resource groups that you want the rule to apply to.

    The All AWS Accounts, All Tenants and Subscriptions, and All Organizations and Projects resource groups only apply to alerts related to the logging/config from the respective cloud provider (Config and CloudTrail events from AWS). If you do not select any groups, the rule applies to all resource groups.

  9. If configuring an alert rule with new resource group support, the supported subcategories for the selected resource groups appear. Choose a subcategory. For more information, see Using Alert Rules with Resource Groups.

  10. Click Save.

The new rule appears in the table.

Note
  • If you do not select any categories or subcategories, the rule applies to all alert categories and subcategories.
  • Alert rules defined within an account can be used by that account only. They cannot be used by the organization. Alert rules defined at the organization level can be used at the organization level only. They cannot be used by accounts.
  • For the Cloud Activity subcategory, resource tags are not currently supported. Additionally, GCP Folder ID, AWS Account Alias, and Azure Tenant Name are not supported if config is not enabled.
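The matching and validation semantics described in the procedure and notes above (enabled channels only, at most one bidirectional channel per rule, empty resource-group or subcategory selections meaning "all"), modelled as an added Python example; this is not Lacework code, and the channel and rule names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AlertChannel:
    name: str
    enabled: bool
    bidirectional: bool = False  # e.g. a ticketing integration that syncs state back

@dataclass
class AlertRule:
    name: str
    channels: list                                      # AlertChannel objects
    severities: set                                     # e.g. {"Critical", "High"}
    resource_groups: set = field(default_factory=set)   # empty = all resource groups
    subcategories: set = field(default_factory=set)     # empty = all subcategories

def validate_rule(rule: AlertRule) -> list:
    """Return the constraint violations for a rule; an empty list means it is valid."""
    problems = []
    if not rule.channels:
        problems.append("rule must reference at least one alert channel")
    disabled = [c.name for c in rule.channels if not c.enabled]
    if disabled:
        problems.append("channels must be enabled: " + ", ".join(disabled))
    bidir = [c.name for c in rule.channels if c.bidirectional]
    if len(bidir) > 1:
        problems.append("only one bidirectional channel allowed, got: " + ", ".join(bidir))
    if not rule.severities:
        problems.append("rule must select at least one severity")
    return problems

def rule_matches(rule: AlertRule, severity: str, resource_group: str, subcategory: str) -> bool:
    """Decide whether an alert with these properties is routed by the rule."""
    if severity not in rule.severities:
        return False
    if rule.resource_groups and resource_group not in rule.resource_groups:
        return False
    if rule.subcategories and subcategory not in rule.subcategories:
        return False
    return True

def route(rules: list, severity: str, resource_group: str, subcategory: str) -> set:
    """Names of the channels that receive the alert across all valid, matching rules."""
    targets = set()
    for rule in rules:
        if not validate_rule(rule) and rule_matches(rule, severity, resource_group, subcategory):
            targets.update(c.name for c in rule.channels)
    return targets
```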