Skip to main content

Platform Policies and Alerts

Lacework includes a special type of policy that enables you to monitor the health of the integration between Lacework and your AWS cloud activity integrations. The platform policy is an anomaly platform that detects log errors indicating integration failures between Lacework and your integrations.

By cloning the policy, you can specialize the policy for your requirements, as described here. For example, you can set a specific severity level for AWS and another level for Google Cloud.

Customize the Platform Policy

You cannot modify a default Lacework policy, such as the platform policy, directly. Instead, you must clone the policy and modify the settings of the duplicated policy. By disabling the original policy, you can effectively modify the original behavior.

To customize the platform policy, follow these steps:

  1. In the Policies page, find the platform policy quickly by filtering for Platform as the Domain type or by searching by ID, LW_PLATFORM_106.

  2. Click the platform policy to open the Policy Details pane.

  3. Click the Clone policy icon.

  4. In the cloned policy, modify the following settings as desired:

    • Summary:

      • Frequency: The frequency to be notified if the issue is not resolved. Select 1h for hourly basis and 1d for daily basis.
      • Severity: The severity of the alerts generated by the policy.
    • Query:

      • Integration Name: The cloud provider integration for which integration errors are detected. The list of cloud activity integrations that are obtained from Account Settings (only active integration names) appear in the drop-down.

        By default, all integrations are included (*). Here you can customize the policy for specific integrations or integration types, for example, if you have cloud provider types associated with specific teams.

      • Failure Threshold: Specify the number of contiguous hours an integration failures must span in order to generate an alert. This setting lets you control the volume of alerts generated by the platform policy, and avoid alerts for intermittent or short-lived failures.

        The default setting is Failure Threshold GREATER THAN OR EQUAL TO 3.

  5. Be sure to give the cloned policy a meaningful name.

View Platform Alerts

After you configure a policy, when there is an integration failure and it meets the filter criteria that you specify, then you should see an event on the Alerts page.

Click Details to view more information about the event.

Event details includes these sections:

  • Why - Describes why the integration failure occurred.
  • When - Displays the date and time when the error first occurred.
  • What - Describes the cloud activity integration failure.