Alerts Overview
Lacework provides alerts that are interactive and manageable. Each alert carries metadata such as its severity level, type, status, alert category, and associated tags.
Lacework is expanding the cloud provider services it covers. When it assesses one of these services for the first time, you may notice the following alerts in your Lacework Console:
- For AWS: New AWS service accessed in region
- For Google Cloud: New GCP service accessed in region
These alerts will originate from Lacework Service IP Addresses and can be safely disregarded. If you have any questions regarding the alerts, contact Lacework Support for further assistance.
View Alerts
By default, the Alerts page displays all alerts. You can use the following methods to refine the list of displayed alerts:
- Use filters to display a subset of specific alerts. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
- Use the search function to display a subset of specific alerts. Click the search icon to see a list of field names that you can use to build your search.
- Use the time filter to display a subset of specific alerts based on when they occurred.
When the page displays your desired alerts, click Save or Create view in the top right corner. This allows you to access the saved view later. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others so they can see the same view. For more details about saved views, refer to Views Management.
The statistics and charts depict data for the current view: total alerts by severity, total alerts over time, and the number of filters applied.
The alerts list displays up to 10 alerts on each page. You can perform the following actions on the alerts list:
- Bulk select all alerts.
- Refresh data.
- Download the alert list as a CSV. Each CSV file contains only the first 100 alerts.
- Sort alerts by Alert created by Lacework, Alert ID, First activity, Last activity, and Severity.
Alert Timestamps
Use alert timestamps to track when the event activity occurred and when the alert was last updated. All timestamps are displayed in your local timezone using a 12-hour format.
| Timestamp | Description | Example |
|---|---|---|
| Event activity | The time range between the first-seen and last-seen activity. | Event activity: 11/15/2022 at 2:32 PM EST to 3:48 PM EST |
| Event activity window | The time range during which the activity was detected. | Event activity window: 11/15/2022 between 2:00 PM EST and 3:00 PM EST |
| Alert modified | The last time a user manually updated the alert status, comment, or primary integration selection. | Alert modified: 11/15/2022 at 3:31 PM EST |
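Two practical consequences of the above follow when alerts leave the Console: each CSV download holds at most the first 100 alerts, so a large view has to be stitched together from several exports, and the timestamps are local 12-hour strings, which have to be normalized before they can be lined up against cloud audit logs that are stamped in UTC. The following script is an added example, not code from the Lacework documentation or product: it merges several exports by Alert ID, parses the Console's timestamp format into UTC, summarizes alerts by severity, and finds alerts whose event activity overlaps a UTC window. The CSV column names, the sample rows, and the fixed EST/EDT offsets are assumptions constructed for the example; check them against a real export before relying on them.

```python
"""Post-process Lacework alert CSV exports (added example, not product code).

Assumptions: the column names below are constructed for this example and
may differ from a real export; timezone abbreviations map to fixed offsets.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: two "exports" of the same view. Since each CSV
# holds at most 100 alerts, an analyst may have several overlapping files;
# here alert 1002 appears in both.
EXPORT_A = """Alert ID,Severity,Status,Type,First activity,Last activity
1001,High,Open,New AWS service accessed in region,11/15/2022 2:32 PM EST,11/15/2022 3:48 PM EST
1002,Critical,Open,Unusual login,11/15/2022 2:00 PM EST,11/15/2022 3:00 PM EST
"""
EXPORT_B = """Alert ID,Severity,Status,Type,First activity,Last activity
1002,Critical,Open,Unusual login,11/15/2022 2:00 PM EST,11/15/2022 3:00 PM EST
1003,Medium,Closed,New GCP service accessed in region,11/16/2022 9:05 AM EST,11/16/2022 9:06 AM EST
"""

# Assumed fixed offsets for the abbreviations the Console shows in local time.
TZ_OFFSETS = {"EST": -5, "EDT": -4, "UTC": 0}


def parse_console_time(text):
    """Parse '11/15/2022 2:32 PM EST' (12-hour local time) into an aware UTC datetime."""
    stamp, tz = text.rsplit(" ", 1)
    naive = datetime.strptime(stamp, "%m/%d/%Y %I:%M %p")
    local = timezone(timedelta(hours=TZ_OFFSETS[tz]))
    return naive.replace(tzinfo=local).astimezone(timezone.utc)


def load_exports(*csv_texts):
    """Merge several CSV exports into one dict keyed by Alert ID (later files win)."""
    alerts = {}
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            row["first_utc"] = parse_console_time(row["First activity"])
            row["last_utc"] = parse_console_time(row["Last activity"])
            row["duration"] = row["last_utc"] - row["first_utc"]
            alerts[row["Alert ID"]] = row
    return alerts


def count_by_severity(alerts):
    """Mirror the Console's 'total alerts by severity' statistic for the merged set."""
    return Counter(a["Severity"] for a in alerts.values())


def overlapping(alerts, start_utc, end_utc):
    """Alert IDs whose event activity overlaps [start_utc, end_utc] (for log correlation)."""
    return sorted(
        aid for aid, a in alerts.items()
        if a["first_utc"] <= end_utc and a["last_utc"] >= start_utc
    )


if __name__ == "__main__":
    merged = load_exports(EXPORT_A, EXPORT_B)
    print(dict(count_by_severity(merged)))
    for aid, a in merged.items():
        print(aid, a["first_utc"].isoformat(), "duration", a["duration"])
```

Because the merge keys on Alert ID, the same alert appearing in two consecutive 100-row downloads is counted once; the severity tally therefore matches the Console's view rather than double-counting across files.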
Perform Bulk Actions on Alerts
It can take some time to modify the status of many alerts individually. Bulk Actions allow you to complete the following actions on multiple alerts at the same time:
- Download
- Change status to Closed
- Change status to Open
- Change status to In progress
To download multiple alerts at once, select the checkboxes next to the alerts, then click Bulk Actions > Download.
To change the status of multiple alerts to Closed, select the checkboxes next to the alerts, then click Bulk Actions > Change status to closed. In the Close alerts dialog box, select the reason for closing these alerts, and optionally provide your comments regarding this action. Click Close alerts to confirm the action. To close as false positive, click Bulk Actions > Close as false positive.
To change the status of multiple alerts to Open, select the checkboxes next to the alerts, then click Bulk Actions > Change status to open.
To change the status of multiple alerts to In progress, select the checkboxes next to the alerts, then click Bulk Actions > Change status to in progress.