Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira or Slack. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts. This two-part method provides the flexibility to define multiple channels and multiple rules and then have each rule sent to the channels you specify.
To create an alert rule, complete the following steps:
Log in to the Lacework Console as a Lacework user with administrative privileges.
Go to Settings > Notifications > Alert rules.
Click + Add New.
Name the rule and optionally provide a description.
Select an alert channel for the rule to use. The list displays only enabled configured channels. Note that each alert rule can only have one bidirectional alert channel.
Add additional channels if appropriate.
Select the severities that you want the rule to apply to.
Select the alert categories that will use this rule for alert routing. See Alert Categories for the list of categories.
Select the alert subcategories that will use this rule for alert routing. See Alert Subcategories for the list of subcategories.note
If you do not select any categories or subcategories, the rule applies to all alert categories and subcategories.
Select the resource groups that you want the rule to apply to.
The All AWS Accounts, All Tenants and Subscriptions, and All Organizations and Projects resource groups only apply to alerts related to the logging/config from the respective cloud provider (Config and CloudTrail events from AWS). The default cloud provider resource groups do not cover agent events from agents within the cloud providers. If you do not select any groups, the rule applies to all resource groups.
Select the alert sources that will use this rule for alert routing, such as AWS, Azure, GCP, Agent, K8s.
Click Save. The new rule appears in the table.
Alert rules defined within an account can be used by that account only. They cannot be used by the organization. Alert rules defined at the organization level can be used at the organization level only. They cannot be used by accounts.