Skip to main content

Alert Severity

Alert severity levels are a measurement of the impact an alert has on the business. Lacework's severity scoring algorithm applies a variable alert severity based on several factors, including:

  • Number of involved entities.
  • User attributes.
  • Frequency of activity.

This means that alerts of the same name may have different severities if their event scores are different. For example, if a user associated with an alert has MFA enabled, Lacework reduces the alert severity due to the reduced probability that the activity is malicious (AWS and Google Cloud).

For threats identified through threat intelligence, alert severity is dynamically calculated. This approach assesses multiple threat intelligence providers that flag the Indicators of Compromise (IOCs) as malicious, facilitating a more precise threat assessment and prioritization. This method not only enhances accuracy but also reduces false positives, providing a more reliable alert system for our customers.

The severity of anomaly alerts could be affected by crowdsourced risk analysis.


While the severity of an alert may not match the severity of the originating default policy due to the severity scoring algorithm described, Lacework never reduces alert severity for custom policies. Therefore, to prevent severity reduction for a particular policy, you can make a copy of the default policy. As a custom policy, the copy will not be subject to the scoring algorithm and therefor severity reduction. For information on creating and managing policies, see Policies.

The following table describes all severity levels.

CriticalAlerts that need immediate attention. This might indicate that the system has failed or stopped responding.Access level is not set to Private.
HighAlerts that indicate a problem, but do not require immediate attention.Storage logging is not enabled for Queue service read, write, and delete requests.
MediumAlerts that provide forewarning of potential problems, although not an actual error. These events might lead to displaying errors or critical events.Guest account with owner permissions should be removed from subscription.
LowAlerts with minor impact.S3 bucket does not have auditing enabled.
InfoAlerts that provide informational messages that might be helpful to you.No support role has been created to manage incidents with AWS Support.
Recommended Reading

To learn more about the alert severity for known threats via threat intel, see Advantages of Threat Intel Alerts.