Lacework provides alerts that are interactive and manageable. Each alert carries metadata such as severity level, type, status, alert category, and associated tags.
Lacework is currently expanding its coverage of cloud service provider (CSP) services. As these services are assessed for the first time, you may notice the following alerts on your Lacework Console:
These alerts will originate from Lacework Service IP Addresses and can be safely disregarded. If you have any questions regarding the alerts, contact Lacework Support for further assistance.
By default, the Alerts page displays all alerts. You can use the following methods to refine the list of displayed alerts:
- Use filters to display a subset of specific alerts. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
- Use the search function to display a subset of specific alerts. Click the search icon to see a list of field names that you can use to build your search.
- Use the time filter to display a subset of specific alerts based on when they occurred.
When the page displays your desired alerts, click Save or Create view in the top right corner. This allows you to access the saved view later. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others so they can see the same view. For more details about saved views, refer to Views Management.
The statistics and charts depict data for the current view: total alerts by severity, total alerts over time, and the number of filters applied.
The alerts list displays up to 10 alerts on each page. You can perform the following actions on the alerts list:
- Bulk select all alerts.
- Refresh data.
- Download the alert list as a CSV. Each CSV file contains only the first 100 alerts.
- Sort alerts by Alert created by Lacework, Alert ID, First activity, Last activity, and Severity.
Use alert timestamps to track when the activity occurred or when the alert was last updated. All timestamps are displayed in your local timezone using a 12-hour format.

| Timestamp | Description |
| --- | --- |
| Event activity | The time range between the first-seen and last-seen activity. |
| Event activity window | The time range during which the activity was detected. |
| Alert modified | The last time a user manually updated the alert status, comment, or primary integration selection. |
Perform Bulk Actions on Alerts
It can take some time to modify the status of many alerts individually. Bulk Actions allow you to complete the following actions on multiple alerts at the same time:
- Change status to Closed
- Change status to Open
- Change status to In progress
To download multiple alerts at once, select the checkboxes next to the alerts, then click Bulk Actions > Download.
To change the status of multiple alerts to Closed, select the checkboxes next to the alerts, then click Bulk Actions > Change status to closed. In the Close alerts dialog box, select the reason for closing these alerts, and optionally provide your comments regarding this action. Click Close alerts to confirm the action. To quickly close as false positive, click Bulk Actions > Close as false positive.
To change the status of multiple alerts to Open, select the checkboxes next to the alerts, then click Bulk Actions > Change status to open.
To change the status of multiple alerts to In progress, select the checkboxes next to the alerts, then click Bulk Actions > Change status to in progress.
Alert Name Updates
We have updated certain alert names to enhance communication, understanding, and the actionability of alerts within your system. The table below provides a list of all the updated alert names:
| Old alert name | New alert name |
| --- | --- |
| New external server IP address | |
| New external host | |
| New external server IP address connection from vulnerable application | Outbound connection from vulnerable application to an IP address |
| New external host server connection from vulnerable application | Outbound connection from vulnerable application to a domain |
| New external host server connection | New outbound connection from application |
| Login from source using Calltype | |
| Login from known bad source using Calltype | |
| Service accessed in region | New AWS service accessed in region |
| User used service in region | New AWS API invoked |
| New AWS account | New cross-account access made from external AWS account |
| Service called GCP API | New API invoked for Google Cloud service |
| GCP service accessed in region | New Google Cloud service accessed in region |