Filter Alerts
You can filter alerts by specific parameters to narrow the list to the alerts that matter for an investigation. The default filters are Open (status) and Critical, High, and Medium (severity).
Filter Alerts Using Built-in Filters
To filter the Alerts page using the built-in filters:
- Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
- Click Show results to apply the selected filters to the alert list. The selected filter group is highlighted with the number of selected filters.
Built-in Filters
The following table shows all the built-in filters you can use to refine the alert list.
Filter Group | Filters | Note |
---|---|---|
Source | | The term "source" refers to the integration that is the origin of the data. For example, the Agent source covers alerts that originate from data collected by Lacework agents. |
Severity | | To change how severity levels are assigned to alerts, see Alert Rules. |
Status | | |
Alert Category | | Lacework classifies alerts into related categories. For the list of alert categories, see Alert Categories. |
Alert Subcategory | | For the list of alert subcategories, see Alert Subcategories. |
Internet Exposure | | |
MITRE ATT&CK | | MITRE ATT&CK is a publicly accessible knowledge base of adversary tactics and techniques based on real-world observations. |
Filter Alerts Using Operators
To build search criteria from a filter and an operator:
- On the Alerts page, click a filter.
- Select an operator (the available operators vary by filter), for example:
  - does not match
  - ends with
  - excludes
  - includes
  - starts with
  - matches
- Enter your keyword in the textbox.
Operators take a single keyword. For example, you cannot define `includes` with `valueA` and `valueB`. A space inside the keyword is part of the string: defining `includes` with `some value` searches for `some value` as one string; it does not search for the two strings `some` and `value`.
- Click Show results to apply the filter to the alert list. The selected filter is highlighted.
For the list of alert types, see Alert Types.
Lacework assigns custom attributes to policies to help identify and organize the alerts generated when a policy violation occurs. For the full list of policy tags, see Policy Tags.
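The following Python is an added illustration of the operator rules above (one keyword per operator, a space being part of the keyword, and the default Open/Critical/High/Medium view after Reset); it is not Lacework code and does not call the Lacework API. The alert records, the field names, case-insensitive comparison, the exact-equality meaning of `matches`, and the OR-within-group / AND-across-groups combination rule are assumptions made for the example.

```python
"""Filter-operator semantics for an alert list.

Added illustration of the operator rules in the section above; not Lacework
code and not the Lacework API. Alert records, field names, case-insensitive
comparison and the exact-equality meaning of "matches" are assumptions.
"""
from typing import Callable, Dict, Iterable, List

Alert = Dict[str, str]

# Constructed sample alerts (not real Lacework data).
ALERTS: List[Alert] = [
    {"id": "1", "severity": "Critical", "status": "Open",   "name": "some value found",   "source": "Agent"},
    {"id": "2", "severity": "High",     "status": "Open",   "name": "value only",         "source": "AWS"},
    {"id": "3", "severity": "Medium",   "status": "Closed", "name": "some other thing",   "source": "Agent"},
    {"id": "4", "severity": "Low",      "status": "Open",   "name": "some value found",   "source": "GCP"},
    {"id": "5", "severity": "Info",     "status": "Open",   "name": "valueA valueB",      "source": "Agent"},
    {"id": "6", "severity": "High",     "status": "Open",   "name": "valueB then valueA", "source": "Agent"},
]

# Each operator compares one field value against ONE keyword string. A space in
# the keyword is part of that string, so "some value" is one keyword, not two.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "includes":       lambda v, k: k in v,
    "excludes":       lambda v, k: k not in v,
    "starts with":    lambda v, k: v.startswith(k),
    "ends with":      lambda v, k: v.endswith(k),
    "matches":        lambda v, k: v == k,   # assumed: exact (not regex) match
    "does not match": lambda v, k: v != k,
}


def filter_by_operator(alerts: Iterable[Alert], field: str, operator: str, keyword: str) -> List[Alert]:
    """Keep alerts whose `field` satisfies `<operator> <keyword>`.

    Unknown operators and empty keywords raise instead of silently matching
    nothing (or everything), which is the failure mode to avoid in scripts.
    """
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator: {operator!r}")
    if keyword == "":
        raise ValueError("keyword must not be empty")
    test = OPERATORS[operator]
    kw = keyword.casefold()
    return [a for a in alerts if test(a.get(field, "").casefold(), kw)]


def filter_by_group(alerts: Iterable[Alert], field: str, values: Iterable[str]) -> List[Alert]:
    """Built-in filter group: an alert passes if `field` equals ANY selected value.

    Values inside one group are ORed; separate groups are ANDed by chaining calls
    (assumed combination rule).
    """
    allowed = {v.casefold() for v in values}
    return [a for a in alerts if a.get(field, "").casefold() in allowed]


def default_view(alerts: Iterable[Alert]) -> List[Alert]:
    """The view after Reset: Open alerts of severity Critical, High or Medium."""
    open_alerts = filter_by_group(alerts, "status", ["Open"])
    return filter_by_group(open_alerts, "severity", ["Critical", "High", "Medium"])


def ids(alerts: Iterable[Alert]) -> List[str]:
    """Alert ids in list order, for compact display and assertions."""
    return [a["id"] for a in alerts]


if __name__ == "__main__":
    # A keyword containing a space is matched as a single string ...
    print("includes 'some value':", ids(filter_by_operator(ALERTS, "name", "includes", "some value")))
    # ... so to require two keywords, stack two filters instead of joining them.
    both = filter_by_operator(filter_by_operator(ALERTS, "name", "includes", "valueA"),
                              "name", "includes", "valueB")
    print("includes valueA AND includes valueB:", ids(both))
    print("default view:", ids(default_view(ALERTS)))
```

Run it directly to see the three results; the important contrast is that `includes` with `valueA valueB` selects only alert 5, whereas chaining two `includes` filters selects alerts 5 and 6, which is the only way in this model to require both keywords.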
Filter Alerts by Date/Time Range
The top of the page contains Date/time range and parameter filters.
The Date range (calendar) icon provides preset ranges for data that you want to display:
- Latest hour
- Latest day
- Latest three days
- Latest week
- Latest month
You can click the Date range icon, then click Custom to select the start and end date/time manually.
For example, if you select Latest three days from the Date range drop-down at 3 PM on May 05, 2022, the alert list includes alerts that occurred during the range May 02, 2022, 3 PM to May 05, 2022, 3 PM.
The page only loads alerts found during the specified date range.
All timestamps are in local time.
Filter Alerts Using the Search Function
The top of the page contains the search field. You can build a custom search to refine the list of displayed alerts.
To build a custom search:
- Click the search icon to display a list of field names.
- For the selected field, either choose a value or choose an operator and then enter your keyword.
- Press the Enter key to submit. Your filter is highlighted.
To remove a filter, click the filter group, then click Reset.
A search covers only the most recent 5,000 alerts. If the selected date/time range contains more alerts than that, older alerts are not searched; narrow the range or add filters so the alerts you need fall within that window.
Reset All Filters
Click Reset to clear all filters. The alert list returns to the default view, which contains only Critical, High, and Medium alerts.