Filter Alerts

You can filter alerts to retrieve alert details using specific parameters to help further investigation. The default filters are: Open, Critical, Medium, and High.

Filter Alerts Using Built-In Filters

To filter the Alerts page using the built-in filters:

  1. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
  2. Click Show results to apply the selected filters to the alert list. The selected filter group is highlighted with the number of selected filters.

Built-in Filters

The following table shows all the built-in filters you can use to refine the alert list.

| Filter Group | Filters | Note |
|---|---|---|
| Source | AWS, Azure, Agent, K8s | The term "source" refers to the integration that serves as the origin of the data. For instance, the "Agent" source pertains to alerts that originate from data collected by Lacework agents. |
| Severity | Critical, High, Medium, Low, Info | To adjust the configuration of an alert's severity level, see Alert Rules. |
| Status | Open, In progress, Closed | Open - The alert needs to be investigated. In progress - The alert is under active investigation. Closed - The alert has been resolved. |
| Alert Category | Policy, Anomaly, Composite | Lacework classifies alerts into related categories. For the list of alert categories, see Alert Categories. |
| Alert Subcategory | Compliance, Application, Cloud Activity, File, Machine, User, Platform, Kubernetes Activity, Registry, SystemCall, Host Vulnerability, Container Vulnerability, Threat Intel | For the list of alert subcategories, see Alert Subcategories. |
| Internet Exposure | Yes, No, Unknown | Yes - A possible network exposure of resources. No - No network exposure of resources has been identified. Unknown - Network exposure of resources is unknown. |

Filter Groups with Operators

You can also use any of the following filter groups with an operator to form search criteria related to each other.

  • Account Alias
  • Alert ID
  • Alert Name
  • Alert Type
  • Application
  • AWS Account ID
  • Azure Subscription ID
  • Container
  • File Hash
  • File Path
  • GCP Project ID
  • Hostname
  • IPv4 Address
  • Kubernetes Cluster
  • Machine Tags
  • Pod IP Address
  • Pod Name
  • Pod Namespace
  • Pod Type
  • Port
  • Username
  • VM Type

To use a filter group with an operator to form search criteria, complete the following steps:

  1. On the Alerts page, click a filter group.
  2. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  3. Enter your keyword in the text box.
  4. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.
  • For the list of alert types, see Alert Types.
  • Lacework assigns custom attributes to policies to help identify and organize the alerts generated when a policy violation occurs. For the full list of policy tags, see Policy Tags.

Filter Alerts by Date/Time Range

The top of the page contains Date/time range and parameter filters.

The Date range (calendar) icon provides preset ranges for data that you want to display:

  • Latest hour
  • Latest three days
  • Latest week
  • Latest month

You can click the Date range icon, then click Custom to select the start and end date/time manually.

For example, if you select Latest three days from the Date range drop-down at 3 PM on May 05, 2022, the alert list includes alerts that occurred during the following date/time range: May 02, 2022, 3 PM to May 05, 2022, 3 PM.

The page only loads alerts found during the specified date range.


All timestamps are in local time.

Filter Alerts Using the Search Function

The top of the page contains the search field. You can build a custom search to refine the list of displayed alerts.

To build a custom search:

  1. Click the search icon to display a list of field names.

  2. Choose a value for the selected field if it is one of the following fields:

    • Source
    • Severity
    • Status
    • Internet Exposure
    • Alert Category
    • Alert Subcategory

    For other selected fields, choose an operator from the list of operators, then enter your keyword next to the selected operator.
    Available operators are:

    • matches
    • includes
    • excludes
    • starts with
    • ends with
    • does not match
  3. Press the Enter key to submit. Your filter is highlighted.

To remove a filter, click the filter group, then click Reset.


Searches can only include the most recent 5,000 alerts.

Reset All Filters

Click Reset to reset all filters. The alert list returns a default list containing only Critical, High, and Medium alerts.