You can filter alerts by specific parameters to retrieve the alert details you need for further investigation. The default filters are: Open, Critical, Medium, and High.
Filter Alerts Using Built-In Filters
To filter the Alerts page using the built-in filters:
- Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
- Click Show results to apply the selected filters to the alert list. The selected filter group is highlighted with the number of selected filters.
The following table shows all the built-in filters you can use to refine the alert list.
| Filter Group | Filters | Description |
|---|---|---|
| Source | AWS | The term "source" refers to the integration that serves as the origin of the data. For instance, the "Agent" source pertains to alerts that originate from data collected by Lacework agents. |
| Severity | Critical | To adjust the configuration of an alert's severity level, see Alert Rules. |
| Status | Open, In progress | Open: the alert needs to be investigated. In progress: the alert is under active investigation. Closed: the alert has been resolved. |
| Alert Category | Policy | Lacework classifies alerts into related categories. For the list of alert categories, see Alert Categories. |
| Alert Subcategory | Compliance, Cloud Activity, Kubernetes Activity, Host Vulnerability, Container Vulnerability, Threat Intel | For the list of alert subcategories, see Alert Subcategories. |
| Internet Exposure | Yes | Yes: a possible network exposure of resources. No: no network exposure of resources has been identified. Unknown: network exposure of resources is unknown. |
Filter Groups with Operators
You can also use any of the following filter groups with an operator to form search criteria related to each other.
- Account Alias
- Alert ID
- Alert Name
- Alert Type
- AWS Account ID
- Azure Subscription ID
- File Hash
- File Path
- GCP Project ID
- IPv4 Address
- Kubernetes Cluster
- Machine Tags
- Pod IP Address
- Pod Name
- Pod Namespace
- Pod Type
- VM Type
To use a filter group with an operator to form search criteria, complete the following steps:
- On the Alerts page, click a filter group.
- From the list of operators, select one of the following:
  - does not match
  - ends with
  - starts with
- Enter your keyword in the textbox.
- Click Show results to apply the filter to the alert list. The selected filter group is highlighted.
- For the list of alert types, see Alert Types.
- Lacework assigns custom attributes to policies to help identify and organize the alerts generated when a policy violation occurs. For the full list of policy tags, see Policy Tags.
Filter Alerts by Date/Time Range
The top of the page contains Date/time range and parameter filters.
The Date range (calendar) icon provides preset ranges for data that you want to display:
- Latest hour
- Latest three days
- Latest week
- Latest month
You can click the Date range icon, then click Custom to select the start and end date/time manually.
For example, if you select Latest three days from the Date range drop-down at 3 PM on May 05 2022, the alert list includes alerts that occurred during the following date/time range: May 02, 2022, 3 PM to May 05, 2022, 3 PM.
The page only loads alerts found during the specified date range.
All timestamps are in local time.
Filter Alerts Using the Search Function
The top of the page contains the search field. You can build a custom search to refine the list of displayed alerts.
To build a custom search:
- Click the search icon to display a list of field names.
- Choose a value for the selected field if it is one of the following fields:
  - Internet Exposure
  - Alert Category
  - Alert Subcategory
- For other selected fields, choose an operator from the list of operators, then enter your keyword in the textbox next to the selected operator. Available operators are:
  - starts with
  - ends with
  - does not match
- Press the Enter key to submit. Your filter is highlighted.
To remove a filter, click the filter group, then click Reset.
Searches can only include the most recent 5,000 alerts.
Reset All Filters
Click Reset to reset all filters. The alert list returns a default list containing only Critical, High, and Medium alerts.