Filter Alerts

You can filter alerts to retrieve alert details using specific parameters to help further investigation. The default filters are: Open, Critical, Medium, and High.

Filter Alerts Using Built-in Filters

To filter the Alerts page using the built-in filters:

1. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
2. Click Show results to apply the selected filters to the alert list. The selected filter group is highlighted with the number of selected filters.

Built-in Filters

The following table shows all the built-in filters you can use to refine the alert list.

Filter Group	Filters	Note
Source	AWS Azure GCP OCI Agent K8s	The term "source" refers to the integration that serves as the origin of the data. For instance, the "Agent" source pertains to alerts that originate from data collected by Lacework agents.
Severity	Critical High Medium Low Info	To adjust the configuration of an alert's severity level, see Alert Rules.
Status	Open In progress Closed	Open - The alert needs to be investigated. In progress - The alert is under active investigation. Closed - The alert has been resolved.
Alert Category	Policy Anomaly Composite	Lacework classifies alerts into related categories. For the list of alert categories, see Alert Categories.
Alert Subcategory	Compliance Application Cloud Activity File Machine User Platform Kubernetes Activity Registry SystemCall Host Vulnerability Container Vulnerability Threat Intel	For the list of alert subcategories, see Alert Subcategories.
Internet Exposure	Yes No Unknown	Yes - A possible network exposure of resources. No - No network exposure of resources has been identified. Unknown - Network exposure of resources is unknown.
MITRE ATT&CK Additional info MITRE ATT&CK is an internationally accessible repository of adversary tactics and techniques derived from real-world observations.	Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Impact Resource Development Reconnaissance	Any alert that is detected to have utilized one or more MITRE ATT&CK techniques will be tagged accordingly. Each MITRE ATT&CK tag provides information about the specific technique employed in the compromise. For more information about common MITRE ATT&CK tactics, see MITRE ATT&CK Tactics.

Filter Alerts Using Operators

To use filters with operators to form search criteria, complete the following steps:

1. On the Alerts page, click a filter.
2. Select an operator (these vary depending on the filter), for example:
   • does not match
   • ends with
   • excludes
   • includes
   • starts with
   • matches
3. Enter your keyword to the textbox.
   Operators do not support multiple keywords. For example, they do not allow you to define includes valueA and valueB. You can separate values with a space to find one string that includes a space. For example, defining includes with some value searches for some value as one string; it does not search for two strings some and value.
4. Click Show results to apply the filter to the alert list. The selected filter is highlighted.

note

• For the list of alert types, see Alert Types.
• Lacework assigns custom attributes to policies to help identify and organize the alerts generated when a policy violation occurs. For the full list of policy tags, see Policy Tags.

Filter Alerts by Date/Time Range

The top of the page contains Date/time range and parameter filters.

The Date range (calendar) icon provides preset ranges for data that you want to display:

• Latest hour
• Latest day
• Latest three days
• Latest week
• Latest month

You can click the Date range icon, then click Custom to select the start and end date/time manually.

For example, if you select Latest three days from the Date range drop-down at 3 PM on May 05 2022, the alert list includes alerts that happen during the following date/time range: May 02, 2022, 3 PM to May 05, 2022, 3 PM.

The page only loads alerts found during the specified date range.

note

All timestamps are in local time.

Filter Alerts Using the Search Function

The top of the page contains the search field. You can build a custom search to refine the list of displayed alerts.

To build a custom search:

1. Click the search icon to display a list of field names.
2. For the selected field, either choose a value or choose an operator and then enter your keyword.
3. Press the Enter key to submit. Your filter is highlighted.

To remove a filter, click the filter group, then click Reset.

note

Searches can only include the most recent 5,000 alerts.

Reset All Filters

Click Reset to reset all filters. The alert list returns a default list containing only Critical, High, and Medium alerts.