View Alerts
Alerts generated before 2022/09/26 do not contain all the metadata mentioned on this page.
When there is a behavioural anomaly, a potential threat or intrusion to your cloud entities, then you should see an alert on the Alerts page.
From the alert list, click on the alert to view more information about the event.
Status
- Open - The alert needs to be investigated.
- In progress - The alert is under active investigation.
- Closed - The alert has been resolved.
You can change an alert status to Closed by clicking on the status dropdown menu, and then select Closed.
For Jira bidirectional integration, you can change an alert status to Closed by changing the associated Jira ticket to the corresponding status based on your status mapping. See Jira alert channel.
Add Exception
Policy exceptions are a mechanism used to maintain the policies, but let you circumvent one or more restrictions.
Click Add exception to create an exception for the policy associated with this alert. For details, see Policies Overviews.
Details
Click Details to see the following sections:
WHY - Describes why the potential threat occurred.
WHEN - Describes when the event was first seen and the event time range.
WHO - Describes the username and hostname associated with the event.
WHAT - Describes the vulnerable cloud activity.
WHERE - Describes the location associated with the event, such as IP address.
Exposure
For details, see Exposure Polygraph.
Investigation
Click Investigation to start investigating the event.
Polygraphs
The polygraph technology dynamically develops a behavioral model of your services and infrastructure. The model understands natural hierarchies including processes, containers, pods, and machines. It then develops behavioral models that polygraph monitors in search of activities that fall outside the model’s parameters.
Lacework provides polygraphs for Application Communication, Pod Communication, and API behavior (for anomaly events).
Use the search feature to narrow the polygraphs to any element that contains your keyword.
Investigation Questions
Lacework uses a set of investigation questions to help uncover unexpected behaviors that can be relevant to the event. Pay attention to the questions that have a Yes answer to keep your investigation in the correct direction.
Process Details
This section displays submitted rule status and logs.
List of Active Containers
This section displays all running containers.
Container Image Information
View the container image information associated with the event, such as the packaged application, dependencies, and what processes it runs when launched.
Events
Click Events to view and verify the observation details of individual events.
Actions for the list include the following:
- Refresh data.
- Download the event list as a CSV.
- Search for specific events.
- Select which columns to display in the list.
Related Alerts
Click Related Alerts to view correlated alerts with similar patterns and thresholds defined in your alert rules and policies.
The alerts list displays up to 10 related alerts at a time. You can perform the following actions on related alerts:
- Refresh data.
- Download the alert list as a CSV.
- Select which columns to display in the list.
Integrations
Click Integrations to view all active and inactive integrations associated with the alert.
For a full list of supported channels, see Supported Alert Channels.
The Inactive integrations card contains all your disabled and deleted alert channels.
Timeline
Click Timeline to view all alert updates, integration updates, user comments, and make updates and comments when needed.
You can perform the following actions on the updates and comments:
- Refresh data.
- Filter by alert updates, user comments, user actions, and integration updates.
- Add comments to an open alert.
When no information is available, the corresponding tab is disabled.
Evolving Alerts
Evolving alerts are the ones that are still receiving new data to update the alert details accordingly. For example, the latest data allows Lacework to upgrade the alert severity from High to Critical or reopen an alert you have closed.
Lacework continues to update the alerts for up to 24 hours. Any new data that happen beyond that period creates a new alert.
You can configure evolving alerts when creating alert rules. See Alert Rules.
Evolving Alerts feature is only available for Threat-Intel alerts.