Lacework combines channels and report rules to provide a flexible method for routing reports. For channels (outgoing integrations), you define email information about where to send reports. For report rules, you define information about which reports to send. This two-part method provides the flexibility to define multiple channels and multiple rules and then have each rule sent to the email channels you specify.
Select reports from a list of predefined reports, summaries, and snapshots. You can also select specific event severities.
For example, you could define three email channels in Lacework. Then you can define multiple report rules: AWS S3, Workload Security, and Daily Snapshot. Then select the appropriate channel for each report.
Workflow Changes for Sending Reports
This version of the Lacework Console provides a more flexible method for setting up which reports to send and who receives them. This section summarizes the differences between the current and previous workflows.
Previously, you would navigate to Settings > Integrations and edit the Email outgoing integration to determine which reports to send, when to send them, and event severity. Any members that enabled email notifications would receive reports.
Previously, the Lacework Console used the term outgoing integrations and grouped them with incoming integrations under the Integrations menu. Now, outgoing integrations are named alert channels and are under the Alert Routing menu with alert rules and report rules. When the default email alert channel is used, only members with enabled default email notifications receive reports.
Currently, you use separate steps when setting up sending reports. You can define an email alert channel, which includes the email list only. Then you define a report rule separately, where you can select the channel to use, reports to send, and event severities.
|Feature or Functionality||Current||Previous|
|Name in the Lacework Console||Report rule||Outgoing integration|
|Location in the Lacework Console||Settings > Alert Routing||Settings > Integrations|
|Separately define which reports to send and the recipients?||Yes||No|
|Granularity of severity selection||Any||x and above only|
|Number of email channels supported||Multiple||One|
Create a Report Rule
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Report Rules.
- Click + Create New.
- Select an email alert channel for the rule to use. The list displays only enabled configured channels. Reports are sent to team members whose email is included in the alert channel. When the default email alert channel is used, only members that enabled default email notifications receive reports.
- Name the rule and optionally provide a description.
- Select the reports, summaries, or snapshots that you want the rule to apply to.
- If you select reports or the daily summary, you can configure them further by clicking the icon under Configuration. You can select specific reports, event severities, and resource groups if they are defined. Not selecting any resource groups means all resource groups are selected.
- Click Save. The new rule appears in the table.
NOTE: If multiple report rules send to the same channel, Lacework aggregates the resource groups and sends one email with multiple attachments.
You can change the default compliance report schedule (1200 GMT) by navigating to Settings > General Settings. This is when Lacework starts running a complete compliance assessment, generates reports based on that assessment, and sends those reports to team members.
The time specified in the drop-down is not the time that you will receive the report email because it takes time to collect the data, generate the report, and send the email. Note that this drop-down does not affect when event summaries are generated, only reports. Event summaries start generating at 1200 GMT.
Alerts versus Reports
Alerts and reports contain the same information about issues detected by Lacework. Alerts are typically meant to be consumed immediately after they occur so you can take appropriate action. Alerts can be delivered through all channel types. Reports are typically meant to be generated and delivered once per day for a predefined information set, such as SOC 2 or NIST. You can run reports on-demand as well. Reports can be delivered through email channels only.