Lacework combines channels and report rules to provide a flexible method for routing reports. For channels (outgoing integrations), you define the email information that determines where reports are sent. For report rules, you define which reports to send. This two-part method lets you define multiple channels and multiple rules, and then have each rule send its reports to the email channels you specify.
Select reports from a list of predefined reports, summaries, and snapshots. You can also select specific event severities.
For example, you could define three email channels in Lacework. Then you can define multiple report rules: AWS S3, Workload Security, and Daily Snapshot. Then select the appropriate channel for each report.
Create a Report Rule
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Routing > Report Rules.
- Click + Create New.
- Select an email alert channel for the rule to use. The list displays only channels that are configured and enabled. Reports are sent to team members whose email is included in the alert channel. When the default email alert channel is used, only members who have enabled default email notifications receive reports.
- Name the rule and optionally provide a description.
- Select the reports, summaries, or snapshots that you want the rule to apply to.
  - AWS, Azure, GCP Compliance Reports - Compliance reports for the respective cloud platforms.
  - Daily Summary - Daily event summary reports.
  - Weekly Snapshot - A weekly compliance trend report for all monitored resources.
- If you select reports or the daily summary, you can configure them further by clicking the icon under Configuration. You can select specific reports, event severities, and resource groups if they are defined. Not selecting any resource groups means all resource groups are selected.
- Click Save. The new rule appears in the table.
NOTE: If multiple report rules send to the same channel, Lacework aggregates the resource groups and sends one email with multiple attachments.
You can change the default compliance report schedule (1200 GMT) by navigating to Settings > General Settings. The scheduled time is when Lacework starts running a complete compliance assessment, generates reports based on that assessment, and sends those reports to team members.
The time specified in the drop-down is not the time that you will receive the report email, because it takes time to collect the data, generate the report, and send the email. Note that this drop-down affects only reports, not event summaries. Event summaries start generating at 1200 GMT.
Alerts versus Reports
Alerts and reports contain the same information about issues detected by Lacework. Alerts are typically meant to be consumed immediately after they occur so you can take appropriate action. Alerts can be delivered through all channel types. Reports are typically meant to be generated and delivered once per day for a predefined information set, such as SOC 2 or NIST. You can also run reports on demand. Reports can be delivered through email channels only.