Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels (outgoing integrations), you define information about where to send alerts, such as to Jira or Slack. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts. This two-part method provides the flexibility to define multiple channels and multiple rules and then have each rule use the channels you specify.
For example, you could define three channels in Lacework: email, Jira, and Slack. Then you could define multiple rules: critical severity alerts, high severity network and compliance alerts, high and medium alerts, and low and info alerts. Finally, select the appropriate channel(s) for each rule.
Workflow Changes for Sending Alerts
This version of the Lacework Console provides a more flexible method for setting up how to send alerts, which alerts to send, and who receives them. This section summarizes the differences between the current and previous workflows.
Previously, you would navigate to Settings > Integrations and select an outgoing integration, such as Slack. You would then complete the integration-specific settings and also define which alert severities to send through that integration.
Previously, the Lacework Console used the term outgoing integrations and grouped them with incoming integrations under the Integrations menu. Now, outgoing integrations are named alert channels and are under the Alert Routing menu with alert rules and report rules.
Currently, you use two separate steps to set up alert delivery. First you define an alert channel, which includes channel-specific settings only. Then you define an alert rule separately, where you select the alert channel(s) to use and the alert severities to send. The alert rule also lets you choose which resource groups and event categories to send alerts from.
| Feature or Functionality | Current | Previous |
|---|---|---|
| Name in the Lacework Console | Alert channel | Outgoing integration |
| Location in the Lacework Console | Settings > Alert Routing | Settings > Integrations |
| Separately define which alerts and how to send? | Yes | No |
| Granularity of severity selection | Any | x and above only |
| Send alerts from specific resource groups? | Yes | No |
| Send alerts from specific event categories? | Yes | No |
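The two-part model above (channels defined once, rules that pick channels, severities, and event categories), expressed as an added Terraform example rather than anything from the Lacework documentation; it assumes the resource and attribute names follow the Lacework Terraform provider's documented schema, and the webhook URL, addresses, and resource names are placeholders.

```hcl
# Added example, not part of the Lacework page. Assumes the Lacework Terraform
# provider's documented resource/attribute names; URL, addresses and names below
# are placeholders.

# Channel 1: Slack webhook (channel-specific settings only, no severities here).
resource "lacework_alert_channel_slack" "soc" {
  name      = "soc-slack"
  slack_url = "https://hooks.slack.com/services/PLACEHOLDER/PLACEHOLDER" # placeholder
}

# Channel 2: email to the on-call alias.
resource "lacework_alert_channel_email" "oncall" {
  name       = "oncall-email"
  recipients = ["oncall@example.com"] # placeholder
}

# Rule 1: critical alerts from all categories go to both channels.
resource "lacework_alert_rule" "critical" {
  name           = "critical-all-categories"
  description    = "Critical alerts to Slack and on-call email"
  severities     = ["Critical"]
  alert_channels = [
    lacework_alert_channel_slack.soc.id,
    lacework_alert_channel_email.oncall.id,
  ]
}

# Rule 2: high severity compliance alerts only (an exact severity, not
# "x and above"), reusing the same Slack channel.
resource "lacework_alert_rule" "high_compliance" {
  name             = "high-compliance"
  description      = "High severity compliance alerts to Slack"
  severities       = ["High"]
  event_categories = ["Compliance"]
  alert_channels   = [lacework_alert_channel_slack.soc.id]
}
```

When retiring a channel, keep at least one enabled channel in every rule's alert_channels list, since a rule whose only channel is disabled delivers nothing.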
Create an Alert Channel
- Log in to the Lacework Console as a Lacework user with administrative privileges.
- Navigate to Settings > Alert Channels.
- Click + Create New.
- Select a Channel Type and name the channel.
- Complete the fields to configure the channel.
  See each channel's separate help page for detailed field information.
- Click Save.
  The new channel appears in the table.
If you disable or delete a channel, ensure that any rules using the channel are associated with an enabled channel so that Lacework can still deliver the rule's alerts or reports. If a rule's only channel is disabled, its alerts or reports cannot be delivered.
Alert channels defined within an account can be used by that account only. They cannot be used by the organization. Alert channels defined at the organization level can be used at the organization level only. They cannot be used by accounts.
NOTE: The ability to enroll in an organization is currently in an invitation-only, limited beta.