Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira or Slack. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts. This two-part method provides the flexibility to define multiple channels and multiple rules and then have each rule sent to the channels you specify.
You can define alert rules based on a combination of severity, resource group, and event category.
For example, you could define three channels in Lacework: email, Jira, and Slack. You could then define several rules: critical severity alerts; high severity network and compliance alerts; medium severity alerts; and low and info severity alerts. Finally, select the appropriate channel(s) for each rule.
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Rules.
- Click + Create New.
- Select an alert channel for the rule to use. The list displays only channels that are configured and enabled. Add additional channels if appropriate.
- Name the rule and optionally provide a description.
- Select the severities that you want the rule to apply to.
- Select the resource groups that you want the rule to apply to. The All AWS Accounts, All Tenants and Subscriptions, and All Organizations and Projects resource groups apply only to alerts derived from the respective cloud provider's logging and configuration data (for AWS, Config and CloudTrail events); these default cloud provider resource groups do not cover events from agents running inside those providers. If you do not select any groups, the rule applies to all resource groups.
- Select the event categories that you want the rule to apply to. If you do not select any categories, the rule applies to all event categories.
The new rule appears in the table.
For example, suppose you select the critical and high severities, the Dev resource group, and the compliance category. Critical and high severity compliance events in the Dev resource group then match this alert rule and are sent through the alert channel(s) that you specify.
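To make the routing model concrete, the following added example (not Lacework's own code or API; the class and function names, the channel and rule names, and the sample alerts are all constructed for illustration) models channels and rules as separate objects, applies the matching behaviour described above (an empty resource group or category selection matches everything), and fans each alert out to the union of channels from every rule it matches. It also includes a small coverage check that reports which severities have no rule routing them to an enabled channel, which is the gap a defender most often wants to catch before relying on a rule set.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple, List, Dict

# Constructed sample data; all names are illustrative and not Lacework identifiers.


@dataclass(frozen=True)
class Alert:
    severity: str        # "critical", "high", "medium", "low", or "info"
    resource_group: str  # e.g. "Dev"
    category: str        # e.g. "compliance", "network"


@dataclass(frozen=True)
class AlertRule:
    name: str
    channels: Tuple[str, ...]                  # channels this rule forwards to
    severities: FrozenSet[str]                 # at least one severity is selected
    resource_groups: FrozenSet[str] = frozenset()  # empty means "all resource groups"
    categories: FrozenSet[str] = frozenset()       # empty means "all event categories"

    def matches(self, alert: Alert) -> bool:
        """Severity must be selected; group and category match when unset or selected."""
        if alert.severity not in self.severities:
            return False
        if self.resource_groups and alert.resource_group not in self.resource_groups:
            return False
        if self.categories and alert.category not in self.categories:
            return False
        return True


# Three channels, as in the text's example; "enabled" mirrors the console only
# offering enabled, configured channels when a rule is created (assumption).
ENABLED_CHANNELS: FrozenSet[str] = frozenset({"email", "jira", "slack"})

RULES: Tuple[AlertRule, ...] = (
    AlertRule("critical-all", ("jira", "slack"), frozenset({"critical"})),
    AlertRule("high-network-compliance", ("slack",), frozenset({"high"}),
              categories=frozenset({"network", "compliance"})),
    AlertRule("medium-all", ("email",), frozenset({"medium"})),
    AlertRule("low-info-all", ("email",), frozenset({"low", "info"})),
    # The worked example from the text: critical/high compliance in Dev.
    AlertRule("dev-compliance", ("email",), frozenset({"critical", "high"}),
              resource_groups=frozenset({"Dev"}), categories=frozenset({"compliance"})),
)


def route(alert: Alert, rules: Tuple[AlertRule, ...] = RULES,
          enabled: FrozenSet[str] = ENABLED_CHANNELS) -> List[str]:
    """Return the sorted list of enabled channels that receive this alert.

    An alert can match several rules; it is delivered once per distinct channel.
    """
    targets = set()
    for rule in rules:
        if rule.matches(alert):
            targets.update(c for c in rule.channels if c in enabled)
    return sorted(targets)


def unrouted_severities(rules: Tuple[AlertRule, ...] = RULES,
                        enabled: FrozenSet[str] = ENABLED_CHANNELS) -> List[str]:
    """Severities that no rule forwards to any enabled channel for at least some alert.

    A severity is considered covered only if some rule selects it with no resource group
    or category restriction and has at least one enabled channel; a restricted rule
    leaves alerts outside its groups/categories unrouted.
    """
    all_severities = ("critical", "high", "medium", "low", "info")
    covered = set()
    for rule in rules:
        if rule.resource_groups or rule.categories:
            continue
        if not any(c in enabled for c in rule.channels):
            continue
        covered.update(rule.severities)
    return [s for s in all_severities if s not in covered]


if __name__ == "__main__":
    print(route(Alert("critical", "Dev", "compliance")))   # ['email', 'jira', 'slack']
    print(route(Alert("high", "Prod", "config")))           # []  (no rule covers it)
    print(unrouted_severities())                             # ['high']
```

In the sample rule set, a high severity alert that is neither network nor compliance (a config alert in Prod, say) matches no rule and is silently dropped; `unrouted_severities` surfaces that by flagging "high", because the only rules selecting it carry category or resource group restrictions.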
Alert rules are scoped to where they are defined. Alert rules defined within an account can be used by that account only, not by the organization. Alert rules defined at the organization level can be used at the organization level only, not by individual accounts.
Alerts versus Reports
Alerts and reports contain the same information about issues detected by Lacework. Alerts are typically meant to be consumed immediately after they occur so you can take appropriate action. Alerts can be delivered through all channel types. Reports are typically meant to be generated and delivered once per day for a predefined information set, such as SOC 2 or NIST. You can run reports on-demand as well. Reports can be delivered through email channels only.