Platform alerts notify you of audit log integration failures from your AWS, GCP, or Azure cloud account to Lacework whenever they occur, so that you can immediately troubleshoot the issue. This feature provides additional security visibility.
You can control the frequency and volume of alerts on the Policies page.
To view existing platform alerts and configure new platform alerts:
- Log in to the Lacework Console.
- Click Policies.
- Select the Platform tab to view platform-related policies.
- Click Default Policies to display a default policy (disabled by default) that you can clone and customize.
- Click a policy name to customize it.
Customize a Policy
Use the following steps to customize a policy.
- Click a policy name to display the customization page.
- Under Queries, select an Integration Name from the drop-down to filter the list. For example, you might have multiple cloud provider accounts integrated with many teams. You can select a specific production integration name and customize it.
  The drop-down lists the cloud activity integrations obtained from Account Settings (only active integration names).
  To select all integrations, choose * (the default value).
- In Failure Threshold, specify (type or select from the drop-down) how many hours you want to wait until you see an alert.
  The default setting is Failure Threshold GREATER THAN OR EQUAL TO 3.
- At the bottom of the dialog, under Description, select the frequency at which you want to be notified if the issue is not resolved. Select 1h for an hourly basis and 1d for a daily basis. You can also select the severity of the alerts.
  Frequency: 1h - Hourly basis or 1d - Daily basis
After you configure a policy, an integration failure that meets the filter criteria you specified generates an event on the Events page.
Click Details to view more information about the event.
WHY - Describes why the integration failure occurred.
WHAT - Describes the cloud activity integration failure. Click MORE DETAIL to view details such as integration name, integration type, account ID, cloud account, and error type.
WHEN - Displays the date and time when the error first occurred.