Alerts are events that the Lacework Edge platform has detected as anomalous or risky behavior, or that match the criteria you have configured.

Some examples of the types of activities or conditions that can generate alerts include:

  • A user has shared an internal document with a user outside of your organization or with their personal email address.
  • A user is active from a new or unusual location, or at times of the day when they aren't usually working.
  • A user has attempted to access many applications in a short period of time, or transferred significant amounts of data.
  • A user is over-provisioned, meaning that there are applications this user can access but has never or rarely used.

Alerts enable you to act upon anomalous behavior automatically and proactively. They can trigger a notification, present your analysts with contextual detail about the alert, or even drive a decision within a Policy.

Getting Started With Alerts


Using Lacework Edge for alerting begins with integrating the platform with your Identity Provider and Doc Repos, from which Lacework Edge receives metadata on users, groups, access, documents, and related activity logs.

Having your users run the Lacework Edge Client brings in information about devices, device posture, locations and user behavior. Defining Policies to route user traffic through Lacework Edge also affords Lacework Edge access to the logs of those applications and their traffic.

Using Lacework Edge Alert Conditions

From your data sources, Lacework Edge assembles a complete picture of a user, their access habits, and their characteristics. Lacework Edge uses this modeling to suggest when one of a set of Alert Conditions is violated.

To make use of these Alert Conditions, use Alert Rules to choose which ones and which severities should be raised. Based on the rules, you can have alerts sent to users or user groups, or to a Notification Channel.