
Alert Rules

Alert Rules define the appropriate destinations for alerts, be they individual users, groups or 3rd party tools like Slack and Microsoft Teams. Alert Rules are used to route both Lacework Edge-generated alerts (based on Alert Conditions) and custom alerts (based on Cards).

Alert Rules UI

Found under Alerts > Alert Rules, the Alert Rules UI lists all of the alert rules for your account. You can view and edit an individual rule by clicking on its name, or you can delete it by clicking on the three dots on the far right of its row.

(Screenshot: Alert Rules list)

Create an Alert Rule

To create a new Alert Rule, click Create Rule in the menu bar. You will be presented with the following options:

Common Options

  • Name
  • Description
  • Notifications - determine who or what will receive alerts from this Rule.
    • Users / Groups - Alerts are sent to the user (or to every user in a group) at the email address on file with Lacework Edge.
    • Notification Channels - Specific places to send alerts other than individual users and groups, e.g. Slack and Microsoft Teams channels.

Using Lacework Edge Alert Conditions

To route alerts generated by Lacework Edge Alert Conditions, choose the Create tab (below Name and Description). You will be presented with the following options:

  • Conditions
    • If left blank, this Alert Rule applies to all Alert Conditions.
    • Selecting conditions here (multiple conditions are allowed) restricts this rule to alerts raised by those conditions.
  • Users / Groups
    • If left blank, this rule matches alerts triggered by any user or group.
    • Selecting specific users or groups here restricts this rule to alerts triggered by those users or groups.
  • Applications
    • If left blank, this rule matches alerts involving any application.
    • Selecting specific applications here restricts this rule to alerts involving those applications.

Using Custom Alerts

Lacework Edge Cards have several uses, but a key characteristic of a Card is that it contains criteria for filtering events. Given this feature, you can use a Card in an Alert Rule to generate custom alerts: an Alert is triggered every time an event matches the criteria in the Card.

To create a custom alert, choose the Card tab in the Alert Definition section of the Alert Rule. You will be presented with the following options:

  • Card - Choose any existing Card. If none fits your needs, create a new Card first.
  • Severity - Choose the severity level this alert should have.
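The following is an added example, not Lacework Edge code, that models how the two kinds of Alert Rule described above route alerts: a Conditions-tab rule whose blank selectors match everything and whose Conditions, Users / Groups and Applications selectors each narrow the match, and a Card-tab rule that raises an alert with a chosen severity for every event matching the Card's criteria. The page does not state how the three selectors combine; this model assumes AND across selectors and OR within one, and all rule names, destinations, applications and sample events are constructed for illustration.

```python
"""Hypothetical model of Alert Rule routing (not Lacework Edge code).

Assumptions: a blank selector matches everything; inside one selector any
listed value matches (OR); all three selectors of a rule must match (AND).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """An alert raised by a Lacework Edge Alert Condition."""
    condition: str      # Alert Condition that fired
    user: str           # user who triggered it
    groups: frozenset   # groups that user belongs to
    app: str            # application involved


@dataclass
class ConditionRule:
    """Alert Rule built on the Conditions tab."""
    name: str
    destinations: frozenset                 # users, groups or notification channels
    conditions: frozenset = frozenset()     # blank = every Alert Condition
    users_groups: frozenset = frozenset()   # blank = any user or group
    apps: frozenset = frozenset()           # blank = any application

    def matches(self, alert: Alert) -> bool:
        def selected(chosen, actual):
            # Blank selector matches all; otherwise any overlap is a match.
            return not chosen or bool(chosen & actual)
        return (selected(self.conditions, {alert.condition})
                and selected(self.users_groups, {alert.user} | alert.groups)
                and selected(self.apps, {alert.app}))


def route(rules, alert):
    """Union of the destinations of every rule whose selectors match."""
    dests = set()
    for rule in rules:
        if rule.matches(alert):
            dests |= rule.destinations
    return dests


@dataclass
class Card:
    """A Card: named filtering criteria over events (field -> allowed values)."""
    name: str
    criteria: dict

    def matches(self, event: dict) -> bool:
        return all(event.get(k) in allowed for k, allowed in self.criteria.items())


@dataclass
class CardRule:
    """Alert Rule built on the Card tab: every matching event raises an alert."""
    name: str
    card: Card
    severity: str
    destinations: frozenset


def custom_alerts(card_rules, events):
    """(rule name, severity, event id, destinations) per matching event/rule pair."""
    out = []
    for ev in events:
        for rule in card_rules:
            if rule.card.matches(ev):
                out.append((rule.name, rule.severity, ev["id"], rule.destinations))
    return out


# Constructed sample rules and events; names are hypothetical.
RULES = [
    ConditionRule("catch-all", frozenset({"#sec-alerts"})),
    ConditionRule("finance-dlp", frozenset({"dlp-team"}),
                  conditions=frozenset({"Sensitive file upload"}),
                  users_groups=frozenset({"finance"})),
    ConditionRule("okta-admins", frozenset({"idp-oncall@example.com"}),
                  apps=frozenset({"Okta"})),
]
CARD_RULES = [
    CardRule("external-share", Card("External share", {
        "action": {"share_external"}, "app": {"Google Drive", "Box"}}),
        "High", frozenset({"#sec-alerts", "dlp-team"})),
]
EVENTS = [
    {"id": 1, "action": "share_external", "app": "Google Drive", "user": "bob"},
    {"id": 2, "action": "share_external", "app": "Jira", "user": "bob"},
    {"id": 3, "action": "download", "app": "Box", "user": "alice"},
]


def demo():
    finance_upload = Alert("Sensitive file upload", "alice", frozenset({"finance"}), "Box")
    okta_login = Alert("Impossible travel", "bob", frozenset({"eng"}), "Okta")
    return {"finance_upload": route(RULES, finance_upload),
            "okta_login": route(RULES, okta_login),
            "custom": custom_alerts(CARD_RULES, EVENTS)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that the catch-all rule fires for every alert because all three of its selectors are blank, so each narrower rule adds destinations rather than replacing them; keep that in mind when a noisy channel receives alerts you expected a more specific rule to capture.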