Skip to main content

Filter Alerts

You can filter alerts to retrieve alert details using specific parameters to help further investigation. The default filters are: Open, Critical, Medium, and High.

Filter Alerts Using Built-In Filters

To filter the Alerts page using the built-in filters:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply. Click Show more to display all the filter groups.
  4. Click Show results to apply the selected filters to the alert list. The selected filter group is highlighted with the number of selected filters.

Built-in Filters

The following table shows all the built-in filters you can use to refine the alert list.

Filter GroupFiltersNote
Source- AWS
- Azure
- GCP
Severity- Critical
- High
- Medium
- Low
- Info
To adjust the configuration of an alert's severity level, see Alert Rules.
Status- Open
- Closed
Open - The alert needs to be investigated.
In progress - The alert is under active investigation.
Closed - The alert has been resolved.
Alert Category- Policy
- Anomaly
Lacework classifies alerts into related categories. For the list of alert categories, see Alert Categories.
Alert Subcategory- Compliance
- Application
- Cloud Activity
- File
- Machine
- User
- Platform
- Kubernetes Activity
For the list of alert subcategories, see Alert Subcategories.
Internet Exposure- Yes
- No
- Unknown
Yes - A possible network exposure of resources.
No - No network exposure of resources has been identified.
Unknown - Network exposure of resources is unknown.

Filter Alerts by Account Alias

To filter the Alerts page according to the account alias:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Account Alias filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Alert ID

To filter the Alerts page according to the alert ID:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Alert ID filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Alert Name

To filter the Alerts page according to the alert name:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Alert Name filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Alert Type

To filter the Alerts page according to the alert type:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Alert Type filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

For the list of alert types, see Alert Types.

Filter Alerts by Application

To filter the Alerts page according to the application:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Application filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by AWS Account ID

To filter the Alerts page according to the AWS account ID:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click AWS Account ID filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Azure Subscription ID

To filter the Alerts page according to the Azure Subscription ID:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Azure Subscription ID filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Containers

To filter the Alerts page according to the container:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Container filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by File Hash

To filter the Alerts page according to the file hash:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click File Hash filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by File Path

To filter the Alerts page according to the file path:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click File Path filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by GCP Project ID

To filter the Alerts page according to the GCP project ID:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click GCP Project ID filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Hostname

To filter the Alerts page according to the hostname:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Hostname filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by IPv4 Address

To filter the Alerts page according to the IPv4 address:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click IPv4 Address filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Kubernetes Cluster

To filter the Alerts page according to the Kubernetes cluster:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Kubernetes Cluster filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Machine Tags

Lacework assigns custom attributes to policies to help identify and organize the alerts generated when a policy violation occurs. For the full list of policy tags, see Policy Tags.

To filter the Alerts page according to the machine tag:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Machine Tags filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Alternatively, select the machine tag from the list of tags, then click Show results to apply the filter to the alert list.

Filter Alerts by Pod ID Address

To filter the Alerts page according to the pod ID address:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Pod IP Address filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Pod Name

To filter the Alerts page according to the pod name:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Pod Name filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Pod Namespace

To filter the Alerts page according to the pod namespace:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Pod Namespace filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Pod Type

To filter the Alerts page according to the pod type:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Pod Type filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Port

To filter the Alerts page according to the port:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Port filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Username

To filter the Alerts page according to the username:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click Username filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by VM Type

To filter the Alerts page according to the virtual machine (VM) type:

  1. Log in to the Lacework Console.
  2. Click Alerts.
  3. Click VM Type filter group.
  4. From the list of operators, select one of the following:
    • does not match
    • ends with
    • excludes
    • includes
    • starts with
    • matches
  5. Enter your keyword to the textbox.
  6. Click Show results to apply the filter to the alert list. The selected filter group is highlighted.

Filter Alerts by Date/Time Range

The top of the page contains Date/time range and parameter filters.

The Date range (calendar) icon provides preset ranges for data that you want to display:

  • Latest hour
  • Latest three days
  • Latest week
  • Latest month

You can click the Date range icon, then click Custom to select the start and end date/time manually.

For example, if you select Latest three days from the Date range drop-down at 3 PM on May 05 2022, the alert list includes alerts that happen during the following date/time range: May 02, 2022, 3 PM to May 05, 2022, 3 PM.

The page only loads alerts found during the specified date range.

note

All timestamps are in local time.

Filter Alerts Using the Search Function

The top of the page contains the search field. You can build custom search to refine the list of displayed alerts.

To build a custom search:

  1. Log in to the Lacework Console.

  2. Click Alerts.

  3. Click the search icon to display a list of field names:

    • Account Alias
    • Alert Category
    • Alert ID
    • Alert Name
    • Alert Subcategory
    • Alert Type
    • Application
    • AWS Account ID
    • Azure Subscription ID
    • Container
    • External Hostname
    • File Hash
    • File Path
    • GCP Project ID
    • Hostname
    • Internet Exposure
    • IPv4 Address
    • Kubernetes Cluster
    • Machine Tags
    • Pod IP Address
    • Pod Name
    • Pod Namespace
    • Pod Type
    • Port
    • Severity
    • Source
    • Status
    • Username
    • VM Type
  4. Choose a value for the selected field if it is one of the following fields:

    • Source
    • Severity
    • Status
    • Internet Exposure
    • Alert Category
    • Alert Subcategory

    For other selected fields, choose an operator from the list of operators, then enter your keyword to the adjacent of the selected operator.
    Available operators are:

    • matches
    • includes
    • excludes
    • starts with
    • ends with
    • does not match
  5. Press the Enter key to submit. Your filter is highlighted.

To remove a filter, click the filter group, then click Reset.

note

Searches can only include the most recent 5,000 alerts.

Reset All Filters

Click Reset to reset all filters. The alert list returns a default list containing only Critical, High, and Medium alerts.