Alert Insights
The lacework alert command helps you perform initial discovery and analysis of alerts in your Lacework account.
You can quickly see the list of all the alerts from the last 7 days in your account with their severity:
lacework alert list
Note: This command is limited to displaying 7 days of data.
To filter alerts by a time period:
- Specify a start time with the --start flag.
- Specify both start and end times with the --start and --end flags.
To show all alerts from a specific start time that have severity medium or above (critical, high, and medium):
lacework alert list --start 2020-08-26T23:28:29Z --severity medium
Note: Time constraint: the start time must be within the last 92 days, and the difference between the start and end times must not exceed 7 days.
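Because each query is capped at a 7-day window and the start time must fall within the last 92 days, covering a longer period means issuing several consecutive queries. The helper below is an added example, not part of the Lacework documentation or CLI: it splits a lookback period into 7-day windows, rejects a start older than 92 days, and builds the matching lacework alert list commands (the fixed clock date is constructed for the demo; by default the commands are printed rather than executed).

```python
"""Split a lookback period into 7-day lacework alert list queries (added example)."""
from datetime import datetime, timedelta, timezone
import shlex
import subprocess

MAX_WINDOW = timedelta(days=7)     # per-query limit stated in the docs
MAX_LOOKBACK = timedelta(days=92)  # start time must be within the last 92 days


def fmt(ts):
    """Render a UTC datetime in the RFC 3339 form the --start/--end flags take."""
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def windows(start, end, step=MAX_WINDOW):
    """Split [start, end) into consecutive windows no longer than `step`."""
    if start >= end:
        raise ValueError("start must be before end")
    out, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)
        out.append((cur, nxt))
        cur = nxt
    return out


def build_commands(start, end, severity=None, now=None):
    """Return one argv list per 7-day window, enforcing the 92-day lookback."""
    now = now or datetime.now(timezone.utc)
    if now - start > MAX_LOOKBACK:
        raise ValueError("start time is older than 92 days; the API will reject it")
    cmds = []
    for s, e in windows(start, end):
        cmd = ["lacework", "alert", "list", "--start", fmt(s), "--end", fmt(e)]
        if severity:
            cmd += ["--severity", severity]
        cmds.append(cmd)
    return cmds


def run(cmds, dry_run=True):
    """Print each command; execute it only when dry_run is False."""
    for cmd in cmds:
        print(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    now = datetime(2020, 9, 1, tzinfo=timezone.utc)  # constructed fixed clock
    run(build_commands(now - timedelta(days=30), now, "medium", now=now))
```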
There are different types of alert details that can be shown to assist with alert investigation. These types are referred to as alert detail scopes.
The following alert detail scopes are available:
- Details (default)
- Investigation
- Events
- RelatedAlerts
- Integrations
- Timeline
To drill into an alert and show its details with the default scope:
lacework alert show <alert_id>
To view an alert's details with the Timeline scope:
lacework alert show <alert_id> --scope Timeline
To open an alert in the Lacework Console for further investigation:
lacework alert open <alert_id>