Alert Severity

Alert severity levels measure the impact an alert has on the business. Lacework's severity scoring algorithm assigns a variable alert severity based on several factors, including:

  • Number of involved entities.
  • User attributes.
  • Frequency of activity.

This means that alerts of the same name may have different severities if their event scores differ. For example, if the user associated with an alert has MFA enabled, Lacework reduces the alert severity because the activity is less likely to be malicious (AWS and GCP).

For known threats identified via threat intel, the alert is set to Critical severity regardless of the severity scoring factors, unless the threat intel comes from less reliable sources; in that case, Lacework downgrades the severity to High or Medium.
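The following is an added, illustrative model of how the rules above combine; it is not Lacework's scoring algorithm. The factor weights, the score thresholds, the Alert and ThreatIntelHit fields, and the rule for choosing between High and Medium for a less reliable source are all assumptions, chosen only to show the precedence: a threat-intel hit overrides the scored severity, and the user's MFA state lowers the event score before it is mapped to a level.

```python
"""Illustrative severity-assignment model (added example, not Lacework's algorithm).

The factor weights, score thresholds, and the Alert/ThreatIntelHit fields
below are assumptions chosen to show how the rules on this page interact:
a threat-intel hit overrides the score-based severity, and the user's MFA
state lowers the event score before it is mapped to a level.
"""
from dataclasses import dataclass
from typing import Optional

# The five levels from the table on this page, lowest to highest.
SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass
class ThreatIntelHit:
    source: str       # hypothetical feed name
    reliable: bool    # assumption: whether the feed counts as a reliable source


@dataclass
class Alert:
    name: str
    entity_count: int                          # number of involved entities
    frequency: int                             # occurrences in the scoring window (assumed unit)
    user_mfa_enabled: Optional[bool] = None    # None when no user is involved
    threat_intel: Optional[ThreatIntelHit] = None


def event_score(alert: Alert) -> int:
    """Assumed additive score: entities and frequency raise it, MFA lowers it."""
    score = min(alert.entity_count, 10)        # cap each factor so none dominates (assumption)
    score += min(alert.frequency // 5, 10)
    if alert.user_mfa_enabled:
        score -= 5                             # MFA lowers the probability the activity is malicious
    return max(score, 0)


def severity_from_score(score: int) -> str:
    """Assumed thresholds mapping a score to the five severity levels."""
    if score >= 16:
        return "Critical"
    if score >= 11:
        return "High"
    if score >= 6:
        return "Medium"
    if score >= 2:
        return "Low"
    return "Info"


def assign_severity(alert: Alert) -> str:
    """Apply the page's precedence: threat intel first, then the scored severity."""
    scored = severity_from_score(event_score(alert))
    hit = alert.threat_intel
    if hit is None:
        return scored
    if hit.reliable:
        return "Critical"                      # known threat: Critical regardless of the score
    # Less reliable source: downgrade to High or Medium. Choosing between the two
    # is an assumption here: clamp the scored severity into that band.
    rank = SEVERITIES.index(scored)
    return SEVERITIES[max(SEVERITIES.index("Medium"), min(rank, SEVERITIES.index("High")))]


def triage_order(alerts):
    """Sort alerts most severe first; same-name alerts can land in different places."""
    return sorted(alerts, key=lambda a: SEVERITIES.index(assign_severity(a)), reverse=True)


if __name__ == "__main__":
    # Constructed sample alerts: two share a name but differ only in the user's MFA state.
    samples = [
        Alert("ConsoleLoginNewLocation", entity_count=8, frequency=30, user_mfa_enabled=False),
        Alert("ConsoleLoginNewLocation", entity_count=8, frequency=30, user_mfa_enabled=True),
        Alert("KnownBadIpConnection", entity_count=1, frequency=1,
              threat_intel=ThreatIntelHit("feed-a", reliable=True)),
        Alert("KnownBadIpConnection", entity_count=1, frequency=1,
              threat_intel=ThreatIntelHit("feed-b", reliable=False)),
    ]
    for a in triage_order(samples):
        print(f"{assign_severity(a):8} {a.name} (mfa={a.user_mfa_enabled}, ti={a.threat_intel})")
```

Running the sample shows the two behaviours the page describes: the two ConsoleLoginNewLocation alerts are High and Medium respectively because MFA lowered the second one's score, and the two KnownBadIpConnection alerts are Critical and Medium because the override depends on the reliability of the threat-intel source rather than on the score.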

The following table describes all severity levels.

  • Critical: Alerts that need immediate attention. This might indicate that the system has failed or stopped responding. Example: Access level is not set to Private.
  • High: Alerts that indicate a problem, but do not require immediate attention. Example: Storage logging is not enabled for Queue service read, write, and delete requests.
  • Medium: Alerts that provide forewarning of potential problems, although not an actual error. These events might lead to displaying errors or critical events. Example: Guest account with owner permissions should be removed from subscription.
  • Low: Alerts with minor impact. Example: S3 bucket does not have auditing enabled.
  • Info: Alerts that provide informational messages that might be helpful to you. Example: No support role has been created to manage incidents with AWS Support.