
Report Rules

Lacework combines channels and report rules to provide a flexible method for routing reports. For channels (outgoing integrations), you define where reports are sent, that is, the email recipients. For report rules, you define which reports are sent. This two-part method lets you define multiple channels and multiple rules, and then send each rule to the email channels you specify.

Select reports from a list of predefined reports, summaries, and snapshots. You can also select specific event severities.

For example, you could define three email channels in Lacework and then define several report rules, such as AWS S3, Workload Security, and Daily Snapshot, selecting the appropriate channel for each rule.

Create a Report Rule

  1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
  2. Navigate to Settings > Configuration > Report rules.
  3. Click + Add New.
  4. Name the rule and optionally provide a description.
  5. Select an email alert channel for the rule to use. The list displays only channels that are configured and enabled. Reports are sent to the team members whose email addresses are included in the alert channel. When the default email alert channel is used, only members who have enabled default email notifications receive reports.
  6. Select the reports, summaries, or snapshots that you want the rule to apply to.
    • AWS, Azure, GCP, EKS Compliance Reports - Compliance reports for the respective cloud platforms.
    • Daily Summary - Daily event summary reports.
    • Weekly Snapshot - A weekly compliance trend report for all monitored resources.
    • Vulnerability Reports - A daily vulnerability report for all monitored resources (hosts and containers).
  7. To refine a report, click the gear icon on its row and select specific reports, event severities, and resource groups (if any are defined). If you select no resource groups, all resource groups are included.
  8. Click Save. The new rule appears in the table.
Note: If multiple report rules send to the same channel, Lacework aggregates the resource groups and sends one email with multiple attachments.

You can change the default compliance report schedule (1200 GMT) by navigating to Settings > General. This is the time at which Lacework starts running a complete compliance assessment, generates reports based on that assessment, and sends those reports to team members.

The time specified in the drop-down is not the time at which you receive the report email, because collecting the data, generating the report, and sending the email all take time. This drop-down affects only reports, not event summaries; event summaries start generating at 1200 GMT.

Event Severity Levels

Event severity levels are a measurement of the impact an event has on the business. The severities configuration only applies to event summary reports, such as Daily Summary.

The following table describes all severity levels.

| Severity | Description | Example |
| --- | --- | --- |
| Critical | Events that need immediate attention. This might indicate that the system has failed or stopped responding. | Access level is not set to Private. |
| High | Events that indicate a problem, but do not require immediate attention. | Storage logging is not enabled for Queue service read, write, and delete requests. |
| Medium | Events that provide forewarning of potential problems, although not an actual error. These events might lead to displaying errors or critical events. | Guest account with owner permissions should be removed from subscription. |
| Low | Events with minor impact. | S3 bucket does not have auditing enabled. |
| Info | Events that provide informational messages that might be helpful to you. | No support role has been created to manage incidents with AWS Support. |
Note: If you configure a report rule for the event summary report (such as Daily Summary) and select severity levels, the event summary report includes only events with the chosen severity levels. For example, if you select Critical and High, the event summary report includes only critical and high events.

When you configure a report rule for the event summary report using the Lacework API, you specify severity levels by number:

  • 1=Critical
  • 2=High
  • 3=Medium
  • 4=Low
  • 5=Info
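The routing behaviour described above (one email per channel carrying every selected report as an attachment, the union of the rules' resource groups, and the severity filter applied to event summaries) can be modelled in a few lines. The following is an added illustration, not Lacework code or the Lacework API: the rule and channel names, the sample events, and the `ReportRule` shape are constructed here, and only the severity name-to-number mapping comes from this page.

```python
"""Model of Lacework report-rule routing as described on this page.

Added illustration, not Lacework code. Channel names, rule names, the
ReportRule structure and SAMPLE_EVENTS are constructed for the example.
Only the severity numbering (1=Critical ... 5=Info) is taken from the page.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Numeric severity codes used by the Lacework API (from this page).
SEVERITY_CODES = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4, "Info": 5}
CODE_TO_SEVERITY = {code: name for name, code in SEVERITY_CODES.items()}


def severity_codes(severities):
    """Normalize a list of severity names or numeric codes to the API's codes.

    Unknown values raise instead of being dropped: a typo such as "Crtical"
    must not silently widen or narrow what a summary report contains.
    """
    codes = set()
    for sev in severities:
        if isinstance(sev, int) and sev in CODE_TO_SEVERITY:
            codes.add(sev)
        elif isinstance(sev, str) and sev.capitalize() in SEVERITY_CODES:
            codes.add(SEVERITY_CODES[sev.capitalize()])
        else:
            raise ValueError(f"unknown severity: {sev!r}")
    return sorted(codes)


@dataclass
class ReportRule:
    """Constructed representation of one report rule."""
    name: str
    channel: str                      # email alert channel the rule sends to
    reports: list                     # reports, summaries or snapshots selected
    severities: list = field(default_factory=list)      # empty = no filter
    resource_groups: list = field(default_factory=list)  # empty = all groups
    enabled: bool = True


def filter_event_summary(events, severities):
    """Keep only events whose severity is among the chosen levels.

    With no severities selected, the summary keeps every event.
    """
    if not severities:
        return list(events)
    chosen = set(severity_codes(severities))
    return [e for e in events if SEVERITY_CODES[e["severity"]] in chosen]


def route_reports(rules):
    """Group enabled rules by channel: one outgoing email per channel.

    Each email carries every selected report once as an attachment and the
    union of the rules' resource groups. A rule that selects no resource
    groups means "all groups", so the aggregated email covers all groups too.
    """
    outbox = defaultdict(lambda: {"rules": [], "attachments": [],
                                  "resource_groups": set(),
                                  "all_resource_groups": False})
    for rule in rules:
        if not rule.enabled:
            continue
        mail = outbox[rule.channel]
        mail["rules"].append(rule.name)
        for report in rule.reports:
            if report not in mail["attachments"]:
                mail["attachments"].append(report)
        if rule.resource_groups:
            mail["resource_groups"].update(rule.resource_groups)
        else:
            mail["all_resource_groups"] = True
    return dict(outbox)


# Constructed sample data; titles echo the examples in the severity table.
SAMPLE_EVENTS = [
    {"id": "evt-1", "severity": "Critical", "title": "Access level is not set to Private"},
    {"id": "evt-2", "severity": "High", "title": "Storage logging is not enabled for Queue service"},
    {"id": "evt-3", "severity": "Medium", "title": "Guest account with owner permissions"},
    {"id": "evt-4", "severity": "Low", "title": "S3 bucket does not have auditing enabled"},
    {"id": "evt-5", "severity": "Info", "title": "No support role created for AWS Support"},
]

SAMPLE_RULES = [
    ReportRule("AWS S3", "soc-team", ["AWS CIS S3"], resource_groups=["prod-aws"]),
    ReportRule("Workload Security", "soc-team", ["Vulnerability Reports"],
               resource_groups=["prod-k8s"]),
    ReportRule("Daily Snapshot", "leadership", ["Weekly Snapshot", "Daily Summary"],
               severities=["Critical", "High"]),
]

if __name__ == "__main__":
    for channel, mail in route_reports(SAMPLE_RULES).items():
        print(channel, mail["attachments"], sorted(mail["resource_groups"]))
    print([e["id"] for e in filter_event_summary(SAMPLE_EVENTS, ["Critical", "High"])])
```

Running the block shows the two `soc-team` rules collapsing into a single email with two attachments and both resource groups, while the `leadership` summary keeps only the Critical and High events.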

Managing Report Rules with Terraform

You can configure your report rules using Terraform with the Lacework Report Rule resource.

```hcl
# Email channel that receives the reports.
resource "lacework_alert_channel_email" "team_email" {
  name       = "My Team Members"
  recipients = ["foo@lacework.net"]
}

# Resource group that scopes the rule to a subset of AWS accounts.
resource "lacework_resource_group_aws" "aws_group" {
  name        = "My AWS Resource Group"
  description = "This groups a subset of AWS Accounts"
  accounts    = ["123456789", "234567891"]
}

resource "lacework_report_rule" "example" {
  name                 = "My Report Rule"
  description          = "This is an example Report Rule"
  enabled              = true
  severities           = ["Critical", "High"]
  resource_groups      = lacework_resource_group_aws.aws_group.*.id
  email_alert_channels = lacework_alert_channel_email.team_email.*.id

  aws_compliance_reports {
    pci    = true
    cis_s3 = true
  }

  weekly_snapshot = true
}
```

Additional information on the lacework_report_rule resource can be found on the Terraform Registry.