Tune Activity Log Ingestion Failure Alerts

  • 26 January 2024

Are you getting alerts about a Cloud Activity Log ingestion failure and want to tune the alert? 

Well, you’ve come to the right spot!

Once you have received and investigated the alert, check your integration. You should see the following message:

“Warning: Lacework application did not receive any data from the configured integrations within the last 120 minutes (default).”

Note: You can find this warning by going to Settings => Cloud Accounts and looking for integrations with a status of Warning or Error.


If the alert becomes too noisy, we can tune it. 

  • Step 1: Go to Policies
  • Step 2: Search by Cloud Activity Log Ingestion Failure or Policy ID: LW_PLATFORM_106 
  • Step 3: Select Policy and select the clone icon.


Step 4: On the Summary page, choose which frequency makes sense for your business. We recommend keeping the severity as High and never disabling this policy.


Step 5: By default, this policy will trigger an alert every hour when the Lacework platform does not receive fresh data from your integrations.
Step 6: If you want to be prescriptive and tune the alert for specific accounts, go to the Query tab.
Step 7: Within the Query tab, you can select specific integrations and configure failure thresholds. Then, when the account hits the failure threshold, an alert will trigger.


Step 8: As with all policies, after you clone your policy, don’t forget to disable the original policy.
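The threshold behaviour that Steps 5 to 7 describe, sketched as an added example (this is not Lacework's policy query or code): each integration is compared against the 120-minute default unless it has its own failure threshold. The integration names, override values and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Default window quoted in the warning message on this page.
DEFAULT_THRESHOLD = timedelta(minutes=120)


def _minutes(delta):
    return int(delta.total_seconds() // 60)


def stale_integrations(last_seen, now, overrides=None, default=DEFAULT_THRESHOLD):
    """Return (name, threshold_min, silent_min) for each integration past its threshold.

    last_seen: name -> datetime of the last data received, or None if nothing ever arrived
    overrides: name -> timedelta threshold for that integration (hypothetical tuning values)
    silent_min is None for an integration that has never delivered data.
    """
    overrides = overrides or {}
    findings = []
    for name, seen in sorted(last_seen.items()):
        threshold = overrides.get(name, default)
        if seen is None:
            # Never received anything: always a finding, regardless of threshold.
            findings.append((name, _minutes(threshold), None))
        elif now - seen > threshold:
            findings.append((name, _minutes(threshold), _minutes(now - seen)))
    return findings


# Constructed sample state (not real accounts or timestamps).
NOW = datetime(2024, 1, 26, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "aws-prod-cloudtrail": NOW - timedelta(minutes=45),
    "aws-dev-cloudtrail": NOW - timedelta(minutes=180),
    "azure-activity-log": NOW - timedelta(minutes=150),
    "gcp-audit-log": None,
}
# Tighter window for production, looser for a quiet dev account.
OVERRIDES = {
    "aws-prod-cloudtrail": timedelta(minutes=30),
    "aws-dev-cloudtrail": timedelta(hours=6),
}

if __name__ == "__main__":
    for name, limit, silent in stale_integrations(LAST_SEEN, NOW, OVERRIDES):
        state = "never received data" if silent is None else f"silent {silent} min"
        print(f"{name}: {state} (threshold {limit} min)")
```

Loosening the window for a low-traffic account removes its noise, while the tighter production window surfaces a gap the default would not flag yet.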

 
