Are you getting alerts about a Cloud Activity Log ingestion failure and want to tune the alert?
Well, you’ve come to the right spot!
Once you have received and investigated the alert, when checking your integration, you should see the following message:
“Warning: Lacework application did not receive any data from the configured integrations within the last 120 minutes (default).”
Note: This warning can be found by going to Settings => Cloud Accounts and looking for integrations with a status of Warning or Error.
If the alert becomes too noisy, we can tune it.
- Step 1: Go to Policies
- Step 2: Search by Cloud Activity Log Ingestion Failure or Policy ID: LW_PLATFORM_106
- Step 3: Select Policy and select the clone icon.
- Step 4: On the Summary page, choose which frequency makes sense for your business. We recommend keeping the severity as High and never disabling this policy.
- Step 5: By default, this policy will trigger an alert every hour when the Lacework platform does not receive fresh data from your integrations.
- Step 6: If you want to be prescriptive and tune the alert for specific accounts, go to the Query tab.
- Step 7: Within the Query tab, you can select specific integrations and configure failure thresholds. Then, when the account hits the failure threshold, an alert will trigger.
- Step 8: As with all policies, after you clone your policy, don’t forget to disable the original policy.
Agent: N/A
Platform: Tuning Lacework/Customization
Cloud: N/A