Question

What changed in my configuration to cause the alert?

  • 4 October 2023
  • 1 reply
  • 313 views


A Lacework Alert comes in and it is for compliance or configuration changes. Once you get the alert, it is logical to want to investigate and figure out what caused it, when it happened, and keep investigating so you know when something happened and who made the change. How can I, within Lacework, identify those changes and be able to compare the configurations so I can identify what changed and when it happened?

Agent

N/A

Platform

Using Lacework/Operationalizing

Cloud

AWS


1 reply


I recently had this discussion with a customer and we walked through the steps together trying to get to the bottom of this.

So you get an Alert within Lacework... so what. Why did that happen? Because I know I didn't just open up my resources to 0.0.0.0/0 inbound... or did I (I am sure it was the dog).

  • An Alert Comes in relating to some configuration issue
  • Review the Alert (Note: You can proactively look up these bad boys by going to the alert page, then filtering by “alert subcategory = compliance.”)
  • Click on the Alert
  • Scroll down within the Details page to the “What” section
  • Click on the “Resources” tab
  • Click on the Resource value (Note: It should be highlighted blue as a hyperlink)
    • Once you are in the Resource inventory page, if one exists, there will be a “configuration history” table
  • Click the checkbox in the “configuration” column for two of the historical configuration items.
  • Click the now highlighted button that says “Diff configurations”

In the end, you should have something that looks kinda like this. This is a side-by-side comparison of the lines that changed from your Historical Configuration data to the Latest configuration data.


Historical Configuration vs Latest Configuration Comparison
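To make concrete what the “Diff configurations” step produces (which lines changed between two captured configurations, and the window in which the change happened), here is an added example that is not Lacework's code nor the poster's. The two security-group snapshots, their timestamps and the group ID are constructed for illustration.

```python
"""Diff two captured configurations of one cloud resource and flag
ingress that was opened to the world. Added example; snapshots below
are constructed, not real inventory data."""
from typing import Any

# Constructed snapshots of one AWS security group, oldest first.
HISTORICAL = {
    "captured_at": "2023-10-03T09:15:00Z",
    "config": {
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
}
LATEST = {
    "captured_at": "2023-10-04T14:02:00Z",
    "config": {
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
}


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts/lists into {"a.b[0].c": leaf} so a line-level diff is easy."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def diff_configs(old: dict, new: dict) -> list[tuple[str, Any, Any]]:
    """Return (path, historical_value, latest_value) for every changed leaf; None marks absent."""
    a, b = flatten(old["config"]), flatten(new["config"])
    return [(p, a.get(p), b.get(p)) for p in sorted(a.keys() | b.keys()) if a.get(p) != b.get(p)]


def change_window(old: dict, new: dict) -> tuple[str, str]:
    """The change happened somewhere between these two capture times."""
    return old["captured_at"], new["captured_at"]


def world_open_ingress(changes: list[tuple[str, Any, Any]]) -> list[str]:
    """Paths where a change introduced 0.0.0.0/0 or ::/0 inside the ingress rules."""
    return [p for p, _, new in changes if "IpPermissions" in p and new in ("0.0.0.0/0", "::/0")]
```

Run `diff_configs(HISTORICAL, LATEST)` to get the single changed line (the SSH rule's CIDR going from 10.0.0.0/8 to 0.0.0.0/0) and `change_window` to bound when it happened; `world_open_ingress` is the check that turns that diff into the alert the thread starts with.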

