Lacework
Kate_M
Community Manager
Article Id 339246
Description Can I suppress noisy Lacework Alerts?
Scope Lacework
Solution

Yes, absolutely! Organizations may experience high alert volume due to expected recurring activity that triggers Lacework alerts. For example, hosted crawler applications that generate internet crawling activity typically cause high alert volume.

If your organization is experiencing high alert volume, the Lacework platform lets you modify policies to suppress the expected activity, which prevents future alerts from triggering on it.


To implement alert tuning/suppression:

  1. Navigate to the Policies Dossier and find the policy that is triggering high alert volume
  2. Clone the policy
  3. Select the Query tab and explore the available parameters (IP Address, Application, Username, Host, etc.)
  4. Specify a parameter and value to exclude in the policy


Be sure to include as many relevant parameters in the suppression query as possible to prevent the cloned policy from filtering out activity that is not in scope.

Once you have specified a sufficient suppression query, rename the cloned policy and save it. For the alert suppression to take effect, ensure that the cloned policy is enabled and that the default policy is disabled.


As a best practice, keep both policies enabled for a day or two to ensure that the new cloned policy is not triggering on the suppressed activity. Once you are confident that the suppression is working as expected, disable the default policy.
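The following is an added illustration of why the suppression query should carry as many relevant parameters as possible; it is not Lacework code and does not use Lacework's query syntax. A suppression rule is modelled as a set of field/value pairs that must all match, and the constructed alerts include one record that shares the crawler's application name but comes from an unexpected host and user. The `unexpected_suppressions` check is the kind of comparison you would run during the period when both the default and the cloned policy are enabled.

```python
"""Scope of a suppression rule (added example; not Lacework code or query syntax).

A rule is a dict of field -> expected value. An alert is suppressed only if
every field in the rule matches. A rule with fewer fields is broader, so it
can hide activity that was never part of the expected, exempted behaviour.
"""

# Constructed sample alerts standing in for what a policy would raise.
ALERTS = [
    {"id": 1, "application": "crawler", "host": "crawler-01", "username": "svc-crawl", "ip": "10.0.1.5"},
    {"id": 2, "application": "crawler", "host": "crawler-02", "username": "svc-crawl", "ip": "10.0.1.6"},
    # Same application name, but an unexpected host and user: NOT expected activity.
    {"id": 3, "application": "crawler", "host": "db-prod-01", "username": "root", "ip": "10.0.9.9"},
    {"id": 4, "application": "sshd", "host": "bastion-01", "username": "alice", "ip": "203.0.113.7"},
]

# Over-broad rule: keys only on the application name.
BROAD_RULE = {"application": "crawler"}

# Scoped rules: the expected activity is pinned by application, host and service account.
SCOPED_RULES = [
    {"application": "crawler", "host": "crawler-01", "username": "svc-crawl"},
    {"application": "crawler", "host": "crawler-02", "username": "svc-crawl"},
]

# Alert ids that represent the known, expected crawler activity (constructed).
EXPECTED_IDS = {1, 2}


def matches(rule, alert):
    """True if every field in the rule equals the corresponding alert field."""
    return all(alert.get(field) == value for field, value in rule.items())


def apply_suppression(alerts, rules):
    """Split alerts into (remaining_ids, suppressed_ids) under the given rules."""
    remaining, suppressed = [], []
    for alert in alerts:
        if any(matches(rule, alert) for rule in rules):
            suppressed.append(alert["id"])
        else:
            remaining.append(alert["id"])
    return remaining, suppressed


def unexpected_suppressions(alerts, rules, expected_ids):
    """Ids the rules hide that were not part of the expected activity.

    While the default and cloned policies run side by side, a non-empty
    result means the suppression query is too broad and needs more parameters.
    """
    _, suppressed = apply_suppression(alerts, rules)
    return sorted(set(suppressed) - set(expected_ids))


if __name__ == "__main__":
    print("broad  :", apply_suppression(ALERTS, [BROAD_RULE]))
    print("scoped :", apply_suppression(ALERTS, SCOPED_RULES))
    print("broad rule hides out-of-scope alerts :", unexpected_suppressions(ALERTS, [BROAD_RULE], EXPECTED_IDS))
    print("scoped rules hide out-of-scope alerts:", unexpected_suppressions(ALERTS, SCOPED_RULES, EXPECTED_IDS))
```

Running it shows the broad rule silently drops alert 3 (the `root` activity on `db-prod-01`), while the scoped rules suppress only the two expected crawler hosts and leave alert 3 to surface.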
