Lacework
Kate_M (Community Manager)
Article Id 334648
Description: Composite alerts are a new type of alert in Lacework.
Scope: Lacework alerts
Solution

Composite analysis combines multiple detections to define more specific alert conditions. This allows Lacework to raise a composite alert accurately when it suspects an intrusion is under way.

You can find composite alerts using the “Alert Category” filter in the “Alerts” section.

How does it help?

These alerts are a new way to group multiple Lacework detections (based on anomalies and policies) that, when evaluated together, can indicate an intrusion. Hence, these are arguably the most important alerts that Lacework generates and should be triaged with the utmost urgency.

You can find more information on Composite Alert types here.

How do we use it?

Let’s look at how we can create a dedicated alert channel and rule to make sure these alerts are sent somewhere a human will see them as soon as possible.

  1. Create a new alert channel.
    This could be something like PagerDuty, where it might wake someone up who is in an on-call rotation, or simply a dedicated Slack channel or your SIEM.

    You can do this by navigating to Settings > Alert Channels.

  2. Create a new alert rule. For this rule, we’ll simply send all alerts of the Composite type to the newly created alert channel.

    Navigate to Settings > Alert Rules.

    For “Alert Categories”, select “Composite Alerts”.
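The two steps above written as Terraform against the Lacework provider, as an added example that is not part of this article: a dedicated PagerDuty channel plus a rule that routes only the Composite alert category to it. The resource and argument names (lacework_alert_channel_pagerduty, lacework_alert_rule, alert_categories, severities) are assumed from the provider documentation and should be verified against the provider version you pin; the PagerDuty integration key is a placeholder supplied through a variable.

```hcl
terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

# Placeholder secret: pass it in via TF_VAR_pagerduty_integration_key or a
# secrets backend, never commit it to source control.
variable "pagerduty_integration_key" {
  type      = string
  sensitive = true
}

# Step 1: a dedicated channel that reaches a human quickly. PagerDuty is used
# here; a Slack channel or SIEM resource would slot in the same way.
# (Resource and argument names assumed from the provider docs.)
resource "lacework_alert_channel_pagerduty" "composite_oncall" {
  name            = "composite-alerts-oncall"
  integration_key = var.pagerduty_integration_key
}

# Step 2: a rule whose only category filter is Composite. Every severity is
# listed so that no composite alert is dropped by the severity filter;
# narrowing by severity is a deliberate choice, not the default here.
resource "lacework_alert_rule" "composite_to_oncall" {
  name             = "route-composite-alerts"
  description      = "Composite alerts indicate a likely intrusion; page on-call"
  alert_channels   = [lacework_alert_channel_pagerduty.composite_oncall.id]
  severities       = ["Critical", "High", "Medium", "Low", "Info"]
  alert_categories = ["Composite"]
}
```

After `terraform apply`, the rule appears under Settings > Alert Rules with “Composite Alerts” as its category filter, which is the same end state as the UI steps.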
