
Alert Profile Overview

An alert profile is a set of metadata that defines how your LQL queries are translated into alerts.

Alert profiles are system-level objects. Lacework provides a set of predefined alert profiles so that policy evaluation gives you useful results out of the box. To create your own customized profile, extend an existing alert profile and add your custom templates to it.

An alert profile has three components:

  • Fields
  • Alert templates
  • Description keys

The following sections discuss each component.

Fields

A field declares an LQL query result column that is to be mapped into event details and alerts. Only LQL result fields that are declared as alert profile fields are mapped into event details and alerts; fields a query returns that are not declared in the alert profile won't be mapped into event details and alerts.

For each Lacework-defined datasource, each field of that datasource is already defined as an alert profile field.

Currently, alert profile APIs do not support defining custom fields.

Alert Templates

An alert template defines the content generated when a resource violates a policy. The event name, subject, and description it contains appear in pushed alerts and in the Lacework Console.

An alert template's subject and description fields are not fixed text. You write them as regular text that can reference description keys inside double curly braces, for example {{RESOURCE_ID}}.

Each Lacework-defined datasource has defined default alerts. Your policies can use them without modification.

Alert profile APIs support creating and modifying your own custom alerts.

Description Keys

A description key is a placeholder variable that you can use in an alert template's subject and/or description. Description keys can refer to LQL query result fields and can also refer to other available data (metadata such as the name of a policy). An alert template can refer only to description keys, so a field must be wrapped by a description key before it can appear in an alert.

For each Lacework-defined alert profile field, a description key is already defined for use in your alert templates.

Currently, alert profile APIs do not support defining custom description keys.

Defining Alert Templates in a Profile

To create new alert templates, create your own alert profile that extends a predefined Lacework alert profile.

Each alert template has the following fields:

  • name: The name that policies can use to refer to this template when generating alerts.
  • eventName: The name of the resulting alert.
  • subject: The subject text for the resulting alert.
  • description: The description text for the resulting alert.

Each predefined alert profile contains default alert templates. If you do not define any custom alerts, a policy that references the alert profile will use the default alert template.

To use these alerts in a policy, refer to them by the name you gave them. The Lacework Policy Platform generates events and alerts from the alert template that the policy refers to. If a policy refers to an alert by name but the alert profile has no alert template with that name, the policy uses the Lacework default template.

Select an Alert Profile

Because an alert profile helps to map what data is available for the alert message, each alert profile corresponds to a datasource. The following sections list the alert profiles and their corresponding datasources.

A policy refers to an alert profile by two parts, the alert profile ID and the alert template name, joined in this format: alertProfileId.alert_template_name.

For example, if you created a query that uses the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource, use or extend the LW_CFG_AWS_DEFAULT_PROFILE alert profile.

To use the LW_CFG_AWS_DEFAULT_PROFILE alert profile, specify the following in the policy's alertProfile field: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation.
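As an added example (not code from this page or from Lacework), the following Python models what the two sections above describe: how a policy's alertProfile reference (alertProfileId.alert_template_name) is split, how a profile that extends a predefined one is resolved, how only declared fields from an LQL result row are mapped, how description keys are expanded inside a template, and how an unknown template name falls back to a default. The extension semantics (a child profile inherits its parent's fields, description keys and alerts, and a child alert with the same name replaces the parent's), the caller-named fallback template, the custom profile MY_CFG_AWS_PROFILE, and all sample values are assumptions constructed for illustration; only the JSON shape follows the response shown later on this page.

```python
"""Added example (not Lacework's code): how an alert profile turns an LQL
result row into alert text. Assumed, not taken from the page: the extension
semantics (a child profile inherits its parent's fields, description keys
and alerts, and a child alert with the same name replaces the parent's),
the fallback rule (an unknown template name falls back to a caller-named
default), and every sample value below, which is constructed."""
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")  # {{KEY}} as written in the profile JSON

# Constructed: a trimmed copy of the LW_CFG_AWS_DEFAULT_PROFILE shape shown on this
# page, plus a hypothetical custom profile MY_CFG_AWS_PROFILE that extends it.
_AWS_FIELDS = ["_PRIMARY_TAG", "RESOURCE_ID", "RESOURCE_TYPE", "ACCOUNT_ID", "RESOURCE_REGION"]
_DEFAULT_TEXT = ("{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:"
                 "{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}")
PROFILES: Dict[str, dict] = {
    "LW_CFG_AWS_DEFAULT_PROFILE": {
        "alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
        "extends": "LW_LPP_BaseProfile",
        "fields": [{"name": f} for f in _AWS_FIELDS],
        "descriptionKeys": [{"name": k, "spec": "{{%s}}" % k} for k in ["_OCCURRENCE"] + _AWS_FIELDS],
        "alerts": [{"name": "CFG_AWS_Violation", "eventName": "LW Configuration AWS Violation Alert",
                    "subject": _DEFAULT_TEXT, "description": _DEFAULT_TEXT}],
    },
    "MY_CFG_AWS_PROFILE": {  # hypothetical custom profile; adds one template, no new keys
        "alertProfileId": "MY_CFG_AWS_PROFILE",
        "extends": "LW_CFG_AWS_DEFAULT_PROFILE",
        "alerts": [{"name": "CFG_AWS_PublicSG", "eventName": "Security group open to the internet",
                    "subject": "Security group {{RESOURCE_ID}} in {{ACCOUNT_ID}} allows 0.0.0.0/0",
                    "description": "{{_OCCURRENCE}}: {{RESOURCE_TYPE}}:{{RESOURCE_ID}} "
                                   "({{RESOURCE_REGION}}) has an ingress rule from 0.0.0.0/0"}],
    },
}

SAMPLE_ROW = {  # constructed LQL result row; INGRESS_CIDR is deliberately not a profile field
    "_PRIMARY_TAG": "sg-0123456789abcdef0", "RESOURCE_ID": "sg-0123456789abcdef0",
    "RESOURCE_TYPE": "ec2:security-group", "ACCOUNT_ID": "123456789012",
    "RESOURCE_REGION": "us-east-1", "INGRESS_CIDR": "0.0.0.0/0",
}
SAMPLE_METADATA = {"_OCCURRENCE": "New"}  # assumed value for the _OCCURRENCE metadata key


def split_ref(ref: str):
    """Split a policy's alertProfile value, alertProfileId.alert_template_name."""
    profile_id, sep, template = ref.partition(".")
    if not sep or not profile_id or not template:
        raise ValueError(f"expected alertProfileId.alert_template_name, got {ref!r}")
    return profile_id, template


def resolve_profile(profiles: Dict[str, dict], profile_id: str) -> dict:
    """Flatten the extends chain (assumed semantics: child entries override parent entries
    by name). A parent missing from `profiles`, like LW_LPP_BaseProfile here, ends the chain."""
    chain, cur = [], profile_id
    while cur in profiles:
        chain.append(profiles[cur])
        cur = profiles[cur].get("extends")
    if not chain:
        raise KeyError(f"unknown alert profile {profile_id}")
    fields, keys, alerts = set(), {}, {}
    for p in reversed(chain):  # base profile first, so children win
        fields.update(f["name"] for f in p.get("fields", []))
        keys.update((k["name"], k["spec"]) for k in p.get("descriptionKeys", []))
        alerts.update((a["name"], a) for a in p.get("alerts", []))
    return {"fields": fields, "descriptionKeys": keys, "alerts": alerts}


def map_fields(profile: dict, row: dict) -> dict:
    """Only LQL columns declared as profile fields reach the alert; the rest are dropped."""
    return {k: v for k, v in row.items() if k in profile["fields"]}


def unknown_keys(text: str, profile: dict) -> List[str]:
    """Placeholders in a template that are not description keys (templates may use nothing else)."""
    return [k for k in PLACEHOLDER.findall(text) if k not in profile["descriptionKeys"]]


def expand(text: str, profile: dict, values: dict) -> str:
    """Replace each {{KEY}} with its description-key spec, then the spec's placeholders with
    mapped field/metadata values. A value that was never mapped is left visible, not blanked."""
    bad = unknown_keys(text, profile)
    if bad:
        raise ValueError(f"template refers to non-description-keys: {bad}")
    fill = lambda m: str(values.get(m.group(1), m.group(0)))
    return PLACEHOLDER.sub(lambda m: PLACEHOLDER.sub(fill, profile["descriptionKeys"][m.group(1)]), text)


def render_alert(profiles: Dict[str, dict], ref: str, row: dict, metadata: dict, default_template: str) -> dict:
    """Render the alert a policy with alertProfile=ref would produce for one result row,
    using default_template when the named template does not exist in the resolved profile."""
    profile_id, template = split_ref(ref)
    profile = resolve_profile(profiles, profile_id)
    alert = profile["alerts"].get(template) or profile["alerts"][default_template]
    values = {**metadata, **map_fields(profile, row)}
    return {"template": alert["name"], "eventName": alert["eventName"],
            "subject": expand(alert["subject"], profile, values),
            "description": expand(alert["description"], profile, values)}


if __name__ == "__main__":
    for ref in ("MY_CFG_AWS_PROFILE.CFG_AWS_PublicSG", "MY_CFG_AWS_PROFILE.NoSuchTemplate"):
        print(ref, "->", render_alert(PROFILES, ref, SAMPLE_ROW, SAMPLE_METADATA, "CFG_AWS_Violation"))
```

Running the block renders the custom CFG_AWS_PublicSG template for the first reference and, because NoSuchTemplate is not defined anywhere in the resolved chain, the inherited CFG_AWS_Violation template for the second. The INGRESS_CIDR column is dropped before rendering because it is not a declared field, which is why a template that referenced it would either fail (no description key) or keep the placeholder visible.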

AWS Configuration Datasources

For all AWS configuration datasources, use the same alert profile.

Datasource        Alert Profile
LW_CFG_AWS_*      LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation

Agent Datasources

Datasource            Alert Profile
LW_HA_DNS_REQUESTS    LW_HA_DNS_REQUESTS_DEFAULT_PROFILE.HA_DNS_Request_Violation
LW_HA_FILE_CHANGES    LW_HA_FILE_CHANGES_DEFAULT_PROFILE.HA_File_Changes_Violation
LW_HA_USER_LOGINS     LW_HA_USER_LOGINS_DEFAULT_PROFILE.HA_User_Login_Violation
LW_HE_CONTAINERS      LW_HE_CONTAINERS_DEFAULT_PROFILE.HE_Container_Violation
LW_HE_FILES           LW_HE_FILES_DEFAULT_PROFILE.HE_File_Violation
LW_HE_IMAGES          LW_HE_IMAGES_DEFAULT_PROFILE.HE_Image_Violation
LW_HE_MACHINES        LW_HE_MACHINES_DEFAULT_PROFILE.HE_Machine_Violation
LW_HE_PROCESSES       LW_HE_PROCESSES_DEFAULT_PROFILE.HE_Process_Violation
LW_HE_USERS           LW_HE_USERS_DEFAULT_PROFILE.HE_User_Violation

AWS CloudTrail Datasource

Datasource             Alert Profile
CloudTrailRawEvents    LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource

Note: The API (GET /api/v2/AlertProfiles) does not currently expose the CloudTrail alert profile because it is not customizable.

Example Alert Profile

To get all alert profiles, use this endpoint:

GET https://AccountName.lacework.net/api/v2/AlertProfiles

To get only the LW_CFG_AWS_DEFAULT_PROFILE alert profile and its details, use this endpoint:

GET https://AccountName.lacework.net/api/v2/AlertProfiles/LW_CFG_AWS_DEFAULT_PROFILE
LW_CFG_AWS_DEFAULT_PROFILE details (truncated):

{
  "data": {
    "alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
    "extends": "LW_LPP_BaseProfile",
    "fields": [
      {
        "name": "_PRIMARY_TAG"
      },
      {
        "name": "RESOURCE_ID"
      }, ...
    ],
    "descriptionKeys": [
      {
        "name": "_OCCURRENCE",
        "spec": "{{_OCCURRENCE}}"
      },
      {
        "name": "RESOURCE_ID",
        "spec": "{{RESOURCE_ID}}"
      }, ...
    ],
    "alerts": [
      {
        "name": "CFG_AWS_PolicyChanged",
        "eventName": "LW Configuration AWS Violation Alert",
        "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
      },
      {
        "name": "CFG_AWS_NewViolation",
        "eventName": "LW Configuration AWS Violation Alert",
        "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
      },
      {
        "name": "CFG_AWS_Violation",
        "eventName": "LW Configuration AWS Violation Alert",
        "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
      }
    ]
  }
}