Clone Policies

You cannot modify default policies directly. Instead, you can create a policy by cloning an existing policy. Cloning a policy creates a new, independent policy based on the original policy. That is, if the original policy is changed, the change is not propagated to the clone.

Overview

The steps for creating a policy by cloning one include:

  1. Clone the default policy.
  2. Modify its criteria.
  3. Enable the new custom policy.
  4. Disable the default policy.

A policy clone does not supersede its original, default policy. That is, if both the default policy and custom policy are enabled and their configuration and input data are the same, you will get two alerts for the same event (one alert per policy).

Create a Policy by Cloning

To create a policy by cloning an existing one:

  1. Click Policies.
  2. Locate and click the policy you want to base your custom policy on.
  3. In the policy details:
    • If the Clone policy icon is available, you can clone the policy.
    • If the Clone policy icon is not available, the policy cannot be cloned, or it has already been cloned the maximum number of times (4 clones). You may be able to create a new policy instead; see Create Custom Policies for details.
  4. Enter an appropriate title for the event that is generated when the policy triggers, that is, when all expressions are true or all query parameters are met.
  5. Enter one or more AND expressions or query parameters. Each expression requires a parameter, operator, and value. Refer to the parameter tables below for the policy type you are creating. When creating custom policies, Lacework recommends limiting the number of expressions to three or fewer.
    By design, Lacework captures the names of processes that engage in network activity. A process such as whoami does not make network connections, so its usage is not captured and an expression such as 'Executable path INCLUDE */whoami' is never true.
  6. Select the Severity and Frequency.
  7. The policy is enabled by default. If you want to disable the policy, toggle the Status.

String Behavior in Expressions

When using strings in an expression, you can match partial strings with the * wildcard character, as shown by the following examples:

  • If you specify "Username INCLUDE sue" and the current value of Username is suehunt, the expression is not true: the policy does not trigger and generates no alert.
  • If you specify "Username INCLUDE sue*" (with the * wildcard) and the current value of Username is suehunt, the expression is true: the policy triggers and generates an alert.

To specify file paths in an expression, you also need a wildcard. That is, to match all files under the path "/myNewFilePath", create an expression such as "File path INCLUDE /myNewFilePath/*". Note that this syntax differs from agent configuration syntax, in which the wildcard is not needed.

You can specify multiple possible matches using a comma-separated list. For example, if you specify "Username INCLUDE suehunt,joesmith" and the current value of Username is either suehunt or joesmith, the expression is true: the policy triggers and generates an alert.

Parameters for Application Policies (Prefix: LW_APP)

Parameter | Type | Description
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see the AWS documentation site.
Executable path | String | Specify the full absolute path to the executable, including the executable's name. Typically you want to specify the exact path without wildcards to limit the number of matches.
Hostname | String | Specify the machine hostname.
Username | String | Specify the username of the local user that is running the process. For example, if joesmith securely logs into a machine as suehunt and runs a process, suehunt is the username.

Parameters for File Integrity Monitoring (FIM) Policies (Prefix: LW_FIM)

Parameter | Type | Description
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see the AWS documentation site.
File Change type | String | Specify one of the following file change types, without quotes: 1) New: files were added. 2) Removed: files were deleted. 3) Changed: files were modified, added, or deleted. This parameter is used together with the File path parameter to determine whether the files matching the File path expression have been added, removed, or changed. For example, a policy with the expressions File path INCLUDE /usr/lib/* and File Change INCLUDE Changed triggers when files are modified in the /usr/lib directory.
File path | String | Specify a file path or paths identifying a set of files. This parameter is used together with the File Change type parameter to determine whether files are modified, added, or deleted. To specify file paths in policy expressions, use wildcards, for example, /myNewFilePath/*.
File owner | String | Enter the owner of a file, such as root.
File size | Number | Enter the number of bytes to compare against using the specified operator, such as Greater Than.
File hash | String | Enter a single hash value that matches one or more files. For example, you could specify a hash that matches a set of suspicious files.
Hostname | String | Enter the machine hostname.
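The following is an added example, not Lacework's code, that models the expression semantics this page describes: the String Behavior rules (no wildcard means an exact match, * matches any run of characters, comma-separated alternatives) and the FIM combination of File path and File Change type, with all expressions ANDed. It is run over constructed sample events. Reading a Changed filter as covering New and Removed events follows the page's description of Changed, case-sensitive matching and EXCLUDE as the negation of INCLUDE are assumptions, and the policy and event data are invented. It also shows the Overview's point that an enabled clone alongside its enabled default yields one alert per policy for the same event.

```python
"""Added example, not Lacework's code: a small evaluator that models the
policy expression semantics described on this page."""
import re
from dataclasses import dataclass


def _glob_match(pattern: str, value: str) -> bool:
    """One alternative: '*' matches any run of characters; everything else is
    literal and must match the whole value, so a pattern with no wildcard is
    an exact match ('sue' does not match 'suehunt'). Case-sensitive matching
    is an assumption; the page does not say."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def string_include(pattern: str, value: str) -> bool:
    """'X INCLUDE a,b*' is true when the value matches any comma-separated
    alternative (the page says to list alternatives without spaces)."""
    return any(_glob_match(alt, value) for alt in pattern.split(","))


def change_type_include(pattern: str, value: str) -> bool:
    """File Change type: the page describes 'Changed' as files that were
    modified, added, or deleted, so a 'Changed' filter is read here as matching
    any reported type; 'New' and 'Removed' match only themselves. Treating
    'Changed' as a superset is this example's interpretation."""
    wanted = pattern.split(",")
    return "Changed" in wanted or value in wanted


# Operator names as they appear on the page; EXCLUDE as the negation of
# INCLUDE is an assumption.
OPERATORS = {
    "INCLUDE": lambda pat, val: string_include(pat, str(val)),
    "EXCLUDE": lambda pat, val: not string_include(pat, str(val)),
    "Greater Than": lambda pat, val: float(val) > float(pat),
}


@dataclass(frozen=True)
class Expression:
    parameter: str  # e.g. "File path"
    operator: str   # a key of OPERATORS
    value: str      # the pattern or threshold typed into the policy


def evaluate(expr: Expression, observed) -> bool:
    """Evaluate one expression against the value the event reports."""
    if expr.parameter == "File Change type" and expr.operator == "INCLUDE":
        return change_type_include(expr.value, str(observed))
    return OPERATORS[expr.operator](expr.value, observed)


@dataclass
class Policy:
    name: str
    expressions: list
    enabled: bool = True

    def triggers(self, event: dict) -> bool:
        """All expressions are ANDed; a parameter absent from the event never matches."""
        return all(expr.parameter in event and evaluate(expr, event[expr.parameter])
                   for expr in self.expressions)


def alerts_for(event: dict, policies: list) -> list:
    """One alert per enabled policy whose expressions all hold: a clone that is
    enabled alongside its unchanged default produces two alerts for one event."""
    return [p.name for p in policies if p.enabled and p.triggers(event)]


# Constructed policy using the page's own FIM example expressions.
FIM_DEFAULT = Policy("LW_FIM default (constructed)", [
    Expression("File path", "INCLUDE", "/usr/lib/*"),
    Expression("File Change type", "INCLUDE", "Changed"),
])
FIM_CLONE = Policy("LW_FIM clone (constructed)", FIM_DEFAULT.expressions)

# Constructed sample FIM events, not real data.
SAMPLE_EVENTS = [
    {"File path": "/usr/lib/libc.so.6", "File Change type": "Changed", "File size": 2000000},
    {"File path": "/usr/lib/x86_64-linux-gnu/libssl.so.3", "File Change type": "New", "File size": 600000},
    {"File path": "/etc/passwd", "File Change type": "Changed", "File size": 1800},
    {"File path": "/usr/lib", "File Change type": "Changed", "File size": 4096},  # the directory itself, not under /usr/lib/*
]


def matching_paths(policy: Policy, events: list) -> list:
    """Paths of the events that trigger the policy, in input order."""
    return [e["File path"] for e in events if policy.triggers(e)]


if __name__ == "__main__":
    print(matching_paths(FIM_DEFAULT, SAMPLE_EVENTS))
    print(alerts_for(SAMPLE_EVENTS[0], [FIM_DEFAULT, FIM_CLONE]))
```

Running it shows two of the four events matching (the libssl event counts because New falls under Changed in this reading, and the bare "/usr/lib" event does not because the wildcard requires something after the slash), and the first event raising one alert for the default and one for the clone until the default is disabled.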

Parameters for User Login Activity Policies (Prefix: LW_USER)

Parameter | Type | Description
Machine Name | String | Enter the unique identifier given to a machine.
Number of countries from where logins detected | Number | Enter the number of distinct countries from which logins were detected, per user and machine, within the last hour.
Number of distinct source/originating IPs | Number | Enter the number of distinct IP addresses from which logins were detected within the last hour.
Number of failed logins | Number | Enter the total number of failed login attempts detected on a machine within the last hour.
Number of successful logins | Number | Enter the total number of successful login attempts detected on a machine within the last hour.
Source IP address | String | Specify the source IP address or addresses to include or exclude in custom policy filters. For multiple IPs, use a comma-separated list without spaces.
Username | String | Enter the username that is logging in to a machine.