In addition to creating a custom policy using the Lacework API, you can create a custom policy through the Lacework Console. This section provides the steps to create a custom Lacework Query Language (LQL) policy, as well as information on how to view and edit policies.
Create a New Custom Policy
Lacework enables you to create a new LQL policy through the Lacework Console.
Log in to the Lacework Console and navigate to Policies.
Click + Add Policy. The New Policy window appears.
Specify the parameters for your policy.
- Title: Name for the new policy that also identifies what the policy does
- Description: Information about the new policy
- Alerts: Select the action to take for an event triggered by this policy. You can either send an alert notification or mute the event.
- Severity: Select the severity level to assign to events triggered by this policy. This allows you to sort and filter events by severity level.
- Status: Enable or disable this policy with this toggle.
Missing required fields are indicated with a red error message. You cannot continue with the policy creation until you provide these required parameters.
Click Save and Continue. The Query window appears.
Specify a query identifier in Query ID for your new policy.
Paste the custom query you created earlier into the window (see Create a Query). Lacework validates your query, and an error appears if the query is invalid or empty. To erase the pasted query, click the Remove the pasted query icon.
Click Save and Continue. The Context window appears.
Optionally, enter remediation information to display with notifications from this new policy.
Click Save and Continue. A confirmation message appears upon successful creation of your new custom LQL policy.