Skip to main content

Create Policies

note

The information and steps discussed in this topic apply to non-LQL-based policies only. To create custom LQL-based policies, see Use the Lacework Console to Create Custom Policies. For general information on LQL, see LQL Overview.

Overview

Lacework categorizes policies into default and custom policies. Default policies are read-only, so you can only enable or disable them. If you want a policy that does something different than what the default policy offers, you must create a custom policy. The policy that you create does not overwrite the default policy. Summarized steps:

  1. Clone the default policy.
  2. Modify its criteria.
  3. Enable the new custom policy.
  4. Disable the default policy.

If both the default policy and custom policy are enabled and their input data is the same, you get two alerts (one alert per policy). Lacework evaluates all active policies regardless if they are default or custom.

Create a Policy

To create a policy:

  1. Click Policies.
  2. Locate and click the policy you want to base your custom policy on.
  3. In the policy details:
    • If the Clone policy icon is available, you can clone the policy.
    • If the Clone policy icon is not available, the policy cannot be cloned or the policy has already been cloned the maximum number of times (4 clones).
  4. Enter an appropriate title for the event that is generated when the policy triggers when all expressions are true or all query parameters are met.
  5. Enter one or more AND expressions or query parameters. Each expression requires a parameter, operator, and value. Refer to the following tables for the appropriate policy. When creating custom policies, Lacework recommends limiting the number of expressions to three or fewer.
    By design, Lacework captures the names of processes that engage in network activities. If you create a policy with an expression such as 'Executable path INCLUDE */whoami', the 'whoami' usage is not captured and therefore, this expression is never true.
  6. Select the Severity and Frequency.
  7. The policy is enabled by default. If you want to disable the policy, toggle the Status.

String Behavior in Expressions

When you specify a string in an expression, partial matches are not supported unless you specify the * wildcard, as shown by the following examples:

  • If you specify ‘Username INCLUDE sue’ and the current value of Username is suehunt, the expression is not true, the policy does not trigger or generate alerts.
  • If you specify the ‘Username INCLUDE sue*’ expression (with the * wildcard) and the current value of Username is suehunt, the expression is true, the policy triggers and generates alerts.

You can specify multiple possible matches using a comma-separated list. For example, if you specify the ‘Username INCLUDE suehunt,joesmith’ expression and the current value of Username is suehunt or joesmith, the expression is true, the policy triggers and generates alerts.

Parameters for Application Policies (Prefix: LW_APP)

ParameterTypeDescription
AccountStringSpecify the unique 12-digit ID number that identifies the AWS account. For more information, see the AWS documentation site.
Executable pathStringSpecify a full absolute directory path to an executable that includes the name of the executable. Typically you want to specify the exact directory path without wildcards to limit the number of matching expressions.
HostnameStringSpecify the machine hostname.
UsernameStringSpecify the username of the local user that is running the process. For example, if joesmith securely logs into a machine as suehunt and runs a process, suehunt is the username.

Parameters for File Integrity Monitoring (FIM) Policies (Prefix: LW_FIM)

ParameterTypeDescription
AccountStringSpecify the unique 12-digit ID number that identifies the AWS account. For more information, see the AWS documentation site.
File Change typeStringSpecify one of the following file change types: 1) New—files were added. 2) Removed—files were deleted. 3) Changed—files were modified, added, or deleted. Do not specify quotes around the type. This parameter is used in combination with the File path parameter to determine if the files matching the File path expression have been added, removed or changed. For example, the policy triggers if the following expressions occur: a policy has a File path INCLUDE /usr/lib/* expression, a File Change INCLUDE Changed expression, and files are modified in the /usr/lib directory.
File pathStringSpecify a file path or file paths to a set of files. This parameter is used in combination with the File Change type parameter to determine if files are modified, added, or deleted.
File ownerStringEnter the owner of a file, such as root.
File sizeNumberEnter the number of bytes to compare against the specified operator such as Greater Than.
File hashStringEnter a single hash value that matches one or more files. For example, you could specify a hash that matches a set of suspicious files.
HostnameStringEnter the machine hostname.

Parameters for User Login Activity Policies (Prefix: LW_USER)

ParameterTypeDescription
Machine NameStringEnter a unique identifier given to a machine.
Number of countries from where logins detectedNumberEnter the total number of different countries where logins have been detected originating from, per user and machine within the last hour.
Number of distinct source/originating IPsNumberEnter the total number of IP addresses where logins have been detected originating from within the last hour.
Number of failed loginsNumberEnter the total number of failed login attempts that have been detected on a machine within the last hour.
Number of successful loginsNumberEnter the total number of successful login attempts that have been detected on a machine within the last hour.
Source IP addressStringSpecify the source IP address/es to include/exclude for custom policy filters. For multiple IPs, use a comma-separated list without spaces.
UsernameStringEnter the username that is logging in to a machine.

Parameters for Vulnerability Policies (Prefix: LW_VULN)

ParameterTypeDescription
CVEStringEnter the CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values in one line separated by a comma. Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.
CVE severityStringEnter the CVE severity or severities, such as Critical or High. You can specify multiple values separated by a comma. This policy would generate an alert with the specified severities only. The severity is derived from the CVSS rating score. Valid values are None, Low, Medium, High, and Critical.
Image activeNumberEnter 0 for false, meaning the image is not active. Enter 1 for true, meaning the image is active.
Image privilegedNumberEnter 0 for false, meaning the image is not privileged. Enter 1 for true, meaning the image is privileged.
Image repoStringEnter the image repository, such as lacework/myrepo123. A container image repository is a collection of related container images.
Image tagsStringEnter the image tag(s). A typical tag could look like DATE_BRANCH_RANDOM_ID, such as 2019-10-10_master_db0dd95. You can specify multiple values separated by a comma. A tag is a label applied to an image so that different images or versions of the same image can be identified.
Host nameStringEnter the host name, such as myhostname.
Machine tagsStringSelect existing machine tags from the drop-down menu. Or enter new machine tags in the indicated format key->value.
MidNumberEnter the machine ID, a unique identifier from the agent, such as 1234.
Package activeNumberEnter 0 for false, meaning the package is not active. Enter 1 for true, meaning the package is active.
Package nameStringEnter the name of the software package, such as vim.
Package namespaceStringEnter the namespace associated with the package, such as ubuntu:18.04.
Package versionStringSpecify the package version, such as 2.20.9-0ubuntu7.14.

Edit a Policy

To edit a policy, click it on the Policies page and then edit your chosen settings.

You can also edit a custom policy directly from an event that was generated by the custom policy:

  1. From the timeline in Events, find the event generated from a custom policy.
  2. Click the icon_details.png Open Event Dossier icon.
    This displays the Event details.
  3. In the top right corner, locate and click the icon_edit_policy.png Edit Policy icon.
  4. Make any changes to the policy and click Save.