
Default Policies

See Policies Overview for information on how to view, enable, or disable policies.

Note

We'd love to hear your feedback. We are continually looking for ways to improve our detections and want to hear from you. Your observations and feedback will guide our evolution as we continue to help you reduce your security risk.

Please email your feedback to support@lacework.com.

This topic describes default Lacework policies.

General Policies

The following table specifies general anomaly policies.

Policy ID | Alert Generated by Policy | Description
--- | --- | ---
LACEWORK-GLOBAL-491 | Offensive security container | Offensive security tools are used during testing to evaluate the effectiveness of security products and security controls. Attackers might also use offensive security tools for developing exploits, identifying weaknesses in the target system, and carrying out attacks. Remediation is environment-dependent because this might be expected or the result of normal operations. Investigate and determine the nature of the activity.
LACEWORK-GLOBAL-492 | Potential reverse shell | A reverse shell is a shell session initiated by the target machine, rather than from the client. Determine if the event is associated with reverse shell initiation by examining the command-line arguments of the flagged process. If a reverse shell is suspected, determine whether it was legitimate use. Otherwise, prepare incident response for the workload to investigate unauthorized access.
LACEWORK-GLOBAL-493 | Potential Codecov Bash uploader command | In the Codecov supply chain attack, the Bash uploader script was maliciously modified to upload potentially sensitive environment variables to an attacker-controlled site. This policy flags a similar use of cURL for data exfiltration. Determine if the affected cURL process is legitimate. If you don't find any legitimate use, prepare the host for incident response to determine unauthorized access.
LACEWORK-GLOBAL-494 | Commonly used scanners | Scanning tools are often used during exercises and testing to map the target environment and identify vulnerable systems and services. Attackers, likewise, use these tools to assist in post-exploitation activities. Determine if the activity is legitimate. If not, prepare incident response for the affected host. Check other reachable hosts for signs of malicious activity.
LACEWORK-GLOBAL-495 | Out-of-Band Application Security Testing (OAST) tools | Out-of-Band Application Security Testing (OAST) tools, such as Burp Suite and Project Discovery, are commonly used by pen-testers, researchers, and attackers to test for various vulnerabilities and perform reconnaissance. Any DNS request for these domains might represent a vulnerability. Determine whether the queries come from legitimate internal sources or from external sources. Determine if affected hosts have any internet-accessible remote code execution vulnerabilities and remediate.
LACEWORK-GLOBAL-496 | Container with writable root volume map detected | A container was detected running with the root of the host file system mounted. This could potentially allow a container escape to access the host system. Determine if the root volume mount is required. Remove this requirement to reduce the chances of container escape if the affected container is compromised. This policy is disabled by default. To enable it, see Policies Overview.
LACEWORK-GLOBAL-646 | Reverse Shell Connection | A reverse shell is a shell session initiated by the target machine, rather than from the client. It is a common method used by attackers to control compromised systems that are not publicly routable. This policy detects reverse shell invocations that have successfully established network connections.
LACEWORK-GLOBAL-647 | Cryptojacking Artifacts | Cryptojacking is the act of hijacking cloud infrastructure to illegally mine cryptocurrencies. This policy detects command-line artifacts observed to be initializing cryptomining applications.

AWS CloudTrail Policies

Lacework generates the data needed to populate reports on a regular schedule, typically once a day. After it generates the report data, Lacework assesses all the enabled policies. During this assessment, Lacework checks whether all the expressions in a policy evaluate to true and, if they do, generates an event. It repeats this assessment for each enabled policy.

If the same policy triggers again within the next hour, Lacework updates the existing event with summary information about the subsequent trigger. If the same policy triggers again after one hour, Lacework creates another event.

The following table specifies the default AWS CloudTrail policies. For more information about these alerts, see AWS Policy Alerting.

Policy ID | Alert Generated by Policy
--- | ---
LACEWORK-GLOBAL-1 | VPC Change
LACEWORK-GLOBAL-2 | Security Group Change
LACEWORK-GLOBAL-3 | NACL Change
LACEWORK-GLOBAL-4 | Network Gateway Change
LACEWORK-GLOBAL-5 | Route Table Change
LACEWORK-GLOBAL-6 | New VPN Connection
LACEWORK-GLOBAL-7 | VPN Gateway Change
LACEWORK-GLOBAL-8 | Usage of Root Account
LACEWORK-GLOBAL-9 | New S3 Bucket
LACEWORK-GLOBAL-10 | S3 Bucket Deleted
LACEWORK-GLOBAL-11 | S3 Bucket Policy Change
LACEWORK-GLOBAL-12 | IAM Policy Change
LACEWORK-GLOBAL-13 | IAM Access Key Change
LACEWORK-GLOBAL-14 | New User
LACEWORK-GLOBAL-15 | New Customer Master Key
LACEWORK-GLOBAL-16 | New Customer Master Key Alias
LACEWORK-GLOBAL-17 | Customer Master Key Disabled
LACEWORK-GLOBAL-18 | Customer Master Key Scheduled for Deletion
LACEWORK-GLOBAL-19 | New Grant Added to Customer Master Key
LACEWORK-GLOBAL-20 | CloudTrail Change
LACEWORK-GLOBAL-21 | Successful Console Login Without MFA
LACEWORK-GLOBAL-22 | Failed Console Login
LACEWORK-GLOBAL-23 | Configuration Service Change
LACEWORK-GLOBAL-24 | Access Key Deleted
LACEWORK-GLOBAL-25 | CloudTrail Deleted
LACEWORK-GLOBAL-26 | CloudTrail Stopped
LACEWORK-GLOBAL-27 | New Access Key
LACEWORK-GLOBAL-28 | New VPC
LACEWORK-GLOBAL-29 | Unauthorized API Call
LACEWORK-GLOBAL-30 | S3 Bucket ACL Change

AWS Behavior Anomaly Policies

The following table specifies the default AWS behavior anomaly policies. For more information about these alerts, see AWS Activity Alerting.

Policy ID | Alert Generated by Policy
--- | ---
LW_AWS_ACCNT_86 | New Account
LW_AWS_API_97 | Service Called API
LW_AWS_API_98 | API Failed With Error
LW_AWS_ERR_92 | New Error Code
LW_AWS_LOGIN_93 | Login From Known Bad Source Location
LW_AWS_LOGIN_94 | Login From New Source Location
LW_AWS_MODELSERVICE_155 | Unexpected Change in AWS Api Error Volume
LW_AWS_MODELSERVICE_156 | Unexpected Change in AWS GPU Instance Launch Volume
LW_AWS_REGION_90 | New Region
LW_AWS_REGION_91 | User Used Service In Region
LW_AWS_REGION_95 | User Accessing Region
LW_AWS_REGION_96 | Service Accessed In Region
LW_AWS_SERVICE_89 | New Service
LW_AWS_USR_87 | AWS User Logged In From Source
LW_AWS_USR_88 | User Calltype MFA

Azure Activity Log Policies

The following table specifies the default Azure Activity Log policies. For more information about these alerts, see Azure Activity Alerting.

Policy ID | Alert Generated by Policy
--- | ---
LW_AL_APP_40 | Security Solution Created/Updated
LW_AL_APP_41 | Security Solution Deleted
LW_AL_FIREWALL_42 | SQL Server Firewall Rule Created/Updated
LW_AL_FIREWALL_43 | SQL Server Firewall Rule Deleted
LW_AL_IAM_35 | Policy Assignment Created
LW_AL_IAM_44 | Security Policy Updated
LW_AL_NETWORK_36 | Network Security Group Created/Updated
LW_AL_NETWORK_37 | Network Security Group Deleted
LW_AL_NETWORK_38 | Network Security Group Rule Created/Updated
LW_AL_NETWORK_39 | Network Security Group Rule Deleted

Azure Behavior Anomaly Policies

The following table specifies the default Azure behavior anomaly policies. For more information about these alerts, see Azure Policy Alerting.

Policy ID | Alert Generated by Policy
--- | ---
LW_AZURE_API_142 | New Azure API Call Accessed Resource
LW_AZURE_ERROR_140 | New Azure API Failed
LW_AZURE_EVENT_141 | New Azure Operation On Resource
LW_AZURE_LOGIN_139 | New Azure Login From Bad Source
LW_AZURE_SERVICE_138 | New Azure Service
LW_AZURE_SUBSCRIPTION_137 | New Azure Subscription

GCP Audit Log Policies

The following table specifies the default GCP Audit Log policies. For more information about these alerts, see GCP Policy Alerting.

Policy ID | Alert Generated by Policy
--- | ---
LW_AT_IAM_51 | Cloud Storage IAM Permission Changed
LW_AT_IAM_165 | Project IAM Policy Changed
LW_AT_IAM_166 | Folder IAM Policy Changed
LW_AT_IAM_167 | Organization IAM Policy Changed
LW_AT_IAM_168 | GCP Resource IAM Policy Changed
LW_AT_IAM_178 | Cloud KMS IAM Policy Modified
LW_AT_RESOURCE_45 | Project Ownership Assignments Changed
LW_AT_RESOURCE_46 | Audit Configuration Changed
LW_AT_RESOURCE_47 | Custom Role Changed
LW_AT_RESOURCE_169 | Service Account Created
LW_AT_RESOURCE_170 | Service Account Key Modified
LW_AT_RESOURCE_171 | Cloud VPN Created
LW_AT_RESOURCE_172 | Cloud VPN Created
LW_AT_RESOURCE_173 | Cloud Storage Bucket Created
LW_AT_RESOURCE_174 | Cloud Logging Sink Modified
LW_AT_RESOURCE_175 | Cloud KMS Key Ring Created
LW_AT_RESOURCE_176 | Cloud KMS Key Created
LW_AT_RESOURCE_177 | Cloud KMS Key Version Destroyed
LW_AT_SQL_52 | SQL Instance Configuration Changed
LW_AT_VPC_49 | VPC Network Route Changed
LW_AT_VPC_48 | VPC Network Firewall Rule Changed
LW_AT_VPC_50 | VPC Network Changed

GCP Behavior Anomaly Policies

The following table specifies the default GCP behavior anomaly policies. For more information about these alerts, see GCP Activity Alerting.

Policy ID | Alert Generated by Policy
--- | ---
LW_GCP_ACCNT_107 | New GCP Organization
LW_GCP_ERROR_118 | GCP Api Failed With Error
LW_GCP_LOGIN_108 | New GCP Source
LW_GCP_LOGIN_113 | GCP User Logged In From Bad Source
LW_GCP_LOGIN_114 | GCP User Logged In From Source
LW_GCP_REGION_111 | New GCP Region
LW_GCP_REGION_115 | GCP User Accessing Region
LW_GCP_REGION_116 | GCP Service Accessed In Region
LW_GCP_SERVICE_110 | New GCP Service
LW_GCP_SERVICE_112 | New GCP Api Call
LW_GCP_SERVICE_117 | GCP Service Called Api
LW_GCP_USR_109 | New GCP User

Host Policies

If Lacework detects that a process or application has run, it assesses all enabled default and custom host policies. During this assessment, Lacework checks whether all expressions in a host policy evaluate to true and, if they do, generates an event that you can see in the Lacework Console. It repeats this assessment for each enabled policy.

If the same rule triggers again within the next hour, Lacework updates the existing event with summary information about the subsequent trigger. If the same rule triggers again after one hour, Lacework creates another event.

In addition to default and custom policies, Lacework has a set of internal expressions that also generate host events, which you can view in the Lacework Console. For example, if Lacework finds a file with a suspicious hash, it generates a Malicious File event. These internal detections run concurrently with the detection and event generation performed by the default and custom policies.

The following table specifies the default host policies. For more information about these alerts, see Alert Types Classified as Policy Category.

Policy ID | Alert Generated by Policy
--- | ---
LACEWORK-GLOBAL-484 | Changes to Autorun Registry Keys on Windows
LACEWORK-GLOBAL-491 | Offensive Security Containers
LACEWORK-GLOBAL-492 | Potential Reverse Shell
LACEWORK-GLOBAL-493 | Potential Codecov Bash Uploader Command
LACEWORK-GLOBAL-494 | Commonly Used Scanners
LACEWORK-GLOBAL-495 | Out-of-Band Application Security Testing (OAST) Tools
LACEWORK-GLOBAL-496 | Container with Writeable Root Volume Map Detected
LACEWORK-GLOBAL-646 | Reverse Shell Connection
LACEWORK-GLOBAL-647 | Cryptojacking Artifacts
LW_APP_1 | Suspicious Applications
LW_APP_TYPE_70 | New Application
LW_APP_TYPE_125 | New Vulnerable Application
LW_EXT_DNS_58 | New External Host
LW_EXT_DNS_59 | Bad External Host
LW_EXT_DNS_60 | New External Client DNS
LW_EXT_DNS_61 | Bad External Client DNS
LW_EXT_DNS_62 | New External Server
LW_EXT_DNS_63 | Bad External DNS Server
LW_EXT_IP_64 | New External Server IP Address
LW_EXT_IP_65 | Bad External Server IP Address
LW_EXT_IP_66 | New External Client IP Address
LW_EXT_IP_67 | Bad External Client IP Address
LW_EXT_IP_68 | New Internal Server IP
LW_EXT_IP_69 | New Internal Client IP
LW_FIM_33 | Files Changed
LW_FIM_34 | Suspicious Files
LW_FIM_136 | Malicious File
LW_HOST_77 | New External Host Server Connection
LW_HOST_78 | Bad External Server Host Connection
LW_HOST_128 | New External Host Server Connection From Vulnerable Application
LW_HOST_129 | Bad External Server Host Connection From Vulnerable Application
LW_IP_73 | New External Client IP Address Connection
LW_IP_74 | Bad External Client IP Address Connection
LW_IP_75 | New External Server IP Address Connection
LW_IP_76 | Bad External Server IP Address Connection
LW_IP_79 | New Internal Connection
LW_IP_126 | New External Server IP Address Connection From Vulnerable Application
LW_IP_127 | Bad External Server IP Address Connection From Vulnerable Application
LW_IP_131 | New Vulnerable Internal Connection
LW_IP_134 | Bad External Client IP Address Connection To Vulnerable Application
LW_IP_135 | New External Client IP Address Connection To Vulnerable Application
LW_K8LAUNCH_99 | New K8s Cluster
LW_K8LAUNCH_100 | New K8s Namespace
LW_K8LAUNCH_101 | New K8s Pod
LW_PROCESS_80 | New Privilege Escalation
LW_PROCESS_81 | New Child Launched
LW_PROCESS_132 | New Child Launched From Vulnerable Application
LW_PROCESS_133 | New Vulnerable Child Launched
LW_USER_31 | Suspicious logins from multiple GEOs
LW_USER_32 | Suspicious Logins
LW_USR_72 | New User
LW_USR_82 | Machine Cluster Launched New Binary
LW_USR_83 | User Launched New Binary
LW_USR_84 | User Logged In From New IP
LW_USR_85 | User Logged In From New Location
LW_USR_130 | User Launched New Vulnerable Binary

Host Behavior Anomaly Policies

The following table specifies the default host behavior anomaly policies. For more information about these alerts, see Alert Types Classified as Anomaly Category.

Policy ID | Alert Generated by Policy
--- | ---
LW_APP_TYPE_70 | New Application
LW_APP_TYPE_125 | New Vulnerable Application
LW_EXT_DNS_58 | New External Host
LW_EXT_DNS_59 | Bad External Host
LW_EXT_DNS_60 | New External Client DNS
LW_EXT_DNS_61 | Bad External Client DNS
LW_EXT_DNS_62 | New External Server
LW_EXT_DNS_63 | Bad External DNS Server
LW_EXT_IP_64 | New External Server IP Address
LW_EXT_IP_65 | Bad External Server IP Address
LW_EXT_IP_66 | New External Client IP Address
LW_EXT_IP_67 | Bad External Client IP Address
LW_EXT_IP_68 | New Internal Server IP
LW_EXT_IP_69 | New Internal Client IP
LW_FIM_136 | Malicious File
LW_HOST_77 | New External Host Server Connection
LW_HOST_78 | Bad External Server Host Connection
LW_HOST_128 | New External Host Server Connection From Vulnerable Application
LW_HOST_129 | Bad External Server Host Connection From Vulnerable Application
LW_IP_73 | New External Client IP Address Connection
LW_IP_74 | Bad External Client IP Address Connection
LW_IP_75 | New External Server IP Address Connection
LW_IP_76 | Bad External Server IP Address Connection
LW_IP_79 | New Internal Connection
LW_IP_126 | New External Server IP Address Connection From Vulnerable Application
LW_IP_127 | Bad External Server IP Address Connection From Vulnerable Application
LW_IP_131 | New Vulnerable Internal Connection
LW_IP_134 | Bad External Client IP Address Connection To Vulnerable Application
LW_IP_135 | New External Client IP Address Connection To Vulnerable Application
LW_K8LAUNCH_99 | New K8s Cluster
LW_K8LAUNCH_100 | New K8s Namespace
LW_K8LAUNCH_101 | New K8s Pod
LW_MCH_71 | New Machine Server Cluster
LW_PROCESS_80 | New Privilege Escalation
LW_PROCESS_81 | New Child Launched
LW_PROCESS_132 | New Child Launched From Vulnerable Application
LW_PROCESS_133 | New Vulnerable Child Launched
LW_USR_72 | New User
LW_USR_82 | Machine Cluster Launched New Binary
LW_USR_83 | User Launched New Binary
LW_USR_84 | User Logged In From New IP
LW_USR_85 | User Logged In From New Location
LW_USR_130 | User Launched New Vulnerable Binary

Kubernetes Policies

Beta feature

This section describes functionality that is currently in beta.

The following table specifies the default Kubernetes policies. For more information about these alerts, see Alert Types Classified as Policy Category.

Policy ID | Alert Generated by Policy | Description
--- | --- | ---
LACEWORK-GLOBAL-158 | Successful command execution on container | Detects access to a container (kubectl exec <container>).
LACEWORK-GLOBAL-162 | API access of container logs | Detects access to the container logs (kubectl logs <container>).
LACEWORK-GLOBAL-163 | Usage of kubernetes Port Forward | Detects usage of port forwarding (kubectl port-forward <resource name>).
LACEWORK-GLOBAL-164 | kubectl attach to container process | Detects access to the container stdout (kubectl attach <container>).
LACEWORK-GLOBAL-165 | Ephemeral container attached to pod | An ephemeral container was launched and attached to a running pod.
LACEWORK-GLOBAL-166 | Workload created on cluster | A workload was created on a cluster.
LACEWORK-GLOBAL-167 | Workload deleted on cluster | A workload was deleted from a cluster.
LACEWORK-GLOBAL-168 | Workload created in default namespace | A workload was created in the default namespace.
LACEWORK-GLOBAL-169 | Workload created with container privilege escalation | A workload with container privilege escalation was created.
LACEWORK-GLOBAL-170 | Workload created with privileged containers | A workload with privileged containers was created.
LACEWORK-GLOBAL-172 | Workload created with shared host network | A workload with a shared host network was created.
LACEWORK-GLOBAL-173 | Workload created with shared host PID | A workload with shared host PID was created.
LACEWORK-GLOBAL-174 | Workload created with shared host IPC | A workload with shared host IPC was created.
LACEWORK-GLOBAL-175 | Workload created with hostPath volume | A workload with a hostPath volume was created.
LACEWORK-GLOBAL-176 | Workload created with Unmasked proc mount | A workload with an Unmasked proc mount was created.
LACEWORK-GLOBAL-177 | Kubernetes namespace creation | A Kubernetes namespace was successfully created.
LACEWORK-GLOBAL-178 | Kubernetes namespace deletion | A Kubernetes namespace was successfully deleted.
LACEWORK-GLOBAL-185 | Role or Cluster Role deleted | A Role or Cluster Role was deleted.
LACEWORK-GLOBAL-186 | Role binding or Cluster Role binding created | A binding to a Kubernetes Role or Cluster Role was created.
LACEWORK-GLOBAL-187 | Role binding or Cluster Role binding deleted | A binding to a Kubernetes Role or Cluster Role was deleted.
LACEWORK-GLOBAL-188 | Change or deletion of system:* Cluster Role | One of the default system:* Cluster Roles was modified or deleted.
LACEWORK-GLOBAL-189 | Change or deletion of system:* Role | One of the default system:* Roles was modified or deleted.
LACEWORK-GLOBAL-190 | Role or Cluster Role created | A Kubernetes Role or Cluster Role was created.
LACEWORK-GLOBAL-191 | ClusterRoleBinding created for cluster-admin Role | A Cluster Role Binding to the cluster-admin Cluster Role was created. The cluster-admin Cluster Role gives full access to all Kubernetes resources and actions.
LACEWORK-GLOBAL-192 | Role or Cluster Role created with wildcarded resources or verbs | A Role or Cluster Role was created with a wildcard (*) for resources, giving permissions for all Kubernetes Resources.
LACEWORK-GLOBAL-193 | Role or Cluster Role created with access to secrets | A Role or Cluster Role was created that allows access to Kubernetes secrets.
LACEWORK-GLOBAL-194 | Cluster Role created or modified | A Kubernetes Cluster Role was modified or deleted.
LACEWORK-GLOBAL-195 | Cluster Role granting permissions on pods/exec | A Cluster Role was created that allows the creation of new pods (pods/exec).
LACEWORK-GLOBAL-200 | Service created with External Load Balancer | A service with an external load balancer was created.
LACEWORK-GLOBAL-201 | Service created with NodePort | A service with NodePort was created.
LACEWORK-GLOBAL-202 | Ingress created without TLS | An ingress without TLS was created.
LACEWORK-GLOBAL-203 | Pod started with image from non-standard registry | A pod was started with an image from a non-standard registry.
LACEWORK-GLOBAL-204 | Admin privileges bound to default service account | Admin privileges were bound to the default service account.
LACEWORK-GLOBAL-205 | Kubernetes Dashboard exposed by load balancer | The Kubernetes Dashboard was exposed by a load balancer.
LACEWORK-GLOBAL-206 | System namespace exposed by load balancer | A system namespace was exposed by a load balancer.

Kubernetes Behavior Anomaly Policies

Beta feature

This section describes functionality that is currently in beta.

The following table specifies the default Kubernetes behavior anomaly policies. For more information about these alerts, see Kubernetes Activity.

Policy ID | Alert Generated by Policy
--- | ---
LW_K8S_AUDIT_LOG_119 | K8s Audit Log Cluster Role Created
LW_K8S_AUDIT_LOG_120 | K8s Audit Log Cluster Role Binding Created
LW_K8S_AUDIT_LOG_121 | K8s Audit Log Role Created
LW_K8S_AUDIT_LOG_122 | K8s Audit Log Role Binding Created
LW_K8S_AUDIT_LOG_123 | K8s Audit Log Ingress Created
LW_K8S_AUDIT_LOG_124 | K8s Audit Log Workload Created
LW_K8S_AUDIT_LOG_143 | K8s Audit Log Namespace Created
LW_K8S_AUDIT_LOG_144 | K8s Audit Log Resource Created
LW_K8S_AUDIT_LOG_145 | K8s Audit Log Role Created With All Resources Permission
LW_K8S_AUDIT_LOG_146 | K8s Audit Log Role Created With Pods Write Permission
LW_K8S_AUDIT_LOG_147 | K8s Audit Log Role Created With Pod Exec Permission
LW_K8S_AUDIT_LOG_148 | K8s Audit Log Role Created With Secrets Permission
LW_K8S_AUDIT_LOG_149 | K8s Workload Created With Privilege Escalation
LW_K8S_AUDIT_LOG_150 | K8s Workload Created With Host Access
LW_K8S_AUDIT_LOG_151 | K8s Audit Log Cluster Role Created With All Resources Permission
LW_K8S_AUDIT_LOG_152 | K8s Audit Log Cluster Role Created With Pods Write Permission
LW_K8S_AUDIT_LOG_153 | K8s Audit Log Cluster Role Created With Pod Exec Permission
LW_K8S_AUDIT_LOG_154 | K8s Audit Log Cluster Role Created With Secrets Permission
LW_K8S_AUDIT_LOG_157 | K8s Audit Log Cluster Role Bindings To Cluster Admin
LW_K8S_AUDIT_LOG_158 | K8s Audit Log Cluster Role Bindings To Admin
LW_K8S_AUDIT_LOG_159 | K8s Audit Log Cluster Role Bindings To Edit
LW_K8S_AUDIT_LOG_160 | K8s Audit Log Cluster Role Bindings To System
LW_K8S_AUDIT_LOG_161 | K8s Audit Log Role Bindings To Cluster Admin
LW_K8S_AUDIT_LOG_162 | K8s Audit Log Role Bindings To Admin
LW_K8S_AUDIT_LOG_163 | K8s Audit Log Role Bindings To Edit
LW_K8S_AUDIT_LOG_164 | K8s Audit Log Role Bindings To System

Vulnerability Assessment

Vulnerability assessment provides the ability to scan, identify, and report vulnerabilities found in the operating system software packages in hosts or Docker container images. After you install the Lacework agent on hosts or integrate a container registry in Lacework, Lacework scans the hosts or container images in the registry repositories for software packages with known vulnerabilities, and reports them. For information about vulnerability assessments, see Container Vulnerability Assessment Overview and Host Vulnerability Assessment Overview.

Vulnerability assessment policies are designed to help define organization-specific risk management and to notify you of critical software risk items within your monitored infrastructure. These policies apply to hosts and containers only and cannot be modified to apply to processes, users, etc.

The following table specifies the default vulnerability policies. For more information about these alerts, see Application.

Policy ID | Alert Generated by Policy
--- | ---
LW_VULN_53 | New Security Vulnerability
LW_VULN_54 | Known Security Vulnerability
LW_VULN_55 | New Security Vulnerability in Repository
LW_VULN_56 | Severity changes for Security Vulnerability
LW_VULN_57 | A Fix available for Security Vulnerability
LW_VULN_102 | New Security Vulnerability
LW_VULN_103 | Known Security Vulnerability
LW_VULN_104 | Severity changes for Security Vulnerability
LW_VULN_105 | A Fix available for Security Vulnerability