Host Integrity Policies
Several additional types of Lacework policies do not rely on Lacework Query Language (LQL) queries, but instead perform assessments and detections in different ways.
You can customize these policy types by cloning the policies and setting or editing the conditions upon which the policies are based. These include the following host-oriented policy types:
- Application Policies (Policy ID prefix: LW_APP)
- File Integrity Monitoring (FIM) Policies (Policy ID prefix: LW_FIM)
- User Login Activity Policies (Policy ID prefix: LW_USER)
Default policies for these types follow:
| Policy ID | Alert Generated by Policy | Description |
|---|---|---|
| LW_APP_1 | Suspicious Applications | Remote connection applications were used. |
| LW_FIM_33 | Files Changed | Password and group membership files were changed |
| LW_USER_31 | Suspicious logins from multiple GEOs | Suspicious logins from multiple GEOs - A single user logged in from more than one country |
| LW_USER_32 | Suspicious Logins | Suspicious Logins - Repeated failed attempts to login |
The following topics describe how to create and modify these policies: