Policies

Policies add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console.

Policies also facilitate the scheduled execution of a Lacework query.

Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.

Lacework offers a set of default LQL policies that are available in your account.

Limitations:

  • The maximum number of records that each policy will return is 1000
  • The maximum number of API calls is 120 per hour for on-demand LQL query executions

To view all the policies in your Lacework account.

lacework policy ls

  • To show only enabled policies, use the --enabled flag
  • To show only policies with the alert functionality enabled, use the --alert_enabled flag
  • To filter policies by severity threshold (critical, high, medium, low, info), use the --severity flag
  • To filter policies by tag, use the --tag flag

To list all tags associated with policies.

lacework policy list-tags

To view more details about a single policy.

lacework policy show <policy_id>

To view the LQL query associated with the policy, use the query ID.

lacework query show <query_id>

Note: LQL syntax may change.

To delete a policy.

lacework policy delete <policy_id>

Create a Policy

There are multiple ways you can create a policy:

  • Type the policy into your default editor (via $EDITOR)
  • Pipe the policy to the Lacework CLI command (via $STDIN)
  • From a local file on disk using the flag --file
  • From a URL using the flag --url

There are two formats you can use to define a policy:

  • JavaScript Object Notation (JSON)
  • YAML Ain't Markup Language (YAML)

To launch your default editor and create a new policy.

lacework policy create

The following attributes are required:

---
title: My Policy
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: Alert_Profile_ID.Alert_Template_Name
evalFrequency: Daily
queryId: MyQuery
severity: high
description: My Policy Description
remediation: My Policy Remediation
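As an added example (not part of the Lacework CLI or its documentation), the following shell function checks a policy file for the required attributes listed above, and that severity is one of the values the CLI filters on, before the file is handed to lacework policy create --file. It assumes the simple one-key-per-line YAML layout shown above.

```shell
#!/bin/sh
# Pre-flight check for a Lacework policy file before running
# `lacework policy create --file <path>`. Added example, not Lacework's code.
# Assumes the flat "key: value" YAML layout from the required-attributes listing.

REQUIRED_KEYS="title enabled policyType alertEnabled alertProfile evalFrequency queryId severity description remediation"

# check_policy_file FILE: prints one line per problem, returns 1 if any were found
check_policy_file() {
    file=$1
    rc=0
    for key in $REQUIRED_KEYS; do
        # key must be present at line start and must have a non-empty value
        if ! grep -Eq "^${key}:[[:space:]]*[^[:space:]]" "$file"; then
            echo "missing or empty required attribute: $key"
            rc=1
        fi
    done
    # severity must be one of the thresholds the CLI accepts with --severity
    sev=$(sed -n 's/^severity:[[:space:]]*//p' "$file" | head -n 1)
    case "$sev" in
        critical|high|medium|low|info) ;;
        "") ;;   # already reported as missing above
        *) echo "invalid severity: $sev (expected critical, high, medium, low or info)"; rc=1 ;;
    esac
    return $rc
}

# write_sample_policy FILE: writes a constructed policy with every required attribute
write_sample_policy() {
    cat > "$1" <<'EOF'
---
title: My Policy
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: Alert_Profile_ID.Alert_Template_Name
evalFrequency: Daily
queryId: MyQuery
severity: high
description: My Policy Description
remediation: My Policy Remediation
EOF
}

# usage: check_policy_file policy.yaml && lacework policy create --file policy.yaml
```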

To view all LQL queries in your Lacework account.

lacework query ls

For more information about queries, see LQL Queries.

Update a Policy

There are multiple ways you can update a policy:

  • Type the policy into your default editor (via $EDITOR)
  • Pipe the policy to the Lacework CLI command (via $STDIN)
  • From a local file on disk using the flag --file
  • From a URL using the flag --url

There are two formats you can use to define a policy:

  • JavaScript Object Notation (JSON)
  • YAML Ain't Markup Language (YAML)

To launch your default editor to update a policy.

lacework policy update <policy_id>

A policy identifier specified via command argument always takes precedence over a policy identifier specified via payload.