Policies
Policies add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console.
Policies also facilitate the scheduled execution of a Lacework query.
Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.
Lacework offers a set of default LQL policies that are available in your account.
Limitations:
- The maximum number of records that each policy will return is 1000
- The maximum number of API calls is 120 per hour for on-demand LQL query executions
To view all the policies in your Lacework account:
lacework policy ls
- To show only enabled policies, use the --enabled flag
- To show only policies with the alert functionality enabled, use the --alert_enabled flag
- To filter policies by severity threshold (critical, high, medium, low, info), use the --severity flag
- To filter policies by tag, use the --tag flag
To list all tags associated with policies:
lacework policy list-tags
To view more details about a single policy:
lacework policy show <policy_id>
To view the LQL query associated with the policy, use the query ID:
lacework query show <query_id>
Note: LQL syntax may change.
To delete a policy:
lacework policy delete <policy_id>
Create a Policy
There are multiple ways you can create a policy:
- Type the policy into your default editor (via $EDITOR)
- Pipe the policy to the Lacework CLI command (via $STDIN)
- From a local file on disk using the --file flag
- From a URL using the --url flag
There are two formats you can use to define a policy:
- JavaScript Object Notation (JSON)
- YAML Ain't Markup Language (YAML)
To launch your default editor and create a new policy:
lacework policy create
lacework policy create
The following attributes are required:
---
title: My Policy
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: Alert_Profile_ID.Alert_Template_Name
evalFrequency: Daily
queryId: MyQuery
severity: high
description: My Policy Description
remediation: My Policy Remediation
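The following shell script is an added example and is not part of the Lacework CLI or its documentation. It checks a policy file locally before handing it to `lacework policy create --file` (or `lacework policy update --file`): every required attribute listed above must be present, and `severity` must be one of the documented values (critical, high, medium, low, info), so a malformed definition is rejected before it reaches the API. It assumes the policy is flat YAML with one `key: value` per line, as in the template above; the function names are hypothetical, and the sample policy it writes is constructed from that template.

```shell
#!/bin/sh
# Pre-flight validation for a Lacework policy definition.
# Added example, not Lacework's own code. Assumes flat YAML, one "key: value"
# per line, matching the required-attributes template in the documentation.

# Required attributes, as listed in the documentation.
REQUIRED_KEYS="title enabled policyType alertEnabled alertProfile evalFrequency queryId severity description remediation"
# Severity values accepted by the --severity filter.
VALID_SEVERITIES="critical high medium low info"

# Print the value of a top-level YAML key ($2) in file $1, or nothing if absent.
policy_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the file carries every required attribute and a valid severity;
# otherwise report each problem on stderr and return 1.
validate_policy_file() {
    file="$1"
    status=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    for key in $REQUIRED_KEYS; do
        if [ -z "$(policy_value "$file" "$key")" ]; then
            echo "missing required attribute: $key" >&2
            status=1
        fi
    done
    sev="$(policy_value "$file" severity)"
    if [ -n "$sev" ]; then
        case " $VALID_SEVERITIES " in
            *" $sev "*) ;;
            *) echo "invalid severity: $sev (expected one of: $VALID_SEVERITIES)" >&2
               status=1 ;;
        esac
    fi
    return $status
}

# Create the policy only when the local check passes (hypothetical wrapper).
create_policy_checked() {
    validate_policy_file "$1" || return 1
    lacework policy create --file "$1"
}

# Write a constructed sample policy (the documentation's template) to file $1.
write_sample_policy() {
    cat > "$1" <<'EOF'
---
title: My Policy
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: Alert_Profile_ID.Alert_Template_Name
evalFrequency: Daily
queryId: MyQuery
severity: high
description: My Policy Description
remediation: My Policy Remediation
EOF
}
```

Usage: `write_sample_policy policy.yaml && create_policy_checked policy.yaml`. The check is deliberately strict about key names (`alertEnabled`, not `alert_enabled`), since a key the API does not recognise is the most common reason a hand-written policy is rejected.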
To view all LQL queries in your Lacework account:
lacework query ls
For more information about queries, see LQL Queries.
Update a Policy
There are multiple ways you can update a policy:
- Type the policy into your default editor (via $EDITOR)
- Pipe the policy to the Lacework CLI command (via $STDIN)
- From a local file on disk using the --file flag
- From a URL using the --url flag
There are two formats you can use to define a policy:
- JavaScript Object Notation (JSON)
- YAML Ain't Markup Language (YAML)
To launch your default editor to update a policy:
lacework policy update <policy_id>
A policy identifier specified via command argument always takes precedence over a policy identifier specified via payload.