Create Policies (Non-LQL)
note
This topic applies to non-LQL-based policies only. To create custom LQL-based policies, see Use the Lacework Console to Create Custom Policies. For general information on LQL, see LQL Overview.
Overview
Lacework categorizes policies into default and custom policies. Default policies are read-only, so you can only enable or disable them. If you want a policy that does something different than what the default policy offers, you must create a custom policy.
A summary of the steps includes:
- Clone the default policy.
- Modify its criteria.
- Enable the new custom policy.
- Disable the default policy.
A policy clone does not supersede its original, default policy. That is, if both the default policy and custom policy are enabled and their configuration and input data are the same, you will get two alerts for the same event (one alert per policy).
note
You can clone only violation and compliance type policies. Custom vulnerability and anomaly policies are not supported.
Create a Policy
To create a policy:
- Click Policies.
- Locate and click the policy you want to base your custom policy on.
- In the policy details:
- If the Clone policy icon is available, you can clone the policy.
- If the Clone policy icon is not available, the policy cannot be cloned or the policy has already been cloned the maximum number of times (4 clones).
- Enter a title for the event that is generated when the policy triggers, that is, when all of its expressions are true (or all of its query parameters are met).
- Enter one or more AND expressions or query parameters. Each expression requires a parameter, an operator, and a value, and every expression must be true for the policy to trigger. Refer to the tables below for the parameters each policy type supports. When creating custom policies, Lacework recommends limiting the number of expressions to three or fewer.
By design, Lacework captures the names of processes as part of their network activity. A process that makes no network connections, such as whoami, is not captured, so an expression such as 'Executable path INCLUDE */whoami' is never true and the policy never triggers.
- Select the Severity and Frequency.
- The policy is enabled by default. If you want to disable the policy, toggle the Status.
String Behavior in Expressions
When you specify a string in an expression, partial matches are not supported unless you specify the * wildcard, as shown by the following examples:
- If you specify 'Username INCLUDE sue' and the current value of Username is suehunt, the expression is not true, so the policy does not trigger and no alert is generated.
- If you specify 'Username INCLUDE sue*' (with the * wildcard) and the current value of Username is suehunt, the expression is true, so the policy triggers and generates an alert.
You can specify multiple possible matches using a comma-separated list. For example, if you specify 'Username INCLUDE suehunt,joesmith' and the current value of Username is either suehunt or joesmith, the expression is true, so the policy triggers and generates an alert.
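The procedure above (AND expressions with a parameter, operator and value; one alert per enabled policy, so an enabled default plus its enabled clone fire twice) and the string-matching rules just described are easy to get wrong when writing expressions. The following is an added example, not Lacework code: a small Python evaluator that models only the behaviour this page documents, run against constructed sample records. Treating EXCLUDE as the negation of INCLUDE and using only Greater Than and Less Than as numeric operators are assumptions made for the example.

```python
"""Added example (not Lacework code): a toy evaluator for the non-LQL policy
model described on this page. It models only the documented behaviour:

  * a policy is a list of AND expressions (parameter, operator, value) and
    triggers when every expression is true
  * string values match exactly unless they contain the '*' wildcard
  * a comma-separated value lists alternatives, any one of which may match
  * every enabled policy that matches produces its own alert, so an enabled
    default policy plus its enabled clone yield two alerts for one event

Assumptions: EXCLUDE is modelled as the negation of INCLUDE, and Greater Than /
Less Than are the only numeric operators. All sample records are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Expression:
    parameter: str
    operator: str  # "INCLUDE", "EXCLUDE", "Greater Than", "Less Than"
    value: str


@dataclass(frozen=True)
class Policy:
    title: str
    expressions: tuple  # Expression objects; all must be true (AND)
    severity: str = "Medium"
    enabled: bool = True


def _wildcard_regex(pattern: str) -> re.Pattern:
    """Only '*' is a wildcard; everything else ('.', '?', '[' ...) is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def string_matches(value_list: str, actual: str) -> bool:
    """INCLUDE semantics for strings: 'sue' does not match 'suehunt', 'sue*' does,
    and 'suehunt,joesmith' matches either name."""
    for alt in (a.strip() for a in value_list.split(",")):
        if not alt:
            continue
        if "*" in alt:
            if _wildcard_regex(alt).match(actual):
                return True
        elif alt == actual:
            return True
    return False


def expression_true(expr: Expression, record: dict) -> bool:
    """Evaluate one expression against a captured record (parameter -> value).
    A parameter absent from the record can never satisfy the expression; this is
    why 'Executable path INCLUDE */whoami' never fires when whoami, which makes
    no network connections, is never captured."""
    if expr.parameter not in record:
        return False
    actual = record[expr.parameter]
    if expr.operator == "INCLUDE":
        return string_matches(expr.value, str(actual))
    if expr.operator == "EXCLUDE":  # assumed: plain negation of INCLUDE
        return not string_matches(expr.value, str(actual))
    if expr.operator == "Greater Than":
        return float(actual) > float(expr.value)
    if expr.operator == "Less Than":
        return float(actual) < float(expr.value)
    raise ValueError(f"unknown operator {expr.operator!r}")


def policy_triggers(policy: Policy, record: dict) -> bool:
    return policy.enabled and all(expression_true(e, record) for e in policy.expressions)


def alerts_for(record: dict, policies: list) -> list:
    """One (title, severity) alert per enabled policy whose expressions are all true."""
    return [(p.title, p.severity) for p in policies if policy_triggers(p, record)]


# Constructed sample records and policies (hypothetical hostnames and users).
FIM_RECORD = {"File path": "/usr/lib/libexample.so.1", "File Change type": "Changed",
              "File owner": "root", "File size": 204800, "Hostname": "web-01"}
LOGIN_RECORD = {"Username": "suehunt", "Number of failed logins": 12,
                "Number of countries from where logins detected": 3}

DEFAULT_FIM = Policy("Default: library changed", (
    Expression("File path", "INCLUDE", "/usr/lib/*"),
    Expression("File Change type", "INCLUDE", "Changed"),
))
# A clone with one extra expression. Cloning does not disable the default.
CUSTOM_FIM = Policy("Custom: root-owned library changed", (
    Expression("File path", "INCLUDE", "/usr/lib/*"),
    Expression("File Change type", "INCLUDE", "Changed"),
    Expression("File owner", "INCLUDE", "root"),
), severity="High")
LOGIN_POLICY = Policy("Failed logins from several countries", (
    Expression("Username", "INCLUDE", "sue*,joesmith"),
    Expression("Number of failed logins", "Greater Than", "10"),
    Expression("Number of countries from where logins detected", "Greater Than", "1"),
), severity="Critical")

if __name__ == "__main__":
    # Both enabled: two alerts for the same file change, one per policy.
    print(alerts_for(FIM_RECORD, [DEFAULT_FIM, CUSTOM_FIM]))
    # Default disabled after cloning: only the custom policy alerts.
    disabled_default = Policy(DEFAULT_FIM.title, DEFAULT_FIM.expressions, enabled=False)
    print(alerts_for(FIM_RECORD, [disabled_default, CUSTOM_FIM]))
    print(alerts_for(LOGIN_RECORD, [LOGIN_POLICY]))
```

Running the script shows the duplicate-alert effect from the Overview directly: with DEFAULT_FIM and CUSTOM_FIM both enabled, one modified file under /usr/lib produces two alerts, and disabling the default leaves only the custom one.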
Parameters for Application Policies (Prefix: LW_APP)
Parameter | Type | Description |
---|---|---|
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see the AWS documentation site. |
Executable path | String | Specify a full absolute directory path to an executable that includes the name of the executable. Typically you want to specify the exact directory path without wildcards to limit the number of matching expressions. |
Hostname | String | Specify the machine hostname. |
Username | String | Specify the username of the local user that is running the process. For example, if joesmith logs in to a machine (for example over SSH) as the local user suehunt and runs a process, the username is suehunt. |
Parameters for File Integrity Monitoring (FIM) Policies (Prefix: LW_FIM)
Parameter | Type | Description |
---|---|---|
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see the AWS documentation site. |
File Change type | String | Specify one of the following file change types: 1) New—files were added. 2) Removed—files were deleted. 3) Changed—files were modified, added, or deleted. Do not specify quotes around the type. This parameter is used in combination with the File path parameter to determine whether the files matching the File path expression have been added, removed, or changed. For example, a policy with a File path INCLUDE /usr/lib/* expression and a File Change type INCLUDE Changed expression triggers when files are modified in the /usr/lib directory. |
File path | String | Specify a file path or file paths to a set of files. This parameter is used in combination with the File Change type parameter to determine if files are modified, added, or deleted. |
File owner | String | Enter the owner of a file, such as root. |
File size | Number | Enter the number of bytes to compare against the specified operator such as Greater Than. |
File hash | String | Enter a single hash value that matches one or more files. For example, you could specify a hash that matches a set of suspicious files. |
Hostname | String | Enter the machine hostname. |
Parameters for User Login Activity Policies (Prefix: LW_USER)
Parameter | Type | Description |
---|---|---|
Machine Name | String | Enter a unique identifier given to a machine. |
Number of countries from where logins detected | Number | Enter the number of distinct countries from which logins were detected, per user and machine, within the last hour. |
Number of distinct source/originating IPs | Number | Enter the number of distinct source IP addresses from which logins were detected within the last hour. |
Number of failed logins | Number | Enter the total number of failed login attempts that have been detected on a machine within the last hour. |
Number of successful logins | Number | Enter the total number of successful login attempts that have been detected on a machine within the last hour. |
Source IP address | String | Specify one or more source IP addresses to include or exclude in custom policy filters. For multiple IPs, use a comma-separated list without spaces. |
Username | String | Enter the username that is logging in to a machine. |
Parameters for Vulnerability Policies (Prefix: LW_VULN)
Parameter | Type | Description |
---|---|---|
CVE | String | Enter the CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values in one line separated by a comma. Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. |
CVE severity | String | Enter the CVE severity or severities, such as Critical or High. You can specify multiple values separated by a comma. The policy generates alerts only for vulnerabilities of the specified severities. The severity is derived from the CVSS score. Valid values are None, Low, Medium, High, and Critical. |
Image active | Number | Enter 0 for false, meaning the image is not active. Enter 1 for true, meaning the image is active. |
Image privileged | Number | Enter 0 for false, meaning the image is not privileged. Enter 1 for true, meaning the image is privileged. |
Image repo | String | Enter the image repository, such as lacework/myrepo123. A container image repository is a collection of related container images. |
Image tags | String | Enter the image tag(s). A typical tag could look like DATE_BRANCH_RANDOM_ID, such as 2019-10-10_master_db0dd95. You can specify multiple values separated by a comma. A tag is a label applied to an image so that different images or versions of the same image can be identified. |
Host name | String | Enter the host name, such as myhostname. |
Machine tags | String | Select existing machine tags from the drop-down menu. Or enter new machine tags in the indicated format key->value. |
Mid | Number | Enter the machine ID, a unique identifier from the agent, such as 1234. |
Package active | Number | Enter 0 for false, meaning the package is not active. Enter 1 for true, meaning the package is active. |
Package name | String | Enter the name of the software package, such as vim. |
Package namespace | String | Enter the namespace associated with the package, such as ubuntu:18.04. |
Package version | String | Specify the package version, such as 2.20.9-0ubuntu7.14. |
Edit a Policy
To edit a policy, click it on the Policies page and then edit your chosen settings.
You can also edit a custom policy directly from an event that was generated by the custom policy:
- From the timeline in Events, find the event generated from a custom policy.
- Click the Open Event Dossier icon. This displays the Event details.
- In the top right corner, locate and click the Edit Policy icon.
- Make any changes to the policy and click Save.