Custom Policy Overview

You can supplement the Lacework default with your own custom policy, as described here.

Overview

A Lacework custom policy can be either:

  • An LQL policy, which uses the Lacework Query Language to query Lacework datasources.
  • A non-LQL policy, which specifies a rule made up of one or more condition statements.

For more information on non-LQL policies, see Create Policies (Non-LQL). The other topics in this section pertain to LQL policies.

The best way to get started with custom policies is to follow the example of a similar built-in policy. To view all the policies in your Lacework instance, click Policies in the left navigation panel. To view the LQL query associated with a policy, click the policy name.

For example, to view the VPC Change LQL policy, select Policies and enter VPC Change in the search field. To view the LQL query that is called by VPC Change, click VPC Change in the list.

You can use default queries as the basis for your LQL queries.

Limitations

  • The maximum number of records that each policy will return is 1000.
  • The maximum number of API calls is 120 per hour for on-demand LQL query executions and LQL policy create, read, update, and delete operations.

Note: LQL syntax may change.

Lacework Query Language

LQL is a SQL-like query language for specifying the selection, filtering, and manipulation of data. Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.

For general information on LQL, see LQL Overview.

Supported Datasources

Datasources are structured collections of related sets of information. Currently, LQL can access the integrated resources listed on Manage Integrated AWS Resources, Manage Integrated GCP Resources, and Manage Integrated Azure Resources.

Example Query

The following example shows a query that finds VPCs for which flow logging is either not enabled or not active:

Example query
{
    source {
        LW_CFG_AWS_EC2_VPCS vpc
        with LW_CFG_AWS_EC2_VPC_FLOW_LOGS log
    }
    filter {
        not value_exists(log.RESOURCE_CONFIG)
        or log.RESOURCE_CONFIG:FlowLogStatus <> 'ACTIVE'
    }
    return distinct {
        vpc.ACCOUNT_ALIAS,
        vpc.ACCOUNT_ID,
        vpc.ARN as RESOURCE_KEY,
        vpc.RESOURCE_REGION,
        vpc.RESOURCE_TYPE,
        vpc.SERVICE,
        case when not value_exists(log.RESOURCE_CONFIG) then 'VPCFlowLoggingNotEnabled'
             else 'VPCFlowLoggingNotActive' end as COMPLIANCE_FAILURE_REASON
    }
}

Alert Profiles

Use alert profiles to define how your LQL queries get consumed into events and alerts. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profile, extend an existing alert profile and add custom templates to it.

LW_CFG_AWS_DEFAULT_PROFILE details (truncated)
{
    "data": {
        "alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
        "extends": "LW_LPP_BaseProfile",
        "fields": [
            {
                "name": "_PRIMARY_TAG"
            },
            {
                "name": "RESOURCE_ID"
            }, ...
        ],
        "descriptionKeys": [
            {
                "name": "_OCCURRENCE",
                "spec": "{{_OCCURRENCE}}"
            },
            {
                "name": "RESOURCE_ID",
                "spec": "{{RESOURCE_ID}}"
            }, ...
        ],
        "alerts": [
            {
                "name": "CFG_AWS_PolicyChanged",
                "eventName": "LW Configuration AWS Violation Alert",
                "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
                "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
            },
            {
                "name": "CFG_AWS_NewViolation",
                "eventName": "LW Configuration AWS Violation Alert",
                "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
                "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
            },
            {
                "name": "CFG_AWS_Violation",
                "eventName": "LW Configuration AWS Violation Alert",
                "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
                "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
            }
        ]
    }
}
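The following added example (not code from Lacework or this page) models the example query's evaluation and the alert profile's template rendering in Python over constructed VPC and flow-log records. It assumes `with` behaves like a left outer join on a hypothetical VPC_ARN join key, and that the profile's RESOURCE_ID field is populated from the query's RESOURCE_KEY; both are assumptions, not documented Lacework behaviour.

```python
import re

def _vpc(region, vpc_id):                        # constructed sample VPC record
    return {"ACCOUNT_ALIAS": "prod", "ACCOUNT_ID": "111111111111", "RESOURCE_REGION": region,
            "RESOURCE_TYPE": "ec2:vpc", "SERVICE": "ec2",
            "ARN": f"arn:aws:ec2:{region}:111111111111:vpc/{vpc_id}"}

VPCS = [_vpc("us-east-1", "vpc-0a"), _vpc("us-east-1", "vpc-0b"), _vpc("eu-west-1", "vpc-0c")]
# vpc-0a: active log; vpc-0b: two inactive logs; vpc-0c: no log. VPC_ARN is an assumed join key.
FLOW_LOGS = [
    {"VPC_ARN": VPCS[0]["ARN"], "RESOURCE_CONFIG": {"FlowLogStatus": "ACTIVE"}},
    {"VPC_ARN": VPCS[1]["ARN"], "RESOURCE_CONFIG": {"FlowLogStatus": "INACTIVE"}},
    {"VPC_ARN": VPCS[1]["ARN"], "RESOURCE_CONFIG": {"FlowLogStatus": "INACTIVE"}},
]
RETURN_COLS = ("ACCOUNT_ALIAS", "ACCOUNT_ID", "RESOURCE_REGION", "RESOURCE_TYPE", "SERVICE")

def find_noncompliant_vpcs(vpcs, flow_logs):
    """Mirror the page's query: `vpc with log` keeps VPCs that have no log row at all,
    `filter` keeps missing or non-ACTIVE logs, `return distinct` de-duplicates rows."""
    logs_by_vpc = {}
    for log in flow_logs:
        logs_by_vpc.setdefault(log["VPC_ARN"], []).append(log)
    seen, rows = set(), []
    for vpc in vpcs:
        for log in logs_by_vpc.get(vpc["ARN"], [None]):   # [None] = unmatched outer-join side
            config = log["RESOURCE_CONFIG"] if log else None
            if config is None:                             # not value_exists(log.RESOURCE_CONFIG)
                reason = "VPCFlowLoggingNotEnabled"
            elif config.get("FlowLogStatus") != "ACTIVE":  # FlowLogStatus <> 'ACTIVE'
                reason = "VPCFlowLoggingNotActive"
            else:
                continue                                   # compliant VPC: filtered out
            row = {c: vpc[c] for c in RETURN_COLS}
            row["RESOURCE_KEY"] = vpc["ARN"]
            row["COMPLIANCE_FAILURE_REASON"] = reason
            key = tuple(sorted(row.items()))
            if key not in seen:                            # `distinct`
                seen.add(key)
                rows.append(row)
    return rows

# Subject template copied from the CFG_AWS_Violation alert shown on this page.
SUBJECT = ("{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}}"
           " in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}")

def render(spec, fields):
    """Fill {{NAME}} placeholders from the alert fields; unknown names are left visible."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(fields.get(m.group(1), m.group(0))), spec)
```

Running `find_noncompliant_vpcs(VPCS, FLOW_LOGS)` yields one row for vpc-0b (NotActive, the two identical log rows collapsed) and one for vpc-0c (NotEnabled); passing a row with fewer fields than the template needs leaves the unresolved `{{...}}` in the subject, which is the quickest way to spot a query whose return clause does not supply what the alert profile expects.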

Policies

Policies add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. Use the following methods to create custom policies:

Note: To create custom non-LQL-based policies, use the steps described in Create Policies (Non-LQL).

Example Policy

The following shows a custom policy that uses the above query to alert about VPC flow logging:

Example policy
{
    "title": "Ensure VPC flow logging is enabled in all VPCs",
    "enabled": false,
    "policyType": "Violation",
    "alertEnabled": false,
    "alertProfile": "LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation",
    "evalFrequency": "Hourly",
    "queryId": "Example_Global_AWS_Config_VPCFlowLoggingNotEnabled",
    "severity": "medium",
    "description": "VPC Flow Logs is a feature that enables you to capture information\nabout the IP traffic going to and from network interfaces in your VPC. After\nyou've created a flow log, you can view and retrieve its data in Amazon CloudWatch\nLogs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for\nVPCs.",
    "remediation": "Perform the following to determine if VPC Flow logs is enabled:\nFrom Console:\n1. Sign into the management console\n2. Select Services then VPC\n3. In the left navigation pane, select Your VPCs\n4. Select a VPC\n5. In the right pane, select the Flow Logs tab.\n6. If no Flow Log exists, click Create Flow Log\n7. For Filter, select Reject\n8. Enter in a Role and Destination Log Group\n9. Click Create Log Flow\n10. Click on CloudWatch Logs Group\nNote: Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation\nand provide sufficient information for the purposes of breach detection, research and remediation. However,\nduring periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering\nexisting traffic flows required for proper operation of an already running environment.",
    "tags": [
        "domain:AWS",
        "subdomain:Configuration"
    ]
}

For the types of policies you can create, see Custom Policy Types.