Console Custom Policies
This topic walks you through using the Lacework Console to create a custom policy that checks for unrestricted ingress to TCP port 445.
To learn more about using the Lacework Console to manage policies, see Use the Lacework Console.
Lacework Academy Course Available
If you want to learn more about Custom Policies and LQL, take the Custom Policies/LQL course from the Lacework Academy.
Policy Query Definition
What Datasources Are Available
The easiest way to learn about the LQL datasources is to discover the names of the datasources and then get details about the one you are interested in.
Run the command that corresponds to your cloud provider:
lacework query list-sources | grep AWS
lacework query list-sources | grep GCP
lacework query list-sources | grep AZURE
What Fields Can I Use from a Datasource
The examples use the following datasources:
- AWS datasource:
LW_CFG_AWS_EC2_SECURITY_GROUPS - GCP datasource (currently in beta):
LW_CFG_GCP_COMPUTE_FIREWALL - Azure datasource (currently in beta):
LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS
In order to learn which fields to use in your query, run the lacework query show-source command for a description of the fields. For some datasources, you can run the lacework query preview-source command (not available for all datasources).
The following command shows the details for the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource.
lacework query show-source LW_CFG_AWS_EC2_SECURITY_GROUPS
DATASOURCE DESCRIPTION
---------------------------------+---------------------------------
LW_CFG_AWS_EC2_SECURITY_GROUPS Results from AWS EC2
'describe-security-groups'
FIELD NAME DATA TYPE DESCRIPTION
-------------------+-----------+---------------------------------
BATCH_START_TIME Timestamp Beginning of time interval
BATCH_END_TIME Timestamp End of time interval
QUERY_START_TIME Timestamp Start time of query for this
resource
QUERY_END_TIME Timestamp End time of query for this
resource
ARN String ARN for the resource
API_KEY String Key describing the API used to
fetch data for this resource
SERVICE String Service this resource belongs
to
ACCOUNT_ID String AWS Account ID
ACCOUNT_ALIAS String User friendly alias for AWS
Account
RESOURCE_TYPE String Type of this resource
RESOURCE_ID String Identifier for this resource
RESOURCE_REGION String Region this resource belongs
to
RESOURCE_CONFIG JSON JSON Definition of this
resource
RESOURCE_TAGS JSON Tags associated with this
resource
The RESOURCE_CONFIG field is frequently used in LQL. Because it is a JSON datasource, the LQL query must first convert the field using the array_to_rows() function. To know exactly which JSON fields you need, you can either read the cloud provider's API documentation, or write an LQL query to explore the full content before writing the actual policy.
Explore Datasources Using LQL
The following let you explore the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource. Replace the datasource with LW_CFG_GCP_COMPUTE_FIREWALL or LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS respectively if using GCP or Azure.
- Open your text editor, create a new file, and add the following content:
---
queryId: Explore_AWS_EC2_SECURITY_GROUPS
queryText: |-
{
source {
LW_CFG_AWS_EC2_SECURITY_GROUPS
}
return {
RESOURCE_CONFIG
}
} - Save the file as YAML with the filename Explore_AWS_EC2_SECURITY_GROUPS.yaml. Note the file's location.
- In the Lacework CLI, run this command:
lacework query run -f <path_to>/Explore_AWS_EC2_SECURITY_GROUPS.yamlResponse{
"RESOURCE_CONFIG": {
"Description": "default VPC security group",
"GroupId": "sg-000",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-000",
"UserId": "111"
}
]
}
],
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"OwnerId": "111",
"VpcId": "vpc-000"
}
}
Create a Policy
The following procedure creates a query against the datasource that contains data related to security groups.
- Log in to the Lacework Console and navigate to Policies.
- Click + Add policy.
- Specify the following for your policy.
- Title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
- Description: Security groups should not allow unrestricted ingress to TCP port 445
- Alerts: Notify
- Severity: High
- Status: Enabled
- Click Next.
- Add the following Query ID: LW_Custom_UnrestrictedIngressToTCP445
- Copy and paste the content that corresponds to your cloud provider into the query field:AWS query
{
source {
LW_CFG_AWS_EC2_SECURITY_GROUPS a,
array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
}
filter {
ip_permissions:IpProtocol = 'tcp'
and ip_permissions:FromPort = 445
and ip_permissions:ToPort = 445
and ip_ranges:CidrIp = '0.0.0.0/0'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE
}
}GCP query (currently in beta){
source {
LW_CFG_GCP_COMPUTE_FIREWALL firewall,
array_to_rows(firewall.RESOURCE_CONFIG:allowed) as (allowed),
array_to_rows(allowed:ports) as (ports),
array_to_rows(firewall.RESOURCE_CONFIG:sourceRanges) as (ranges)
}
filter {
RESOURCE_CONFIG:direction = 'INGRESS'
and allowed:IPProtocol = 'tcp'
and ports = '445'
and ranges = '0.0.0.0/0'
}
return distinct {
ORGANIZATION_ID,
PROJECT_NUMBER,
PROJECT_ID,
FOLDER_IDS,
URN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE
}
}Azure query (currently in beta){
source {
LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS a,
array_to_rows(a.RESOURCE_CONFIG:securityRules) as (rules)
}
filter {
rules:"properties".access = 'Allow'
and rules:"properties".direction = 'Inbound'
and rules:"properties".protocol = 'Tcp'
and rules:"properties".destinationPortRange = '445'
and rules:"properties".sourceAddressPrefix = '*'
}
return distinct {
TENANT_ID,
TENANT_NAME,
SUBSCRIPTION_ID,
SUBSCRIPTION_NAME,
URN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE
}
} - Click Next.
- Leave the Remediation Steps field empty.
- Click Save and Continue. A confirmation message appears upon successful creation of your new custom policy.