Default Policies
See Policies Overview for information on how to view, enable, or disable policies.
note
We'd love to hear your feedback. We are continually looking for ways to improve our detections and want to hear from you. Your observations and feedback will guide our evolution as we continue to help you reduce your security risk.
Please email your feedback to support@lacework.com.
This topic describes default Lacework policies.
- General Policies
- AWS CloudTrail Policies
- AWS Behavior Anomaly Policies
- Azure Activity Log Policies
- Azure Behavior Anomaly Policies
- GCP Audit Log Policies
- GCP Behavior Anomaly Policies
- Host Policies
- Host Behavior Anomaly Policies
- Kubernetes Policies
- Kubernetes Behavior Anomaly Policies
- Vulnerability Assessment
General Policies
The following table specifies general anomaly policies.
| Policy ID | Alert Generated by Policy | Description |
|---|---|---|
| LACEWORK-GLOBAL-491 | Offensive security container | Offensive security tools are used during testing to evaluate the effectiveness of security products and security controls. Attackers might also use offensive security tools for developing exploits, identifying weaknesses in the target system, and carrying out attacks. Remediation is environment-dependent because this might be expected or the result of normal operations. Investigate and determine the nature of the activity. |
| LACEWORK-GLOBAL-492 | Potential reverse shell | Reverse shell is a shell session initiated by the target machine, rather than from the client. Determine if the event is associated with reverse shell initiation by examining the command line arguments associated with the flagged process. If a reverse shell is suspect, determine if legitimate use was the case. Otherwise, prepare incident response for the workload to investigate unauthorized access. |
| LACEWORK-GLOBAL-493 | Potential Codecov Bash uploader command | In the Codecov supply chain attack, the Bash uploader script was maliciously modified to upload potentially sensitive environment variables to an attacker-controlled site. This policy flags a similar use of cURL for data exfiltration. Determine if the affected cURL process is legitimate. If you don't find any legitimate use, prepare the host for incident response to determine unauthorized access. |
| LACEWORK-GLOBAL-494 | Commonly used scanners | Scanning tools are often used during exercises and testing to map the target environment and identify vulnerable systems and services. Attackers, likewise, use these tools to assist in post-exploitation activities. Determine if the activity is legitimate. If not, prepare incident response for the affected host. Check other reachable hosts for signs of malicious activity. |
| LACEWORK-GLOBAL-495 | Out-of-Band Application Security Testing (OAST) tools | Out-of-Band Application Security Testing (OAST) tools, such as Burp Suite and Project Discovery, are commonly used by pen-testers, researchers, and attackers to test for various vulnerabilities and perform reconnaissance. Any DNS request for these domains might represent a vulnerability. Determine if the nature of the queries are from legitimate internal sources or from external sources. Determine if affected hosts have any internet accessible remote code execution vulnerabilities and remediate. |
| LACEWORK-GLOBAL-496 | Container with writable root volume map detected | A container was detected running with the root of the host system mounted. This could potentially allow a container escape to access the host system. Determine if the root volume mount is required. Remove this requirement to reduce chances of container escape if the affected container is compromised. This policy is disabled by default. To enable it, see Policies Overview. |
| LACEWORK-GLOBAL-646 | Reverse Shell Connection | A reverse shell is a shell session initiated by the target machine, rather than from the client. It is a common method used by attackers to control compromised systems that are not publicly routable. This policy detects reverse shell invocations that have successfully established network connections. |
| LACEWORK-GLOBAL-647 | Cryptojacking Artifacts | Cryptojacking is the act of hijacking cloud infrastructure to illegally mine cryptocurrencies. This policy detects command-line artifacts observed to be initializing cryptomining applications. |
AWS CloudTrail Policies
Lacework generates the data needed to populate reports on a regular schedule, typically once a day. After it generates the report data, Lacework assesses all the enabled policies. During this assessment, Lacework checks if all the expressions in a policy assess to true and if they do, it generates an event. It repeats this assessment for each enabled policy.
If the same policy triggers again within the next hour, Lacework updates the existing event with summary information about what triggered the subsequent trigger. After one hour if the same policy triggers again, it creates another event.
The following table specifies the default AWS CloudTrail policies. For more information about these alerts, see AWS Policy Alerting.
| Policy ID | Alert Generated by Policy |
|---|---|
| LACEWORK-GLOBAL-1 | VPC Change |
| LACEWORK-GLOBAL-2 | Security Group Change |
| LACEWORK-GLOBAL-3 | NACL Change |
| LACEWORK-GLOBAL-4 | Network Gateway Change |
| LACEWORK-GLOBAL-5 | Route Table Change |
| LACEWORK-GLOBAL-6 | New VPN Connection |
| LACEWORK-GLOBAL-7 | VPN Gateway Change |
| LACEWORK-GLOBAL-8 | Usage of Root Account |
| LACEWORK-GLOBAL-9 | New S3 Bucket |
| LACEWORK-GLOBAL-10 | S3 Bucket Deleted |
| LACEWORK-GLOBAL-11 | S3 Bucket Policy Change |
| LACEWORK-GLOBAL-12 | IAM Policy Change |
| LACEWORK-GLOBAL-13 | IAM Access Key Change |
| LACEWORK-GLOBAL-14 | New User |
| LACEWORK-GLOBAL-15 | New Customer Master Key |
| LACEWORK-GLOBAL-16 | New Customer Master Key Alias |
| LACEWORK-GLOBAL-17 | Customer Master Key Disabled |
| LACEWORK-GLOBAL-18 | Customer Master Key Scheduled for Deletion |
| LACEWORK-GLOBAL-19 | New Grant Added to Customer Master Key |
| LACEWORK-GLOBAL-20 | CloudTrail Change |
| LACEWORK-GLOBAL-21 | Successful Console Login Without MFA |
| LACEWORK-GLOBAL-22 | Failed Console Login |
| LACEWORK-GLOBAL-23 | Configuration Service Change |
| LACEWORK-GLOBAL-24 | Access Key Deleted |
| LACEWORK-GLOBAL-25 | CloudTrail Deleted |
| LACEWORK-GLOBAL-26 | CloudTrail Stopped |
| LACEWORK-GLOBAL-27 | New Access Key |
| LACEWORK-GLOBAL-28 | New VPC |
| LACEWORK-GLOBAL-29 | Unauthorized API Call |
| LACEWORK-GLOBAL-30 | S3 Bucket ACL Change |
AWS Behavior Anomaly Policies
The following table specifies the default AWS behavior anomaly policies. For more information about these alerts, see AWS Activity Alerting.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_AWS_ACCNT_86 | New Account |
| LW_AWS_API_97 | Service Called API |
| LW_AWS_API_98 | API Failed With Error |
| LW_AWS_ERR_92 | New Error Code |
| LW_AWS_LOGIN_93 | Login From Known Bad Source Location |
| LW_AWS_LOGIN_94 | Login From New Source Location |
| LW_AWS_MODELSERVICE_155 | Unexpected Change in AWS API Error Volume |
| LW_AWS_MODELSERVICE_156 | Unexpected Change in AWS GPU Instance Launch Volume |
| LW_AWS_REGION_90 | New Region |
| LW_AWS_REGION_91 | User Used Service In Region |
| LW_AWS_REGION_95 | User Accessing Region |
| LW_AWS_REGION_96 | Service Accessed In Region |
| LW_AWS_SERVICE_89 | New Service |
| LW_AWS_USR_87 | AWS User Logged in from New Source |
| LW_AWS_USR_88 | User Calltype MFA |
Azure Activity Log Policies
The following table specifies the default Azure Activity Log policies. For more information about these alerts, see Azure Activity Alerting.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_AL_APP_40 | Security Solution Created/Updated |
| LW_AL_APP_41 | Security Solution Deleted |
| LW_AL_FIREWALL_42 | SQL Server Firewall Rule Created/Updated |
| LW_AL_FIREWALL_43 | SQL Server Firewall Rule Deleted |
| LW_AL_IAM_35 | Policy Assignment Created |
| LW_AL_IAM_44 | Security Policy Updated |
| LW_AL_NETWORK_36 | Network Security Group Created/Updated |
| LW_AL_NETWORK_37 | Network Security Group Deleted |
| LW_AL_NETWORK_38 | Network Security Group Rule Created/Updated |
| LW_AL_NETWORK_39 | Network Security Group Rule Deleted |
Azure Behavior Anomaly Policies
The following table specifies the default Azure behavior anomaly policies. For more information about these alerts, see Azure Policy Alerting.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_AZURE_API_142 | New Azure API Call Accessed Resource |
| LW_AZURE_ERROR_140 | New Azure API Failed |
| LW_AZURE_EVENT_141 | New Azure Operation On Resource |
| LW_AZURE_LOGIN_139 | New Azure Login From Bad Source |
| LW_AZURE_SERVICE_138 | New Azure Service |
| LW_AZURE_SUBSCRIPTION_137 | New Azure Subscription |
GCP Audit Log Policies
The following table specifies the default GCP Audit Log policies. For more information about these alerts, see GCP Policy Alerting.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_AT_IAM_51 | Cloud Storage IAM Permission Changed |
| LW_AT_IAM_165 | Project IAM Policy Changed |
| LW_AT_IAM_166 | Folder IAM Policy Changed |
| LW_AT_IAM_167 | Organization IAM Policy Changed |
| LW_AT_IAM_168 | GCP Resource IAM Policy Changed |
| LW_AT_IAM_178 | Cloud KMS IAM Policy Modified |
| LW_AT_RESOURCE_173 | Cloud Storage Bucket Created |
| LW_AT_RESOURCE_45 | Project Ownership Assignments Changed |
| LW_AT_RESOURCE_46 | Audit Configuration Changed |
| LW_AT_RESOURCE_47 | Custom Role Changed |
| LW_AT_RESOURCE_169 | Service Account Created |
| LW_AT_RESOURCE_170 | Service Account Key Modified |
| LW_AT_RESOURCE_171 | Cloud VPN Created |
| LW_AT_RESOURCE_172 | Cloud VPN Created |
| LW_AT_RESOURCE_173 | Cloud Storage Bucket Created |
| LW_AT_RESOURCE_174 | Cloud Logging Sink Modified |
| LW_AT_RESOURCE_175 | Cloud KMS Key Ring Created |
| LW_AT_RESOURCE_176 | Cloud KMS Key Created |
| LW_AT_RESOURCE_177 | Cloud KMS Key Version Destroyed |
| LW_AT_SQL_52 | SQL Instance Configuration Changed |
| LW_AT_VPC_49 | VPC Network Route Changed |
| LW_AT_VPC_48 | VPC Network Firewall Rule Changed |
| LW_AT_VPC_50 | VPC Network Changed |
GCP Behavior Anomaly Policies
The following table specifies the default GCP behavior anomaly policies. For more information about these alerts, see GCP Activity Alerting.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_GCP_ACCNT_107 | New GCP organization |
| LW_GCP_ERROR_118 | GCP API failed with error |
| LW_GCP_LOGIN_108 | New GCP source |
| LW_GCP_LOGIN_113 | GCP user logged in from bad source |
| LW_GCP_LOGIN_114 | GCP user logged in from source |
| LW_GCP_REGION_111 | New GCP region |
| LW_GCP_REGION_115 | GCP user accessing region |
| LW_GCP_REGION_116 | GCP service accessed in region |
| LW_GCP_SERVICE_110 | New GCP service |
| LW_GCP_SERVICE_112 | New GCP API call |
| LW_GCP_SERVICE_117 | Service called GCP API |
| LW_GCP_USR_109 | New GCP user |
Host Policies
If Lacework detects that a process or application has run, it assesses all enabled default and custom host policies. During this assessment, Lacework checks if all expressions in a host policy assess to true and if they do, it generates an event that you can see in the Lacework Console. It repeats this assessment for each enabled policy.
If the same rule triggers again within the next hour, Lacework updates the existing event with summary information about what triggered the subsequent trigger. After one hour if the same rule triggers again, it creates another event.
In addition to default and custom policies, Lacework has a set of internal expressions that also generate host events, which you can view in the Lacework Console. For example, if Lacework finds a file with a suspicious hash, it generates a Malicious File event. These internal detections and event generation occur concurrently. Lacework uses the default and custom policies for detection and event generation.
The following table specifies the default host policies. For more information about these alerts, see Alert Types Classified as Policy Category.
| Policy ID | Alert Generated by Policy |
|---|---|
| LACEWORK-GLOBAL-484 | Changes to Autorun Registry Keys on Windows |
| LACEWORK-GLOBAL-491 | Offensive Security Containers |
| LACEWORK-GLOBAL-492 | Potential Reverse Shell |
| LACEWORK-GLOBAL-493 | Potential Codecov Bash Uploader Command |
| LACEWORK-GLOBAL-494 | Commonly Used Scanners |
| LACEWORK-GLOBAL-495 | Out-of-Band Application Security Testing (OAST) Tools |
| LACEWORK-GLOBAL-496 | Container with Writeable Root Volume Map Detected |
| LACEWORK-GLOBAL-646 | Reverse Shell Connection |
| LACEWORK-GLOBAL-647 | Cryptojacking Artifacts |
| LW_APP_1 | Suspicious Applications |
| LW_FIM_33 | Files Changed |
| LW_FIM_34 | Suspicious Files |
| LW_USER_31 | Suspicious logins from multiple GEOs |
| LW_USER_32 | Suspicious Logins |
Host Behavior Anomaly Policies
The following table specifies the default host behavior anomaly policies. For more information about these alerts, see Alert Types Classified as Anomaly Category.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_APP_TYPE_70 | New Application |
| LW_APP_TYPE_125 | New Vulnerable Application |
| LW_EXT_DNS_58 | New External Host |
| LW_EXT_DNS_59 | Bad External Host |
| LW_EXT_DNS_60 | New External Client DNS |
| LW_EXT_DNS_61 | Bad External Client DNS |
| LW_EXT_DNS_62 | New External Server |
| LW_EXT_DNS_63 | Bad External DNS Server |
| LW_EXT_IP_64 | New External Server IP Address |
| LW_EXT_IP_65 | Bad External Server IP Address |
| LW_EXT_IP_66 | New External Client IP Address |
| LW_EXT_IP_67 | Bad External Client IP Address |
| LW_EXT_IP_68 | New Internal Server IP |
| LW_EXT_IP_69 | New Internal Client IP |
| LW_FIM_136 | Malicious File |
| LW_HOST_77 | New External Host Server Connection |
| LW_HOST_78 | Bad External Server Host Connection |
| LW_HOST_128 | New External Host Server Connection From Vulnerable Application |
| LW_HOST_129 | Bad External Server Host Connection From Vulnerable Application |
| LW_IP_73 | New External Client IP Address Connection |
| LW_IP_74 | Bad External Client IP Address Connection |
| LW_IP_75 | New External Server IP Address Connection |
| LW_IP_76 | Bad External Server IP Address Connection |
| LW_IP_79 | New Internal Connection |
| LW_IP_126 | New External Server IP Address Connection From Vulnerable Application |
| LW_IP_127 | Bad External Server IP Address Connection From Vulnerable Application |
| LW_IP_131 | New Vulnerable Internal Connection |
| LW_IP_134 | Bad External Client IP Address Connection To Vulnerable Application |
| LW_IP_135 | New External Client IP Address Connection To Vulnerable Application |
| LW_K8LAUNCH_99 | New K8s Cluster |
| LW_K8LAUNCH_100 | New K8s Namespace |
| LW_K8LAUNCH_101 | New K8s Pod |
| LW_MCH_71 | New Machine Server Cluster |
| LW_PROCESS_80 | New Privilege Escalation |
| LW_PROCESS_81 | New Child Launched |
| LW_PROCESS_132 | New Child Launched From Vulnerable Application |
| LW_PROCESS_133 | New Vulnerable Child Launched |
| LW_USR_72 | New User |
| LW_USR_82 | Machine Cluster Launched New Binary |
| LW_USR_83 | User Launched New Binary |
| LW_USR_84 | User Logged In From New IP |
| LW_USR_85 | User Logged In From New Location |
| LW_USR_130 | User Launched New Vulnerable Binary |
Kubernetes Policies
The following table specifies the default Kubernetes policies. For more information about these alerts, see Alert Types Classified as Policy Category.
| Policy ID | Alert Generated by Policy | Description |
|---|---|---|
| LACEWORK-GLOBAL-158 | Successful command execution on container | Detects access to a container (kubectl exec <container>). |
| LACEWORK-GLOBAL-162 | API access of container logs | Detects access to the container logs (kubectl logs <container>). |
| LACEWORK-GLOBAL-163 | Usage of kubernetes Port Forward | Detects usage of port forwarding (kubectl port-forward <resource name>). |
| LACEWORK-GLOBAL-164 | kubectl attach to container process | Detects access to the container stdout (kubectl attach <container>). |
| LACEWORK-GLOBAL-165 | Ephemeral container attached to pod | An ephemeral container was launched and attached to a running pod. |
| LACEWORK-GLOBAL-166 | Workload created on cluster | A workload was created on a cluster. |
| LACEWORK-GLOBAL-167 | Workload deleted on cluster | A workload was deleted from a cluster. |
| LACEWORK-GLOBAL-168 | Workload created in default namespace | A workload was created in the default namespace. |
| LACEWORK-GLOBAL-169 | Workload created with container privilege escalation | A workload with container privilege escalation was created. |
| LACEWORK-GLOBAL-170 | Workload created with privileged containers | A workload with privileged containers was created. |
| LACEWORK-GLOBAL-172 | Workload created with shared host network | A workload with a shared host network was created. |
| LACEWORK-GLOBAL-173 | Workload created with shared host PID | A workload with shared host PID was created. |
| LACEWORK-GLOBAL-174 | Workload created with shared host IPC | A workload with shared host IPC was created. |
| LACEWORK-GLOBAL-175 | Workload created with hostPath volume | A workload with a hostPath volume was created. |
| LACEWORK-GLOBAL-176 | Workload created with Unmasked proc mount | A workload with an Unmasked proc mount was created. |
| LACEWORK-GLOBAL-177 | Kubernetes namespace creation | A Kubernetes namespace was successfully created. |
| LACEWORK-GLOBAL-178 | Kubernetes namespace deletion | A Kubernetes namespace was successfully deleted. |
| LACEWORK-GLOBAL-185 | Role or Cluster Role deleted | A Role or Cluster Role was deleted. |
| LACEWORK-GLOBAL-186 | Role binding or Cluster Role binding created | A binding to a Kubernetes Role or Cluster Role was created. |
| LACEWORK-GLOBAL-187 | Role binding or Cluster Role binding deleted | A binding to a Kubernetes Role or Cluster Role was deleted. |
| LACEWORK-GLOBAL-188 | Change or deletion of system:* Cluster Role | One of the default system:* Cluster Roles was modified or deleted. |
| LACEWORK-GLOBAL-189 | Change or deletion of system:* Role | One of the default system:* Roles was modified or deleted. |
| LACEWORK-GLOBAL-190 | Role or Cluster Role created | A Kubernetes Role or Cluster Role was created. |
| LACEWORK-GLOBAL-191 | ClusterRoleBinding created for cluster-admin Role | A Cluster Role Binding to the cluster-admin Cluster Role was created. The cluster-admin Cluster Role gives full access to all Kubernetes resources and actions. |
| LACEWORK-GLOBAL-192 | Role or Cluster Role created with wildcarded resources or verbs | A Role or Cluster Role was created with a wildcard (*) for resources, giving permissions for all Kubernetes Resources. |
| LACEWORK-GLOBAL-193 | Role or Cluster Role created with access to secrets | A Role or Cluster Role was created that allows access to Kubernetes secrets. |
| LACEWORK-GLOBAL-194 | Cluster Role created or modified | A Kubernetes Cluster Role was modified or deleted. |
| LACEWORK-GLOBAL-195 | Cluster Role granting permissions on pods/exec | A Cluster Role was created that allows the creation of new pods (pods/exec). |
| LACEWORK-GLOBAL-200 | Service created with External Load Balancer | A service with an external load balancer was created. |
| LACEWORK-GLOBAL-201 | Service created with NodePort | A service with NodePort was created. |
| LACEWORK-GLOBAL-202 | Ingress created without TLS | An ingress without TLS was created. |
| LACEWORK-GLOBAL-203 | Pod started with image from non-standard registry | A pod was started with an image from a non-standard registry. |
| LACEWORK-GLOBAL-204 | Admin privileges bound to default service account | Admin privileges were bound to the default service account. |
| LACEWORK-GLOBAL-205 | Kubernetes Dashboard exposed by load balancer | The Kubernetes Dashboard was exposed by a load balancer. |
| LACEWORK-GLOBAL-206 | System namespace exposed by load balancer | A system namespace was exposed by a load balancer. |
Disabled Policies Mapped to Anomaly Policies
A number of policies are disabled by default because the detected behavior is covered by anomaly policies. The following maps the disabled policies to anomaly policies.
| Disabled Policies | Anomaly Policies |
|---|---|
| Kubernetes namespace creation - lacework-global-177 | K8s Audit Log Namespace Created |
| ClusterRoleBinding created for cluster-admin role - lacework-global-191 | K8s Audit Log Role Bindings To Cluster Admin K8s Audit Log Cluster Role Bindings To Cluster Admin |
| Role or cluster role created with wild carded resources or verbs - lacework-global-192 | K8s Audit Log Role Created With All Resources Permission K8s Audit Log Cluster Role Created With All Resources Permission |
| Role or cluster role created with access to secrets - lacework-global-193 | K8s Audit Log Role Created With Secrets Permission K8s Audit Log Cluster Role Created With Secrets Permission |
| Cluster role created or modified - lacework-global-194 | K8s Audit Log Cluster Role Created K8s Audit Log Role Created |
| Cluster role granting permissions on pods/exec - lacework-global-195 | K8s Audit Log Role Created With Pod Exec Permission K8s Audit Log Cluster Role Created With Pod Exec Permission |
| Role or cluster role created with access to secrets - lacework-global-193 | K8s Audit Log Role Created With Secrets Permission K8s Audit Log Cluster Role Created With Secrets Permission |
| kubectl attach to container process - lacework-global-164 Ephemeral container attached to pod - lacework-global-165 Successful command execution on container - lacework-global-158 Usage of kubernetes Port Forward - lacework-global-163 | K8s new sensitive access to pod K8s new user access to pod |
Kubernetes Behavior Anomaly Policies
The following table specifies the default Kubernetes behavior anomaly policies. For more information about these alerts, see Kubernetes Activity.
| Policy ID | Alert Generated by Policy |
|---|---|
| LW_K8S_AUDIT_LOG_119 | K8s Audit Log Cluster Role Created |
| LW_K8S_AUDIT_LOG_120 | K8s Audit Log Cluster Role Binding Created |
| LW_K8S_AUDIT_LOG_121 | K8s Audit Log Role Created |
| LW_K8S_AUDIT_LOG_122 | K8s Audit Log Role Binding Created |
| LW_K8S_AUDIT_LOG_123 | K8s Audit Log Ingress Created |
| LW_K8S_AUDIT_LOG_124 | K8s Audit Log Workload Created |
| LW_K8S_AUDIT_LOG_143 | K8s Audit Log Namespace Created |
| LW_K8S_AUDIT_LOG_144 | K8s Audit Log Resource Created |
| LW_K8S_AUDIT_LOG_145 | K8s Audit Log Role Created With All Resources Permission |
| LW_K8S_AUDIT_LOG_146 | K8s Audit Log Role Created With Pods Write Permission |
| LW_K8S_AUDIT_LOG_147 | K8s Audit Log Role Created With Pod Exec Permission |
| LW_K8S_AUDIT_LOG_148 | K8s Audit Log Role Created With Secrets Permission |
| LW_K8S_AUDIT_LOG_149 | K8s Workload Created With Privilege Escalation |
| LW_K8S_AUDIT_LOG_150 | K8s Workload Created With Host Access |
| LW_K8S_AUDIT_LOG_151 | K8s Audit Log Cluster Role Created With All Resources Permission |
| LW_K8S_AUDIT_LOG_152 | K8s Audit Log Cluster Role Created With Pods Write Permission |
| LW_K8S_AUDIT_LOG_153 | K8s Audit Log Cluster Role Created With Pod Exec Permission |
| LW_K8S_AUDIT_LOG_154 | K8s Audit Log Cluster Role Created With Secrets Permission |
| LW_K8S_AUDIT_LOG_157 | K8s Audit Log Cluster Role Bindings To Cluster Admin |
| LW_K8S_AUDIT_LOG_158 | K8s Audit Log Cluster Role Bindings To Admin |
| LW_K8S_AUDIT_LOG_159 | K8s Audit Log Cluster Role Bindings To Edit |
| LW_K8S_AUDIT_LOG_160 | K8s Audit Log Cluster Role Bindings To System |
| LW_K8S_AUDIT_LOG_161 | K8s Audit Log Role Bindings To Cluster Admin |
| LW_K8S_AUDIT_LOG_162 | K8s Audit Log Role Bindings To Admin |
| LW_K8S_AUDIT_LOG_163 | K8s Audit Log Role Bindings To Edit |
| LW_K8S_AUDIT_LOG_164 | K8s Audit Log Role Bindings To System |
| LW_K8S_AUDIT_LOG_182 | New K8s webhook change |
| LW_K8S_AUDIT_LOG_183 | New sensitive configmaps access |
| LW_K8S_AUDIT_LOG_184 | K8s new sensitive access to pod Detects kubectl exec/attach/port-forward/log to new pods |
| LW_K8S_AUDIT_LOG_185 | K8s new user access to pod Detects kubectl exec/attach/port-forward/log to any pod from new users |
| LW_K8S_AUDIT_LOG_186 | K8s new registry used |
Vulnerability Assessment
Vulnerability assessment provides the ability to scan, identify, and report vulnerabilities found in the operating system software packages in hosts or Docker container images. After you install the Lacework agent on hosts or integrate a container registry in Lacework, Lacework scans the hosts or container images in the registry repositories for software packages with known vulnerabilities, and reports them. For information about vulnerability assessments, see Container Vulnerability Assessment Overview and Host Vulnerability Assessment Overview.
Vulnerability assessment policies are designed to help define organization-specific risk management and to notify you of critical software risk items within your monitored infrastructure. These policies apply to hosts and containers only and cannot be modified to apply to processes, users, etc.
The following table specifies the default vulnerability policies. For more information about these alerts, see Application.
info
A known vulnerability is one that already exists in Lacework's vulnerability (CVE) sources.
A vulnerability/CVE in Lacework is defined as: "CVE ID + Package Name + OS/Language".
For example, CVE-12345 openssl debian:8 will be different from CVE-12345 openssl ubuntu:20.04.
| Policy ID | Alert Generated by Policy | Description |
|---|---|---|
| LW_VULN_53 | New Security Vulnerability | A new vulnerability (it is new to Lacework's vulnerability/CVE sources) was discovered for the first time across all monitored repositories. |
| LW_VULN_54 | Known Security Vulnerability | A known vulnerability was detected within monitored repositories for a defined severity level. This is the first time that the vulnerability has been seen in your environment in any monitored repository. The related alert will only trigger once when the known vulnerability is detected for the first time in one or more monitored repositories. |
| LW_VULN_55 | New Security Vulnerability in Repository | A known vulnerability was found within a monitored repository for the first time. The related alert will trigger once for each new repository the known vulnerability is found in. |
| LW_VULN_56 | Severity changes for Security Vulnerability | A vulnerability severity change was detected within monitored repositories. |
| LW_VULN_57 | A Fix available for Security Vulnerability | A software vulnerability patch status change was detected within monitored repositories. |
| LW_VULN_102 | New Security Vulnerability | A new vulnerability (it is new to Lacework's vulnerability/CVE sources) was discovered for the first time across all monitored hosts. |
| LW_VULN_103 | Known Security Vulnerability | A known vulnerability was detected across all monitored hosts for a defined severity level. This is the first time that the vulnerability has been seen in your environment across all hosts. |
| LW_VULN_104 | Severity changes for Security Vulnerability | A vulnerability severity change was detected within monitored hosts. |
| LW_VULN_105 | A Fix available for Security Vulnerability | A software vulnerability patch status change was detected within monitored hosts. |
Examples for LW_VULN_54 and LW_VULN_55
If a known vulnerability/CVE is introduced into any image in each repository on the same day at the same time:
- One alert for LW_VULN_54 and one or more alerts for LW_VULN_55 will be generated.
- LW_VULN_54 will state that this is the first time the known vulnerability has been seen in your repositories, and will reference all repositories where it has been found.
- LW_VULN_55 will state that this is the first time the known vulnerability has been seen in the repository, and will reference the specific repository it was found in. Multiple alerts for LW_VULN_55 are generated for each repository that the known vulnerability is found in.
Alternatively, if a known vulnerability is found in a single repository on day 1:
- One alert for LW_VULN_54 and one alert for LW_VULN_55 will be generated.
If the same known vulnerability is found in a different repository on day 2:
- One alert for LW_VULN_55 is generated.