
Create a Custom Violation Policy

Violation policies look for events that may indicate risk in cloud activity logs, including CloudTrail or Kubernetes audit logs. Violation policies generate one alert for each violation. (In contrast, compliance policies may generate a single alert for a misconfiguration that affects multiple instances.)

Violation policies reference an alert profile that specifies the information included in an alert. (In the Lacework Console, this information is surfaced as the "5 Ws" typically shown for an alert: who, what, when, where, and why.)

This topic describes how to create custom violation policies in the Lacework Console. For information on creating policies with the Lacework CLI or the Lacework API, see the following topics:

Before Starting

At the core of each violation policy is an LQL query. Before creating a policy, you should be familiar with LQL, and you should compose and test your LQL query with the Lacework CLI. As a shortcut, you can start with an existing query that comes close to what you'd like to achieve with your custom policy. You can see existing queries by viewing policy details from the Policies dashboard. For information on developing queries with the CLI, see LQL Queries in the LQL documentation.

Violation policy sources include AWS CloudTrail, Azure audit logs, and GCP activity logs; the policies inspect operations, events, and user activity data in those logs. Typically, they look for events like "resource added", "resource deleted", "resource moved", "new user log in", "new user created", "policy changed", "policy deleted", and so on.

To learn more about the datasources and fields you can query, see Datasource Information.
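The following query is an added example of an event-based violation query of the kind described above; it is not taken from this page or from Lacework's own policy library. It assumes that CloudTrailRawEvents is the CloudTrail datasource available in your account and that EVENT_SOURCE, EVENT_NAME, ERROR_CODE, INSERT_ID, INSERT_TIME, EVENT_TIME, and EVENT are fields it exposes; confirm these names under Datasource Information before using the query. It matches the "new user created" case: a successful IAM CreateUser call.

```lql
{
  source {
    CloudTrailRawEvents
  }
  filter {
    EVENT_SOURCE = 'iam.amazonaws.com'
    and EVENT_NAME = 'CreateUser'
    and ERROR_CODE is null
  }
  return distinct {
    INSERT_ID,
    INSERT_TIME,
    EVENT_TIME,
    EVENT
  }
}
```

The ERROR_CODE is null condition excludes denied or failed attempts, so each alert corresponds to a user that was actually created; drop that condition if you also want to be alerted on attempts. The returned fields carry the raw event and its timestamps, which is what an alert profile for CloudTrail needs to fill in the who, what, when, and where of the alert. Test the query with the Lacework CLI first, and attach it to a policy in draft status to see how many alerts it would produce before promoting it to live.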

To perform these steps, you need to be a user with Policies write permission in the Lacework Console.

Create a New Violation Policy

There are two ways to create a custom violation policy in the Lacework Console:

  • Create a Violation Policy by Cloning
  • Create a Violation Policy Manually

If an existing policy closely matches the policy that you want to create, the easiest way is to clone the existing policy and modify it to fit your needs. Note that cloning a policy creates a new, independent policy; changes to the original policy do not affect it. Alternatively, you can create a brand new policy from scratch, as described here.

Create a Violation Policy by Cloning

To create a policy by cloning and modifying an existing policy, follow these steps:

  1. As a user with write permissions for policies, click Policies from the left navigation menu.
  2. Find the violation policy on which you want to base your custom policy, and click on the policy to open its details pane.
  3. Click the clone icon below the policy name.
  4. Click the edit icon next to the name or description to edit the default values for your new policy.
  5. Click the Query tab and click the edit icon next to the query ID.
  6. Provide a new query ID and modify the LQL query in the query pane. See LQL Queries for more information about LQL.
  7. Click the Context tab and review and optionally modify the remediation steps.
  8. Click Save.

Create a Violation Policy Manually

To create a new LQL policy, follow these steps:

  1. As a user with write permissions for policies, click Policies from the left navigation menu.
  2. Click the Configure policy button at the top right.
  3. Choose the status of the policy, draft or live. A draft policy can appear in assessment reports, but it does not generate alerts and is not considered in overall assessment results. Using draft status for new policies allows you to test and troubleshoot a new policy and understand its impact before promoting it to live status.
  4. Add details for your policy:
    • Policy title: Enter a descriptive name for the new policy that suggests what the policy does
    • Policy description: Add descriptive information that documents the new policy to other Console users.
  5. For Policy type, choose Violation.
  6. Select the severity of the policy. This severity is used by alerts generated by the policy and appears in reports where assessments for the policy appear.
  7. In the Query ID field provide a unique name for the LQL query you are creating. The ID should be a single string that uses underscores to divide words, for example, LW_Custom_UnrestrictedIngressToTCP445.
  8. In the text field under the Query ID, enter your LQL query. To try out a query, paste the following query for a violation policy. It checks for unrestricted ingress to TCP port 445.
    {
      source {
        LW_CFG_AWS_EC2_SECURITY_GROUPS a,
        array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
        array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
      }
      filter {
        ip_permissions:IpProtocol = 'tcp'
        and ip_permissions:FromPort = 445
        and ip_permissions:ToPort = 445
        and ip_ranges:CidrIp = '0.0.0.0/0'
      }
      return distinct {
        ACCOUNT_ALIAS,
        ACCOUNT_ID,
        ARN as RESOURCE_KEY,
        RESOURCE_REGION,
        RESOURCE_TYPE,
        SERVICE
      }
    }
  9. Optionally, enter remediation information to display with notifications from this new policy.
  10. Click Save. The details view opens with the new policy. From there you can modify or delete the policy or set exceptions.