Alert Profile Overview
An alert profile is a set of metadata that defines how your LQL queries are translated into alerts.
Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, extend an existing alert profile and add your custom templates to it.
An alert profile has three components:
- Fields
- Alert templates
- Description keys
The following sections discuss each component.
Fields
A field declares an LQL query result field that is mapped into event details and alerts. Only LQL result fields declared as alert profile fields are mapped into event details and alerts; fields returned by a query that are not listed as alert profile fields are dropped.
For each Lacework-defined datasource, each field of that datasource is already defined as an alert profile field.
Currently, alert profile APIs do not support defining custom fields.
Alert Templates
An alert template is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.
An alert template's subject and description fields are not fixed text. You can specify customized subject and description fields using regular text that refers to description keys enclosed in double curly braces, for example {{RESOURCE_ID}}.
Each Lacework-defined datasource has defined default alerts. Your policies can use them without modification.
Alert profile APIs support creating and modifying your own custom alerts.
Description Keys
A description key is a placeholder variable that you can use in an alert template's subject and/or description. Description keys can refer to LQL query result fields and can also refer to other available data (such as metadata, like the name of a policy). Only description keys can be referred to by an alert template. A field must be used in a description key to be available in an alert.
For each Lacework-defined alert profile field, a description key is already defined for use in your alert templates.
Currently, alert profile APIs do not support defining custom description keys.
Defining Alert Templates in a Profile
To create new alert templates, create your own alert profile that extends a predefined Lacework alert profile.
Each alert has the following fields:
name
: The name that policies can use to refer to this template when generating alerts.
eventName
: The name of the resulting alert.
subject
: The subject text for the resulting alert.
description
: The description text for the resulting alert.
Each predefined alert profile contains default alert templates. If you do not define any custom alerts, a policy that references the alert profile will use the default alert template.
To use these alerts in a policy, refer to the alerts by the name you give them. The Lacework Policy Platform generates events and alerts based on the alert template that the policy refers to. If the policy refers to a named alert but the alert profile has no alert template with that name, the policy uses the Lacework default template.
Select an Alert Profile
Because an alert profile helps to map what data is available for the alert message, each alert profile corresponds to a datasource. The following sections list the alert profiles and their corresponding datasources.
A policy's alertProfile value has two components, the alert profile ID and the alert template name, which follow this format: alertProfileId.alert_template_name.
For example, if you created a query that uses the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource, use or extend the LW_CFG_AWS_DEFAULT_PROFILE alert profile.
To use the LW_CFG_AWS_DEFAULT_PROFILE alert profile, specify the following in the policy's alertProfile field: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation.
AWS Configuration Datasources
For all AWS configuration datasources, use the same alert profile.
Datasource | Alert Profile |
---|---|
LW_CFG_AWS_* | LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation |
Agent Datasources
Datasource | Alert Profile |
---|---|
LW_HA_DNS_REQUESTS | LW_HA_DNS_REQUESTS_DEFAULT_PROFILE.HA_DNS_Request_Violation |
LW_HA_FILE_CHANGES | LW_HA_FILE_CHANGES_DEFAULT_PROFILE.HA_File_Changes_Violation |
LW_HA_USER_LOGINS | LW_HA_USER_LOGINS_DEFAULT_PROFILE.HA_User_Login_Violation |
LW_HE_CONTAINERS | LW_HE_CONTAINERS_DEFAULT_PROFILE.HE_Container_Violation |
LW_HE_FILES | LW_HE_FILES_DEFAULT_PROFILE.HE_File_Violation |
LW_HE_IMAGES | LW_HE_IMAGES_DEFAULT_PROFILE.HE_Image_Violation |
LW_HE_MACHINES | LW_HE_MACHINES_DEFAULT_PROFILE.HE_Machine_Violation |
LW_HE_PROCESSES | LW_HE_PROCESSES_DEFAULT_PROFILE.HE_Process_Violation |
LW_HE_USERS | LW_HE_USERS_DEFAULT_PROFILE.HE_User_Violation |
AWS CloudTrail Datasource
Datasource | Alert Profile |
---|---|
CloudTrailRawEvents | LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource |
The API (GET /api/v2/AlertProfiles) does not currently expose the CloudTrail alert profile because it is not customizable.
Example Alert Profile
To get all alert profiles, use this endpoint:
GET https://AccountName.lacework.net/api/v2/AlertProfiles
To get only the LW_CFG_AWS_DEFAULT_PROFILE alert profile and its details, use this endpoint:
GET https://AccountName.lacework.net/api/v2/AlertProfiles/LW_CFG_AWS_DEFAULT_PROFILE
{
"data": {
"alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
"extends": "LW_LPP_BaseProfile",
"fields": [
{
"name": "_PRIMARY_TAG"
},
{
"name": "RESOURCE_ID"
}, ...
],
"descriptionKeys": [
{
"name": "_OCCURRENCE",
"spec": "{{_OCCURRENCE}}"
},
{
"name": "RESOURCE_ID",
"spec": "{{RESOURCE_ID}}"
}, ...
],
"alerts": [
{
"name": "CFG_AWS_PolicyChanged",
"eventName": "LW Configuration AWS Violation Alert",
"description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
"subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
},
{
"name": "CFG_AWS_NewViolation",
"eventName": "LW Configuration AWS Violation Alert",
"description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
"subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
},
{
"name": "CFG_AWS_Violation",
"eventName": "LW Configuration AWS Violation Alert",
"description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
"subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
}
]
}
}
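The following Python script is an added example, not Lacework's code or part of the documented API. It takes a policy's alertProfile reference (alertProfileId.alert_template_name), looks up the template in a profile document shaped like the response above, falls back to the default template when the name is not found, checks a custom template's {{...}} placeholders against the profile's description keys, and renders the subject and description from an LQL result row, exposing only columns that are declared profile fields. The profile JSON and result row are constructed; the CFG_AWS_OpenSecurityGroup template, its PORT placeholder, and the choice of CFG_AWS_Violation as the fallback default are assumptions made for the example.

```python
import json
import re

# Constructed profile document shaped like the GET /api/v2/AlertProfiles/{id}
# response. Field and key lists are abbreviated; the CFG_AWS_OpenSecurityGroup
# template (with its undeclared {{PORT}} key) is a hypothetical custom alert.
SAMPLE_PROFILE = json.loads("""
{"data": {
  "alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
  "extends": "LW_LPP_BaseProfile",
  "fields": [{"name": "_PRIMARY_TAG"}, {"name": "RESOURCE_ID"}, {"name": "RESOURCE_TYPE"},
             {"name": "ACCOUNT_ID"}, {"name": "RESOURCE_REGION"}],
  "descriptionKeys": [{"name": "_OCCURRENCE", "spec": "{{_OCCURRENCE}}"},
                      {"name": "RESOURCE_ID", "spec": "{{RESOURCE_ID}}"},
                      {"name": "RESOURCE_TYPE", "spec": "{{RESOURCE_TYPE}}"},
                      {"name": "ACCOUNT_ID", "spec": "{{ACCOUNT_ID}}"},
                      {"name": "RESOURCE_REGION", "spec": "{{RESOURCE_REGION}}"}],
  "alerts": [
    {"name": "CFG_AWS_Violation",
     "eventName": "LW Configuration AWS Violation Alert",
     "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
     "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"},
    {"name": "CFG_AWS_OpenSecurityGroup",
     "eventName": "Security group allows unrestricted ingress",
     "description": "Security group {{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}} allows ingress from any address on port {{PORT}}",
     "subject": "Unrestricted ingress on security group {{RESOURCE_ID}}"}
  ]}}
""")

# A {{KEY}} placeholder, as used in the subject/description templates above.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Assumption: the profile's own CFG_AWS_Violation template is the default that
# a policy falls back to when it names a template the profile does not define.
DEFAULT_TEMPLATE = "CFG_AWS_Violation"


def parse_profile_ref(ref):
    """Split a policy's alertProfile value, 'alertProfileId.alert_template_name'."""
    profile_id, sep, template_name = ref.partition(".")
    if not sep or not profile_id or not template_name:
        raise ValueError(f"expected alertProfileId.alert_template_name, got {ref!r}")
    return profile_id, template_name


def declared_keys(profile):
    """Description keys are the only names a template may refer to."""
    return {k["name"] for k in profile["data"]["descriptionKeys"]}


def find_template(profile, template_name):
    """Look up a template by name, falling back to the default template."""
    by_name = {a["name"]: a for a in profile["data"]["alerts"]}
    return by_name.get(template_name, by_name[DEFAULT_TEMPLATE])


def undeclared_placeholders(profile, template):
    """Placeholders in subject/description that no description key defines.

    Such placeholders are never substituted, so a non-empty result means the
    custom template would ship with literal {{...}} text in the alert.
    """
    used = set(PLACEHOLDER.findall(template["subject"]))
    used |= set(PLACEHOLDER.findall(template["description"]))
    return sorted(used - declared_keys(profile))


def render(profile, template, row, occurrence="New"):
    """Render an alert from an LQL result row.

    Only columns that are both a declared profile field and a description key
    are exposed; _OCCURRENCE is policy metadata rather than a query column.
    """
    fields = {f["name"] for f in profile["data"]["fields"]}
    keys = declared_keys(profile)
    values = {"_OCCURRENCE": occurrence}
    values.update({c: str(v) for c, v in row.items() if c in fields and c in keys})

    def substitute(match):
        # Leave unresolved placeholders verbatim so they are visible in output.
        return values.get(match.group(1), match.group(0))

    return {
        "eventName": template["eventName"],
        "subject": PLACEHOLDER.sub(substitute, template["subject"]),
        "description": PLACEHOLDER.sub(substitute, template["description"]),
    }


def alert_from_policy(profile, alert_profile_ref, row, occurrence="New"):
    """Resolve a policy's alertProfile reference and render the alert."""
    profile_id, template_name = parse_profile_ref(alert_profile_ref)
    if profile_id != profile["data"]["alertProfileId"]:
        raise ValueError(f"profile {profile_id} does not match loaded profile")
    return render(profile, find_template(profile, template_name), row, occurrence)


if __name__ == "__main__":
    # Constructed LQL result row; UNMAPPED_COLUMN is not a profile field.
    row = {"RESOURCE_ID": "sg-0123456789abcdef0", "RESOURCE_TYPE": "ec2:security-group",
           "ACCOUNT_ID": "123456789012", "RESOURCE_REGION": "us-east-1", "UNMAPPED_COLUMN": "x"}
    for name in ("CFG_AWS_Violation", "CFG_AWS_OpenSecurityGroup"):
        tmpl = find_template(SAMPLE_PROFILE, name)
        print(name, "undeclared keys:", undeclared_placeholders(SAMPLE_PROFILE, tmpl))
    print(alert_from_policy(SAMPLE_PROFILE, "LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation", row))
```

Running undeclared_placeholders over a profile fetched from the real endpoint is a cheap pre-flight check before a custom profile is pushed: any name it reports will appear in alerts as literal {{...}} text because, as described above, only description keys can be referenced by a template.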