Create Custom Policies
You can create a custom policy through the Lacework Console. This section provides the steps to create a custom Lacework Query Language (LQL) policy, including cloud compliance and cloud activity policies. These steps do not apply to vulnerability or other types of policies.
For information on LQL, see the LQL documentation. As an alternative to creating a custom policy in the console, you can create one with the Lacework CLI or the Lacework API.
Create a New Custom Policy
To create a new LQL policy through the Lacework Console, follow these steps:
Log in to the Lacework Console and navigate to Policies.
Click + Add Policy. The New Policy window appears.
Specify the parameters for your policy.
- Title: Name for the new policy that also identifies what the policy does
- Description: Information about the new policy
- Alerts: Select the action to take for an event triggered by this policy. You can either send an alert notification or mute the event.
- Severity: The severity level assigned to events triggered by this policy. You can sort and filter events by this level.
- Status: Enable or disable this policy with this toggle.
Note: Missing required fields are indicated with a red error message. You cannot continue with the policy creation until you provide these required parameters.
Click Save and Continue. The Query window appears.
Specify a query identifier in Query ID for your new policy.
Paste your custom query into the window. Lacework validates your query and presents an error if you enter an invalid or empty query. If you want to erase the pasted query, click the Remove the pasted query icon.
To try out a query, you can paste the following query. It checks for unrestricted ingress to TCP port 445.
{
    source {
        LW_CFG_AWS_EC2_SECURITY_GROUPS a,
        array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
        array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
    }
    filter {
        ip_permissions:IpProtocol = 'tcp'
        and ip_permissions:FromPort = 445
        and ip_permissions:ToPort = 445
        and ip_ranges:CidrIp = '0.0.0.0/0'
    }
    return distinct {
        ACCOUNT_ALIAS,
        ACCOUNT_ID,
        ARN as RESOURCE_KEY,
        RESOURCE_REGION,
        RESOURCE_TYPE,
        SERVICE
    }
}
For more information about LQL policies, see the LQL documentation.
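The example below is added here and is not Lacework's code: it re-implements the match logic of the query above in Python, run against constructed security group records, so you can see what the two array_to_rows() flattenings and the filter actually select before saving the policy. It also goes beyond the query with a broadened filter (my extension, not on the page) that catches port ranges containing 445, the all-traffic protocol, and the IPv6 any-address range; the ARN, account ID and RESOURCE_CONFIG field names are assumed to follow the AWS EC2 DescribeSecurityGroups shape.

```python
# Added example (not Lacework's code): the page's LQL query re-implemented in
# Python over constructed security group records.
from typing import Iterator, Tuple

PORT = 445
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def flatten(cfg: dict) -> Iterator[Tuple[dict, dict]]:
    """Equivalent of the two array_to_rows() calls: one row per
    (IpPermissions entry, IpRanges/Ipv6Ranges entry) pair."""
    for perm in cfg.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            yield perm, rng

def strict_match(perm: dict, rng: dict) -> bool:
    """Exactly the query's filter: tcp, FromPort = ToPort = 445, CidrIp 0.0.0.0/0.
    A rule opening 137-445, or all traffic ('-1'), does NOT match here."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == PORT
            and perm.get("ToPort") == PORT
            and rng.get("CidrIp") == ANY_V4)

def broad_match(perm: dict, rng: dict) -> bool:
    """Broadened filter (assumption, not on the page): any rule whose port span
    contains 445, including protocol '-1' (all traffic, no port fields), from
    either the IPv4 or the IPv6 any-address range."""
    proto = perm.get("IpProtocol")
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    world = rng.get("CidrIp") == ANY_V4 or rng.get("CidrIpv6") == ANY_V6
    return world and (proto == "-1" or (proto == "tcp" and lo <= PORT <= hi))

def violating_arns(resources: list, strict: bool = True) -> list:
    """Mirror 'return distinct { ARN as RESOURCE_KEY, ... }' for one filter."""
    match = strict_match if strict else broad_match
    return sorted({r["ARN"] for r in resources
                   if any(match(p, g) for p, g in flatten(r["RESOURCE_CONFIG"]))})

def sg(name: str, perms: list) -> dict:
    """Build a constructed resource record (placeholder account ID)."""
    return {"ARN": f"arn:aws:ec2:us-east-1:111122223333:security-group/{name}",
            "RESOURCE_CONFIG": {"IpPermissions": perms}}

SAMPLE = [  # constructed records, not exported from any real account
    sg("sg-exact", [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                     "IpRanges": [{"CidrIp": ANY_V4}]}]),
    sg("sg-range", [{"IpProtocol": "tcp", "FromPort": 137, "ToPort": 445,
                     "IpRanges": [{"CidrIp": ANY_V4}]}]),
    sg("sg-all", [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]),
    sg("sg-v6", [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                  "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]),
    sg("sg-internal", [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]),
]
```

Running `violating_arns(SAMPLE)` flags only sg-exact, which is what the page's query would return; the broadened filter additionally flags sg-range, sg-all and sg-v6, so decide which behaviour you want before choosing equality or range comparisons in the LQL filter.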
Click Save and Continue. The Context window appears.
Optionally, enter remediation information to display with notifications from this new policy.
Click Save and Continue. A confirmation message appears upon successful creation of your new custom LQL policy.