
Identity Risk Exceptions

Exceptions are a mechanism that lets you specify certain risk factors to ignore when Lacework calculates identity risk severity.

Some reasons to create an exception:

  • You are willing to treat some risks as accepted risks. For example, you might have a short-lived, risky test environment. Another example is a root account or a break-glass account: these types of accounts inherently have many permissions that are seldom used.
  • You have already implemented or will soon implement a fix to address the risks in question.
  • There are other measures in effect that are not accounted for by what Lacework observes in your environment.
  • You can confirm or can reasonably conclude that a detected risk is a false positive.

To reach the Exceptions tab, go to the Explore: Identities page, click an identity, and then click Exceptions. You can do the following:

  • Create exceptions for that individual identity
  • Review existing exceptions and their details (which risks they apply to, why they were created, who created them, when they expire, and status)
  • Edit or remove existing exceptions

To create and edit exceptions, you must be a user with identities write permissions in the Lacework Console.

For a use case, refer to Add an Exception for One or More Risks.

Exceptions List

Use the following methods to define which exceptions are displayed.

  • Select the time of assessment
  • Choose to display All, Active, or Inactive exceptions

Click the icons to select which columns to display or to search the exceptions.

Each exception has the following details.

| Column | Description |
|---|---|
| Name | The name of the exception. |
| Created by | The Lacework user that created the exception. |
| Created on | The date the exception was created. |
| Expiration | The date the exception expires. |
| Rationale | The reason why the exception was created. Available rationales include: Accepted Risk, Planned Work, Fix Pending, Compensating Controls, False Positive, and Other. |
| Status | The current status of the exception, such as Active or Expired. |

Create an Exception

To create an effective exception, follow these guidelines:

  • Ensure you select only the risks that you have a reason to ignore.
  • Configure a short expiration date; a short expiration duration will help reduce risk. You can always extend the expiration date if needed. Leaving an exception for longer than necessary could increase risk.

To create the exception:

  1. Go to Identities > Explore: Identities.
  2. Click the identity you want to add an exception for.
  3. Switch to the Exceptions tab and click Create new exception.
  4. Select the scope of the exception. You can select specific risks or all of the active risks. Only risks associated with the identity in question are displayed.
  5. Click Next.
  6. Provide a name and select a reason for the exception.
  7. Select an expiration date for the exception. Lacework recommends setting a short expiration duration to help reduce overall risk.
  8. Provide a thorough description of the exception.
  9. Click Save exception.

Remember that an active exception has the following impact:

  • All selected risk factors will be ignored while calculating risk severity. This may result in a lower overall risk severity.
  • Lacework strongly recommends configuring an expiration date. A short expiration date helps reduce overall risk. When an exception expires, all of its excepted risks are included in the identity's risk severity calculation, which may increase its overall risk.
  • You can remove the exception at any time.

Edit Exceptions

To display an exception’s details, click the exception.

To edit the exception, click Edit exception.

Details

Exception details include the following fields.

| Field | Description |
|---|---|
| Created by | The Lacework user that created the exception. |
| Created on | The date the exception was created. |
| Last updated | The date the exception was updated. |
| Expiration | The date the exception expires. |
| Rationale | The reason why the exception was created. Available rationales include: Accepted risk, Fix pending, Compensating controls, False positive, and Other. |
| Description | The description of the exception. |
| Excepted risks | The risks that the exception applies to. |

Changelog

The changelog tracks any updates made to the exception.

Impact

The impact tab provides general details about the impact of an exception.

Close Exceptions

To close an exception, click the exception, click Close exception, and then click Confirm.

When you close an exception, Lacework recalculates the identity's risk severity by including all of the excepted risks you just removed.