Host Integrity Policies

Several additional types of Lacework policies do not rely on Lacework Query Language (LQL) queries, but instead perform assessments and detections in different ways.

You can customize these policy types by cloning the policies and setting or editing the conditions upon which the policies are based. These include the following host-oriented policy types:

  • Application Policies (Policy ID prefix: LW_APP)
  • File Integrity Monitoring (FIM) Policies (Policy ID prefix: LW_FIM)
  • User Login Activity Policies (Policy ID prefix: LW_USER)

Default policies for these types follow:

| Policy ID | Alert Generated by Policy | Description |
|---|---|---|
| LW_APP_1 | Suspicious Applications | Remote connection applications were used. |
| LW_FIM_33 | Files Changed | Password and group membership files were changed. |
| LW_USER_31 | Suspicious logins from multiple GEOs | Suspicious logins from multiple GEOs - A single user logged in from more than one country |
| LW_USER_32 | Suspicious Logins | Suspicious Logins - Repeated failed attempts to login |

The following topics describe how to create and modify these policies: