
Host Policies

Overview

Create policies to check for unwanted behavior specific to your environment. A policy is a set of rules that can define the following:

  • The conditions that trigger it, for example:
    • Connecting to new hosts or IP addresses.
    • Logins originating from a certain country.
    • A file having a certain file hash.
  • A severity, such as low, medium, high, or critical.
  • The status of the policy: Enabled or Disabled.

Lacework provides a number of default policies that you can enable or disable depending on your requirements.

Policy Management

Use the Policies page in the Lacework Console to manage policies.

Create a Policy

Follow these steps to create a policy:

  1. Click Policies.
  2. Create new policies by cloning existing ones. Locate and click the policy you want to base your policy on.
  3. In the policy window:
    • If the Clone policy icon is available, you can clone the policy.
    • If the Clone policy icon is not available, the policy cannot be cloned or the policy has already been cloned the maximum number of times (4 clones).
  4. Once cloned, click the edit option next to the policy title to provide the event name that is generated when the policy triggers. Click Save when complete.
  5. Click the Query tab in the policy drawer and fill in your parameters. The subsections in Policy Types provide the available parameters for each type.
  6. Click Save after completing the parameters.
  7. The policy is enabled by default. If you want to disable the policy, click the Status toggle.

Policy Types

You can manage policies through the Policies page. The subsections below detail the parameters for each type.

Application (Prefix: LW_APP)

Parameter | Type | Description
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html.
Executable path | String | Specify the full absolute path to an executable, including the name of the executable. Typically you want to specify the exact path without wildcards to limit the number of matching expressions.
Hostname | String | Specify the machine hostname.
Username | String | Specify the username of the local user that is running the process. For example, if joesmith securely logs into a machine as suehunt and runs a process, suehunt is the username.

Files (Prefix: LW_FIM)

Parameter | Type | Description
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html.
File Change type | String | Specify one of the following file change types: New (files were added), Removed (files were deleted), or Changed (files were modified, added, or deleted). Do not put quotes around the type. This parameter is used in combination with the File path parameter to determine whether the files matching the File path expression have been added, removed, or changed. For example, a policy with a File path INCLUDE /usr/lib/* expression and a File Change INCLUDE Changed expression triggers when files are modified in the /usr/lib directory.
File path | String | Specify a file path or paths to a set of files. This parameter is used in combination with the File Change type parameter to determine whether files are modified, added, or deleted.
File owner | String | Specify the owner of a file, such as root.
File size | Number | Specify the number of bytes to compare against using the specified operator, such as Greater Than.
File hash | String | Specify a single hash value that matches one or more files. For example, you could specify a hash that matches a set of known suspicious files.
Hostname | String | Specify the machine hostname.
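How the File path, File Change type, File owner, File size and File hash parameters combine into one rule is easiest to see in code. The block below is an added illustration, not Lacework's evaluator: the event field names, the rule layout, and the sample events are assumptions. It walks through the page's own File path INCLUDE /usr/lib/* plus File Change INCLUDE Changed case and shows that Changed also fires on a newly added file.

```python
from fnmatch import fnmatch

# Added illustration of how the LW_FIM parameters above combine into one rule.
# Not Lacework's evaluator; event field names and rule layout are assumed.
# Per the page: New = added, Removed = deleted, Changed = modified, added or deleted.
CHANGE_TYPES = {"New": {"added"}, "Removed": {"deleted"},
                "Changed": {"modified", "added", "deleted"}}
SIZE_OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def matches(value, expressions, match=fnmatch):
    """True if value hits an INCLUDE expression and no EXCLUDE expression.
    An empty expression list means the parameter is unset and imposes no constraint."""
    if not expressions:
        return True
    included = any(match(value, p) for mode, p in expressions if mode == "INCLUDE")
    excluded = any(match(value, p) for mode, p in expressions if mode == "EXCLUDE")
    return included and not excluded

def evaluate(policy, event):
    """True when a file event satisfies every parameter that is set on the policy."""
    size_rule = policy.get("file_size")          # e.g. (">", 1_000_000) for Greater Than
    return (matches(event["path"], policy.get("file_path", []))
            and matches(event["action"], policy.get("change_type", []),
                        match=lambda action, name: action in CHANGE_TYPES[name])
            and matches(event["owner"], policy.get("file_owner", []), match=str.__eq__)
            and matches(event["sha256"], policy.get("file_hash", []), match=str.__eq__)
            and (size_rule is None or SIZE_OPS[size_rule[0]](event["size"], size_rule[1])))

# Constructed sample events from one host; hashes are shortened placeholders.
EVENTS = [
    {"path": "/usr/lib/libcrypto.so.3", "action": "modified", "owner": "root",
     "size": 4_500_000, "sha256": "aa11"},
    {"path": "/usr/lib/libhook.so", "action": "added", "owner": "root",
     "size": 20_000, "sha256": "bb22"},
    {"path": "/usr/lib/python3/dist-packages/pip/__init__.py", "action": "modified",
     "owner": "root", "size": 800, "sha256": "cc33"},
    {"path": "/etc/passwd", "action": "modified", "owner": "root", "size": 2_000, "sha256": "dd44"},
]

# The page's worked case (File path INCLUDE /usr/lib/*, File Change type INCLUDE Changed),
# plus an EXCLUDE that leaves the Python package tree out. Changed also catches the added file.
USR_LIB_CHANGED = {"file_path": [("INCLUDE", "/usr/lib/*"), ("EXCLUDE", "/usr/lib/python3/*")],
                   "change_type": [("INCLUDE", "Changed")]}
# Narrower variant: only files newly created under /usr/lib.
USR_LIB_NEW = {"file_path": [("INCLUDE", "/usr/lib/*")], "change_type": [("INCLUDE", "New")]}

def triggered(policy, events=EVENTS):
    """Paths of the events that would trigger the policy."""
    return [e["path"] for e in events if evaluate(policy, e)]
```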

Users (Prefix: LW_USER)

Parameter | Type | Description
Machine Name | String | Specify the unique identifier given to a machine.
Number of countries from where logins detected | Number | Specify the total number of different countries from which logins have been detected, per user and machine, within the last hour.
Number of distinct source/originating IPs | Number | Specify the total number of distinct IP addresses from which logins have been detected within the last hour.
Number of failed logins | Number | Specify the total number of failed login attempts detected on a machine within the last hour.
Number of successful logins | Number | Specify the total number of successful login attempts detected on a machine within the last hour.
Source IP address | String | Specify the source IP address or addresses to include or exclude in custom policy filters. For multiple IPs, use a comma-separated list without spaces.
Username | String | Specify the username that is logging in to a machine.
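All of the numeric Users parameters are counted over the last hour, so the window matters as much as the threshold. The block below is an added illustration, not Lacework's code: it parses constructed login records in an assumed format, computes the per-user-and-machine country count and the per-machine failed and successful login tallies for a one-hour window, and checks them against assumed thresholds; counting only successful logins toward countries and IPs is also an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added illustration of the LW_USER counters above over a one-hour window; not Lacework's
# evaluator. Log format, field names, thresholds and "successful logins only" are assumptions.
WINDOW = timedelta(hours=1)

# Constructed records: "<iso-time> <machine> <user> <source-ip> <country> <ok|fail>"
LOG = """
2024-05-01T08:00:00+00:00 web-01 alice 198.51.100.44 BR ok
2024-05-01T10:05:00+00:00 web-01 alice 203.0.113.5 US ok
2024-05-01T10:20:00+00:00 web-01 alice 198.51.100.9 DE ok
2024-05-01T10:30:00+00:00 web-01 bob 192.0.2.7 US fail
2024-05-01T10:31:00+00:00 web-01 bob 192.0.2.7 US fail
2024-05-01T10:32:00+00:00 web-01 bob 192.0.2.7 US fail
2024-05-01T10:35:00+00:00 db-01 carol 192.0.2.7 US ok
""".strip().splitlines()

def parse(line):
    ts, machine, user, ip, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "machine": machine, "user": user,
            "ip": ip, "country": country, "ok": result == "ok"}

def counters(lines, now):
    """Per-(machine, user) country sets and per-machine IP/login tallies for the last hour."""
    users = defaultdict(set)
    hosts = defaultdict(lambda: {"ips": set(), "failed": 0, "successful": 0})
    for e in map(parse, lines):
        if not now - WINDOW <= e["ts"] <= now:
            continue                          # older than an hour: outside the window
        host = hosts[e["machine"]]
        host["successful" if e["ok"] else "failed"] += 1
        if e["ok"]:
            host["ips"].add(e["ip"])
            users[(e["machine"], e["user"])].add(e["country"])
    return users, hosts

def evaluate(policy, lines, now):
    """Return the (machine, user) pairs or machines whose counters reach the thresholds."""
    users, hosts = counters(lines, now)
    hits = []
    if "countries_min" in policy:             # "Number of countries from where logins detected"
        hits += [k for k, c in users.items() if len(c) >= policy["countries_min"]
                 and policy.get("username", k[1]) == k[1]]
    if "failed_min" in policy:                # "Number of failed logins"
        hits += [m for m, h in hosts.items() if h["failed"] >= policy["failed_min"]]
    return hits
NOW = datetime.fromisoformat("2024-05-01T10:40:00+00:00")
MULTI_GEO = {"countries_min": 2}     # two or more countries per user and machine within an hour
FAILED_BURST = {"failed_min": 3}     # three or more failed logins on one machine within an hour
```

Alice's Brazilian login at 08:00 falls outside the window, so only her US and DE logins count and a threshold of 3 countries does not fire.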

Vulnerability (Prefix: LW_VULN)

Parameter | Type | Description
CVE | String | Specify the full CVE ID or IDs, such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values on one line separated by commas. Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.
CVE severity | String | Specify the CVE severity or severities, such as Critical, High. You can specify multiple values separated by commas. The policy generates an alert for the specified severities only. The severity is derived from the CVSS score. Valid values are None, Low, Medium, High, and Critical.
Host name | String | Specify the host name, such as myhostname.
Machine tags | String | Select existing machine tags from the drop-down menu, or specify new machine tags in the format key->value.
Mid | Number | Specify the machine ID, a unique identifier assigned by the agent, such as 1234.
Package active | Number | Specify 0 for false (the package is not active) or 1 for true (the package is active).
Package name | String | Specify the name of the software package, such as vim.
Package namespace | String | Specify the namespace associated with the package, such as ubuntu:18.04.
Package version | String | Specify the package version, such as 2.20.9-0ubuntu7.14.

Edit a Policy

Edit a policy by clicking it in the Policies page and then clicking the edit option.

Delete a Policy

Delete a policy by clicking it in the Policies page and then clicking the delete option.

Disable/Enable a Policy

On the Policies page, find the policy and click the Status toggle to disable or enable the policy.

Policy Evaluation Results

View evaluation results for host policies by choosing a resource type from the Workloads > Hosts menu. The events appear under the Timeline.

Default Policies

Default policies are read-only. Lacework provides the following default policies:

Anomaly

Policy ID | Behavior Policy | Description
LW_APP_TYPE_70 | New Application | Detects a new application type being launched
LW_EXT_DNS_58 | New External Host | Detects a connection to a new external host
LW_EXT_DNS_60 | New External Client DNS | Detects a new external host making a connection
LW_EXT_DNS_62 | New External Server | Detects an external IP used as a DNS server for the first time
LW_EXT_IP_64 | New External Server IP Address | Detects a connection to a new external IP
LW_EXT_IP_66 | New External Client IP Address | Detects a new external IP making a connection
LW_EXT_IP_68 | New Internal Server IP | Detects a connection to a new internal IP
LW_EXT_IP_69 | New Internal Client IP | Detects a new internal IP making a connection
LW_HOST_77 | New External Host Server Connection | Detects a connection to a new external host
LW_IP_73 | New External Client IP Address Connection | Detects a new external IP making a connection
LW_IP_75 | New External Server IP Address Connection | Detects a connection to a new external IP
LW_IP_79 | New Internal Connection | Detects a new internal connection
LW_MCH_71 | New Machine Server Cluster | Detects a new machine server cluster
LW_PROCESS_80 | New Privilege Escalation | Detects a privilege escalation
LW_PROCESS_81 | New Child Launched | Detects an application launching a child application
LW_USR_72 | New User | Detects a user seen for the first time on a host
LW_USR_82 | Machine Cluster Launched New Binary | Detects a new machine cluster launching an application
LW_USR_83 | User Launched New Binary | Detects a user launching a new application
LW_USR_84 | User Logged In From New IP Address | Detects a user logging in from a new IP address
LW_USR_85 | User Logged In From New Location | Detects a user logging in from a new location

Application

Policy ID | Behavior Policy | Description
LW_APP_1 | Suspicious Applications | Detects potentially suspicious applications

Files

Policy ID | Behavior Policy | Description
LW_FIM_33 | Files Changed | Detects changes in files that may indicate suspicious activity
LW_FIM_34 | Suspicious Files | Detects suspicious files

Users

Policy ID | Behavior Policy | Description
LW_USER_31 | Suspicious Logins from multiple GEOs | Detects suspicious logins from multiple countries
LW_USER_32 | Suspicious Logins | Detects suspicious logins

Vulnerability

Policy ID | Behavior Policy | Description
LW_VULN_102 | New Security Vulnerability | Detects a new software vulnerability within monitored hosts for a defined severity level
LW_VULN_103 | Known Security Vulnerability | Detects a known software vulnerability within monitored hosts for a defined severity level
LW_VULN_104 | Severity changes for Security Vulnerability | Detects a software vulnerability severity change within monitored hosts
LW_VULN_105 | Fix available for Security Vulnerability | Detects a software vulnerability patch status change within monitored hosts

Edit a Default Policy

Default policies cannot be edited. They can be cloned or disabled if required.

Delete a Default Policy

Default policies cannot be deleted, only disabled.

Disable/Enable a Default Policy

On the Policies page, find the default policy and click the Status toggle to disable or enable the policy.

Policies Chart

The Policies page displays a visual summary with the following information:

  • Coverage - Shows total number of policies, including the number of enabled vs disabled, and the number of policy exceptions.
  • Policy Types - Shows the number of default vs custom policies.
  • Policies By Severity - Shows the number of policies for each severity.

(Figure: Policies page chart)

The chart updates to reflect any active filters.