Host Policies
Overview
Create policies to check for unwanted behavior specific to your environment. A policy is a set of rules that can define the following:
- The conditions to be triggered, for example:
- Connecting to new hosts or IP addresses.
- Logins originating from a certain country.
- A file having certain file hash.
- A severity, such as low, medium, high, or critical.
- The status of the policy: Enabled or Disabled.
Lacework provides a number of default policies that you can enable or disable depending on your requirements.
Policy Management
Use the Policies page in the Lacework Console to manage policies.
Create a Policy
Follow these steps to create a policy:
- Click Policies.
- Create new policies by cloning existing ones. Locate and click the policy you want to base your policy on.
- In the policy window:
- If the Clone policy icon is available, you can clone the policy.
- If the Clone policy icon is not available, the policy cannot be cloned or the policy has already been cloned the maximum number of times (4 clones).
- Once cloned, click the edit option for the title
to provide the event name that is generated when the policy triggers. Click Save when complete. - Click the Query tab in the policy drawer and fill in your parameters. The subsections in Policy Types provide the available parameters for each type.
- Click Save after completing the parameters.
- The policy is enabled by default. If you want to disable the policy, toggle the Status
.
Policy Types
You can manage policies through the Policies page. The subsections below detail the parameters for each type.
Application (Prefix: LW_APP)
| Parameter | Type | Description |
|---|---|---|
| Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html. |
| Executable path | String | Specify a full absolute directory path to an executable which includes the name of the executable. Typically you want to specify the exact directory path without wildcards to limit the number of matching expressions. |
| Hostname | String | Specify the machine hostname. |
| Username | String | Specify the username of the local user that is running the process. For example, if joesmith securely logs into a machine as suehunt and runs a process, suehunt is the username. |
Files (Prefix: LW_FIM)
| Parameter | Type | Description |
|---|---|---|
| Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html. |
| File Change type | String | Specify one of the following file change types: 1) New—files were added. 2) Removed—files were deleted. 3) Changed—files were modified, added, or deleted. Do not specify quotes around the type. This parameter is used in combination with the File path parameter to determine if the files matching the File path expression have been added, removed or changed. For example, the policy triggers, if the following expressions occur: a policy has a File path INCLUDE /usr/lib/* expression, a File Change INCLUDE Changed expression, and files are modified in the /usr/lib directory. |
| File path | String | Specify a file path or file paths to a set of files. This parameter is used in combination with the File Change type parameter to determine if files are modified, added, or deleted. |
| File owner | String | Specify the owner of a file, such as root. |
| File size | Number | Specify the number of bytes to compare against the specified operator such as Greater Than. |
| File hash | String | Specify a single hash value that matches one or more files. For example, you could specify a hash that matches a set of suspicious files. |
| Hostname | String | Specify the machine hostname. |
Users (Prefix: LW_USER)
| Parameter | Type | Description |
|---|---|---|
| Machine Name | String | Specify a unique identifier given to a machine. |
| Number of countries from where logins detected | Number | Specify the total number of different countries where logins have been detected originating from, per user and machine within the last hour. |
| Number of distinct source/originating IPs | Number | Specify the total number of IP addresses where logins have been detected originating from, within the last hour. |
| Number of failed logins | Number | Specify the total number of failed login attempts that have been detected on a machine, within the last hour. |
| Number of successful logins | Number | Specify the total number of successful login attempts that have been detected on a machine, within the last hour. |
| Source IP address | String | Specify the source IP address/es to include/exclude for custom policy filters. For multiple IPs, use a comma-separated list without spaces. |
| Username | String | Specify the username that is logging in to a machine. |
Vulnerability (Prefix: LW_VULN)
| Parameter | Type | Description |
|---|---|---|
| CVE | String | Specify the CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values in one line separated by a comma. Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. |
| CVE severity | String | Specify the CVE severity or severities, such as Critical, High. You can specify multiple values separated by a comma. This policy would generate an alert with the specified severities only. The severity is derived from the CVSS rating score. Valid values are None, Low, Medium, High, and Critical. |
| Host name | String | Specify the host name, such as myhostname. |
| Machine tags | String | Select existing machine tags from the drop-down menu. Or specify new machine tags in the indicated format key->value. |
| Mid | Number | Specify the machine ID, a unique identifier from the agent, such as 1234. |
| Package active | Number | Specify 0 for false, meaning the package is not active. Specify 1 for true, meaning the package is active. |
| Package name | String | Specify the name of the software package, such as vim. |
| Package namespace | String | Specify the namespace associated with the package, such as ubuntu:18.04. |
| Package version | String | Specify the package version, such as 2.20.9-0ubuntu7.14. |
Edit a Policy
Edit a policy by clicking it in the Policies page and then clicking the edit option.
Delete a Policy
Delete a policy by clicking it in the Policies page and then clicking the delete 
option.
Disable/Enable a Policy
On the Policies page, find the policy and click the Status toggle to disable or enable the policy.
Policy Evaluation Results
View evaluation results for host policies by choosing a specific resource type from the Workloads > Hosts menu. The events display under the Timeline.
Default Policies
Default policies are read-only. Lacework provides the following default policies:
Anomaly
| Policy ID | Behavior Policy | Description |
|---|---|---|
| LW_APP_TYPE_70 | New Application | Detects a new application type being launched |
| LW_EXT_DNS_58 | New External Host | Detects a connection to a new external host |
| LW_EXT_DNS_60 | New External Client DNS | Detects a new external host making a connection |
| LW_EXT_DNS_62 | New External Server | Detects an external IP used as a DNS server for for the first time |
| LW_EXT_IP_64 | New External Server IP Address | Detects a connection to a new external IP |
| LW_EXT_IP_66 | New External Client IP Address | Detects a new external IP making a connection |
| LW_EXT_IP_68 | New Internal Server IP | Detects a connection to a new internal IP |
| LW_EXT_IP_69 | New Internal Client IP | Detects a new internal IP making a connection |
| LW_HOST_77 | New External Host Server Connection | Detects a connection a new external host |
| LW_IP_73 | New External Client IP Address Connection | Detects a new external IP making a connection |
| LW_IP_75 | New External Server IP Address Connection | Detects a connection to a new external IP |
| LW_IP_79 | New Internal Connection | Detects a new internal connection |
| LW_MCH_71 | New Machine Server Cluster | Detects a new machine server cluster |
| LW_PROCESS_80 | New Privilege Escalation | Detects a privilege escalation |
| LW_PROCESS_81 | New Child Launched | Detects an application launching a child application |
| LW_USR_72 | New User | Detects a user seen for the first time on a host |
| LW_USR_82 | Machine Cluster Launched New Binary | Detects a new machine cluster launching an application |
| LW_USR_83 | User Launched New Binary | Detects a user launching a new application |
| LW_USR_84 | User Logged In From New IP Address | Detects a user logging in from a new IP address |
| LW_USR_85 | User Logged In From New Location | Detects a user logging in from a new location |
Application
| Policy ID | Behavior Policy | Description |
|---|---|---|
| LW_APP_1 | Suspicious Applications | Detects potential suspicious applications |
Files
| Policy ID | Behavior Policy | Description |
|---|---|---|
| LW_FIM_33 | Files Changed | Detects changes in files that may indicate suspicious activity |
| LW_FIM_34 | Suspicious Files | Detects suspicious files |
Users
| Policy ID | Behavior Policy | Description |
|---|---|---|
| LW_USER_31 | Suspicious Logins from multiple GEOs | Detects suspicious logins from multiple countries |
| LW_USER_32 | Suspicious Logins | Detects suspicious logins |
Vulnerability
| Policy ID | Behavior Policy | Description |
|---|---|---|
| LW_VULN_102 | New Security Vulnerability | Detects a new software vulnerability within monitored hosts for a defined severity level |
| LW_VULN_103 | Known Security Vulnerability | Detects a known software vulnerability within monitored hosts for a defined severity level |
| LW_VULN_104 | Severity changes for Security Vulnerability | Detects a software vulnerability severity change within monitored hosts |
| LW_VULN_105 | Fix available for Security Vulnerability | Detects a software vulnerability patch status change within monitored hosts |
Edit a Default Policy
Default policies cannot be edited. They can be cloned or disabled if required.
Delete a Default Policy
Default policies cannot be deleted, only disabled.
Disable/Enable a Default Policy
On the Policies page, find the default policy and click the Status toggle to disable or enable the policy.
Policies Chart
The Policies page display a visual summary detailing the following information:
- Coverage - Shows total number of policies, including the number of enabled vs disabled, and the number of policy exceptions.
- Policy Types - Shows the number of default vs custom policies.
- Policies By Severity - Shows the number of policies for each severity.
The chart updates when any filters are active.