Lacework rules and custom rules are available from Monitor > Policies in the Lacework Console, where they are grouped into policies.
Lacework supports the following types of rules:
- Lacework rules - Lacework provides a set of predefined rules that are visible from the Lacework Console. You can disable Lacework rules to suppress the generation of unwanted events in your environment. Lacework rule IDs start with the LW_ prefix. For more information, see Disable Rules to Suppress Events.
- Custom rules - You can create custom rules that check for unwanted behavior in your environment, such as Telnet being used. You can also customize the triggers and severities of custom rules. Custom rule IDs start with the CUSTOM_ prefix.
Both Lacework and custom rules can be enabled or disabled. Rules are grouped into policy types; to view another set of rules, select a policy from the Policy Type drop-down. For Vulnerability rules, you can additionally filter by category, such as All, Container, or Host.
To find out if a rule can be cloned and therefore customized, expand the rule and look for the Clone button. If the Clone button does not appear, this rule cannot be cloned or this rule has already been cloned the maximum number of times (4 clones).
NOTE: Each rule has a default severity, but the actual event severity could be higher or lower based on different risk factors determined by the Lacework risk engine.
To create a custom rule
- Select Monitor > Policies.
- From the Policy Type drop-down, select the rule type, such as Host.
- Expand the rule and look for the Clone button.
- If the Clone button displays, you can create a custom rule by clicking Clone.
- If the Clone button does not appear, this rule cannot be cloned or this rule has already been cloned the maximum number of times (4 clones).
- In the Event Name field, enter a title for the event that is generated when the rule fires, that is, when all of its conditions are true.
- Enter one or more AND conditions. When creating custom rules, Lacework recommends limiting the number of conditions to three or fewer. Also, by design, Lacework captures the names of processes that engage in network activity; a process such as whoami that makes no network connection is not captured, so a condition such as 'Executable path INCLUDE */whoami' is never true and the rule never fires.
- From the left drop-down select a parameter type such as Executable path.
- From the middle drop-down select an operator type such as INCLUDE.
- In the right field, enter a value for the operator to compare against the value in the specified parameter.
- Select the rule Severity.
- Toggle Enabled. When rule evaluation is triggered, Lacework evaluates only rules that are enabled. For more information, see Host Rules, Vulnerability Assessment, AWS Compliance Rules, Azure Compliance Rules, and GCP Compliance Rules.
NOTE: You can also edit a custom rule directly from an event that it generated. From the timeline in Monitor > Events, find the event generated by the custom rule. Click the Open Event Dossier icon to display the event details. In the top right corner, click the Edit Rule icon to open the custom rule that generated the event, make any changes, and click Save.
String Type Behavior
When you specify a string in a condition, it must match the whole value; partial matches are not supported unless you use the * wildcard, as the following examples show:
- If you specify the 'Username INCLUDE sue' condition and the current value of Username is suehunt, the condition is false, so the rule does not trigger and no event is generated.
- If you specify the 'Username INCLUDE sue*' condition (with the * wildcard) and the current value of Username is suehunt, the condition is true, so the rule triggers and an event is generated.
You can specify multiple possible matches as a comma-separated list. For example, if you specify the 'Username INCLUDE suehunt,joesmith' condition and the current value of Username is either suehunt or joesmith, the condition is true, so the rule triggers and an event is generated.
Disable Rules to Suppress Events
You can disable rules that do not apply to your environment. For example, if you use a third-party MFA (multi-factor authentication) tool instead of AWS MFA, the Successful Console Login Without MFA rule generates an event for every AWS console login. Disable the Successful Console Login Without MFA rule to stop it from generating these events.
To disable a rule:
- Select Monitor > Policies.
- From the Policy Type drop-down, select the rule type, such as Host.
- Find and expand the rule to disable.
- Toggle Disabled.
Host Rules
The table below specifies the predefined host rules.
When Lacework detects that a process or application has run, it evaluates all enabled Lacework and custom host rules. For each enabled rule, Lacework checks whether all the conditions in the rule evaluate to true; if they do, an event is generated that is visible from the Lacework Console.
If the same rule triggers again within the next hour, the existing event is updated with summary information about the subsequent trigger. If the same rule triggers again after one hour, a new event is created.
In addition to the Lacework and custom rules, Lacework has a set of internal conditions that also generate host events visible from the Lacework Console; for example, if a file with a suspicious hash is found, a Malicious File event is generated. These internal detections run concurrently with the evaluation of the custom and Lacework rules.
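The matching semantics described under String Type Behavior and the evaluation cycle described above (enabled rules only, all conditions ANDed, repeat triggers folded into one event for an hour) can be reproduced offline so that a rule can be dry-run against sample records before it is cloned in the console. The following Python is an added example, not Lacework's engine or API: the operator names INCLUDE, EXCLUDE and GREATER_THAN, the record layout (a dict keyed by parameter type), the case-sensitive comparison, the choice to measure the one-hour window from an event's first trigger, and all rules and records in demo() are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

@dataclass
class Condition:
    param: str   # parameter type as shown in the console, e.g. "Executable path"
    op: str      # INCLUDE, EXCLUDE or GREATER_THAN (operator names are assumed)
    value: str   # the value exactly as typed into the right-hand field

@dataclass
class Rule:
    name: str          # the Event Name used when the rule fires
    conditions: list   # every condition must hold (AND)
    severity: str
    enabled: bool = True

@dataclass
class Event:
    rule: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    triggers: list = field(default_factory=list)   # records that fired the rule

def match_string(pattern: str, actual: str) -> bool:
    """Whole-string match: 'sue' does not match 'suehunt', 'sue*' does.
    Only '*' is a wildcard; everything else is literal (case-sensitive, assumed)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, actual) is not None

def condition_holds(cond: Condition, record: dict) -> bool:
    """Evaluate one condition against one captured record. A parameter that was
    never captured can never match, which is why a condition on a process that
    makes no network connection (whoami) is never true."""
    actual = record.get(cond.param)
    if actual is None:
        return False
    if cond.op in ("INCLUDE", "EXCLUDE"):
        # a comma-separated value lists alternatives; any one matching is a hit
        alternatives = [v.strip() for v in cond.value.split(",")]
        hit = any(match_string(alt, str(actual)) for alt in alternatives)
        return hit if cond.op == "INCLUDE" else not hit
    if cond.op == "GREATER_THAN":
        return float(actual) > float(cond.value)
    raise ValueError(f"unknown operator {cond.op!r}")

def rule_fires(rule: Rule, record: dict) -> bool:
    """Only enabled rules run, and all of a rule's conditions must be true."""
    return rule.enabled and all(condition_holds(c, record) for c in rule.conditions)

class EventStore:
    """Folds repeat triggers of one rule into a single event for one hour,
    measured from the event's first trigger (assumption)."""
    WINDOW = timedelta(hours=1)

    def __init__(self):
        self.events = []   # list of Event, in creation order

    def record(self, rule: Rule, rec: dict, when: datetime) -> Event:
        for ev in reversed(self.events):
            if ev.rule == rule.name and when - ev.first_seen < self.WINDOW:
                ev.last_seen = when
                ev.triggers.append(rec)   # update the open event, no new one
                return ev
        ev = Event(rule.name, rule.severity, when, when, [rec])
        self.events.append(ev)
        return ev

def evaluate(rules: list, records: list, store: EventStore) -> list:
    """Run every enabled rule over time-ordered (timestamp, record) pairs."""
    for when, rec in records:
        for rule in rules:
            if rule_fires(rule, rec):
                store.record(rule, rec, when)
    return store.events

def demo() -> list:
    """Constructed rules and records for the example, not real Lacework data."""
    t0 = datetime(2020, 1, 1, 12, 0)
    rules = [
        Rule("Telnet used", [Condition("Executable path", "INCLUDE", "/usr/bin/telnet,/bin/telnet")], "High"),
        Rule("Build user on prod host", [Condition("Username", "INCLUDE", "sue*"),
                                        Condition("Hostname", "INCLUDE", "prod-*")], "Medium"),
        Rule("Large file changed under /usr/lib", [Condition("File path", "INCLUDE", "/usr/lib/*"),
                                                   Condition("File Change type", "INCLUDE", "Changed"),
                                                   Condition("File size", "GREATER_THAN", "1048576")], "Critical"),
    ]
    records = [
        (t0, {"Executable path": "/usr/bin/telnet", "Username": "joesmith", "Hostname": "prod-web-1"}),
        (t0, {"Executable path": "/bin/bash", "Username": "suehunt", "Hostname": "prod-db-2"}),
        (t0, {"File path": "/usr/lib/libfoo.so", "File Change type": "Changed", "File size": 2000000}),
        (t0 + timedelta(minutes=20), {"Executable path": "/usr/bin/telnet", "Username": "suehunt", "Hostname": "dev-1"}),
        (t0 + timedelta(hours=2), {"Executable path": "/bin/telnet", "Username": "joesmith", "Hostname": "prod-web-1"}),
    ]
    return evaluate(rules, records, EventStore())

if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.rule} [{ev.severity}] first={ev.first_seen:%H:%M} triggers={len(ev.triggers)}")
```

Running demo() yields four events: the two telnet executions twenty minutes apart collapse into one event with two triggers, the third telnet execution two hours later opens a new event, suehunt's shell on prod-db-2 fires the wildcard rule while her later login on dev-1 does not, and the file rule fires once. Note that match_string("sue", "suehunt") is False, which is the exact-match behaviour the page describes.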
Rule ID | Event Generated by Rule | Description |
---|---|---|
LW_APP_1 | Suspicious Applications | Detects potential suspicious applications |
LW_FIM_33 | Files Changed | Detects changes in files that may indicate suspicious activity |
LW_FIM_34 | Suspicious Files | Detects suspicious files |
LW_USER_31 | Suspicious Logins from multiple GEOs | Detects suspicious logins from multiple countries |
LW_USER_32 | Suspicious Logins | Detects suspicious logins |
Parameters for Application Rules (Prefix: LW_APP)
Parameter Type | Type | Description |
---|---|---|
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html. |
Executable path | String | Specify a full absolute directory path to an executable which includes the name of the executable. Typically you want to specify the exact directory path without wildcards to limit the number of matching conditions. |
Hostname | String | Specify the machine hostname. |
Username | String | Specify the username of the local user that is running the process. For example, if josesmith logs into a machine as suehunt and runs a process, suehunt is the username. |
Parameters for File Integrity Monitoring (FIM) Rules (Prefix: LW_FIM)
Parameter Type | Type | Description |
---|---|---|
Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html. |
File Change type | String | Specify one of the following file change types: 1) New—files were added. 2) Removed—files were deleted. 3) Changed—files were modified, added, or deleted. Do not put quotes around the type. This parameter is used in combination with the File path parameter to determine whether the files matching the File path condition have been added, removed, or changed. For example, a rule with a 'File path INCLUDE /usr/lib/*' condition and a 'File Change type INCLUDE Changed' condition triggers when files are modified in the /usr/lib directory. |
File path | String | Specify a file path or file paths to a set of files. This parameter is used in combination with the File Change type parameter to determine if files are modified, added, or deleted. |
File owner | String | Specify the owner of a file, such as root. |
File size | Number | Specify the number of bytes to compare against the specified operator such as Greater Than. |
File hash | String | Specify a single hash value that matches one or more files. For example, you could specify a hash that matches a set of suspicious files. |
Hostname | String | Specify the machine hostname. |
Parameters for User Login Activity Rules (Prefix: LW_USER)
Parameter Type | Type | Description |
---|---|---|
Machine Name | String | Specify a unique identifier given to a machine. |
Number of countries from where logins detected | Number | Specify the number of distinct countries from which logins originated, per user and machine, within the last hour. |
Number of distinct source/originating IPs | Number | Specify the number of distinct source IP addresses from which logins originated within the last hour. |
Number of failed logins | Number | Specify the number of failed login attempts detected on a machine within the last hour. |
Number of successful logins | Number | Specify the number of successful logins detected on a machine within the last hour. |
Source IP address | String | Specify the source IP address or addresses to include or exclude in custom rule conditions. For multiple IPs, use a comma-separated list without spaces. |
Username | String | Specify the username that is logging in to a machine. |
Vulnerability Assessment
Vulnerability assessment provides the ability to scan, identify, and report vulnerabilities found in the operating system software packages in hosts or Docker container images. After you install the Lacework agent on hosts or integrate a container registry in Lacework, Lacework scans the hosts or container images in the registry repositories for software packages with known vulnerabilities, and reports them. For information about vulnerability assessments, see Container Vulnerability Assessment Overview and Host Vulnerability Assessment Overview.
Vulnerability assessment policies are designed to help define organization-specific risk management and to notify you of critical software risk items within your monitored infrastructure. These policies apply to hosts and containers only and cannot be modified to apply to processes, users, etc.
By default, vulnerability assessment policies are disabled. To enable them, follow these steps:
- Select Monitor > Policies.
- From the Policy Type drop-down, select Vulnerability.
- Expand the rule you want to enable and click the status.
- Change the status to enabled and click Save.
You can customize vulnerability assessment policies by cloning the default system rules. For details, see To create a custom rule.
The table below specifies the system-defined vulnerability rules.
Rule ID | Event Generated by Rule | Description |
---|---|---|
LW_VULN_53 | New Security Vulnerability | Detects a new software vulnerability within monitored repositories for a defined severity level |
LW_VULN_54 | Known Security Vulnerability | Detects a known software vulnerability within monitored repositories for a defined severity level |
LW_VULN_55 | New Security Vulnerability in Repository | Detects a software vulnerability status change for a specific monitored repository |
LW_VULN_56 | Severity changes for Security Vulnerability | Detects a software vulnerability severity change within monitored repositories |
LW_VULN_57 | Fix available for Security Vulnerability | Detects a software vulnerability patch status change within monitored repositories |
LW_VULN_102 | New Security Vulnerability | Detects a new software vulnerability within monitored hosts for a defined severity level |
LW_VULN_103 | Known Security Vulnerability | Detects a known software vulnerability within monitored hosts for a defined severity level |
LW_VULN_104 | Severity changes for Security Vulnerability | Detects a software vulnerability severity change within monitored hosts |
LW_VULN_105 | Fix available for Security Vulnerability | Detects a software vulnerability patch status change within monitored hosts |
Parameters for Vulnerability Rules (Prefix: LW_VULN)
Parameter Type | Type | Description |
---|---|---|
CVE | String | Specify the CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values in one line separated by a comma. Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. |
CVE severity | String | Specify the CVE severity or severities, such as Critical, High. You can specify multiple values separated by a comma. A rule with this condition generates events only for vulnerabilities of the specified severities. The severity is derived from the CVSS score. Valid values are None, Low, Medium, High, and Critical. |
Image active | Number | Specify 0 for false, meaning the image is not active. Specify 1 for true, meaning the image is active. |
Image privileged | Number | Specify 0 for false, meaning the image is not privileged. Specify 1 for true, meaning the image is privileged. |
Image repo | String | Specify the image repository, such as lacework/myrepo123. A container image repository is a collection of related container images. |
Image tags | String | Specify the image tag(s). A typical tag could look like DATE_BRANCH_RANDOM_ID, such as 2019-10-10_master_db0dd95. You can specify multiple values separated by a comma. A tag is a label applied to an image so that different images or versions of the same image can be identified. |
Host name | String | Specify the host name, such as myhostname. |
Machine tags | String | Select existing machine tags from the drop-down menu. Or specify new machine tags in the indicated format key->value. |
Mid | Number | Specify the machine ID, a unique identifier from the agent, such as 1234. |
Package active | Number | Specify 0 for false, meaning the package is not active. Specify 1 for true, meaning the package is active. |
Package name | String | Specify the name of the software package, such as vim. |
Package namespace | String | Specify the namespace associated with the package, such as ubuntu:18.04. |
Package version | String | Specify the package version, such as 2.20.9-0ubuntu7.14. |
AWS Compliance Rules
The table below specifies the predefined AWS Compliance Lacework rules.
Lacework generates the data needed to populate the compliance reports on a regular schedule, typically once a day. After the report data is generated, Lacework evaluates all the enabled compliance rules. For each enabled rule, Lacework checks whether all the conditions in the rule evaluate to true; if they do, an event is generated.
If the same rule triggers again within the next hour, the existing event is updated with summary information about the subsequent trigger. If the same rule triggers again after one hour, a new event is created.
Rule ID | Event Generated by Rule | Description |
---|---|---|
LW_CT_AWSConfig_30 | Config Service Change | Detects an AWS Config Service change |
LW_CT_CloudTrail_18 | CloudTrail Changed | Detects an AWS CloudTrail change |
LW_CT_CloudTrail_19 | CloudTrail Stopped | Detects if the logging of an AWS CloudTrail has been stopped |
LW_CT_CloudTrail_20 | CloudTrail Deleted | Detects if an AWS CloudTrail has been deleted |
LW_CT_IAM_13 | IAM Access Key Changed | Detects AWS IAM access keys changes |
LW_CT_IAM_14 | IAM Policy Changed | Detects AWS IAM policy changes |
LW_CT_IAM_16 | New Access Key | Detects the creation of a new AWS access key |
LW_CT_IAM_17 | Access Key Deleted | Detects the deletion of an AWS Access Key |
LW_CT_IAM_26 | Successful Console Login Without MFA | Detects a successful AWS console login without MFA (multi-factor authentication) |
LW_CT_IAM_27 | Failed Console Login | Detects a failed AWS console login |
LW_CT_IAM_28 | Usage of Root Account | Detects the usage of a root account in AWS |
LW_CT_IAM_29 | Unauthorized API Call | Detects an unauthorized AWS API call |
LW_CT_KMS_21 | New Customer Master Key | Detects if a new AWS Customer Master Key is created |
LW_CT_KMS_22 | New Customer Master Key Alias | Detects if a new AWS Customer Master Key Alias is created |
LW_CT_KMS_23 | Customer Master Key Disabled | Detects if the AWS Customer Master Key is disabled |
LW_CT_KMS_24 | New Grant Added To Customer Master Key | Detects if a new grant is added to an AWS Customer Master Key |
LW_CT_KMS_25 | Customer Master Key Scheduled For Deletion | Detects if an AWS Customer Master Key is scheduled for deletion |
LW_CT_S3_10 | New S3 Bucket | Detects the creation of a new AWS S3 Bucket |
LW_CT_S3_11 | AWS S3 Bucket deleted | Detects the deletion of an S3 Bucket in any AWS account |
LW_CT_S3_12 | S3 Bucket Policy Changed | Detects AWS S3 Bucket policy changes |
LW_CT_S3_15 | S3 Bucket ACL Changed | Detects AWS S3 Bucket ACL changes |
LW_CT_VPC_2 | New VPC | Detects the creation of a new VPC |
LW_CT_VPC_3 | VPC Change | Detects a VPC configuration change |
LW_CT_VPC_4 | Security Group Change | Detects an AWS Security Group change |
LW_CT_VPC_5 | NACL Change | Detects an AWS Network ACL change |
LW_CT_VPC_6 | New VPN Connection | Detects the creation of a new VPN connection. |
LW_CT_VPC_7 | Network Gateway Change | Detects a Network Gateway change |
LW_CT_VPC_8 | VPN Gateway Change | Detects a VPN Gateway change |
LW_CT_VPC_9 | Route Table Change | Detects a Route Table change |
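The LW_CT_ rules in the table are driven by CloudTrail, and it is useful to see what a handful of them amount to in terms of the fields of a CloudTrail record, for instance to understand why Successful Console Login Without MFA fires on every login when MFA is enforced by an external identity provider. The following Python is an added example, not Lacework's detection logic: the mapping from CloudTrail eventName values to rule IDs and the field checks are this example's own reading of the rule names against the CloudTrail record format, and the records in SAMPLE_TRAIL are constructed (the account ID and provider name in the SAML ARN are placeholders).

```python
import json

# Rules that reduce to a match on the CloudTrail eventName (assumed mapping,
# derived from the rule names in the table above).
API_NAME_RULES = {
    "UpdateTrail": "LW_CT_CloudTrail_18",
    "StopLogging": "LW_CT_CloudTrail_19",
    "DeleteTrail": "LW_CT_CloudTrail_20",
    "CreateAccessKey": "LW_CT_IAM_16",
    "DeleteAccessKey": "LW_CT_IAM_17",
    "CreateKey": "LW_CT_KMS_21",
    "DisableKey": "LW_CT_KMS_23",
    "ScheduleKeyDeletion": "LW_CT_KMS_25",
}

def matching_rules(rec: dict) -> list:
    """Return the rule IDs that a single CloudTrail record satisfies."""
    hits = []
    name = rec.get("eventName", "")
    if name in API_NAME_RULES:
        hits.append(API_NAME_RULES[name])
    # Usage of Root Account: any record whose caller is the root user
    if rec.get("userIdentity", {}).get("type") == "Root":
        hits.append("LW_CT_IAM_28")
    if name == "ConsoleLogin":
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            hits.append("LW_CT_IAM_27")
        elif outcome == "Success" and mfa != "Yes":
            # MFA enforced by an external IdP is not visible to AWS: a
            # SAML-federated login is recorded with MFAUsed=No, so this rule
            # fires on every such login, which is the noise the page describes.
            hits.append("LW_CT_IAM_26")
    # Unauthorized API Call: the error codes CloudTrail uses for denied calls
    err = rec.get("errorCode", "")
    if err.startswith("AccessDenied") or err.endswith("UnauthorizedOperation"):
        hits.append("LW_CT_IAM_29")
    return hits

def evaluate_trail(records: list) -> dict:
    """Map each rule ID to the indexes of the records that triggered it."""
    fired = {}
    for i, rec in enumerate(records):
        for rule_id in matching_rules(rec):
            fired.setdefault(rule_id, []).append(i)
    return fired

# Constructed CloudTrail records, trimmed to the fields the checks above read.
SAMPLE_TRAIL = json.loads("""[
 {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
  "userIdentity": {"type": "Root"}, "requestParameters": {"name": "management-trail"}},
 {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "dave"}, "errorCode": "Client.UnauthorizedOperation"},
 {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "AssumedRole"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/example-idp"}}
]""")

if __name__ == "__main__":
    for rule_id, idx in sorted(evaluate_trail(SAMPLE_TRAIL).items()):
        print(rule_id, "fired on records", idx)
```

Record 5, the federated login, trips LW_CT_IAM_26 exactly like record 0, even though the user's MFA happened at the identity provider; that is the case in which the page suggests disabling the rule. Record 3 trips two rules at once (CloudTrail Stopped and Usage of Root Account), which is the expected shape of a real incident rather than a false positive.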
Azure Compliance Rules
The table below specifies the predefined Azure Compliance Lacework rules.
Rule ID | Event Generated by Rule | Description |
---|---|---|
LW_AL_APP_40 | Security Solution Created/Updated | Detects if Security Solution has been created or updated |
LW_AL_APP_41 | Security Solution Deleted | Detects if Security Solution has been deleted |
LW_AL_Firewall_42 | SQL Server Firewall Rule Created/Updated | Detects if SQL Server Firewall Rule has been created or updated |
LW_AL_Firewall_43 | SQL Server Firewall Rule Deleted | Detects if SQL Server Firewall Rule has been deleted |
LW_AL_IAM_35 | Policy Assignment Created | Detects if Policy Assignment has been created |
LW_AL_IAM_44 | Security Policy Updated | Detects if Security Policy has been updated |
LW_AL_NETWORK_36 | Network Security Group Created/Updated | Detects if Network Security Group has been created or updated |
LW_AL_NETWORK_37 | Network Security Group Deleted | Detects if Network Security Group has been deleted |
LW_AL_NETWORK_38 | Network Security Group Rule Created/Updated | Detects if Network Security Group Rule has been created or updated |
LW_AL_NETWORK_39 | Network Security Group Rule Deleted | Detects if Network Security Group Rule has been deleted |
GCP Compliance Rules
The table below specifies the predefined GCP Compliance Lacework rules.
Rule ID | Event Generated by Rule | Description |
---|---|---|
LW_AT_IAM_51 | Cloud Storage IAM Permission Changed | Detects if Cloud Storage IAM permission has been changed |
LW_AT_RESOURCE_45 | Project Ownership Assignments Changed | Detects if Project Ownership Assignments have been changed |
LW_AT_RESOURCE_46 | Audit Configuration Changed | Detects if Audit Configuration has been changed |
LW_AT_RESOURCE_47 | Custom Role Changed | Detects if Custom Role has been changed |
LW_AT_SQL_52 | SQL Instance Configuration Changed | Detects if SQL Instance Configuration has been changed |
LW_AT_VPC_48 | VPC Network Firewall Rule Changed | Detects if VPC Network Firewall Rule has been changed |
LW_AT_VPC_49 | VPC Network Route Changed | Detects if VPC Network Route has been changed |
LW_AT_VPC_50 | VPC Network Changed | Detects if VPC Network has been changed |