Lacework supports the following types of rules:
- Lacework rules - Lacework provides a set of predefined Lacework rules that are visible from the Lacework Console. You can use the Lacework rules to suppress the generation of unwanted events in your environment. Lacework rules start with the LW_ prefix. For more information, see Disable Rules.
- Custom rules - You may want to create custom rules that check for unwanted behavior in your environment such as Telnet being used in your environment. You can also customize the triggers and severities for custom rules. Custom rules start with the CUSTOM_ prefix.
NOTE: This feature is immediately available, and you do not need to update your Lacework agents to use this functionality.
The Lacework and custom rules can be enabled or disabled. Lacework and custom rules are grouped in Policies. To view another set of rules, select a policy from the POLICY TYPE drop-down.
To find out if a rule can be cloned and therefore customized, expand the rule and look for the CLONE button. If the CLONE button does not appear, this rule cannot be cloned or this rule has already been cloned the maximum number of times (4 clones).
NOTE: Each rule has a default severity, but the actual event severity could be higher or lower based on different risk factors determined by the Lacework risk engine.
To create a custom rule:
- Select MONITOR > Policies.
- From the POLICY TYPE drop-down, select the rule type, such as Workload.
- Expand the Rule and look for the CLONE button.
- If the CLONE button displays, you can create a custom rule by clicking CLONE.
- If the CLONE button does not appear, this rule cannot be cloned or this rule has already been cloned the maximum number of times (4 clones).
- In the Event Name field, enter an appropriate title for the event generated when the rule fires because all the conditions are true.
- Enter one or more AND conditions.
When creating custom rules, note the following: 1) Lacework recommends limiting the number of conditions to three or less. 2) By design, Lacework captures the names of processes that engage in network activities. If you create a rule with a condition such as 'Executable path INCLUDE */whoami', the `whoami` usage is not captured and therefore, this condition is never true.- From the left drop-down select a parameter type such as Executable path.
- From the middle drop-down select an operator type such as INCLUDE.
- In the right field, enter a value for the operator to compare against the value in the specified parameter.
- Select the rule Severity.
- Toggle Enabled. When the trigger to run rules occurs, Lacework only runs those rules that are enabled. For more information, see Workload Rules and AWS Compliance Rules.
NOTE: You can also edit a custom rule directly from an event that was generated by the custom rule. From the timeline in MONITOR > Events, find the event generated from a custom rule. Click the 
Open Event Dossier icon and the Event details are displayed. In the top right corner, locate and click the 
Edit Rule icon to edit the custom rule that generated the event. Make any changes to the rule if desired and click Save.
String Type Behavior
When you specify a string in a condition, partial matches are not supported unless you specify the * wildcard, as shown by the following examples:
- If you specify the ‘Username INCLUDE sue’ condition and the current value of Username is suehunt, the condition is not true, the rule does not trigger or generate alerts.
- If you specify the ‘Username INCLUDE sue*’ condition (with the * wildcard) and the current value of Username is suehunt, the condition is true, the rule triggers and generates alerts.
You can specify multiple possible matches using a comma-separated list. For example, If you specify the ‘Username INCLUDE suehunt,joesmith’ condition and the current value of Username is suehunt or joesmith, the condition is true, the rule triggers and generates alerts.
Disable Rules to Suppress Events
You can optionally disable rules if some rules do not apply to your environment. For example, if you use third-party MFA (Multi-Factor Authentication) tool instead of AWS MFA, the Successful Console Login Without MFA rule generates events for every AWS login. You can disable the Successful Console Login Without MFA rule to suppress this rule from generating alerts.
To disable a rule:
- Select MONITOR > Policies.
- From the POLICY TYPE drop-down, select the rule type, such as Workload.
- Find and expand the rule to disable.
- Toggle to Disabled.
Workload Rules
The table below specifies the predefined Workload rules.
If Lacework detects that a process or application has run, Lacework evaluates all the enabled Lacework and custom Workload rules. During this rule evaluation, Lacework checks if all the conditions in a Workload rule evaluate to true and if they do, an event is generated that is visible from the Lacework Console. This rule evaluation is repeated for each enabled rule.
If the same rule triggers again within the next hour, the existing event is updated with summary information about what triggered the subsequent trigger. After one hour if the same rule triggers again, another event is created.
In addition to the Lacework and custom rules, Lacework has a set of internal conditions that also generate Workload events that are visible from the Lacework console, for example, if a file with a suspicious hash is found a Malicious File event is generated. These internal detections and event generation occur concurrently with the detection and event generation done by the custom and Lacework rules.
| Rule ID | Event Generated by Rule | Description |
| LW_APP_1 | Suspicious Applications | Detects potential suspicious applications |
| LW_FIM_33 | Files Changed | Detects changes in files that may indicate suspicious activity |
| LW_FIM_34 | Suspicious Files | Detects suspicious files |
| LW_USER_31 | Suspicious Logins from multiple GEOs | Detects suspicious logins from multiple countries |
| LW_USER_32 | Suspicious Logins | Detects suspicious logins |
Parameters for the Application Rules (Prefix: LW_APP)
| Parameter Type | Type | Description |
| Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html. |
| Executable path | String | Specify a full absolute directory path to an executable which includes the name of the executable. Typically you want to specify the exact directory path without wildcards to limit the number of matching conditions. |
| Hostname | String | Specify the machine hostname. |
| Username | String | Specify the username of the local user that is running the process. For example, if josesmith securely logs into a machine as suehunt and runs a process, suehunt is the username. |
Parameters for the File Integrity Monitoring (FIM) Rules (Prefix: LW_FIM)
| Parameter Type | Type | Description |
| Account | String | Specify the unique 12-digit ID number that identifies the AWS account. For more information, see https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html. |
| File Change type | String | Specify one of the following file change types: 1) New—files were added. 2) Removed—files were deleted. 3) Changed—files were modified, added, or deleted. Do not specify quotes around the type. This parameter is used in combination with the File path parameter to determine if the files matching the File path condition have been added, removed or changed. For example, if a rule has a File path INCLUDE /usr/lib/* condition, a File Change INCLUDE Changed condition, and files are modified in the /usr/lib directory, the rule triggers. |
| File path | String | Specify a file path or file paths to a set of files. This parameter is used in combination with the File Change type parameter to determine if files are modified, added, or deleted. |
| File owner | String | Specify the owner of a file, such as root. |
| File size | Number | Specify the number of bytes to compare against the specified operator such as GREATER THAN. |
| File hash | String | Specify a single hash value that matches one or more files. For example, you could specify a hash that matches a set of suspicious files. |
| Hostname | String | Specify the machine hostname. |
Parameters for the User Login Activity Rules (Prefix: LW_USER)
| Parameter Type | Type | Description |
| Machine Name | String | Specify a unique identifier given to a machine. |
| Number of countries from where logins detected | Number | Specify the total number of different countries where logins have been detected originating from, per user and machine within the last hour. |
| Number of distinct source/originating IPs | Number | Specify the total number of IP addresses where logins have been detected originating from, within the last hour. |
| Number of failed logins | Number | Specify the total number of failed login attempts that have been detected on a machine, within the last hour. |
| Number of successful logins | Number | Specify the total number of successful login attempts that have been detected on a machine, within the last hour. |
| Username | String | Specify the username that is logging into a machine. |
AWS Compliance Rules
The table below specifies the predefined AWS Compliance Lacework rules.
Lacework generates the data needed to populate the AWS compliance reports on a regular schedule, typically once a day. After the report data is generated, Lacework evaluates all the enabled AWS compliance rules. During this rule evaluation, Lacework checks if all the conditions in an AWS compliance rule evaluate to true and if they do, an event is generated. This rule evaluation is repeated for each enabled rule.
If the same rule triggers again within the next hour, the existing event is updated with summary information about what triggered the subsequent trigger. After one hour if the same rule triggers again, another event is created.
| Rule ID | Event Generated by Rule | Description |
| LW_CT_AWSConfig_30 | Config Service Change | Detects an AWS Config Service change |
| LW_CT_CloudTrail_18 | CloudTrail Changed | Detects an AWS CloudTrail change |
| LW_CT_CloudTrail_19 | CloudTrail Stopped | Detects if the logging of an AWS CloudTrail has been stopped |
| LW_CT_CloudTrail_20 | CloudTrail Deleted | Detects if an AWS CloudTrail has been deleted |
| LW_CT_IAM_13 | IAM Access Key Changed | Detects AWS IAM access keys changes |
| LW_CT_IAM_14 | IAM Policy Changed | Detects AWS IAM policy changes |
| LW_CT_IAM_16 | New Access Key | Detects the creation of a new AWS New Access Key |
| LW_CT_IAM_17 | Access Key Deleted | Detects the deletion of an AWS Access Key |
| LW_CT_IAM_26 | Successful Console Login Without MFA | Detects a successful AWS console login without MFA (multi-factor authentication) |
| LW_CT_IAM_27 | Failed Console Login | Detects a failed AWS console login |
| LW_CT_IAM_28 | Usage of Root Account | Detects the usage of a root account in AWS |
| LW_CT_IAM_29 | Unauthorized API Call | Detects an unauthorized AWS API call |
| LW_CT_KMS_21 | New Customer Master Key | Detects if a new AWS New Customer Master Key is created |
| LW_CT_KMS_22 | New Customer Master Key Alias | Detects if a new AWS Customer Master Key Alias is created |
| LW_CT_KMS_23 | Customer Master Key Disabled | Detects if the AWS Customer Master Key is disabled |
| LW_CT_KMS_24 | New Grant Added To Customer Master Key | Detects if a new grant is added to an AWS Customer Master Key |
| LW_CT_KMS_25 | Customer Master Key Scheduled For Deletion | Detects if an AWS Customer Master Key is scheduled for deletion |
| LW_CT_S3_10 | New S3 Bucket | Detects the creation of a new AWS S3 Bucket |
| LW_CT_S3_11 | AWS S3 Bucket deleted | Detects the deletion of an S3 Bucket in any AWS account |
| LW_CT_S3_12 | S3 Bucket Policy Changed | Detects AWS S3 Bucket policy changes |
| LW_CT_S3_15 | S3 Bucket ACL Changed | Detects AWS S3 Bucket ACL changes |
| LW_CT_VPC_2 | New VPC | Detects the creation of a new VPC |
| LW_CT_VPC_3 | VPC Change | Detects a VPC configuration change |
| LW_CT_VPC_4 | Security Group Change | Detects an AWS Security Group change |
| LW_CT_VPC_5 | NACL Change | Detects an AWS Network ACL change |
| LW_CT_VPC_6 | New VPN Connection | Detects the creation of a new VPN connection. |
| LW_CT_VPC_7 | Network Gateway Change | Detects a Network Gateway change |
| LW_CT_VPC_8 | VPN Gateway Change | Detects a VPN Gateway change |
| LW_CT_VPC_9 | Route Table Change | Detects a Route Table change |