Configuring Lacework to work with an Application

Create an Agent Token

The following CloudFormation template creates an agent token. The token is used when installing Lacework agents within your application's infrastructure.

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Description: |
   The following CloudFormation Lacework resource types set up your Lacework environment

Resources:
   AgentsToken:
      Type: Lacework::Agents::Token
      Properties:
         Props:
            Description: My CFN Provisioned Token
         TokenEnabled: 1
         TokenAlias: My_CFN Token Dev
```

Configuring Alerts

From the Lacework Docs - "Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts."

"An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts.

Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles and operations for defining and editing your own are exposed via Lacework API calls."

We use the following CloudFormation YAML to set up Lacework alerts. The resources below sit under the `Resources:` key of a template like the one shown for the agent token; the rule routes alerts to the channel through the channel's `IntgGuid`.

```yaml
  AlertsChannel:
    Type: Lacework::Alerts::Channel
    Properties:
      Name: Test Email
      Type: EmailUser
      Enabled: 1
      Data:
        channelProps:
          recipients:
          - "[email protected]"

  AlertsProfile:
    Type: Lacework::Alerts::Profile
    Properties:
      AlertProfileId: Custom_Test_AlertProfile
      Extends: LW_HE_MACHINES_DEFAULT_PROFILE
      Alerts:
        - Name: HE_Machine_NewViolation
          EventName: Custom LW Host Entity Machine New Violation Alert
          Description: Custom New Violation for machine
          Subject: Custom New violation detected for machine

  AlertsRule:
    Type: Lacework::Alerts::Rule
    Properties:
      Filters:
        Name: MyRule
        Description: A description
        Enabled: 1
        Severity:
        - 1
      IntgGuidList:
      - !GetAtt AlertsChannel.IntgGuid
      Type: Event
```

LQL Queries and Policies

"Queries are the mechanism used to interactively request information from a specific curated datasource. Queries have a defined structure for authoring detections."

```yaml
  Query:
    Type: Lacework::Queries::Query
    Properties:
      QueryId: myTestId
      QueryText: |
        {
          source {
            CloudTrailRawEvents
          }
          filter {
            EVENT_SOURCE = 'ec2.amazonaws.com'
            and EVENT_NAME in (
              'CreateNetworkAcl',
              'CreateNetworkAclEntry',
              'DeleteNetworkAcl',
              'DeleteNetworkAclEntry',
              'ReplaceNetworkAclEntry',
              'ReplaceNetworkAclAssociation'
            )
            and ERROR_CODE is null
          }
          return distinct {
            INSERT_ID,
            INSERT_TIME,
            EVENT_TIME,
            EVENT
          }
        }
```

"Policies are a mechanism used to add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. You can fully customize policies."

```yaml
  Policy:
    Type: Lacework::Policies::Policy
    Properties:
      QueryId: !Ref Query
      Title: Test Title
      Enabled: true
      Description: Test Description
      Remediation: Test remediation
      Severity: info
      Limit: 1000
      AlertEnabled: true
      AlertProfile: LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource
      Tags:
      - Test Tag
      - domain:AWS
      - subdomain:Cloudtrail
      PolicyId: aws-cfn-pub-reg-x-test-100
```

Deploying the resources

You can deploy the resources above using the example.yaml file.
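A dangling `!GetAtt` or `!Ref`, a rule with no channel, or a policy with alerting enabled but no profile means detections are created but never delivered. The following check, an added example that is not part of this repository, walks the resources above (constructed here in CloudFormation's JSON form) and reports such wiring gaps before you deploy; the 1..5 numeric severity range is an assumption about the Lacework API.

```python
# Constructed sample: the page's resources in CloudFormation's JSON form, where
# !Ref X is {"Ref": "X"} and !GetAtt X.Y is {"Fn::GetAtt": ["X", "Y"]}.
TEMPLATE = {"Resources": {
    "AlertsChannel": {"Type": "Lacework::Alerts::Channel", "Properties": {
        "Name": "Test Email", "Type": "EmailUser", "Enabled": 1}},
    "AlertsRule": {"Type": "Lacework::Alerts::Rule", "Properties": {
        "Filters": {"Name": "MyRule", "Enabled": 1, "Severity": [1]},
        "IntgGuidList": [{"Fn::GetAtt": ["AlertsChannel", "IntgGuid"]}],
        "Type": "Event"}},
    "Query": {"Type": "Lacework::Queries::Query", "Properties": {
        "QueryId": "myTestId", "QueryText": "{ source { CloudTrailRawEvents } }"}},
    "Policy": {"Type": "Lacework::Policies::Policy", "Properties": {
        "QueryId": {"Ref": "Query"}, "Severity": "info", "AlertEnabled": True,
        "AlertProfile": "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource"}},
}}

def referenced_ids(node):
    """Yield every logical id reached through Ref / Fn::GetAtt below node."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            yield node["Ref"]
        elif len(node) == 1 and "Fn::GetAtt" in node:
            yield node["Fn::GetAtt"][0]
        else:
            for child in node.values():
                yield from referenced_ids(child)
    elif isinstance(node, list):
        for child in node:
            yield from referenced_ids(child)

def lint(template):
    """Return the wiring problems found; an empty list means alerts can flow."""
    resources = template.get("Resources", {})
    problems = []
    for lid, res in resources.items():
        props = res.get("Properties", {})
        for target in referenced_ids(props):
            if target not in resources:
                problems.append(f"{lid}: references undefined resource {target}")
        if res.get("Type") == "Lacework::Alerts::Rule":
            if not props.get("IntgGuidList"):
                problems.append(f"{lid}: rule has no alert channel, nothing is delivered")
            for sev in props.get("Filters", {}).get("Severity", []):
                # assumed Lacework scale: 1 (critical) .. 5 (info)
                if sev not in range(1, 6):
                    problems.append(f"{lid}: severity {sev!r} outside 1..5")
        if res.get("Type") == "Lacework::Policies::Policy" and props.get("AlertEnabled") and not props.get("AlertProfile"):
            problems.append(f"{lid}: AlertEnabled without an AlertProfile")
    return problems
```

Run `lint(TEMPLATE)` on the template you intend to deploy; an empty list means every reference resolves and every rule and policy has somewhere to send its alerts.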