New in Lacework Release 1.5


Compliance Customization

Users now have the option of customizing compliance rules by adding user-defined exceptions. Depending on the resource being audited, users have several options for creating exceptions, including resource names, tags and wildcards.


Example 1

Lacework looks at both user-created and AWS default policies during benchmark scoring. Accordingly, the AWS default AdministratorAccess policy will cause CIS Benchmark 1.24 - Ensure IAM policies that allow full "*:*" administrative privileges are not created - to be marked as non-compliant. Most users will want to create a user-defined exception to benchmark 1.24 for the AdministratorAccess policy. Here is how to do it:


  • Open the latest S3 and CIS Benchmark Report for AWS
  • Scroll down to AWS_CIS_1_24 and click on the red alert button
  • From the AWS ARN, copy the policy name - AdministratorAccess - into your clipboard
  • From the left navigation pane, open the new Reports (beta) page in the Lacework UI
  • Click on the 'Gear' icon in the upper right corner, which opens the suppression settings page
  • Open the AWS_CIS_1_24 tab and click '+Add Exception'
  • Select an account or All Accounts and enter AdministratorAccess
  • Click 'Add'
  • Add a comment to explain the exception
  • Click 'Save'
  • If you now run the report again, which may take several minutes to complete, AWS_CIS_1_24 will now show compliant with exceptions


Example 2

S3 buckets must be closely monitored to ensure that full access by all users is never granted in error. Users can use tags with Lacework to ensure security while providing the ability to scale efficiently. An S3 'public' tag can be configured as an exception to LW_S3_5 - all users do not have full access to the S3 buckets - which allows users to add buckets tagged as public without having to update exceptions. Here is how to do it:


  • From the left navigation pane, open the new Reports (beta) page in the Lacework UI
  • Click on the 'Gear' icon in the upper right corner, which opens the suppression settings page
  • Open the LW_S3_5 tab and click '+Add Exception'
  • Select an account or All Accounts and enter a tag key and value [type-public]
  • Click 'Add Tag' followed by 'Add'
  • Add a comment to explain the exception
  • Click 'Save'


If you now run the report again, which may take several minutes to complete, LW_S3_5 will now treat any S3 buckets with the key-value pair of 'type-public' as compliant.
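To illustrate how the two exception types above (a policy name for AWS_CIS_1_24, a tag key/value for LW_S3_5, plus name wildcards) change a benchmark result, here is an added example that models the scoring logic in Python. It is not Lacework's code; the IAM policy documents, bucket records and the "*" on "*" test for CIS 1.24 are constructed sample inputs and assumptions.

```python
import fnmatch

# Constructed sample inventory (not real account data).
IAM_POLICIES = {
    "AdministratorAccess": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadOnlyAccess": {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "dev-admin": {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]},
}
S3_BUCKETS = {
    "public-site-assets": {"tags": {"type": "public"}, "all_users_full_access": True},
    "customer-backups": {"tags": {"type": "private"}, "all_users_full_access": True},
    "logs": {"tags": {}, "all_users_full_access": False},
}

def grants_full_admin(policy):
    """CIS 1.24 test (assumed): any Allow statement with Action '*' on Resource '*'."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def is_excepted(name, tags, exceptions):
    """An exception is either a resource name (wildcards allowed) or a tag key/value pair."""
    for exc in exceptions:
        if "name" in exc and fnmatch.fnmatchcase(name, exc["name"]):
            return True
        if "tag" in exc and tags.get(exc["tag"][0]) == exc["tag"][1]:
            return True
    return False

def evaluate(resources, violates, exceptions):
    """Score each resource: compliant, non-compliant, or compliant because of an exception."""
    result = {}
    for name, rec in resources.items():
        if not violates(rec):
            result[name] = "compliant"
        elif is_excepted(name, rec.get("tags", {}), exceptions):
            result[name] = "compliant (exception)"
        else:
            result[name] = "non-compliant"
    return result

def report_aws_cis_1_24(policies, exceptions=({"name": "AdministratorAccess"},)):
    return evaluate(policies, grants_full_admin, exceptions)

def report_lw_s3_5(buckets, exceptions=({"tag": ("type", "public")},)):
    return evaluate(buckets, lambda b: b["all_users_full_access"], exceptions)
```

Note that a wildcard such as `dev-*` would also suppress any future policy matching that name, so exceptions are best kept as narrow as the comment explaining them.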


Cisco Spark Integration

Lacework events can now be forwarded to Spark spaces. Simply create an incoming webhook in your Spark account and complete the integration in the Lacework UI using the webhook URL.


Increased Network Visibility

On the Networks page, we have added two new tables for increased visibility:


  • List of External Facing Server Machines: Users can now easily identify what ports on which hosts are open and receiving inbound connections from the Internet.
  • Client Machines Making External Connections: Users can now easily identify which machines are initiating outbound connections to the Internet.


Data from both tables is searchable using custom intervals and downloadable in .csv format.