# -*- coding: utf-8 -*-
"""
Example script showing how to use the LaceworkClient class with Syscall data sources.
Note: As of this commit, the Lacework Syscall agent is not GA. Please contact your Lacework rep for more information
"""
import logging
import random
import string
from dotenv import load_dotenv
from laceworksdk import LaceworkClient
# DEBUG is convenient for a walkthrough, but HTTP client libraries commonly
# log request details at this level -- NOTE(review): confirm what the SDK
# emits before running this against a production account.
logging.basicConfig(level=logging.DEBUG)
load_dotenv()

# Four uppercase letters that keep repeated runs from colliding on the same
# query/policy names. `random` (rather than `secrets`) is appropriate here:
# the suffix only disambiguates identifiers and is not a credential or token.
RANDOM_TEXT = "".join(random.choices(string.ascii_uppercase, k=4))
QUERY_ID = "Custom_Syscall_Query_" + RANDOM_TEXT
POLICY_TITLE = "Custom_Syscall_Policy_" + RANDOM_TEXT
if __name__ == "__main__":
    # Instantiate a LaceworkClient instance -- presumably configured from the
    # environment that load_dotenv() populated above; verify against the
    # SDK documentation for your deployment.
    lacework_client = LaceworkClient()

    # LQL query: file-system syscall events that create or modify SSH trust
    # and configuration files. Writes to authorized_keys or sshd_config change
    # who can log in and how, which is why they are worth a dedicated alert.
    syscall_query_text = """{
    source {
        LW_HA_SYSCALLS_FILE
    }
    filter {
        TARGET_OP like any('create','modify') AND TARGET_PATH like any('%/.ssh/authorized_keys','%/ssh/sshd_config')
    }
    return distinct {
        RECORD_CREATED_TIME,
        MID,
        TARGET_OP,
        TARGET_PATH
    }
}
"""

    # Queries/Policies API -- the query is created first because the policy
    # is bound to the queryId the service returns for it.
    created_query = lacework_client.queries.create(
        query_id=QUERY_ID,
        query_text=syscall_query_text,
    )
    created_query_id = created_query["data"]["queryId"]

    # Create a Violation policy on that query. Replace alert_profile with
    # another profile if the default one does not match your alert routing;
    # description/remediation are placeholders to fill in for a real policy.
    policy_kwargs = {
        "policy_type": "Violation",
        "query_id": created_query_id,
        "enabled": True,
        "title": POLICY_TITLE,
        "description": "Description here..",
        "remediation": "Policy remediation here..",
        "severity": "high",
        "alert_enabled": True,
        "alert_profile": "LW_HA_SYSCALLS_FILE_DEFAULT_PROFILE.Violation",
    }
    lacework_client.policies.create(**policy_kwargs)