laceworksdk.api.v2.policies

Lacework Policies API wrapper.

Module Contents

Classes

PoliciesAPI

A class used to represent the Policies API endpoint

class laceworksdk.api.v2.policies.PoliciesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Policies API endpoint

Policies are a mechanism used to add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. You can fully customize policies.

property session

Get the HttpSession instance the object is using.

create(policy_type, query_id, enabled, title, description, remediation, severity, alert_enabled, alert_profile, limit=1000, eval_frequency=None, tags=[], **request_params)[source]

A method to create a new Policies object.

Parameters:
  • policy_type (str, optional) – The policy type. Valid values are: “Violation”

  • query_id (str) – The policy query ID.

  • enabled (bool) – Whether the policy is enabled.

  • title (str) – The policy title.

  • description (str) – The policy description.

  • remediation (str) – The remediation strategy for the object.

  • severity (str) – A string representing the object severity. Valid values are: “info”, “low”, “medium”, “high”, “critical”

  • alert_enabled (bool) – A boolean representing whether alerting is enabled.

  • alert_profile (str, optional) – A string representing the alert profile.

  • limit (int, optional) – An integer representing the number of results to return. (Default value = 1000)

  • tags (list of str) – A list of policy tags

  • eval_frequency (str, optional, deprecated) – A string representing the frequency in which to evaluate the object. Valid values are: “Hourly”, “Daily”

  • request_params (dict, optional) – Any additional parameters to pass through to the API request.

Returns:

The newly created policy.

Return type:

dict

get(policy_id=None)[source]

A method to get Policies objects. Using no args will get all policies.

Parameters:

policy_id (str, optional) – A string representing the object policy ID.

Returns:

The requested policies

Return type:

dict

get_by_id(policy_id)[source]

A method to get a Policies object by policy ID.

Parameters:

policy_id (str) – A string representing the object policy ID.

Returns:

The requested policy

Return type:

dict

update(policy_id, policy_type=None, query_id=None, enabled=None, title=None, description=None, remediation=None, severity=None, alert_enabled=None, alert_profile=None, limit=None, tags=[], eval_frequency=None, **request_params)[source]

A method to update a Lacework Query Language (LQL) policy.

Parameters:
  • policy_id (str) – A string representing the object policy ID.

  • policy_type (str, optional) – The policy type. Valid values are: “Violation”

  • query_id (str, optional) – The policy query ID.

  • enabled (bool, optional) – Whether the policy is enabled.

  • title (str, optional) – The policy title.

  • description (str, optional) – The policy description.

  • remediation (str, optional) – The remediation strategy for the object.

  • severity (str, optional) – A string representing the object severity. Valid values are: “info”, “low”, “medium”, “high”, “critical”

  • alert_enabled (bool, optional) – A boolean representing whether alerting is enabled.

  • alert_profile (str, optional) – A string representing the alert profile.

  • limit (int, optional) – An integer representing the number of results to return. (Default value = 1000)

  • tags (list of str, optional) – A list of policy tags

  • eval_frequency (str, optional, deprecated) – A string representing the frequency in which to evaluate the object. Valid values are: “Hourly”, “Daily”

  • request_params (dict, optional) – Any additional parameters to pass through to the API request.

Returns:

The updated policy.

Return type:

dict

bulk_update(json)[source]

A method to update Policy objects in bulk.

Parameters:

json (list of dicts) – A list of dictionaries containing policy configuration. Each dictionary has:

  • policyId (str): The ID of the policy.

  • enabled (bool): The status of the policy.

  • severity (str): The severity of the policy. Valid values: “info”, “low”, “medium”, “high”, “critical”

Returns:

The updated policies.

Return type:

dict
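The create(), get() and bulk_update() methods above are usually combined into a policy-as-code loop: fetch what the tenant has, diff it against the desired state, create what is missing and bulk-patch the enabled flag and severity of what drifted. The following is an added example and is not part of laceworksdk. It assumes (as an assumption, not something this page states) that get() returns a dict shaped {"data": [...]} whose items carry policyId, title, enabled and severity keys, and that a laceworksdk.LaceworkClient exposes the wrapper as client.policies. The sample response, query ID and alert profile name are constructed for the example. The deprecated eval_frequency is deliberately not set.

```python
"""Reconcile desired Lacework policies against the tenant's current ones.

Added example, not laceworksdk code. Response shape and client attribute
names are assumptions; sample data below is constructed.
"""
from typing import Any, Dict, List, Tuple

SEVERITIES = ("info", "low", "medium", "high", "critical")

# Constructed stand-in for PoliciesAPI.get() output (assumed {"data": [...]} shape).
SAMPLE_GET_RESPONSE = {
    "data": [
        {"policyId": "CUSTOM-1", "title": "Root login over SSH",
         "enabled": False, "severity": "medium", "tags": ["ssh", "host"]},
        {"policyId": "CUSTOM-2", "title": "S3 bucket public",
         "enabled": True, "severity": "high", "tags": ["aws", "s3"]},
    ]
}

# Desired state, keyed by title. The third entry does not exist yet, so it
# carries everything create() needs; query_id and alert_profile are constructed.
SAMPLE_DESIRED = [
    {"title": "Root login over SSH", "enabled": True, "severity": "high"},
    {"title": "S3 bucket public", "enabled": True, "severity": "high"},
    {"title": "Container running as root", "enabled": True, "severity": "critical",
     "query_id": "Custom_Container_Root_Query", "alert_enabled": True,
     "alert_profile": "Custom_Alert_Profile", "tags": ["container"],
     "description": "A container process is running as uid 0.",
     "remediation": "Set a non-root user in the image or pod spec."},
]


def validate_severity(severity: str) -> str:
    """Reject anything outside the documented severity values before it hits the API."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    return severity


def plan_changes(existing: Dict[str, Any], desired: List[Dict[str, Any]]
                 ) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Diff desired policies against a get() response.

    Returns (create_kwargs, bulk_update_payload):
      create_kwargs       - one kwargs dict per missing policy, for client.policies.create(**kw)
      bulk_update_payload - [{policyId, enabled, severity}, ...] for client.policies.bulk_update(json=...)
    """
    by_title = {p["title"]: p for p in existing.get("data", [])}
    creates: List[Dict[str, Any]] = []
    updates: List[Dict[str, Any]] = []
    for want in desired:
        validate_severity(want["severity"])
        have = by_title.get(want["title"])
        if have is None:
            creates.append({
                "policy_type": "Violation",          # only documented value
                "query_id": want["query_id"],
                "enabled": want["enabled"],
                "title": want["title"],
                "description": want["description"],
                "remediation": want["remediation"],
                "severity": want["severity"],
                "alert_enabled": want["alert_enabled"],
                "alert_profile": want["alert_profile"],
                "tags": list(want.get("tags", [])),
            })
        elif have["enabled"] != want["enabled"] or have["severity"] != want["severity"]:
            # bulk_update only takes these three keys per entry
            updates.append({"policyId": have["policyId"],
                            "enabled": want["enabled"],
                            "severity": want["severity"]})
    return creates, updates


def apply_changes(client: Any, creates: List[Dict[str, Any]], updates: List[Dict[str, Any]]):
    """Send the plan through a laceworksdk.LaceworkClient (network calls)."""
    created = [client.policies.create(**kw) for kw in creates]
    updated = client.policies.bulk_update(json=updates) if updates else None
    return created, updated


if __name__ == "__main__":
    creates, updates = plan_changes(SAMPLE_GET_RESPONSE, SAMPLE_DESIRED)
    print("would create:", [c["title"] for c in creates])
    print("would bulk_update:", updates)
    # Against a real tenant (credentials from the environment):
    #   from laceworksdk import LaceworkClient
    #   apply_changes(LaceworkClient(), creates, updates)
```

Keeping plan_changes() pure and network-free lets the diff be reviewed (or asserted in CI) before apply_changes() touches the tenant; a typo in a severity fails locally instead of in a 4xx from the API.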

delete(policy_id)[source]

A method to delete a policy.

Parameters:

policy_id (str) – A string representing the policy ID.

Returns:

A Requests response object containing the response code.

Return type:

requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

  • timeFilter (dict, optional): A dict containing the time frame for the search:

    • startTime (str): The start time for the search

    • endTime (str): The end time for the search

  • filters (list of dict, optional): Filters based on field contents:

    • field (str): The name of the data field to which the condition applies

    • expression (str): The comparison operator for the filter condition. Valid values are:

    “eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”

    • value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.

    • values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.

  • returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict
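Because the search body is a free-form dict, the mistakes that reach the API are structural: an operator outside the documented list, a "value" where "values" was needed (the NOTE above), or a timeFilter with only one bound. The following is an added example, not laceworksdk code, that builds and validates a search body before passing it to search(). Which operators take "values" is an assumption made here (in, not_in and between; every other operator gets a single "value"), as are the field names policyId, title and severity used in the sample.

```python
"""Build a validated body for PoliciesAPI.search(json=...).

Added example, not laceworksdk code. The value/values split per operator
and the field names are assumptions.
"""
from typing import Any, Dict, List, Optional, Sequence, Union

EXPRESSIONS = {"eq", "ne", "in", "not_in", "like", "ilike", "not_like", "not_ilike",
               "not_rlike", "rlike", "gt", "ge", "lt", "le", "between"}
MULTI_VALUE = {"in", "not_in", "between"}   # assumption: these take "values"


def make_filter(field: str, expression: str,
                value: Union[str, int, Sequence[Any]]) -> Dict[str, Any]:
    """Return one entry for the "filters" list, using "value" or "values" as the operator needs."""
    if expression not in EXPRESSIONS:
        raise ValueError(f"unknown expression {expression!r}")
    if expression in MULTI_VALUE:
        if isinstance(value, (str, bytes)) or not isinstance(value, (list, tuple)):
            raise TypeError(f"{expression} needs a list of values")
        if expression == "between" and len(value) != 2:
            raise ValueError("between needs exactly two values")
        return {"field": field, "expression": expression,
                "values": [str(v) for v in value]}
    if isinstance(value, (list, tuple)):
        raise TypeError(f"{expression} takes a single value, not a list")
    return {"field": field, "expression": expression, "value": str(value)}


def build_search_body(filters: List[Dict[str, Any]],
                      start_time: Optional[str] = None,
                      end_time: Optional[str] = None,
                      returns: Optional[Sequence[str]] = None) -> Dict[str, Any]:
    """Assemble the json dict documented for search(); every key is optional."""
    if (start_time is None) != (end_time is None):
        raise ValueError("timeFilter needs both startTime and endTime")
    body: Dict[str, Any] = {}
    if start_time is not None:
        body["timeFilter"] = {"startTime": start_time, "endTime": end_time}
    if filters:
        body["filters"] = list(filters)
    if returns:
        body["returns"] = list(returns)
    return body


def high_severity_s3_policies(client: Any) -> Dict[str, Any]:
    """Run the search through a laceworksdk.LaceworkClient (network call)."""
    body = build_search_body(
        [make_filter("severity", "in", ["high", "critical"]),
         make_filter("title", "like", "%S3%")],
        returns=["policyId", "title", "severity", "enabled"],
    )
    return client.policies.search(json=body)


if __name__ == "__main__":
    import json
    print(json.dumps(build_search_body(
        [make_filter("severity", "in", ["high", "critical"]),
         make_filter("title", "like", "%S3%")],
        start_time="2024-01-01T00:00:00Z", end_time="2024-01-02T00:00:00Z",
        returns=["policyId", "title", "severity"]), indent=2))
    # With credentials in the environment:
    #   from laceworksdk import LaceworkClient
    #   print(high_severity_s3_policies(LaceworkClient()))
```

make_filter() coerces every value to str because the documented types for "value" and "values" are str and list of str; pass formatted timestamps and IDs rather than relying on the API to coerce them.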