Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 25.2.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiCNAPP CLI Reference

    Create Policies with the CLI

    Create Policies with the CLI

    Note

    PREVIEW FEATURE This article describes functionality that is currently in preview. Access to Azure, Google Cloud, and OCI datasources is in preview status.

    This topic walks you through using the FortiCNAPP CLI to create a custom violation policy that detects unrestricted ingress to TCP port 445. Port 445 is conventionally used for SMB communication, and should not be open to external networks.

    If you are new to the FortiCNAPP CLI, see Get Started to learn about installing and configuring the CLI.

    This walkthrough follows a basic end-to-end workflow to create a custom policy. For additional options when creating queries and policies, see LQL Queries and Policies. For information about policy types, see Custom Policy Types.

    Create a Query

    What Datasources Are Available

    The easiest way to learn about the LQL datasources is to discover the names of the datasources and then get details about the one you are interested in.

    Run the command that corresponds to your cloud provider:

    lacework query list-sources | grep AWS
    lacework query list-sources | grep GCP
    lacework query list-sources | grep AZURE
    lacework query list-sources | grep OCI

    What Fields Can I Use from a Datasource

    In order to learn which fields to use in your query, run the lacework query show-source command for a description of the fields. For some datasources, you can run the lacework query preview-source command (not available for all datasources).

    The following command shows the details for the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource.

    lacework query show-source LW_CFG_AWS_EC2_SECURITY_GROUPS

                DATASOURCE                      DESCRIPTION
---------------------------------+---------------------------------
  LW_CFG_AWS_EC2_SECURITY_GROUPS   Results from AWS EC2
                                   'describe-security-groups'

     FIELD NAME      DATA TYPE            DESCRIPTION
-------------------+-----------+---------------------------------
  BATCH_START_TIME   Timestamp   Beginning of time interval
  BATCH_END_TIME     Timestamp   End of time interval
  QUERY_START_TIME   Timestamp   Start time of query for this
                                 resource
  QUERY_END_TIME     Timestamp   End time of query for this
                                 resource
  ARN                String      ARN for the resource
  API_KEY            String      Key describing the API used to
                                 fetch data for this resource
  SERVICE            String      Service this resource belongs
                                 to
  ACCOUNT_ID         String      AWS Account ID
  ACCOUNT_ALIAS      String      User friendly alias for AWS
                                 Account
  RESOURCE_TYPE      String      Type of this resource
  RESOURCE_ID        String      Identifier for this resource
  RESOURCE_REGION    String      Region this resource belongs
                                 to
  RESOURCE_CONFIG    JSON        JSON Definition of this
                                 resource
  RESOURCE_TAGS      JSON        Tags associated with this
                                 resource

    The RESOURCE_CONFIG field is frequently used in LQL. Because it is a JSON datasource, the LQL query must first convert the field using the array_to_rows() function. To know exactly which JSON fields you need, you can either read the cloud provider's API documentation, or write an LQL query to explore the full content before writing the actual policy.

    Explore Datasources Using LQL

    This example explores the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource. Replace the datasource with LW_CFG_GCP_COMPUTE_FIREWALL or LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS if using Google Cloud or Azure, respectively.

    1. Open your text editor, create a new file, and add the following content:

      ---
queryId: Explore_AWS_EC2_SECURITY_GROUPS
queryText: |-
  {
      source {
         LW_CFG_AWS_EC2_SECURITY_GROUPS
      }
      return {
         RESOURCE_CONFIG
      }
  }

    2. Save the file as YAML with the filename Explore_AWS_EC2_SECURITY_GROUPS.yaml. Note the file's location.

    3. In the FortiCNAPP CLI, run this command:

      lacework query run -f <path_to>/Explore_AWS_EC2_SECURITY_GROUPS.yaml
      {
 "RESOURCE_CONFIG": {
   "Description": "default VPC security group",
   "GroupId": "sg-000",
   "GroupName": "default",
   "IpPermissions": [
     {
       "IpProtocol": "-1",
       "IpRanges": [],
       "Ipv6Ranges": [],
       "PrefixListIds": [],
       "UserIdGroupPairs": [
         {
           "GroupId": "sg-000",
           "UserId": "111"
         }
       ]
     }
   ],
   "IpPermissionsEgress": [
     {
       "IpProtocol": "-1",
       "IpRanges": [
         {
           "CidrIp": "0.0.0.0/0"
         }
       ],
       "Ipv6Ranges": [],
       "PrefixListIds": [],
       "UserIdGroupPairs": []
     }
   ],
   "OwnerId": "111",
   "VpcId": "vpc-000"
 }
}

    Create a Query

    1. Open your text editor, create a new file, and add the content that corresponds to your cloud provider:

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
  {
      source {
          LW_CFG_AWS_EC2_SECURITY_GROUPS a,
          array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
          array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
      }
      filter {
          ip_permissions:IpProtocol = 'tcp'
          and ip_permissions:FromPort = 445
          and ip_permissions:ToPort = 445
          and ip_ranges:CidrIp = '0.0.0.0/0'
      }
      return distinct {
          ACCOUNT_ALIAS,
          ACCOUNT_ID,
          ARN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE,
          SERVICE
      }
  }

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
  {
      source {
          LW_CFG_GCP_COMPUTE_FIREWALL firewall,
          array_to_rows(firewall.RESOURCE_CONFIG:allowed) as (allowed),
          array_to_rows(allowed:ports) as (ports),
          array_to_rows(firewall.RESOURCE_CONFIG:sourceRanges) as (ranges)
      }
      filter {
          RESOURCE_CONFIG:direction = 'INGRESS'
          and allowed:IPProtocol = 'tcp'
          and ports = '445'
          and ranges = '0.0.0.0/0'
      }
      return distinct {
          ORGANIZATION_ID,
          PROJECT_NUMBER,
          PROJECT_ID,
          FOLDER_IDS,
          URN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE,
          SERVICE
      }
  }

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
  {
      source {
          LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS a,
          array_to_rows(a.RESOURCE_CONFIG:securityRules) as (rules)
      }
      filter {
          rules:"properties".access = 'Allow'
          and rules:"properties".direction = 'Inbound'
          and rules:"properties".protocol = 'Tcp'
          and rules:"properties".destinationPortRange = '445'
          and rules:"properties".sourceAddressPrefix = '*'
      }
      return distinct {
          TENANT_ID,
          TENANT_NAME,
          SUBSCRIPTION_ID,
          SUBSCRIPTION_NAME,
          URN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE
      }
  }

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
   {
      source {
            LW_CFG_OCI_NETWORK_NETWORK_SECURITY_GROUPS
      }
      filter {
            RESOURCE_ID in {
               source {
                  LW_CFG_OCI_NETWORK_NETWORK_SECURITY_GROUP_RULES
               }
               filter {
                  RESOURCE_CONFIG:direction = 'INGRESS'
                  and RESOURCE_CONFIG:"source" = '0.0.0.0/0'
                  and RESOURCE_CONFIG:protocol = '6'
                  and RESOURCE_CONFIG:tcp_options.destination_port_range.min <= 445
                  and RESOURCE_CONFIG:tcp_options.destination_port_range.max >= 445
               }
               return distinct {
                  RESOURCE_ID
               }
            }
      }
      return distinct {
            COMPARTMENT_ID,
            RESOURCE_KEY,
            RESOURCE_REGION,
            RESOURCE_TYPE,
            SERVICE,
      }
   }

    2. Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP445.yaml. Note the file's location.

    3. In the FortiCNAPP CLI, run this command:

      lacework query create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP445.yaml

      The query LW_Custom_UnrestrictedIngressToTCP445 was created.

    Test Using Collected Data

    In the FortiCNAPP CLI, run this command:

    lacework query run LW_Custom_UnrestrictedIngressToTCP445

    [
  {
     "ACCOUNT_ALIAS": "",
     "ACCOUNT_ID": "aaa",
     "RESOURCE_KEY": "arn:aws:ec2:us-east-2:aaa:security-group/sg-bbb",
     "RESOURCE_REGION": "us-east-2",
     "RESOURCE_TYPE": "ec2:security-group",
     "SERVICE": "ec2"
  }
]

    [
  {
     "FOLDER_IDS": [],
     "ORGANIZATION_ID": "aaa",
     "PROJECT_ID": "ccc",
     "PROJECT_NUMBER": "bbb",
     "RESOURCE_KEY": "gcp:bbb://compute.googleapis.com/projects/ccc/global/firewalls/ddd",
     "RESOURCE_REGION": "global",
     "RESOURCE_TYPE": "compute.googleapis.com/Firewall",
     "SERVICE": "compute"
  }
]

    [
  {
     "RESOURCE_KEY": "/subscriptions/aaa/resourceGroups/bbb/providers/Microsoft.Network/networkSecurityGroups/ddd",
     "RESOURCE_REGION": "westus",
     "RESOURCE_TYPE": "microsoft.network/networksecuritygroups",
     "SUBSCRIPTION_ID": "aaa",
     "SUBSCRIPTION_NAME": "eee",
     "TENANT_ID": "ccc",
     "TENANT_NAME": "fff"
  }
]

    [
  {
     "COMPARTMENT_ID": "ocid1.tenancy.oc1..aaa",
     "RESOURCE_KEY": "ocid1.networksecuritygroup.oc1.us-sanjose-1.aaa",
     "RESOURCE_REGION": "us-sanjose-1",
     "RESOURCE_TYPE": "nsg",
     "SERVICE": "network"
  }
]

    Create a Policy

    1. Open your text editor, create a new file, and add the content that corresponds to your cloud provider:

      ---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high   
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      ---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_GCP_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      ---
title: Network Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AZURE_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Network security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      ---
title: Network Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_OCI_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Network security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      The fields in the policy definition are:

      • title: Customize the event title.

      • enabled: Enable or disable the policy (true|false).

      • policyType: Enter Violation as the policyType.

      • alertEnabled: Enable or disable alerts (true|false).

      • alertProfile: Provide the alertProfile and alert template name within the alert profile. It follows the format alertProfileId.alert_template_name.

      • evalFrequency: Optional. Set the evalFrequency (Hourly|Daily).

      • queryId: Provide the queryID. It must match the ID of the query you want to use.

      • severity: Set the desired severity (critical|high|medium|low|info).

      • description: Customize the description to display.

      • remediation: Customize the remediation message to display.

    2. Save the file as YAML with the filename UnrestrictedIngressToTCP445.yaml. Note the file's location.

    3. In the FortiCNAPP CLI, run this command:

      lacework policy create -f <path_to>/UnrestrictedIngressToTCP445.yaml

      The policy <policy_name> was created.

    Enable Alerts

    The policy you just created is not enabled and does not yet raise alerts when violations occur. The following enables alerts for the policy.

    1. In your text editor, open the UnrestrictedIngressToTCP445.yaml file and update these fields:

      • enabled: false to enabled: true

      • alertEnabled: false to alertEnabled: true

    2. Save your changes.

    3. In the FortiCNAPP CLI, run this command:

      lacework policy update -f <path_to>/UnrestrictedIngressToTCP445.yaml

      The policy <policy_name> was updated.
    Previous
    Next

    Create Policies with the CLI

    Create Policies with the CLI

    Note

    PREVIEW FEATURE This article describes functionality that is currently in preview. Access to Azure, Google Cloud, and OCI datasources is in preview status.

    This topic walks you through using the FortiCNAPP CLI to create a custom violation policy that detects unrestricted ingress to TCP port 445. Port 445 is conventionally used for SMB communication, and should not be open to external networks.

    If you are new to the FortiCNAPP CLI, see Get Started to learn about installing and configuring the CLI.

    This walkthrough follows a basic end-to-end workflow to create a custom policy. For additional options when creating queries and policies, see LQL Queries and Policies. For information about policy types, see Custom Policy Types.

    Create a Query

    What Datasources Are Available

    The easiest way to learn about the LQL datasources is to discover the names of the datasources and then get details about the one you are interested in.

    Run the command that corresponds to your cloud provider:

    lacework query list-sources | grep AWS
    lacework query list-sources | grep GCP
    lacework query list-sources | grep AZURE
    lacework query list-sources | grep OCI

    What Fields Can I Use from a Datasource

    In order to learn which fields to use in your query, run the lacework query show-source command for a description of the fields. For some datasources, you can run the lacework query preview-source command (not available for all datasources).

    The following command shows the details for the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource.

    lacework query show-source LW_CFG_AWS_EC2_SECURITY_GROUPS

                DATASOURCE                      DESCRIPTION
---------------------------------+---------------------------------
  LW_CFG_AWS_EC2_SECURITY_GROUPS   Results from AWS EC2
                                   'describe-security-groups'

     FIELD NAME      DATA TYPE            DESCRIPTION
-------------------+-----------+---------------------------------
  BATCH_START_TIME   Timestamp   Beginning of time interval
  BATCH_END_TIME     Timestamp   End of time interval
  QUERY_START_TIME   Timestamp   Start time of query for this
                                 resource
  QUERY_END_TIME     Timestamp   End time of query for this
                                 resource
  ARN                String      ARN for the resource
  API_KEY            String      Key describing the API used to
                                 fetch data for this resource
  SERVICE            String      Service this resource belongs
                                 to
  ACCOUNT_ID         String      AWS Account ID
  ACCOUNT_ALIAS      String      User friendly alias for AWS
                                 Account
  RESOURCE_TYPE      String      Type of this resource
  RESOURCE_ID        String      Identifier for this resource
  RESOURCE_REGION    String      Region this resource belongs
                                 to
  RESOURCE_CONFIG    JSON        JSON Definition of this
                                 resource
  RESOURCE_TAGS      JSON        Tags associated with this
                                 resource

    The RESOURCE_CONFIG field is frequently used in LQL. Because it is a JSON datasource, the LQL query must first convert the field using the array_to_rows() function. To know exactly which JSON fields you need, you can either read the cloud provider's API documentation, or write an LQL query to explore the full content before writing the actual policy.

    Explore Datasources Using LQL

    This example explores the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource. Replace the datasource with LW_CFG_GCP_COMPUTE_FIREWALL or LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS if using Google Cloud or Azure, respectively.

    1. Open your text editor, create a new file, and add the following content:

      ---
queryId: Explore_AWS_EC2_SECURITY_GROUPS
queryText: |-
  {
      source {
         LW_CFG_AWS_EC2_SECURITY_GROUPS
      }
      return {
         RESOURCE_CONFIG
      }
  }

    2. Save the file as YAML with the filename Explore_AWS_EC2_SECURITY_GROUPS.yaml. Note the file's location.

    3. In the FortiCNAPP CLI, run this command:

      lacework query run -f <path_to>/Explore_AWS_EC2_SECURITY_GROUPS.yaml
      {
 "RESOURCE_CONFIG": {
   "Description": "default VPC security group",
   "GroupId": "sg-000",
   "GroupName": "default",
   "IpPermissions": [
     {
       "IpProtocol": "-1",
       "IpRanges": [],
       "Ipv6Ranges": [],
       "PrefixListIds": [],
       "UserIdGroupPairs": [
         {
           "GroupId": "sg-000",
           "UserId": "111"
         }
       ]
     }
   ],
   "IpPermissionsEgress": [
     {
       "IpProtocol": "-1",
       "IpRanges": [
         {
           "CidrIp": "0.0.0.0/0"
         }
       ],
       "Ipv6Ranges": [],
       "PrefixListIds": [],
       "UserIdGroupPairs": []
     }
   ],
   "OwnerId": "111",
   "VpcId": "vpc-000"
 }
}

    Create a Query

    1. Open your text editor, create a new file, and add the content that corresponds to your cloud provider:

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
  {
      source {
          LW_CFG_AWS_EC2_SECURITY_GROUPS a,
          array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
          array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
      }
      filter {
          ip_permissions:IpProtocol = 'tcp'
          and ip_permissions:FromPort = 445
          and ip_permissions:ToPort = 445
          and ip_ranges:CidrIp = '0.0.0.0/0'
      }
      return distinct {
          ACCOUNT_ALIAS,
          ACCOUNT_ID,
          ARN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE,
          SERVICE
      }
  }

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
  {
      source {
          LW_CFG_GCP_COMPUTE_FIREWALL firewall,
          array_to_rows(firewall.RESOURCE_CONFIG:allowed) as (allowed),
          array_to_rows(allowed:ports) as (ports),
          array_to_rows(firewall.RESOURCE_CONFIG:sourceRanges) as (ranges)
      }
      filter {
          RESOURCE_CONFIG:direction = 'INGRESS'
          and allowed:IPProtocol = 'tcp'
          and ports = '445'
          and ranges = '0.0.0.0/0'
      }
      return distinct {
          ORGANIZATION_ID,
          PROJECT_NUMBER,
          PROJECT_ID,
          FOLDER_IDS,
          URN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE,
          SERVICE
      }
  }

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
  {
      source {
          LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS a,
          array_to_rows(a.RESOURCE_CONFIG:securityRules) as (rules)
      }
      filter {
          rules:"properties".access = 'Allow'
          and rules:"properties".direction = 'Inbound'
          and rules:"properties".protocol = 'Tcp'
          and rules:"properties".destinationPortRange = '445'
          and rules:"properties".sourceAddressPrefix = '*'
      }
      return distinct {
          TENANT_ID,
          TENANT_NAME,
          SUBSCRIPTION_ID,
          SUBSCRIPTION_NAME,
          URN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE
      }
  }

      ---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
   {
      source {
            LW_CFG_OCI_NETWORK_NETWORK_SECURITY_GROUPS
      }
      filter {
            RESOURCE_ID in {
               source {
                  LW_CFG_OCI_NETWORK_NETWORK_SECURITY_GROUP_RULES
               }
               filter {
                  RESOURCE_CONFIG:direction = 'INGRESS'
                  and RESOURCE_CONFIG:"source" = '0.0.0.0/0'
                  and RESOURCE_CONFIG:protocol = '6'
                  and RESOURCE_CONFIG:tcp_options.destination_port_range.min <= 445
                  and RESOURCE_CONFIG:tcp_options.destination_port_range.max >= 445
               }
               return distinct {
                  RESOURCE_ID
               }
            }
      }
      return distinct {
            COMPARTMENT_ID,
            RESOURCE_KEY,
            RESOURCE_REGION,
            RESOURCE_TYPE,
            SERVICE,
      }
   }

    2. Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP445.yaml. Note the file's location.

    3. In the FortiCNAPP CLI, run this command:

      lacework query create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP445.yaml

      The query LW_Custom_UnrestrictedIngressToTCP445 was created.

    Test Using Collected Data

    In the FortiCNAPP CLI, run this command:

    lacework query run LW_Custom_UnrestrictedIngressToTCP445

    [
  {
     "ACCOUNT_ALIAS": "",
     "ACCOUNT_ID": "aaa",
     "RESOURCE_KEY": "arn:aws:ec2:us-east-2:aaa:security-group/sg-bbb",
     "RESOURCE_REGION": "us-east-2",
     "RESOURCE_TYPE": "ec2:security-group",
     "SERVICE": "ec2"
  }
]

    [
  {
     "FOLDER_IDS": [],
     "ORGANIZATION_ID": "aaa",
     "PROJECT_ID": "ccc",
     "PROJECT_NUMBER": "bbb",
     "RESOURCE_KEY": "gcp:bbb://compute.googleapis.com/projects/ccc/global/firewalls/ddd",
     "RESOURCE_REGION": "global",
     "RESOURCE_TYPE": "compute.googleapis.com/Firewall",
     "SERVICE": "compute"
  }
]

    [
  {
     "RESOURCE_KEY": "/subscriptions/aaa/resourceGroups/bbb/providers/Microsoft.Network/networkSecurityGroups/ddd",
     "RESOURCE_REGION": "westus",
     "RESOURCE_TYPE": "microsoft.network/networksecuritygroups",
     "SUBSCRIPTION_ID": "aaa",
     "SUBSCRIPTION_NAME": "eee",
     "TENANT_ID": "ccc",
     "TENANT_NAME": "fff"
  }
]

    [
  {
     "COMPARTMENT_ID": "ocid1.tenancy.oc1..aaa",
     "RESOURCE_KEY": "ocid1.networksecuritygroup.oc1.us-sanjose-1.aaa",
     "RESOURCE_REGION": "us-sanjose-1",
     "RESOURCE_TYPE": "nsg",
     "SERVICE": "network"
  }
]

    Create a Policy

    1. Open your text editor, create a new file, and add the content that corresponds to your cloud provider:

      ---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high   
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      ---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_GCP_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      ---
title: Network Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AZURE_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Network security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      ---
title: Network Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_OCI_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Network security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

      The fields in the policy definition are:

      • title: Customize the event title.

      • enabled: Enable or disable the policy (true|false).

      • policyType: Enter Violation as the policyType.

      • alertEnabled: Enable or disable alerts (true|false).

      • alertProfile: Provide the alertProfile and alert template name within the alert profile. It follows the format alertProfileId.alert_template_name.

      • evalFrequency: Optional. Set the evalFrequency (Hourly|Daily).

      • queryId: Provide the queryID. It must match the ID of the query you want to use.

      • severity: Set the desired severity (critical|high|medium|low|info).

      • description: Customize the description to display.

      • remediation: Customize the remediation message to display.

    2. Save the file as YAML with the filename UnrestrictedIngressToTCP445.yaml. Note the file's location.

    3. In the FortiCNAPP CLI, run this command:

      lacework policy create -f <path_to>/UnrestrictedIngressToTCP445.yaml

      The policy <policy_name> was created.

    Enable Alerts

    The policy you just created is not enabled and does not yet raise alerts when violations occur. The following enables alerts for the policy.

    1. In your text editor, open the UnrestrictedIngressToTCP445.yaml file and update these fields:

      • enabled: false to enabled: true

      • alertEnabled: false to alertEnabled: true

    2. Save your changes.

    3. In the FortiCNAPP CLI, run this command:

      lacework policy update -f <path_to>/UnrestrictedIngressToTCP445.yaml

      The policy <policy_name> was updated.
    Previous
    Next