
Tags in Policies

When building Access and Policies, Lacework Edge has a set of tags you can use to characterize the users and/or traffic that you want to match.

Resource Tags

Resource Tags are used in the "Applications" filter of a given Policy to define which resources that Policy controls access to. Policies meant for routing traffic (Connector|Direct|Lacework Edge Routing) can only use certain tags; those are marked in the Routing Policies column below.

Tag             Value                   Example                                      Routing Policies
app             uuid, not_found or *    app:yourco.tcp.0.yourapp.com, app:not_found  ✔️
appgroup        appgroup_name           appgroup:internal_apps
classification  classification_name     classification:Gambling
connector       connector_unique_name   connector:internal-connector
domain          domain_name             domain:internal.yourco.com                   ✔️
host            host_name               host:myhost.internal.yourco.com              ✔️
network         network_cidr            network:192.168.1.0/24                       ✔️
port            port_num                port:8080
url_in          list_uuid               url_in:listuuid
webapp          webapp_name             webapp:google                                ✔️

Session Tags

Session Tags are used in the "Users" filter of a given Policy, to qualify which user sessions will map to that Policy. These include tags pertaining to a user, their physical and networking location, and the device they are using.

Tag                             Value                   Example
anomalous                       boolean or string       anomalous:true, anomalous:location
anonymous_user                  true                    anonymous_user:true
browser                         string                  browser:Firefox
browser_version                 string                  browser_version:113.0
client_ip                       client_nat_ip           client_ip:10.11.12.13
country                         country_code            country:US
country_in                      list_uuid               country_in:yourlistsuuid
device_activation_lock_enabled  boolean                 device_activation_lock_enabled:true
device_risk                     low/medium/high         device_risk:medium
disk_encryption_enabled         boolean                 disk_encryption_enabled:true
event_review                    boolean or string       event_review:true
group                           group_uuid              group:someuuid
idp_attr                        string                  idp_attr:title:Contractor
os                              string                  os:Windows
os_version                      string                  os_version:13.1
posture                         high/medium/low/none    posture:medium
posture_ge                      high/medium/low/none    posture_ge:medium
posture_le                      high/medium/low/none    posture_le:medium
user                            user_uuid or *          user:uuid
user_risk                       low/medium/high         user_risk:high
wifi_bssid                      wap_mac_address         wifi_bssid:00:B0:D0:63:C2:26
wifi_ssid                       wap_ssid                wifi_ssid:yourco-5ghz

Tag Details

anomalous

Description: When set to true, Lacework Edge's AI detected unusual patterns of activity for this user. Two tags will be added to the user's session: one that indicates there is anomalous behavior (anomalous:true) as well as the type of behavior (anomalous:location). This facilitates writing a policy to match on the specific behavior, or on any behavior.
Value: boolean or string. Possible string values are activity, location, new_ip or new_location
Example: anomalous:true anomalous:location
Used In: User/Session filters

app

Description: Any Application defined in Lacework Edge.
Value: Either an application UUID in Lacework Edge, or the special value not_found. The tag app:not_found is typically used to match Internet traffic routed to the Lacework Edge cloud that does not go through a connector. The special value app:* always matches. A policy must have at least one entry in its resource filter to be valid; if a policy should match any resource, use the resource tag app:*.
Example: app:yourco.tcp.0.internal-file-share.egc
Used In: Application/Resource filters, including routing policies

appgroup

Description: The appgroup tag is applied to multiple Applications to save time and simplify the configuration of access rules and policies. A common use is when a single App has multiple endpoints.
Value: appgroup tag name
Example: appgroup:internal_apps
Used In: Application/Resource filters

anonymous_user

Description: Under some circumstances (e.g., access to an internal Windows domain controller for authentication) a session will have access to resources before the user is logged in. Such a session has the anonymous_user:true tag set.
Value: true
Example: anonymous_user:true
Used In: User/Session filters

browser

Description: Set only when the browser extension is used; identifies which browser the session comes from.
Value: Either Chrome or Firefox
Example: browser:Firefox
Used In: User/Session filters

browser_version

Description: Identifies the version number of the browser running the browser extension.
Value: browser semver version
Example: browser_version:113.0
Used In: User/Session filters

classification

Description: Common categories of web sites. Can be used to allow or block traffic to an entire category, e.g. Social Media or Phishing sites. A complete list can be found here.
Value: Classification name
Example: classification:Gambling
Used In: Application/Resource filters

client_ip

Description: Public IP of the client's workstation, usually that of the router/NAT device rather than the workstation's own address.
Value: Client IP
Example: client_ip:10.11.12.13
Used In: User/Session filters

connector

Description: Matches any applications or networks that designate a specific Lacework Edge Connector for routing. For example, to grant access to all applications that route through internal-connector, use connector:internal-connector as the resource match.
Value: Unique Name in Lacework Edge
Example: connector:internal-connector
Used In: Application/Resource filters

country

Description: The country a user's client is connecting from. To deny all client traffic originating from China, use a DENY policy with user filter set to country:CN.
Value: Country Code
Example: country:US
Used In: User/Session filters

country_in

Description: Refers to a Lacework Edge List that contains a list of Countries, matching on the country a user's client is connecting from.
Value: List UUID in Lacework Edge
Example: country_in:yourlistsuuid
Used In: User/Session filters

device_activation_lock_enabled

Description: Whether the client device has activation lock enabled (an anti-theft protection).
Value: true/false
Example: device_activation_lock_enabled:true
Used In: User/Session filters

device_risk

Description: The calculated risk level of that user's device.
Value: low/medium/high
Example: device_risk:medium
Used In: User/Session filters

disk_encryption_enabled

Description: Whether the client device has OS disk encryption (e.g., BitLocker, FileVault) enabled.
Value: true/false
Example: disk_encryption_enabled:true
Used In: User/Session filters

domain

Description: Any domain name. Includes all sub-domains.
Value: Domain name
Example: domain:internal.yourco.com
Used In: Application/Resource filters, including routing policies

event_review

Description: Used for workflows. The tag event_review:true is added to a user's session when a new notification is sent out. Using this tag, you can block access to a resource until that user has reviewed and cleared events. A second tag with the specific type of notification is added as well, for example event_review:documentsharedexternally.
Value: boolean or string. Possible string values are: alert_config:uuid, anomalouslocationbyuser, documentsharedexternally, newexebyuser, suspiciousaccessdenied, unusualnumberofalertsbyuser, useronvpn, usertravelling, weird_user, workflowdeniedbyuser
Example: event_review:true event_review:documentsharedexternally
Used In: User/Session filters

group

Description: Every group the user belongs to is added to the session as a group:uuid tag.
Value: group-uuid
Example: group:okta.id
Used In: User/Session filters

host

Description: Any host name. Matches that exact host only; unlike domain, it does not include subdomains.
Value: Host name
Example: host:myhost.internal.yourco.com
Used In: Application/Resource filters, including routing policies

idp_attr

Description: Any attributes returned by the identity provider are added to the user's session as idp_attr:string tags, where the string carries the attribute name and value (as in the example).
Value: string
Example: idp_attr:title:SDET
Used In: User/Session filters

network

Description: Any subnet to which you want to control access.
Value: Subnet in CIDR notation
Example: network:192.168.1.0/24
Used In: Application/Resource filters, for routing policies only

os

Description: The operating system family the client is running.
Value: Windows, macOS or iOS
Example: os:Windows
Used In: User/Session filters

os_version

Description: The operating system version the client is running.
Value: Semver version number
Example: os_version:13.3.1
Used In: User/Session filters

posture

Description: Indicates the highest level of Device Posture that a device currently matches. posture matches on an exact Posture Level.
Value: The value high, medium or low or none
Example: posture:medium
Used In: User/Session filters

posture_ge

Description: Indicates the highest level of Device Posture that this device currently matches. posture_ge matches Posture Levels greater than or equal to the value entered.
Value: The value high, medium or low or none
Example: posture_ge:medium
Used In: User/Session filters

posture_le

Description: Indicates the highest level of Device Posture that this device currently matches. posture_le matches Posture Levels less than or equal to the value entered.
Value: The value high, medium or low or none
Example: posture_le:low
Used In: User/Session filters

port

Description: Port number of the user's traffic to the resource.
Value: port_num
Example: port:8080
Used In: Application/Resource filters

url_in

Description: Refers to a Lacework Edge List that contains a list of domains, hostnames and URLs. The current request is matched against the entries in the list. An entry of the form xyz.com will match all hosts and URLs that have the xyz.com domain. An entry of the form xyz.com/ will match only URLs that have the exact hostname xyz.com. An entry of the form xyz.com/static will match only URLs with an exact hostname match on xyz.com and that have a path prefix of /static.
Value: List UUID in Lacework Edge
Example: url_in:listuuid
Used In: Application/Resource filters
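The three url_in entry forms above, together with the domain (includes subdomains) and host (exact host only) semantics described earlier, expressed as a small matcher. This is an added example and not Lacework Edge code: only the entry forms and their meaning come from this page; the function names and SAMPLE_LIST are assumptions.

```python
from urllib.parse import urlsplit

# Added illustration of the url_in / domain / host matching rules on this page.
# Not Lacework Edge code: the three entry forms and their meaning come from the
# page; the function names and SAMPLE_LIST are assumptions.

def split_url(url: str):
    """Return (hostname, path) for a full URL or a bare host name."""
    if "://" not in url:
        url = "https://" + url          # bare host: treat as a URL with path "/"
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return host, parts.path or "/"

def domain_matches(host: str, domain: str) -> bool:
    """domain:xyz.com semantics: the domain itself and every sub-domain."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def host_matches(host: str, host_name: str) -> bool:
    """host:myhost.xyz.com semantics: exact host name only, no sub-domains."""
    return host == host_name.lower().rstrip(".")

def entry_matches(entry: str, url: str) -> bool:
    """Apply one url_in list entry to a request.

    xyz.com         any host under the xyz.com domain   (same as the domain tag)
    xyz.com/        exact host name xyz.com only        (same as the host tag)
    xyz.com/static  exact host name and path prefix /static
    """
    host, path = split_url(url)
    if "/" not in entry:
        return domain_matches(host, entry)
    entry_host, _, entry_path = entry.partition("/")
    if not host_matches(host, entry_host):
        return False
    prefix = "/" + entry_path
    # The page specifies a path *prefix*: a plain prefix also lets xyz.com/static
    # match /staticfiles, so write list entries as precisely as you need them.
    return path.startswith(prefix)

def url_in(entries, url: str):
    """Return the first list entry that matches the request, or None."""
    for entry in entries:
        if entry_matches(entry, url):
            return entry
    return None

# Constructed sample list, standing in for a Lacework Edge List referenced by UUID.
SAMPLE_LIST = ["yourco.com", "docs.example.com/", "cdn.example.com/static"]

if __name__ == "__main__":
    for req in ["https://intranet.yourco.com/login",
                "https://docs.example.com/guide",
                "https://www.docs.example.com/guide",
                "https://cdn.example.com/static/app.js",
                "https://cdn.example.com/images/logo.png"]:
        print(f"{req:45} -> {url_in(SAMPLE_LIST, req)}")
```

The practical point the matcher makes visible is the trailing slash: "docs.example.com" would also admit www.docs.example.com, while "docs.example.com/" does not, so an allow-list entry without a slash is a domain grant, not a host grant.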

user

Description: Every user has the tag user:uuid added to their session. To match a specific user, use a user:uuid tag. As with app:*, user:* can be used as a wildcard so that a policy's user filter always matches.
Value: uuid
Example: user:uuid
Used In: User/Session filters
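The posture_ge / posture_le comparison described above, the app:* and user:* wildcards, and the paired boolean-plus-type tags (anomalous, event_review), shown as the evaluation of one filter tag against a session's tag set. This is an added example and not Lacework Edge code: the level ordering none < low < medium < high, the function names and SAMPLE_SESSION are assumptions, and how several tags in one filter combine is not documented on this page and so not modelled here.

```python
# Added illustration of how one policy filter tag is evaluated against a session's
# tag set. Not Lacework Edge code: the ordering none < low < medium < high, the
# function names and SAMPLE_SESSION are assumptions for illustration only.

POSTURE_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
WILDCARD_KEYS = {"app", "user"}   # the page documents the * value only for these

def parse_tag(tag: str):
    """Split 'key:value'; idp_attr values may themselves contain ':'."""
    key, sep, value = tag.partition(":")
    if not sep or not key or not value:
        raise ValueError(f"malformed tag: {tag!r}")
    return key, value

def session_posture(session_tags) -> str:
    """posture:<level> is the highest level the device currently matches;
    a session without one is treated as 'none'."""
    for tag in session_tags:
        key, value = parse_tag(tag)
        if key == "posture":
            if value not in POSTURE_LEVELS:
                raise ValueError(f"unknown posture level: {value!r}")
            return value
    return "none"

def tag_matches(filter_tag: str, session_tags) -> bool:
    """True if the policy filter tag matches this session (or resource) tag set."""
    key, value = parse_tag(filter_tag)
    if value == "*":
        return key in WILDCARD_KEYS        # app:* / user:* always match; no other key does
    if key in ("posture_ge", "posture_le"):
        if value not in POSTURE_LEVELS:
            raise ValueError(f"unknown posture level: {value!r}")
        have = POSTURE_LEVELS[session_posture(session_tags)]
        want = POSTURE_LEVELS[value]
        return have >= want if key == "posture_ge" else have <= want
    # Everything else, including posture:<level>, anomalous:<type> and
    # event_review:<type>, is an exact match against a tag present on the session.
    return filter_tag in set(session_tags)

# Constructed sample session: a medium-posture macOS device whose user tripped the
# location anomaly detector (note the paired anomalous:true / anomalous:location).
SAMPLE_SESSION = [
    "user:2d6c4f0e-0000-4000-8000-000000000001",
    "group:9b1deb4d-0000-4000-8000-000000000002",
    "os:macOS", "os_version:13.3.1", "country:US",
    "posture:medium", "device_risk:low",
    "anomalous:true", "anomalous:location",
    "idp_attr:title:Contractor",
]

if __name__ == "__main__":
    for f in ["user:*", "posture_ge:medium", "posture_ge:high", "posture_le:low",
              "anomalous:location", "anomalous:new_ip", "idp_attr:title:Contractor"]:
        print(f"{f:28} -> {tag_matches(f, SAMPLE_SESSION)}")
```

Two behaviours worth checking against your own tenant before relying on them: a device with no posture evaluation at all is treated here as none (so posture_ge:low denies it and posture_le:none is the way to catch it), and a wildcard on any key other than app or user is rejected rather than silently matching everything.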

user_risk

Description: The calculated risk level of a user.
Value: low/medium/high
Example: user_risk:high
Used In: User/Session filters

webapp

Description: Netify maintains a list of common webapps that encompass the domains each app uses (e.g. Zoom runs on zoom.com, zoomgov.com, zoom.us, etc.).
Value: Webapp Name - see the list here
Example: webapp:zoom
Used In: Application/Resource filters, including routing policies

wifi_bssid

Description: MAC Address of the Wireless Access Point to which this device is connected.
Value: MAC Address
Example: wifi_bssid:00:B0:D1:63:C2:26
Used In: User/Session filters, for config and routing policies only

wifi_ssid

Description: SSID of the Wireless Access Point to which this device is connected.
Value: SSID
Example: wifi_ssid:yourco-5ghz
Used In: User/Session filters, for config and routing policies only