AWSTemplateFormatVersion: '2010-09-09' Description: | The following CloudFormation Lacework resource types set up Lacework Profile Resources: AgentsToken: Type: Lacework::Agents::Token Properties: Props: Description: My CFN Provisioned Token TokenEnabled: 1 TokenAlias: My_CFN Token Dev AlertsChannel: Type: Lacework::Alerts::Channel Properties: Name: Test Email Type: EmailUser Enabled: 1 Data: channelProps: recipients: - "alert-recipient@example.com" AlertsProfile: Type: Lacework::Alerts::Profile Properties: AlertProfileId: Custom_Test_AlertProfile Extends: LW_HE_MACHINES_DEFAULT_PROFILE Alerts: - Name: HE_Machine_NewViolation EventName: Custom LW Host Entity Machine New Violation Alert Description: Custom New Violation for machine Subject: Custom New violation detected for machine AlertsRule: Type: Lacework::Alerts::Rule Properties: Filters: Name: MyRule Description: A description Enabled: 1 Severity: - 1 IntgGuidList: - !GetAtt AlertsChannel.IntgGuid Type: Event Policy: Type: Lacework::Policies::Policy Properties: QueryId: !Ref Query Title: Test Title Enabled: true Description: Test Description Remediation: Test remediation Severity: info Limit: 1000 AlertEnabled: true AlertProfile: LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource Tags: - Test Tag - domain:AWS - subdomain:Cloudtrail PolicyId: aws-cfn-pub-reg-x-test-100 Query: Type: Lacework::Queries::Query Properties: QueryId: myTestId QueryText: "{ source { CloudTrailRawEvents } filter { EVENT_SOURCE = 'ec2.amazonaws.com' and EVENT_NAME in ( 'CreateNetworkAcl', 'CreateNetworkAclEntry', 'DeleteNetworkAcl', 'DeleteNetworkAclEntry', 'ReplaceNetworkAclEntry', 'ReplaceNetworkAclAssociation' ) and ERROR_CODE is null } return distinct { INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT }}"