Lacework¶
About¶
The Data-Driven Security Platform for the Cloud.
Lacework takes millions of incoming data points, correlates them into behaviors, detects all potential security events, and then helps you focus on the critical security risks that you need to take action on.
Product Details¶
Vendor URL: Lacework
Product Type: CASB
Product Tier: Tier II
Integration Method: Custom
Integration URL: Lacework Webhook
Log Guide: Field Names
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: LACEWORK
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "GENERIC_EVENT" | metadata.event_type |
| event_type | metadata.product_event_type |
| Lacework Cloud Security | metadata.product_name |
| event_description | network.ip_protocol |
| Application | principal.application |
| user, IAMUser, running as | principal.user.userid |
| AWS Account | security_result.about.labels.key = AWSAccount |
| event_description | security_result.about.labels.key = AWSRegion |
| event_id | security_result.about.labels.key = EventId |
| event_severity | security_result.about.labels.key = EventSeverity |
| event_source | security_result.about.labels.key = LaceworkAccount |
| event_description | security_result.about.labels.key = SecurityGroup |
| event_description | security_result.description |
| event_title | security_result.summary |
| event_link | security_result.url_back_to_product |
| accessed service | target.application |
| event_type | target.asset.attribute.cloud.environment |
| File | target.file.full_path |
| hash | target.file.sha256 |
| on host | target.hostname |
| target_hostname | target.ip |
| event_description | target.port |
Product Event Types¶
| Product Event | Description | UDM Event |
|---|---|---|
| APP | Application Access | GENERIC_EVENT |
| AWS | AWS Cloud Access | GENERIC_EVENT |
| Compliance | Compliance Activity | GENERIC_EVENT |
| File | File Access | GENERIC_EVENT |
| User | User Action | GENERIC_EVENT |
Log Sample¶
{"event_title": "Service called API", "event_link": "https://url.lacework.net/?startTime=&endTime=", "lacework_account": "ACCOUNT", "event_source": "CloudTrail", "event_description": " For account: account-number : User AssumedRole:role accessed service ec2.amazonaws.com using api DeleteTags (and 26 more) in the region us-east using calltype AwsApiCall ", "event_timestamp": "21 Sep 2021 23:00 GMT", "event_type": "Aws", "event_id": "id", "event_severity": "5"}
Sample Parsing¶
metadata.event_timestamp = "2021-09-21T23:00:00Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Lacework Cloud Security"
metadata.product_event_type = "Aws"
metadata.ingested_timestamp = "2021-09-22T00:25:47.873034Z"
target.application = "ec2.amazonaws.com"
target.asset.attribute.cloud.environment = "AMAZON_WEB_SERVICES"
security_result.about.labels.key = "AWSAccount"
security_result.about.labels.value = "account-number"
security_result.about.labels.key = "AWSRegion"
security_result.about.labels.value = "us-east"
security_result.about.labels.key = "EventSource"
security_result.about.labels.value = "CloudTrail"
security_result.about.labels.key = "LaceworkAccount"
security_result.about.labels.value = "ACCOUNT"
security_result.about.labels.key = "EventId"
security_result.about.labels.value = "id"
security_result.about.labels.key = "EventSeverity"
security_result.about.labels.value = "5"
security_result.summary = "Service called API"
security_result.description = " For account: account-number : User AssumedRole:role accessed service ec2.amazonaws.com using api DeleteTags (and 26 more) in the region us-east using calltype AwsApiCall "
security_result.url_back_to_product = "https://url.lacework.net/?startTime=&endTime="
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon