Lacework Logs
Connecting Lacework logs to your Panther Console
Panther supports ingesting Lacework logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
To connect these logs into Panther:
- 1.Set up your Data Transport in the Panther Console.
- Please follow Panther's documentation for configuring the Data Transport option you will use:
- 2.Configure Lacework to push logs to the Data Transport source.
- See Lacework's documentation for instructions on pushing logs to your selected Data Transport source.
Required fields in the schema are listed as "required: true" just below the "name" field.
Lacework.AgentManagement gathers Lacework agent management information.
fields:
- name: AGENT_VERSION
required: true
type: string
- name: CREATED_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: HOSTNAME
required: true
type: string
- name: IP_ADDR
required: true
type: string
indicators:
- ip
- name: LAST_UPDATE
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
- name: MID
required: true
type: bigint
- name: MODE
required: true
type: string
- name: OS
required: true
type: string
- name: STATUS
required: true
type: string
- name: TAGS
type: json
Lacework.AlertDetails provides information about generated alerts.
fields:
- name: END_TIME
required: true
type: timestamp
timeFormats:
- '%a, %d %b %Y %H:%M:%S %z'
- '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: ENTITY_MAP
required: true
type: object
fields:
- name: NewViolation
type: array
element:
type: object
fields:
- name: KEY
type: object
fields:
- name: reason
type: string
- name: reason_id
type: string
- name: rec_id
type: string
- name: resource
type: string
indicators:
- aws_arn
- name: PROPS
type: json
- name: RecId
type: array
element:
type: object
fields:
- name: KEY
type: object
fields:
- name: eval_guid
type: string
- name: rec_id
type: string
- name: PROPS
type: json
- name: Resource
type: array
element:
type: object
fields:
- name: KEY
type: object
fields:
- name: name
type: string
- name: value
type: string
indicators:
- aws_arn
- name: ViolationReason
type: array
element:
type: object
fields:
- name: KEY
type: object
fields:
- name: reason
type: string
- name: reason_id
type: string
- name: rec_id
type: string
- name: PROPS
type: json
- name: EVENT_ACTOR
required: true
type: string
- name: EVENT_ID
required: true
type: bigint
- name: EVENT_MODEL
required: true
type: string
- name: EVENT_TYPE
required: true
type: string
- name: START_TIME
required: true
type: timestamp
timeFormats:
- '%a, %d %b %Y %H:%M:%S %z'
- '%Y-%m-%d %H:%M:%S.%f'
Lacework.AllFiles tracks every time Lacework detects a file.
fields:
- name: CREATED_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: FILEDATA_HASH
required: true
type: string
indicators:
- sha256
- name: FILE_PATH
required: true
type: string
- name: MID
required: true
type: bigint
- name: MTIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
- name: SIZE
required: true
type: bigint
Lacework.ChangeFiles tracks every time a file is changed in your environment.
fields:
- name: END_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: FILEDATA_HASH
required: true
type: string
indicators:
- sha256
- name: FILE_PATH
required: true
type: string
- name: MID
required: true
type: bigint
- name: MTIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
- name: SIZE
required: true
type: bigint
- name: START_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
Lacework.CloudCompliance tracks compliance violations identified by Lacework cloud assessments.
fields:
- name: REASON
type: string
- name: REGION
type: string
- name: RESOURCE
type: string
indicators:
- aws_arn
- name: ACCOUNT
required: true
type: object
fields:
- name: AccountId
type: string
indicators:
- aws_account_id
- name: Account_Alias
type: string
- name: EVAL_TYPE
required: true
type: string
- name: ID
required: true
type: string
- name: RECOMMENDATION
type: string
- name: REPORT_TIME
required: true
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S.%f'
- '%a, %d %b %Y %H:%M:%S %z'
isEventTime: true
- name: SECTION
type: string
- name: SEVERITY
required: true
type: string
- name: STATUS
required: true
type: string
Lacework.Cmdline monitors any command line invocations in your environment.
fields:
- name: CMDLINE
required: true
type: string
- name: CMDLINE_HASH
required: true
type: string
indicators:
- md5
- name: CREATED_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
Lacework.Connections monitors for connections in your environment.
fields:
- name: DST_ENTITY_ID
required: true
type: object
fields:
- name: pid_hash
type: string
- name: port
type: bigint
- name: protocol
type: string
- name: mid
type: bigint
- name: DST_ENTITY_TYPE
required: true
type: string
- name: DST_IN_BYTES
required: true
type: bigint
- name: DST_OUT_BYTES
required: true
type: bigint
- name: ENDPOINT_DETAILS
required: true
type: array
element:
type: object
fields:
- name: dst_ip_addr
required: true
type: string
indicators:
- ip
- name: dst_port
required: true
type: bigint
- name: protocol
required: true
type: string
- name: src_ip_addr
required: true
type: string
indicators:
- ip
- name: END_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: NUM_CONNS
required: true
type: bigint
- name: SRC_ENTITY_ID
required: true
type: object
fields:
- name: mid
required: true
type: bigint
- name: pid_hash
required: true
type: string
- name: SRC_ENTITY_TYPE
required: true
type: string
- name: SRC_IN_BYTES
required: true
type: bigint
- name: SRC_OUT_BYTES
required: true
type: bigint
- name: START_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
Lacework.ContainerSummary monitors for containers in your environment.
fields:
- name: POD_NAME
type: string
- name: CONTAINER_NAME
required: true
type: string
- name: END_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: IMAGE_ID
required: true
type: string
- name: MID
required: true
type: bigint
- name: PROPS_CONTAINER
required: true
type: object
fields:
- name: VOLUME_MAP
type: json
- name: POD_IP_ADDR
type: string
indicators:
- ip
- name: LISTEN_PORT_MAP
type: json
- name: POD_TYPE
type: string
- name: PROPS_LABEL
type: json
- name: CONTAINER_START_TIME
required: true
type: timestamp
timeFormat: unix_ms
- name: CONTAINER_TYPE
required: true
type: string
- name: IMAGE_AUTHOR
required: true
type: string
- name: IMAGE_CREATED_TIME
required: true
type: timestamp
timeFormat: unix_ms
- name: IMAGE_ID
required: true
type: string
- name: IMAGE_PARENT_ID
required: true
type: string
- name: IMAGE_REPO
required: true
type: string
- name: IMAGE_SIZE
required: true
type: bigint
- name: IMAGE_TAG
required: true
type: string
- name: IMAGE_VERSION
required: true
type: string
- name: IMAGE_VIRTUAL_SIZE
required: true
type: bigint
- name: IPV4
required: true
type: string
indicators:
- ip
- name: NAME
required: true
type: string
- name: NETWORK_MODE
required: true
type: string
- name: PID_MODE
required: true
type: string
- name: PRIVILEGED
required: true
type: bigint
- name: START_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
- name: TAGS
required: true
type: json
Lacework.ContainerVulnDetails monitors for container vulnerabilities in your environment.
fields:
- name: SEVERITY
type: string
- name: VULN_ID
type: string
- name: EVAL_CTX
required: true
type: object
fields:
- name: cve_batch_info
required: true
type: array
element:
type: object
fields:
- name: cve_batch_id
required: true
type: string
- name: cve_created_time
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
- name: image_info
required: true
type: object
fields:
- name: created_time
required: true
type: timestamp
timeFormat: unix_ms
- name: digest
required: true
type: string
- name: id
required: true
type: string
- name: registry
required: true
type: string
- name: repo
required: true
type: string
- name: scan_created_time
required: true
type: timestamp
timeFormat: unix
- name: size
required: true
type: bigint
- name: status
required: true
type: string
- name: tags
required: true
type: array
element:
type: string
- name: type
required: true
type: string
- name: integration_props
required: true
type: object
fields:
- name: INTG_GUID
type: string
- name: NAME
type: string
- name: REGISTRY_TYPE
type: string
- name: is_reeval
required: true
type: boolean
- name: request_source
required: true
type: string
- name: scan_batch_id
required: true
type: string
- name: scan_request_props
required: true
type: object
fields:
- name: reqId
type: string
- name: data_format_version
required: true
type: string
- name: props
required: true
type: object
fields:
- name: data_format_version
required: true
type: string
- name: scanner_version
required: true
type: string
- name: scanCompletionUtcTime
required: true
type: timestamp
timeFormat: unix
- name: scan_start_time
required: true
type: timestamp
timeFormat: unix
- name: scanner_version
required: true
type: string
- name: vuln_batch_id
required: true
type: string
- name: vuln_created_time
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
- name: FEATURE_KEY
required: true
type: object
fields:
- name: name
required: true
type: string
- name: namespace
required: true
type: string
- name: version
required: true
type: string
- name: FEATURE_PROPS
required: true
type: object
fields:
- name: introduced_in
required: true
type: string
- name: layer
required: true
type: string
- name: src
required: true
type: string
- name: version_format
required: true
type: string
- name: FIX_INFO
required: true
type: object
fields:
- name: compare_result
required: true
type: string
- name: fix_available
required: true
type: string
- name: fixed_version
required: true
type: string
- name: IMAGE_ID
required: true
type: string
- name: START_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: STATUS
required: true
type: string
Lacework.DNSQuery monitors for any DNS queries in your environment.
fields:
- name: CREATED_TIME
required: true
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S.%f'
isEventTime: true
- name: DNS_SERVER_IP
required: true
type: string
indicators:
- ip
- name: FQDN
required: true
type: string
indicators:
- domain
- name: HOST_IP_ADDR
required: true
type: string
indicators:
- ip
- name: MID
required: true
type: bigint
- name: TTL
required: true
type: bigint
Lacework.Events represents the content of an exported Lacework Alert S3 Object.
- name: EVENT_CATEGORY
required: true
description: The category the event falls into
type: string
- name: EVENT_DETAILS
required: true
description: The event details
type: object
fields:
- name: data
description: The array of event data
type: array
element:
type: object
fields:
- name: START_TIME
description: The event start time.
type: timestamp
timeFormat: rfc3339
- name: END_TIME
description: The event end time.
type: timestamp
timeFormat: rfc3339
- name: EVENT_TYPE
description: The event type description eg - launched new binary.
type: string
- name: EVENT_ID
description: The event alert ID.
type: string
- name: EVENT_ACTOR
description: The origin of the event eg - AWS, User.
type: string
- name: EVENT_MODEL
description: The model that triggered an alert.
type: string
- name: ENTITY_MAP
description: The map of related fields to the detection alert.
type: object
fields:
- name: User
description: Any user based info involved in an alert.
type: array
element:
type: object
fields:
- name: MACHINE_HOSTNAME
description: Hostname field
type: string
- name: USERNAME
description: Username field
type: string
indicators:
- username
- name: Application
description: Any application based info involved in an alert.
type: array
element:
type: object
fields:
- name: APPLICATION
description: Application field
type: string
- name: HAS_EXTERNAL_CONNS
description: HasExternalConns field
type: bigint
- name: IS_CLIENT
description: IsClient field
type: bigint
- name: IS_SERVER
description: IsServer field
type: bigint
- name: EARLIEST_KNOWN_TIME
description: EarliestKnownTime field
type: timestamp
timeFormat: rfc3339
- name: Machine
description: Any machine based info involved in an alert.
type: array
element:
type: object
fields:
- name: HOSTNAME
description: Hostname field
type: string
- name: EXTERNAL_IP
description: ExternalIP field
type: string
indicators:
- ip
- name: INSTANCE_ID
description: InstanceID field
type: string
- name: INSTANCE_NAME
description: InstanceName field
type: string
- name: CPU_PERCENTAGE
description: CPUPercentage field
type: float
- name: INTERNAL_IP_ADDR
description: InternalIPAddress field
type: string
indicators:
- ip
- name: IS_EXTERNAL
description: IsExternal field
type: bigint
- name: Container
description: Any container based info involved in an alert.
type: array
element:
type: object
fields:
- name: IMAGE_REPO
description: ImageRepo field
type: string
- name: IMAGE_TAG
description: ImageTag field
type: string
- name: HAS_EXTERNAL_CONNS
description: HasExternalConns field
type: bigint
- name: IS_CLIENT
description: IsClient field
type: bigint
- name: IS_SERVER
description: IsServer field
type: bigint
- name: FIRST_SEEN_TIME
description: FirstSeenTime field
type: timestamp
timeFormat: rfc3339
- name: POD_NAMESPACE
description: PodNamespace field
type: string
- name: POD_IP_ADDR
description: PodIPAddress field
type: string
indicators:
- ip
- name: DnsName
description: Any dns based info involved in an alert.
type: array
element:
type: object
fields:
- name: HOSTNAME
description: Hostname field
type: string
- name: PORT_LIST
description: PortList field
type: array
element:
type: int
- name: TOTAL_IN_BYTES
description: TotalINBytes field
type: float
- name: TOTAL_OUT_BYTES
description: TotalOUTBytes field
type: float
- name: IpAddress
description: Any ip based info involved in an alert.
type: array
element:
type: object
fields:
- name: IP_ADDRESS
description: SourceIPAddress field
type: string
indicators:
- ip
- name: TOTAL_IN_BYTES
description: TotalINBytes field
type: float
- name: TOTAL_OUT_BYTES
description: TotalOUTBytes field
type: float
- name: THREAT_TAGS
description: ThreatTags field
type: array
element:
type: string
- name: THREAT_SOURCE
description: ThreatSource field
type: json
- name: COUNTRY
description: Country field
type: string
- name: REGION
description: Region field
type: string
- name: PORT_LIST
description: PortList field
type: array
element:
type: int
- name: FIRST_SEEN_TIME
description: FirstSeenTime field
type: string
- name: Process
description: Any process based info involved in an alert.
type: array
element:
type: object
fields:
- name: HOSTNAME
description: Hostname field
type: string
- name: PROCESS_ID
description: ProcessID field
type: bigint
- name: PROCESS_START_TIME
description: ProcessStartTime field
type: timestamp
timeFormat: rfc3339
- name: CMDLINE
description: CommandLine field
type: string
- name: CPU_PERCENTAGE
description: CPUPercentage field
type: float
- name: FileDataHash
description: Any filehash based info involved in an alert.
type: array
element:
type: object
fields:
- name: FILEDATA_HASH
description: FiledataHash field
type: string
- name: MACHINE_COUNT
description: MachineCount field
type: bigint
- name: EXE_PATH_LIST
description: EXEPathList field
type: array
element:
type: string
- name: FIRST_SEEN_TIME
description: FirstSeenTime field
type: timestamp
timeFormat: rfc3339
- name: IS_KNOWN_BAD
description: ISKnownBad field
type: bigint
- name: FileExePath
description: Any executable filepath information.
type: array
element:
type: object
fields:
- name: EXE_PATH
description: EXEPath field