Overview
Panther supports ingesting Lacework export logs via the common Data Transport options: Amazon Web Services (AWS) S3, Google Cloud Storage (GCS), and Azure Blob.
If you are looking for instructions on ingesting Lacework.Events logs, please see the Lacework Alert Channel Webhook documentation.
How to onboard Lacework Export logs to Panther
To connect these logs into Panther:
1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. Search for "Lacework Export", then click its tile.
3. In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration.
4. Follow Panther's instructions for configuring the selected Data Transport method.
5. Configure Lacework to push logs to the Data Transport source.
Supported log types
Lacework.AgentManagement
Lacework.AgentManagement gathers Lacework agent management information.
Reference: Lacework Documentation on AgentManagement.

```yaml
fields:
  - name: AGENT_VERSION
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: HOSTNAME
    required: true
    type: string
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: LAST_UPDATE
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: MID
    required: true
    type: string
  - name: MODE
    required: true
    type: string
  - name: OS
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
  - name: TAGS
    type: json
```
Lacework.AlertDetails
Lacework.AlertDetails provides information about generated alerts.
Reference: Lacework Documentation on AlertDetails.

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: ENTITY_MAP
    required: true
    type: object
    fields:
      - name: NewViolation
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
                - name: resource
                  type: string
                  indicators:
                    - aws_arn
            - name: PROPS
              type: json
      - name: RecId
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: eval_guid
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
      - name: Resource
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: name
                  type: string
                - name: value
                  type: string
                  indicators:
                    - aws_arn
      - name: ViolationReason
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
  - name: EVENT_ACTOR
    required: true
    type: string
  - name: EVENT_ID
    required: true
    type: bigint
  - name: EVENT_MODEL
    required: true
    type: string
  - name: EVENT_TYPE
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
```
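The schema above carries two details that matter when you check an export before onboarding it: `required: true` fields must be present, and a `timeFormats` list is tried in order until one format parses, with the `isEventTime` field becoming the event's timestamp. The following is an added example, not Panther's own parser or any Lacework code: it re-implements those two behaviours in plain Python for a subset of the Lacework.AlertDetails fields so a sample record can be validated offline. The sample record, the AWS ARN and account id in it, and the assumption that timestamps without a zone are UTC are all constructed for this example.

```python
"""Offline validation of a Lacework.AlertDetails export record.

Added example (not Panther's parser): mimics `required`, `timeFormats`
(tried in order) and `isEventTime` from the schema fragment above.
"""
from datetime import datetime, timezone

# Subset of the Lacework.AlertDetails schema above, as Python data.
ALERT_DETAILS_SCHEMA = {
    "END_TIME": {
        "required": True,
        "type": "timestamp",
        "timeFormats": ["%a, %d %b %Y %H:%M:%S %z", "%Y-%m-%d %H:%M:%S.%f"],
        "isEventTime": True,
    },
    "ENTITY_MAP": {"required": True, "type": "object"},
    "EVENT_ACTOR": {"required": True, "type": "string"},
    "EVENT_ID": {"required": True, "type": "bigint"},
    "EVENT_MODEL": {"required": True, "type": "string"},
    "EVENT_TYPE": {"required": True, "type": "string"},
    "START_TIME": {
        "required": True,
        "type": "timestamp",
        "timeFormats": ["%a, %d %b %Y %H:%M:%S %z", "%Y-%m-%d %H:%M:%S.%f"],
    },
}

# Python types that each schema type must map onto.
PYTHON_TYPES = {"string": str, "bigint": int, "object": dict}


def parse_timestamp(value, formats):
    """Try each format in order (like a `timeFormats` list); return an aware UTC datetime."""
    for fmt in formats:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            # Assumption for this example: zone-less export times are UTC.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"{value!r} matches none of {formats}")


def validate(record, schema):
    """Return a list of problems; an empty list means the record satisfies the schema subset."""
    problems = []
    for name, spec in schema.items():
        if name not in record:
            if spec.get("required"):
                problems.append(f"missing required field {name}")
            continue
        value = record[name]
        if spec["type"] == "timestamp":
            try:
                parse_timestamp(value, spec["timeFormats"])
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
        elif not isinstance(value, PYTHON_TYPES[spec["type"]]):
            problems.append(
                f"{name}: expected {spec['type']}, got {type(value).__name__}"
            )
    return problems


def event_time(record, schema):
    """Parse the field flagged `isEventTime`, which Panther uses as the event timestamp."""
    for name, spec in schema.items():
        if spec.get("isEventTime"):
            return parse_timestamp(record[name], spec["timeFormats"])
    raise KeyError("schema has no isEventTime field")


# Constructed sample record (not real Lacework output); both time formats appear.
SAMPLE_RECORD = {
    "START_TIME": "Mon, 05 Jun 2023 10:00:00 +0000",
    "END_TIME": "2023-06-05 11:00:00.000",
    "ENTITY_MAP": {
        "Resource": [
            {"KEY": {"name": "arn", "value": "arn:aws:iam::000000000000:role/placeholder"}}
        ]
    },
    "EVENT_ACTOR": "Compliance",
    "EVENT_ID": 42,
    "EVENT_MODEL": "AwsCompliance",
    "EVENT_TYPE": "NewViolations",
}

if __name__ == "__main__":
    print("problems:", validate(SAMPLE_RECORD, ALERT_DETAILS_SCHEMA))
    print("event time:", event_time(SAMPLE_RECORD, ALERT_DETAILS_SCHEMA).isoformat())
```

Running a few real export records through `validate` before enabling the source is a cheap way to catch a timestamp format Lacework emits that the schema does not list, which would otherwise surface as classification failures after onboarding.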
Lacework.AllFiles
Lacework.AllFiles tracks every time Lacework detects a file.
Reference: Lacework Documentation on AllFiles.

```yaml
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
```
Lacework.Applications
Lacework.Applications contains information about applications running on machines with a Lacework agent installed, with details such as application name, user name, and machine.
Reference: Lacework Documentation on Applications.

```yaml
fields:
  - name: APP_NAME
    required: true
    description: The application name detected by the Lacework agent installed on the machine.
    type: string
  - name: CONTAINER_INFO
    description: The container info provides details about the container where the application is running.
    type: json
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: EXE_PATH
    required: true
    description: The executable path for the detected application.
    type: string
  - name: MID
    description: The Lacework-generated machine identifier that uniquely identifies the machine.
    type: string
  - name: NET_STATS
    description: The network stats about the application including the number of bytes in and out of the network.
    type: json
  - name: PROPS_MACHINE
    description: The machine properties such as host name, ip address, machine tags, etc.
    type: object
    fields:
      - name: hostname
        description: hostname
        type: string
        indicators:
          - hostname
      - name: ip_addr
        description: ip_addr
        type: string
        indicators:
          - ip
      - name: mem_kbytes
        description: mem_kbytes
        type: bigint
      - name: num_users
        description: num_users
        type: bigint
      - name: primary_tags
        description: primary_tags
        type: json
      - name: tags
        description: tags
        type: json
      - name: up_time
        description: up_time
        type: bigint
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: USERNAME
    description: The username running the application on the machine.
    type: object
    fields:
      - name: effective
        description: effective
        type: string
        indicators:
          - username
      - name: original
        description: original
        type: string
        indicators:
          - username
```
Lacework.ChangeFiles
Lacework.ChangeFiles tracks every time a file is changed in your environment.
Reference: Lacework Documentation on ChangeFiles.

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```
Lacework.CloudCompliance
Lacework.CloudCompliance tracks compliance violations identified by Lacework cloud assessments.
Reference: Lacework Documentation on CloudCompliance.

```yaml
fields:
  - name: REASON
    type: string
  - name: REGION
    type: string
  - name: RESOURCE
    type: string
    indicators:
      - aws_arn
  - name: ACCOUNT
    required: true
    type: object
    fields:
      - name: AccountId
        type: string
        indicators:
          - aws_account_id
      - name: Account_Alias
        type: string
  - name: EVAL_TYPE
    required: true
    type: string
  - name: ID
    required: true
    type: string
  - name: RECOMMENDATION
    type: string
  - name: REPORT_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%a, %d %b %Y %H:%M:%S %z'
    isEventTime: true
  - name: SECTION
    type: string
  - name: SEVERITY
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
```
Lacework.CloudConfiguration
Lacework.CloudConfiguration contains details about supported and configured cloud resources.
Reference: Lacework Documentation on CloudConfiguration.

```yaml
fields:
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: URN
    required: true
    description: URN of the resource.
    type: string
    indicators:
      - aws_arn
  - name: SERVICE
    description: The service that the resource belongs to.
    type: string
  - name: STATUS
    description: The status of the resource.
    type: json
  - name: CLOUD_DETAILS
    description: Cloud details.
    type: json
  - name: RESOURCE_TYPE
    description: The resource type.
    type: string
  - name: RESOURCE_ID
    required: true
    description: The ID of the resource.
    type: string
  - name: RESOURCE_REGION
    description: The region that the resource belongs to.
    type: string
  - name: RESOURCE_CONFIG
    description: The configuration of the resource.
    type: json
  - name: RESOURCE_TAGS
    description: The tags associated with the resource.
    type: json
  - name: CSP
    description: The cloud provider.
    type: string
  - name: API_KEY
    description: The key describing the API used to fetch data for the resource.
    type: string
```
Lacework.Cmdline
Lacework.Cmdline monitors any command line invocations in your environment.
Reference: Lacework Documentation on Cmdline.

```yaml
fields:
  - name: CMDLINE
    required: true
    type: string
  - name: CMDLINE_HASH
    required: true
    type: string
    indicators:
      - md5
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
```
Lacework.Connections
Lacework.Connections monitors for connections in your environment.
Reference: Lacework Documentation on Connections.

```yaml
fields:
  - name: DST_ENTITY_ID
    required: true
    type: json
  - name: DST_ENTITY_TYPE
    required: true
    type: string
  - name: DST_IN_BYTES
    required: true
    type: bigint
  - name: DST_OUT_BYTES
    required: true
    type: bigint
  - name: ENDPOINT_DETAILS
    required: true
    type: json
  - name: END_TIME
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%Y-%m-%d %H:%M:%S.%f Z'
  - name: NUM_CONNS
    type: bigint
  - name: SRC_ENTITY_ID
    required: true
    type: json
  - name: SRC_ENTITY_TYPE
    required: true
    type: string
  - name: SRC_IN_BYTES
    required: true
    type: bigint
  - name: SRC_OUT_BYTES
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%Y-%m-%d %H:%M:%S.%f Z'
```
Lacework.ContainerSummary
Lacework.ContainerSummary monitors for containers in your environment.
Reference: Lacework Documentation on ContainerSummary.

```yaml
fields:
  - name: POD_NAME
    type: string
  - name: CONTAINER_NAME
    required: true
    type: string
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IMAGE_ID
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: PROPS_CONTAINER
    required: true
    type: object
    fields:
      - name: VOLUME_MAP
        type: json
      - name: POD_IP_ADDR
        type: string
        indicators:
          - ip
      - name: LISTEN_PORT_MAP
        type: json
      - name: POD_TYPE
        type: string
      - name: PROPS_LABEL
        type: json
      - name: CONTAINER_START_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: CONTAINER_TYPE
        required: true
        type: string
      - name: IMAGE_AUTHOR
        required: true
        type: string
      - name: IMAGE_CREATED_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: IMAGE_ID
        required: true
        type: string
      - name: IMAGE_PARENT_ID
        required: true
        type: string
      - name: IMAGE_REPO
        required: true
        type: string
      - name: IMAGE_SIZE
        required: true
        type: bigint
      - name: IMAGE_TAG
        required: true
        type: string
      - name: IMAGE_VERSION
        required: true
        type: string
      - name: IMAGE_VIRTUAL_SIZE
        required: true
        type: bigint
      - name: IPV4
        required: true
        type: string
        indicators:
          - ip
      - name: NAME
        required: true
        type: string
      - name: NETWORK_MODE
        required: true
        type: string
      - name: PID_MODE
        required: true
        type: string
      - name: PRIVILEGED
        required: true
        type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: TAGS
    required: true
    type: json
```
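The `PROPS_CONTAINER` object is where the security-relevant container settings live: `PRIVILEGED`, `NETWORK_MODE` and `PID_MODE`. The following is an added example of a Panther-style Python detection (the `rule`, `title` and `severity` entry points) over a Lacework.ContainerSummary record; it is not a rule shipped by Panther or Lacework. It assumes that `PRIVILEGED` is `1` for a privileged container and `0` otherwise, and that `NETWORK_MODE` and `PID_MODE` carry the Docker-style string `host` when a container shares a host namespace; the sample event, image name and MID are constructed for the example.

```python
"""Panther-style detection for risky container settings in Lacework.ContainerSummary.

Added example (not a Panther- or Lacework-provided rule). The event is the
parsed log record as a dict; Panther passes a dict-like event object with
the same .get() interface.
"""

HOST_NAMESPACE = "host"  # assumption: Docker-style mode string for host namespaces


def risky_settings(event):
    """Return the list of risky settings found in the event's PROPS_CONTAINER."""
    props = event.get("PROPS_CONTAINER") or {}
    findings = []
    if props.get("PRIVILEGED") == 1:  # assumption: 1 means the container is privileged
        findings.append("privileged")
    if props.get("NETWORK_MODE") == HOST_NAMESPACE:
        findings.append("host network namespace")
    if props.get("PID_MODE") == HOST_NAMESPACE:
        findings.append("host PID namespace")
    return findings


def rule(event):
    """Panther rule entry point: True means the event should alert."""
    return bool(risky_settings(event))


def title(event):
    """Alert title naming the container, image and machine."""
    props = event.get("PROPS_CONTAINER") or {}
    return (
        f"Lacework: container {event.get('CONTAINER_NAME', '<unknown>')} "
        f"({props.get('IMAGE_REPO', '?')}:{props.get('IMAGE_TAG', '?')}) "
        f"on MID {event.get('MID', '?')} runs with {', '.join(risky_settings(event))}"
    )


def severity(event):
    """Privileged plus a shared host namespace is worse than either alone."""
    findings = risky_settings(event)
    if "privileged" in findings and len(findings) > 1:
        return "HIGH"
    return "MEDIUM" if findings else "INFO"


# Constructed sample record (not real Lacework output), shaped like the schema above.
SAMPLE_EVENT = {
    "CONTAINER_NAME": "build-agent",
    "END_TIME": "2023-06-05 11:00:00.000",
    "IMAGE_ID": "sha256:placeholder",
    "MID": "12345",
    "PROPS_CONTAINER": {
        "IMAGE_REPO": "registry.example.invalid/ci/build-agent",
        "IMAGE_TAG": "latest",
        "IPV4": "10.0.0.12",
        "NETWORK_MODE": "host",
        "PID_MODE": "default",
        "PRIVILEGED": 1,
    },
    "START_TIME": "2023-06-05 10:00:00.000",
    "TAGS": {},
}

if __name__ == "__main__":
    print(rule(SAMPLE_EVENT), severity(SAMPLE_EVENT))
    print(title(SAMPLE_EVENT))
```

Because ContainerSummary rows are hourly aggregates, a container that runs for a day produces many rows; in Panther you would pair this rule with a dedup key of `MID` plus `CONTAINER_NAME` so one long-running container raises one alert rather than one per hour.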
Lacework.ContainerVulnDetails
Lacework.ContainerVulnDetails monitors for container vulnerabilities in your environment.
Reference: Lacework Documentation on ContainerVulnDetails.

```yaml
fields:
  - name: SEVERITY
    type: string
  - name: VULN_ID
    type: string
  - name: EVAL_CTX
    required: true
    type: object
    fields:
      - name: cve_batch_info
        required: true
        type: array
        element:
          type: object
          fields:
            - name: cve_batch_id
              required: true
              type: string
            - name: cve_created_time
              required: true
              type: timestamp
              timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
      - name: image_info
        required: true
        type: object
        fields:
          - name: created_time
            required: true
            type: timestamp
            timeFormat: unix_ms
          - name: digest
            required: true
            type: string
          - name: id
            required: true
            type: string
          - name: registry
            required: true
            type: string
          - name: repo
            required: true
            type: string
          - name: scan_created_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: size
            required: true
            type: bigint
          - name: status
            required: true
            type: string
          - name: tags
            required: true
            type: array
            element:
              type: string
          - name: type
            required: true
            type: string
      - name: integration_props
        required: true
        type: object
        fields:
          - name: INTG_GUID
            type: string
          - name: NAME
            type: string
          - name: REGISTRY_TYPE
            type: string
      - name: is_reeval
        required: true
        type: boolean
      - name: request_source
        required: true
        type: string
      - name: scan_batch_id
        required: true
        type: string
      - name: scan_request_props
        required: true
        type: object
        fields:
          - name: reqId
            type: string
          - name: data_format_version
            required: true
            type: string
          - name: props
            required: true
            type: object
            fields:
              - name: data_format_version
                required: true
                type: string
              - name: scanner_version
                required: true
                type: string
          - name: scanCompletionUtcTime
            required: true
            type: timestamp
            timeFormat: unix
          - name: scan_start_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: scanner_version
            required: true
            type: string
      - name: vuln_batch_id
        required: true
        type: string
      - name: vuln_created_time
        required: true
        type: timestamp
        timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
  - name: FEATURE_KEY
    required: true
    type: object
    fields:
      - name: name
        required: true
        type: string
      - name: namespace
        required: true
        type: string
      - name: version
        required: true
        type: string
  - name: FEATURE_PROPS
    required: true
    type: object
    fields:
      - name: introduced_in
        required: true
        type: string
      - name: layer
        required: true
        type: string
      - name: src
        required: true
        type: string
      - name: version_format
        required: true
        type: string
  - name: FIX_INFO
    required: true
    type: object
    fields:
      - name: compare_result
        required: true
        type: string
      - name: fix_available
        required: true
        type: string
      - name: fixed_version
        required: true
        type: string
  - name: IMAGE_ID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: STATUS
    required: true
    type: string
```
Lacework.DNSQuery
Lacework.DNSQuery monitors for any DNS queries in your environment.
Reference: Lacework Documentation on DNSQuery.

```yaml
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: DNS_SERVER_IP
    required: true
    type: string
    indicators:
      - ip
  - name: FQDN
    required: true
    type: string
    indicators:
      - domain
  - name: HOST_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: string
  - name: TTL
    required: true
    type: bigint
```
Lacework.HostVulnDetails
Lacework.HostVulnDetails provides details around any vulnerabilities on hosts across your environment.
Reference: Lacework Documentation on HostVulnDetails.

```yaml
fields:
  - name: FIX_INFO
    type: object
    fields:
      - name: compare_result
        required: true
        type: string
      - name: eval_status
        required: true
        type: string
      - name: fix_available
        required: true
        type: string
      - name: fixed_version
        required: true
        type: string
      - name: fixed_version_comparison_infos
        required: true
        type: array
        element:
          type: object
          fields:
            - name: curr_fix_ver
              required: true
              type: string
            - name: is_curr_fix_ver_greater_than_other_fix_ver
              required: true
              type: string
            - name: other_fix_ver
              required: true
              type: string
      - name: fixed_version_comparison_score
        required: true
        type: bigint
      - name: version_installed
        required: true
        type: string
  - name: SEVERITY
    type: string
  - name: STATUS
    type: string
  - name: VULN_ID
    type: string
  - name: CVE_PROPS
    required: true
    type: object
    fields:
      - name: cve_batch_id
        type: string
      - name: description
        type: string
      - name: link
        type: string
        indicators:
          - url
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: EVAL_CTX
    required: true
    type: object
    fields:
      - name: data_source
        required: true
        type: string
      - name: hostname
        required: true
        type: string
      - name: mc_eval_guid
        required: true
        type: string
  - name: FEATURE_KEY
    required: true
    type: object
    fields:
      - name: name
        required: true
        type: string
      - name: namespace
        required: true
        type: string
      - name: package_active
        required: true
        type: boolean
      - name: package_path
        required: true
        type: string
      - name: version_installed
        required: true
        type: string
  - name: MACHINE_TAGS
    required: true
    type: json
  - name: MID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```
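Three nested fields in this schema decide whether a HostVulnDetails row is actionable: `FEATURE_KEY.package_active` (the vulnerable package is actually in use), `FIX_INFO.fix_available` and `FIX_INFO.fixed_version` (there is something to upgrade to), alongside the top-level `SEVERITY`. The following is an added example of a Panther-style rule that alerts only on that intersection, with a dedup key so one host and CVE produce one alert across repeated hourly rows; it is not a rule shipped by Panther or Lacework. It assumes `SEVERITY` uses the words Critical/High/Medium/Low and that `fix_available`, which the schema types as a string, is spelled `1`, `true` or `yes` when a fix exists; the two sample records, their package names, versions, hostnames and the placeholder CVE id are constructed.

```python
"""Panther-style triage rule for Lacework.HostVulnDetails records.

Added example (not a Panther- or Lacework-provided rule). Alerts when a
Critical/High finding is on an active package and a fixed version exists.
"""

ALERTING_SEVERITIES = {"critical": "CRITICAL", "high": "HIGH"}  # assumption: Lacework severity words


def fix_is_available(fix_info):
    """FIX_INFO.fix_available is a string in the schema; accept common truthy spellings (assumption)."""
    value = str((fix_info or {}).get("fix_available", "")).strip().lower()
    return value in {"1", "true", "yes"}


def rule(event):
    """Panther rule entry point: True only for actionable, fixable, active-package findings."""
    if str(event.get("SEVERITY", "")).lower() not in ALERTING_SEVERITIES:
        return False
    if not (event.get("FEATURE_KEY") or {}).get("package_active"):
        return False
    return fix_is_available(event.get("FIX_INFO"))


def severity(event):
    """Map Lacework's severity word onto Panther's alert severity."""
    return ALERTING_SEVERITIES.get(str(event.get("SEVERITY", "")).lower(), "INFO")


def dedup(event):
    """One alert per machine, vulnerability and package, however many hourly rows arrive."""
    feature = event.get("FEATURE_KEY") or {}
    return f"{event.get('MID', '?')}:{event.get('VULN_ID', '?')}:{feature.get('name', '?')}"


def title(event):
    feature = event.get("FEATURE_KEY") or {}
    host = (event.get("EVAL_CTX") or {}).get("hostname", "<unknown host>")
    return (
        f"Lacework: {event.get('VULN_ID', '?')} ({event.get('SEVERITY', '?')}) in "
        f"{feature.get('name', '?')} {feature.get('version_installed', '?')} on {host}, fix available"
    )


def alert_context(event):
    """Fields an analyst needs to act without opening the Lacework console."""
    fix_info = event.get("FIX_INFO") or {}
    feature = event.get("FEATURE_KEY") or {}
    return {
        "hostname": (event.get("EVAL_CTX") or {}).get("hostname"),
        "mid": event.get("MID"),
        "package": feature.get("name"),
        "namespace": feature.get("namespace"),
        "installed_version": feature.get("version_installed"),
        "fixed_version": fix_info.get("fixed_version"),
        "cve_link": (event.get("CVE_PROPS") or {}).get("link"),
        "machine_tags": event.get("MACHINE_TAGS"),
    }


# Constructed sample records (not real Lacework output); CVE id is a placeholder.
ACTIONABLE = {
    "SEVERITY": "Critical",
    "STATUS": "Active",
    "VULN_ID": "CVE-0000-00000",
    "FIX_INFO": {"compare_result": "1", "eval_status": "VULNERABLE",
                 "fix_available": "1", "fixed_version": "1.2.4-1", "version_installed": "1.2.3-1"},
    "CVE_PROPS": {"link": "https://cve.example.invalid/CVE-0000-00000"},
    "EVAL_CTX": {"data_source": "agent", "hostname": "web-01.example.invalid", "mc_eval_guid": "guid-placeholder"},
    "FEATURE_KEY": {"name": "openssl", "namespace": "debian:12", "package_active": True,
                    "package_path": "", "version_installed": "1.2.3-1"},
    "MACHINE_TAGS": {"env": "prod"},
    "MID": "12345",
}
# Same finding, but the package is installed and not in use: informational, not an alert.
NOT_ACTIONABLE = {**ACTIONABLE, "FEATURE_KEY": {**ACTIONABLE["FEATURE_KEY"], "package_active": False}}

if __name__ == "__main__":
    for event in (ACTIONABLE, NOT_ACTIONABLE):
        print(rule(event), dedup(event), title(event))
```

Findings that fail the `package_active` or `fix_available` checks still belong in the data lake for vulnerability reporting; the rule only keeps them out of the alert queue, which is the difference between a detection and an inventory.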
Lacework.Image
Lacework.Image provides details about any container images in your environment.
Reference: Lacework Documentation on Images.

```yaml
fields:
  - name: CONTAINER_TYPE
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IMAGE_ID
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: REPO
    required: true
    type: string
  - name: SIZE
    required: true
    type: bigint
  - name: TAG
    required: true
    type: string
```
Lacework.Interfaces
Lacework.Interfaces monitors any discovered network interfaces across your environment.
Reference: Lacework Documentation on Interfaces.

```yaml
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: HW_ADDR
    required: true
    type: string
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: string
  - name: NAME
    required: true
    type: string
```
Lacework.InternalIPA
Lacework.InternalIPA monitors any internal IP addresses across your environment.
Reference: Lacework Documentation on InternalIPA.

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```
Lacework.MachineDetails
Lacework.MachineDetails aggregates historical data about any machines found in your environment.
Reference: Lacework Documentation on MachineDetails.

```yaml
fields:
  - name: AWS_INSTANCE_ID
    type: string
    indicators:
      - aws_instance_id
  - name: AWS_ZONE
    type: string
  - name: TAGS
    type: json
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: DOMAIN
    required: true
    type: string
    indicators:
      - domain
  - name: HOSTNAME
    required: true
    type: string
    indicators:
      - hostname
  - name: KERNEL
    required: true
    type: string
  - name: KERNEL_RELEASE
    required: true
    type: string
  - name: KERNEL_VERSION
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: OS
    required: true
    type: string
  - name: OS_VERSION
    required: true
    type: string
```
Lacework.MachineSummary
Lacework.MachineSummary summarizes and aggregates details about machines in your environment.
Reference: Lacework Documentation on MachineSummary.

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: ENTITY_TYPE
    required: true
    type: string
  - name: HOSTNAME
    required: true
    type: string
  - name: MACHINE_TAGS
    required: true
    type: json
  - name: MID
    required: true
    type: string
  - name: PRIMARY_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```
Lacework.NewHashes
Lacework.NewHashes tracks any new file hashes in your environment.
Reference: Lacework Documentation on NewHashes.

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```
Lacework.Package
Lacework.Package tracks any packages in your environment.
Reference: Lacework Documentation on Packages.

```yaml
fields:
  - name: ARCH
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: MID
    required: true
    type: string
  - name: PACKAGE_NAME
    required: true
    type: string
  - name: VERSION
    required: true
    type: string
```
Lacework.PodSummary
Lacework.PodSummary tracks any pods (collections of one or more containers) in your environment.
Reference: Lacework Documentation on PodSummary.

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: MID
    required: true
    type: string
  - name: POD_NAME
    required: true
    type: string
  - name: PRIMARY_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: PROPS_CONTAINER
    required: true
    type: json
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```
Lacework.ProcessSummary
Lacework.ProcessSummary tracks any processes running in your environment.
Reference: Lacework Documentation on ProcessSummary.

```yaml
fields:
  - name: POD_NAME
    type: string
  - name: CONTAINER_ID
    type: string
  - name: CMDLINE_HASH
    required: true
    type: string
    indicators:
      - md5
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: PID
    required: true
    type: string
  - name: PPID
    required: true
    type: string
  - name: PROCESS_START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: UID
    required: true
    type: string
  - name: USERNAME
    required: true
    type: string
    indicators:
      - username
```
Lacework.UserDetails
Lacework.UserDetails tracks historical data about any users in your environment.
Reference: Lacework Documentation on UserDetails.

```yaml
fields:
  - name: OTHER_GROUP_NAMES
    type: array
    element:
      type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: MID
    required: true
    type: string
  - name: PRIMARY_GROUP_NAME
    required: true
    type: string
  - name: UID
    required: true
    type: string
  - name: USERNAME
    required: true
    type: string
    indicators:
      - username
```