# Lacework Export

## Overview

Panther supports ingesting Lacework Export logs through the common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options: Amazon Web Services (AWS) S3, Google Cloud Storage (GCS), and Azure Blob.

If you are looking for instructions on ingesting `Lacework.Events` logs, please see the [Lacework Alert Channel Webhook documentation](https://docs.panther.com/data-onboarding/supported-logs/lacework/webhook).

## How to onboard Lacework Export logs to Panther

To connect these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure > Log Sources**.
2. Click **Create New**.
3. Search for "Lacework Export", then click its tile.
4. In the **Transport Mechanism** drop-down, select the Data Transport method you wish to use for this integration.\
   ![After choosing Lacework Export, the slideout tile is displayed. There is a dropdown in the upper right where you can select the Transport Mechanism.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-131cf851ccbc6dab17fdef9e147e1418751b6dd9%2FScreenshot%202024-02-21%20at%2011.45.00%20AM.png?alt=media)
5. Click **Start Setup**.
6. Follow Panther's instructions for configuring the selected Data Transport method:
   * [AWS S3 bucket](https://docs.panther.com/data-onboarding/data-transports/aws/s3)
   * [Google Cloud Storage (GCS)](https://docs.panther.com/data-onboarding/data-transports/google/cloud-storage)
   * [Azure Blob](https://docs.panther.com/data-onboarding/data-transports/azure-blob-storage)
7. Configure Lacework to push logs to the Data Transport source.
   * See [Lacework's documentation](https://docs.lacework.com/console/category/data-shares--export) for instructions on pushing logs to your selected Data Transport source.

## Supported log types

### Lacework.AgentManagement

Lacework.AgentManagement gathers Lacework agent management information.

Reference: [Lacework Documentation on AgentManagement](https://docs.lacework.com/console/agentmanagementv-view).

```yaml
fields:
  - name: AGENT_VERSION
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: HOSTNAME
    required: true
    type: string
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: LAST_UPDATE
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: MID
    required: true
    type: string
  - name: MODE
    required: true
    type: string
  - name: OS
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
  - name: TAGS
    type: json
```

### Lacework.AlertDetails

Lacework.AlertDetails provides information about generated alerts.

Reference: [Lacework Documentation on AlertDetails](https://docs.lacework.com/console/alertdetailsv-view).

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: ENTITY_MAP
    required: true
    type: object
    fields:
      - name: NewViolation
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
                - name: resource
                  type: string
                  indicators:
                    - aws_arn
            - name: PROPS
              type: json
      - name: RecId
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: eval_guid
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
      - name: Resource
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: name
                  type: string
                - name: value
                  type: string
                  indicators:
                    - aws_arn
      - name: ViolationReason
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
  - name: EVENT_ACTOR
    required: true
    type: string
  - name: EVENT_ID
    required: true
    type: bigint
  - name: EVENT_MODEL
    required: true
    type: string
  - name: EVENT_TYPE
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.AllFiles

Lacework.AllFiles tracks every time Lacework detects a file.

Reference: [Lacework Documentation on AllFiles](https://docs.lacework.com/console/allfilesv-view).

```yaml
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
```

### Lacework.Applications

Lacework.Applications contains information about applications running on machines with a Lacework agent installed, including details such as the application name, user name, and machine.

Reference: [Lacework Documentation on Applications](https://docs.lacework.com/console/applicationsv-view).

```yaml
fields:
  - name: APP_NAME
    required: true
    description: The application name detected by the Lacework agent installed on the machine.
    type: string
  - name: CONTAINER_INFO
    description: The container info provides details about the container where the application is running.
    type: json
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: EXE_PATH
    required: true
    description: The executable path for the detected application.
    type: string
  - name: MID
    description: The Lacework-generated machine identifier that uniquely identifies the machine.
    type: string
  - name: NET_STATS
    description: The network stats about the application including the number of bytes in and out of the network.
    type: json
  - name: PROPS_MACHINE
    description: The machine properties such as host name, ip address, machine tags, etc.
    type: object
    fields:
      - name: hostname
        description: hostname
        type: string
        indicators:
          - hostname
      - name: ip_addr
        description: ip_addr
        type: string
        indicators:
          - ip
      - name: mem_kbytes
        description: mem_kbytes
        type: bigint
      - name: num_users
        description: num_users
        type: bigint
      - name: primary_tags
        description: primary_tags
        type: json
      - name: tags
        description: tags
        type: json
      - name: up_time
        description: up_time
        type: bigint
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: USERNAME
    description: The username running the application on the machine.
    type: object
    fields:
      - name: effective
        description: effective
        type: string
        indicators:
          - username
      - name: original
        description: original
        type: string
        indicators:
          - username
```

### Lacework.ChangeFiles

Lacework.ChangeFiles tracks every time a file is changed in your environment.

Reference: [Lacework Documentation on ChangeFiles](https://docs.lacework.com/console/changefilesv-view).

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.CloudCompliance

Lacework.CloudCompliance tracks compliance violations identified by Lacework cloud assessments.

Reference: [Lacework Documentation on CloudCompliance](https://docs.lacework.com/console/cloudcompliancev-view).

```yaml
fields:
  - name: REASON
    type: string
  - name: REGION
    type: string
  - name: RESOURCE
    type: string
    indicators:
      - aws_arn
  - name: ACCOUNT
    required: true
    type: object
    fields:
      - name: AccountId
        type: string
        indicators:
          - aws_account_id
      - name: Account_Alias
        type: string
  - name: EVAL_TYPE
    required: true
    type: string
  - name: ID
    required: true
    type: string
  - name: RECOMMENDATION
    type: string
  - name: REPORT_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%a, %d %b %Y %H:%M:%S %z'
    isEventTime: true
  - name: SECTION
    type: string
  - name: SEVERITY
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
```
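A Panther rule over this log type, as an added example (it is not Panther's or Lacework's own code): it fires on `NonCompliant` rows of Critical or High severity, builds the alert title from the schema fields above, and dedups on the finding `ID` plus `RESOURCE` so that a finding Lacework re-reports in every assessment does not raise a fresh alert each time. The severity values (`Critical`/`High` labels or their numeric ranks `"1"`/`"2"`) are an assumption about what Lacework exports, since the schema only types `SEVERITY` as a string; the sample rows are constructed. `event` is a plain dict here, whereas in Panther it is the event object, whose `get` behaves the same and which also provides `deep_get`.

```python
# Panther-style rule for Lacework.CloudCompliance (added example; not from the Panther or Lacework docs).
# Functions follow Panther's rule contract: rule() decides, title()/dedup()/severity() shape the alert.

# Assumption: Lacework exports severity either as a label or as a numeric rank ("1" = Critical).
SEVERITY_BY_RANK = {"1": "Critical", "2": "High", "3": "Medium", "4": "Low", "5": "Info"}
ALERT_ON = {"Critical", "High"}


def deep_get(event, *keys, default=None):
    """Walk nested dicts safely; Panther's event object provides an equivalent event.deep_get()."""
    value = event
    for key in keys:
        if not isinstance(value, dict):
            return default
        value = value.get(key)
        if value is None:
            return default
    return value


def normalize_severity(raw):
    """Map "1", "Critical" or "critical" to "Critical"; anything unrecognised becomes "Unknown"."""
    if raw is None:
        return "Unknown"
    text = str(raw).strip()
    if text in SEVERITY_BY_RANK:
        return SEVERITY_BY_RANK[text]
    label = text.capitalize()
    return label if label in SEVERITY_BY_RANK.values() else "Unknown"


def rule(event):
    """Alert only on failing checks of Critical/High severity; Compliant and Suppressed rows never fire."""
    if event.get("STATUS") != "NonCompliant":
        return False
    return normalize_severity(event.get("SEVERITY")) in ALERT_ON


def title(event):
    """Human-readable alert title built from the ACCOUNT object and the top-level finding fields."""
    account = (
        deep_get(event, "ACCOUNT", "Account_Alias")
        or deep_get(event, "ACCOUNT", "AccountId")
        or "unknown account"
    )
    return (
        f"Lacework {event.get('EVAL_TYPE', 'compliance')} check {event.get('ID')} failed "
        f"({normalize_severity(event.get('SEVERITY'))}) on {event.get('RESOURCE')} in {account}"
    )


def dedup(event):
    """Lacework re-reports open findings in every assessment: key on finding + resource, not REPORT_TIME."""
    return f"{event.get('ID')}:{event.get('RESOURCE')}"


def severity(event):
    """Pass Lacework's severity through to the Panther alert; otherwise keep the rule's default."""
    sev = normalize_severity(event.get("SEVERITY"))
    return sev.upper() if sev in ALERT_ON else "DEFAULT"


# Constructed sample rows (not real Lacework output), in the shape of the schema above.
SAMPLE_NONCOMPLIANT = {
    "REPORT_TIME": "2024-02-05 12:00:00.000",
    "ACCOUNT": {"AccountId": "123456789012", "Account_Alias": "prod"},
    "EVAL_TYPE": "AWS_CIS_S3",
    "ID": "LW_S3_1",
    "RESOURCE": "arn:aws:s3:::example-bucket",
    "REGION": "us-east-1",
    "SEVERITY": "1",
    "STATUS": "NonCompliant",
    "REASON": "Bucket policy allows public access",
    "RECOMMENDATION": "Block public access on the bucket",
}
SAMPLE_COMPLIANT = dict(SAMPLE_NONCOMPLIANT, STATUS="Compliant")
SAMPLE_LOW = dict(SAMPLE_NONCOMPLIANT, SEVERITY="Low")
```

The dedup string matters more than it looks: `REPORT_TIME` changes with every assessment, so keying on it (or on the whole row) turns one open finding into an alert per report.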

### Lacework.CloudConfiguration

Lacework.CloudConfiguration contains details about supported and configured cloud resources.

Reference: [Lacework Documentation on CloudConfiguration](https://docs.lacework.com/console/cloudconfigurationv-view).

```yaml
fields:
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: URN
    required: true
    description: URN of the resource.
    type: string
    indicators:
      - aws_arn
  - name: SERVICE
    description: The service that the resource belongs to.
    type: string
  - name: STATUS
    description: The status of the resource.
    type: json
  - name: CLOUD_DETAILS
    description: Cloud details.
    type: json
  - name: RESOURCE_TYPE
    description: The resource type.
    type: string
  - name: RESOURCE_ID
    required: true
    description: The ID of the resource.
    type: string
  - name: RESOURCE_REGION
    description: The region that the resource belongs to.
    type: string
  - name: RESOURCE_CONFIG
    description: The configuration of the resource.
    type: json
  - name: RESOURCE_TAGS
    description: The tags associated with the resource.
    type: json
  - name: CSP
    description: The cloud provider.
    type: string
  - name: API_KEY
    description: The key describing the API used to fetch data for the resource.
    type: string
```

### Lacework.Cmdline

Lacework.Cmdline monitors any command line invocations in your environment.

Reference: [Lacework Documentation on Cmdline](https://docs.lacework.com/console/cmdlinev-view).

```yaml
fields:
  - name: CMDLINE
    required: true
    type: string
  - name: CMDLINE_HASH
    required: true
    type: string
    indicators:
      - md5
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
```

### Lacework.Connections

Lacework.Connections monitors for connections in your environment.

Reference: [Lacework Documentation on Connections](https://docs.lacework.com/console/connectionsv-view).

```yaml
fields:
  - name: DST_ENTITY_ID
    required: true
    type: json
  - name: DST_ENTITY_TYPE
    required: true
    type: string
  - name: DST_IN_BYTES
    required: true
    type: bigint
  - name: DST_OUT_BYTES
    required: true
    type: bigint
  - name: ENDPOINT_DETAILS
    required: true
    type: json
  - name: END_TIME
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%Y-%m-%d %H:%M:%S.%f Z'
  - name: NUM_CONNS
    type: bigint
  - name: SRC_ENTITY_ID
    required: true
    type: json
  - name: SRC_ENTITY_TYPE
    required: true
    type: string
  - name: SRC_IN_BYTES
    required: true
    type: bigint
  - name: SRC_OUT_BYTES
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%Y-%m-%d %H:%M:%S.%f Z'
```

### Lacework.ContainerSummary

Lacework.ContainerSummary monitors for containers in your environment.

Reference: [Lacework Documentation on ContainerSummary](https://docs.lacework.com/console/containersummaryv-view).

```yaml
fields:
  - name: POD_NAME
    type: string
  - name: CONTAINER_NAME
    required: true
    type: string
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IMAGE_ID
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: PROPS_CONTAINER
    required: true
    type: object
    fields:
      - name: VOLUME_MAP
        type: json
      - name: POD_IP_ADDR
        type: string
        indicators:
          - ip
      - name: LISTEN_PORT_MAP
        type: json
      - name: POD_TYPE
        type: string
      - name: PROPS_LABEL
        type: json
      - name: CONTAINER_START_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: CONTAINER_TYPE
        required: true
        type: string
      - name: IMAGE_AUTHOR
        required: true
        type: string
      - name: IMAGE_CREATED_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: IMAGE_ID
        required: true
        type: string
      - name: IMAGE_PARENT_ID
        required: true
        type: string
      - name: IMAGE_REPO
        required: true
        type: string
      - name: IMAGE_SIZE
        required: true
        type: bigint
      - name: IMAGE_TAG
        required: true
        type: string
      - name: IMAGE_VERSION
        required: true
        type: string
      - name: IMAGE_VIRTUAL_SIZE
        required: true
        type: bigint
      - name: IPV4
        required: true
        type: string
        indicators:
          - ip
      - name: NAME
        required: true
        type: string
      - name: NETWORK_MODE
        required: true
        type: string
      - name: PID_MODE
        required: true
        type: string
      - name: PRIVILEGED
        required: true
        type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: TAGS
    required: true
    type: json
```

### Lacework.ContainerVulnDetails

Lacework.ContainerVulnDetails monitors for container vulnerabilities in your environment.

Reference: [Lacework Documentation on ContainerVulnDetails](https://docs.lacework.com/console/containervulndetailsv-view).

```yaml
fields:
  - name: SEVERITY
    type: string
  - name: VULN_ID
    type: string
  - name: EVAL_CTX
    required: true
    type: object
    fields:
      - name: cve_batch_info
        required: true
        type: array
        element:
          type: object
          fields:
            - name: cve_batch_id
              required: true
              type: string
            - name: cve_created_time
              required: true
              type: timestamp
              timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
      - name: image_info
        required: true
        type: object
        fields:
          - name: created_time
            required: true
            type: timestamp
            timeFormat: unix_ms
          - name: digest
            required: true
            type: string
          - name: id
            required: true
            type: string
          - name: registry
            required: true
            type: string
          - name: repo
            required: true
            type: string
          - name: scan_created_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: size
            required: true
            type: bigint
          - name: status
            required: true
            type: string
          - name: tags
            required: true
            type: array
            element:
              type: string
          - name: type
            required: true
            type: string
      - name: integration_props
        required: true
        type: object
        fields:
          - name: INTG_GUID
            type: string
          - name: NAME
            type: string
          - name: REGISTRY_TYPE
            type: string
      - name: is_reeval
        required: true
        type: boolean
      - name: request_source
        required: true
        type: string
      - name: scan_batch_id
        required: true
        type: string
      - name: scan_request_props
        required: true
        type: object
        fields:
          - name: reqId
            type: string
          - name: data_format_version
            required: true
            type: string
          - name: props
            required: true
            type: object
            fields:
              - name: data_format_version
                required: true
                type: string
              - name: scanner_version
                required: true
                type: string
          - name: scanCompletionUtcTime
            required: true
            type: timestamp
            timeFormat: unix
          - name: scan_start_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: scanner_version
            required: true
            type: string
      - name: vuln_batch_id
        required: true
        type: string
      - name: vuln_created_time
        required: true
        type: timestamp
        timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
  - name: FEATURE_KEY
    required: true
    type: object
    fields:
      - name: name
        required: true
        type: string
      - name: namespace
        required: true
        type: string
      - name: version
        required: true
        type: string
  - name: FEATURE_PROPS
    required: true
    type: object
    fields:
      - name: introduced_in
        required: true
        type: string
      - name: layer
        required: true
        type: string
      - name: src
        required: true
        type: string
      - name: version_format
        required: true
        type: string
  - name: FIX_INFO
    required: true
    type: object
    fields:
      - name: compare_result
        required: true
        type: string
      - name: fix_available
        required: true
        type: string
      - name: fixed_version
        required: true
        type: string
  - name: IMAGE_ID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: STATUS
    required: true
    type: string
```
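The schemas on this page mix several timestamp layouts: a `timeFormats` list that is tried in order (the three-layout `START_TIME` of Lacework.Connections), the `'%Y-%m-%d %H:%M:%S.%f000'` layout above for nine-digit fractional seconds, and the `unix` / `unix_ms` epoch keywords. A check a practitioner wants before switching the source on is whether sample export rows actually satisfy the schema's required fields and whether every timestamp matches one of its listed layouts. The following is an added example (not Panther's own parser or validator): it embeds a fragment of the Lacework.ContainerVulnDetails schema as Python in the same shape as the YAML, validates constructed rows against it, and resolves the `isEventTime` field. Python's `strptime` stands in for Panther's parser, which is an assumption: the layouts are strftime-style, but Panther does not apply them with Python, so treat agreement here as a sanity check rather than proof. Naive timestamps are labelled UTC, also an assumption about the export.

```python
# Added example (not Panther's own code): validate sample Lacework export rows against a schema
# fragment in the YAML's shape, resolving timestamps the way a `timeFormats` list implies
# (first layout that parses wins). Python's strptime stands in for Panther's parser (assumption).
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Epoch keywords accepted in timeFormat, with ticks per second.
EPOCH_UNITS = {"unix": 1, "unix_ms": 1_000, "unix_us": 1_000_000, "unix_ns": 1_000_000_000}


def parse_timestamp(value, formats):
    """Return an aware UTC datetime from the first layout in `formats` that accepts `value`, else None."""
    for fmt in formats:
        if fmt in EPOCH_UNITS:
            try:  # integer arithmetic via Decimal avoids float rounding on millisecond epochs
                micros = int(Decimal(str(value)) * 1_000_000 / EPOCH_UNITS[fmt])
            except (InvalidOperation, TypeError, ValueError):
                continue
            return EPOCH + timedelta(microseconds=micros)
        if not isinstance(value, str):
            continue
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        # Layouts without %z yield naive datetimes; export times are treated as UTC (assumption).
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def check_record(record, fields, path=""):
    """List schema problems: absent required fields and timestamps that no listed layout parses."""
    problems = []
    for spec in fields:
        name = spec["name"]
        full = path + name
        value = record.get(name) if isinstance(record, dict) else None
        if value is None:
            if spec.get("required"):
                problems.append(f"missing required field {full}")
            continue
        if spec["type"] == "timestamp":
            layouts = spec.get("timeFormats") or [spec["timeFormat"]]
            if parse_timestamp(value, layouts) is None:
                problems.append(f"{full}={value!r} matches none of {layouts}")
        elif spec["type"] == "object":
            if isinstance(value, dict):
                problems.extend(check_record(value, spec["fields"], full + "."))
            else:
                problems.append(f"{full} should be an object")
    return problems


def event_time(record, fields):
    """Resolve the top-level field flagged isEventTime, which Panther uses to stamp p_event_time."""
    for spec in fields:
        if spec.get("isEventTime"):
            layouts = spec.get("timeFormats") or [spec["timeFormat"]]
            return parse_timestamp(record.get(spec["name"]), layouts)
    return None


# Fragment of the Lacework.ContainerVulnDetails schema above, as Python in the YAML's shape.
CONTAINER_VULN_FRAGMENT = [
    {"name": "START_TIME", "required": True, "type": "timestamp",
     "timeFormat": "%Y-%m-%d %H:%M:%S.%f", "isEventTime": True},
    {"name": "IMAGE_ID", "required": True, "type": "string"},
    {"name": "VULN_ID", "type": "string"},
    {"name": "EVAL_CTX", "required": True, "type": "object", "fields": [
        {"name": "vuln_created_time", "required": True, "type": "timestamp",
         "timeFormat": "%Y-%m-%d %H:%M:%S.%f000"},
        {"name": "image_info", "required": True, "type": "object", "fields": [
            {"name": "created_time", "required": True, "type": "timestamp", "timeFormat": "unix_ms"},
            {"name": "scan_created_time", "required": True, "type": "timestamp", "timeFormat": "unix"},
        ]},
    ]},
]

# Constructed sample rows (not real Lacework output).
GOOD_ROW = {
    "START_TIME": "2024-02-05 12:00:00.123",
    "IMAGE_ID": "sha256:0123456789abcdef",
    "EVAL_CTX": {
        "vuln_created_time": "2024-02-05 11:59:59.123456000",
        "image_info": {"created_time": 1707134400123, "scan_created_time": "1707134400"},
    },
}
# RFC 2822-style START_TIME is not among this schema's layouts, and IMAGE_ID is missing.
BAD_ROW = dict(GOOD_ROW, START_TIME="Mon, 05 Feb 2024 12:00:00 +0000")
del BAD_ROW["IMAGE_ID"]
```

Run `check_record(row, CONTAINER_VULN_FRAGMENT)` over a handful of rows pulled from the export bucket; an empty list for every row means the required fields and timestamp layouts line up, and any non-empty result names the field that would fail classification.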

### Lacework.DNSQuery

Lacework.DNSQuery monitors for any DNS queries in your environment.

Reference: [Lacework Documentation on DNSQuery](https://docs.lacework.com/console/dnsqueryv-view).

```yaml
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: DNS_SERVER_IP
    required: true
    type: string
    indicators:
      - ip
  - name: FQDN
    required: true
    type: string
    indicators:
      - domain
  - name: HOST_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: string
  - name: TTL
    required: true
    type: bigint
```

### Lacework.HostVulnDetails

Lacework.HostVulnDetails provides details around any vulnerabilities on hosts across your environment.

Reference: [Lacework Documentation on HostVulnDetails](https://docs.lacework.com/console/hostvulndetailsv-view).

```yaml
fields:
  - name: FIX_INFO
    type: object
    fields:
      - name: compare_result
        required: true
        type: string
      - name: eval_status
        required: true
        type: string
      - name: fix_available
        required: true
        type: string
      - name: fixed_version
        required: true
        type: string
      - name: fixed_version_comparison_infos
        required: true
        type: array
        element:
          type: object
          fields:
            - name: curr_fix_ver
              required: true
              type: string
            - name: is_curr_fix_ver_greater_than_other_fix_ver
              required: true
              type: string
            - name: other_fix_ver
              required: true
              type: string
      - name: fixed_version_comparison_score
        required: true
        type: bigint
      - name: version_installed
        required: true
        type: string
  - name: SEVERITY
    type: string
  - name: STATUS
    type: string
  - name: VULN_ID
    type: string
  - name: CVE_PROPS
    required: true
    type: object
    fields:
      - name: cve_batch_id
        type: string
      - name: description
        type: string
      - name: link
        type: string
        indicators:
          - url
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: EVAL_CTX
    required: true
    type: object
    fields:
      - name: data_source
        required: true
        type: string
      - name: hostname
        required: true
        type: string
      - name: mc_eval_guid
        required: true
        type: string
  - name: FEATURE_KEY
    required: true
    type: object
    fields:
      - name: name
        required: true
        type: string
      - name: namespace
        required: true
        type: string
      - name: package_active
        required: true
        type: boolean
      - name: package_path
        required: true
        type: string
      - name: version_installed
        required: true
        type: string
  - name: MACHINE_TAGS
    required: true
    type: json
  - name: MID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.Image

Lacework.Image provides details about any container images in your environment.

Reference: [Lacework Documentation on Images](https://docs.lacework.com/console/imagev-view).

```yaml
fields:
  - name: CONTAINER_TYPE
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IMAGE_ID
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: REPO
    required: true
    type: string
  - name: SIZE
    required: true
    type: bigint
  - name: TAG
    required: true
    type: string
```

### Lacework.Interfaces

Lacework.Interfaces monitors any discovered network interfaces across your environment.

Reference: [Lacework Documentation on Interfaces](https://docs.lacework.com/console/interfacesv-view).

```yaml
fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: HW_ADDR
    required: true
    type: string
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: string
  - name: NAME
    required: true
    type: string
```

### Lacework.InternalIPA

Lacework.InternalIPA monitors any internal IP addresses across your environment.

Reference: [Lacework Documentation on InternalIPA](https://docs.lacework.com/console/internalipav-view).

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: MID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.MachineDetails

Lacework.MachineDetails aggregates historical data about any machines found in your environment.

Reference: [Lacework Documentation on MachineDetails](https://docs.lacework.com/console/machinedetailsv-view).

```yaml
fields:
  - name: AWS_INSTANCE_ID
    type: string
    indicators:
      - aws_instance_id
  - name: AWS_ZONE
    type: string
  - name: TAGS
    type: json
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: DOMAIN
    required: true
    type: string
    indicators:
      - domain
  - name: HOSTNAME
    required: true
    type: string
    indicators:
      - hostname
  - name: KERNEL
    required: true
    type: string
  - name: KERNEL_RELEASE
    required: true
    type: string
  - name: KERNEL_VERSION
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: OS
    required: true
    type: string
  - name: OS_VERSION
    required: true
    type: string
```

### Lacework.MachineSummary

Lacework.MachineSummary summarizes and aggregates details about machines in your environment.

Reference: [Lacework Documentation on MachineSummary](https://docs.lacework.com/console/machinesummaryv-view).

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: ENTITY_TYPE
    required: true
    type: string
  - name: HOSTNAME
    required: true
    type: string
  - name: MACHINE_TAGS
    required: true
    type: json
  - name: MID
    required: true
    type: string
  - name: PRIMARY_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.NewHashes

Lacework.NewHashes tracks any new file hashes in your environment.

Reference: [Lacework Documentation on NewHashes](https://docs.lacework.com/console/newhashesv-view).

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.Package

Lacework.Package tracks any packages in your environment.

Reference: [Lacework Documentation on Packages](https://docs.lacework.com/console/packagev-view).

```yaml
fields:
  - name: ARCH
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: MID
    required: true
    type: string
  - name: PACKAGE_NAME
    required: true
    type: string
  - name: VERSION
    required: true
    type: string
```

### Lacework.PodSummary

Lacework.PodSummary tracks any pods (collections of one or more containers) in your environment.

Reference: [Lacework Documentation on PodSummary](https://docs.lacework.com/console/podsummaryv-view).

```yaml
fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: MID
    required: true
    type: string
  - name: POD_NAME
    required: true
    type: string
  - name: PRIMARY_IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: PROPS_CONTAINER
    required: true
    type: json
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
```

### Lacework.ProcessSummary

Lacework.ProcessSummary tracks any processes running in your environment.

Reference: [Lacework Documentation on ProcessSummary](https://docs.lacework.com/console/processsummaryv-view).

```yaml
fields:
  - name: POD_NAME
    type: string
  - name: CONTAINER_ID
    type: string
  - name: CMDLINE_HASH
    required: true
    type: string
    indicators:
      - md5
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: PID
    required: true
    type: string
  - name: PPID
    required: true
    type: string
  - name: PROCESS_START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: UID
    required: true
    type: string
  - name: USERNAME
    required: true
    type: string
    indicators:
      - username
```

### Lacework.UserDetails

Lacework.UserDetails tracks historical data about any users in your environment.

Reference: [Lacework Documentation on UserDetails](https://docs.lacework.com/console/userdetailsv-view).

```yaml
fields:
  - name: OTHER_GROUP_NAMES
    type: array
    element:
      type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: MID
    required: true
    type: string
  - name: PRIMARY_GROUP_NAME
    required: true
    type: string
  - name: UID
    required: true
    type: string
  - name: USERNAME
    required: true
    type: string
    indicators:
      - username
```
