Lacework Export

Export Lacework logs to Panther via S3, Google Cloud Storage, or Azure

Overview

Panther supports ingesting Lacework export logs through the common Data Transport options: Amazon Web Services (AWS) S3, Google Cloud Storage (GCS), and Azure Blob.

If you are looking for instructions on ingesting Lacework.Events logs, please see the Lacework Alert Channel Webhook documentation.

How to onboard Lacework Export logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Lacework Export", then click its tile.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring the selected Data Transport method:

  6. Configure Lacework to push logs to the Data Transport source.

Supported log types

Lacework.AgentManagement

Lacework.AgentManagement gathers Lacework agent management information.

Reference: Lacework Documentation on AgentManagement.

fields:
  - name: AGENT_VERSION
    required: true
    type: string
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: HOSTNAME
    required: true
    type: string
  - name: IP_ADDR
    required: true
    type: string
    indicators:
      - ip
  - name: LAST_UPDATE
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: MID
    required: true
    type: string
  - name: MODE
    required: true
    type: string
  - name: OS
    required: true
    type: string
  - name: STATUS
    required: true
    type: string
  - name: TAGS
    type: json

Lacework.AlertDetails

Lacework.AlertDetails provides information about generated alerts.

Reference: Lacework Documentation on AlertDetails.

fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: ENTITY_MAP
    required: true
    type: object
    fields:
      - name: NewViolation
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
                - name: resource
                  type: string
                  indicators:
                    - aws_arn
            - name: PROPS
              type: json
      - name: RecId
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: eval_guid
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
      - name: Resource
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: name
                  type: string
                - name: value
                  type: string
                  indicators:
                    - aws_arn
      - name: ViolationReason
        type: array
        element:
          type: object
          fields:
            - name: KEY
              type: object
              fields:
                - name: reason
                  type: string
                - name: reason_id
                  type: string
                - name: rec_id
                  type: string
            - name: PROPS
              type: json
  - name: EVENT_ACTOR
    required: true
    type: string
  - name: EVENT_ID
    required: true
    type: bigint
  - name: EVENT_MODEL
    required: true
    type: string
  - name: EVENT_TYPE
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'

Lacework.AllFiles

Lacework.AllFiles tracks every time Lacework detects a file.

Reference: Lacework Documentation on AllFiles.

fields:
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint

Lacework.Applications

Lacework.Applications contains information about applications running on machines with a Lacework agent installed, with details such as application name, user name, and machine.

Reference: Lacework Documentation on Applications.

fields:
  - name: APP_NAME
    required: true
    description: The application name detected by the Lacework agent installed on the machine.
    type: string
  - name: CONTAINER_INFO
    description: The container info provides details about the container where the application is running.
    type: json
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: EXE_PATH
    required: true
    description: The executable path for the detected application.
    type: string
  - name: MID
    description: The Lacework-generated machine identifier that uniquely identifies the machine.
    type: string
  - name: NET_STATS
    description: The network stats about the application including the number of bytes in and out of the network.
    type: json
  - name: PROPS_MACHINE
    description: The machine properties such as host name, ip address, machine tags, etc.
    type: object
    fields:
      - name: hostname
        description: hostname
        type: string
        indicators:
          - hostname
      - name: ip_addr
        description: ip_addr
        type: string
        indicators:
          - ip
      - name: mem_kbytes
        description: mem_kbytes
        type: bigint
      - name: num_users
        description: num_users
        type: bigint
      - name: primary_tags
        description: primary_tags
        type: json
      - name: tags
        description: tags
        type: json
      - name: up_time
        description: up_time
        type: bigint
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: USERNAME
    description: The username running the application on the machine.
    type: object
    fields:
      - name: effective
        description: effective
        type: string
        indicators:
          - username
      - name: original
        description: original
        type: string
        indicators:
          - username

Lacework.ChangeFiles

Lacework.ChangeFiles tracks every time a file is changed in your environment.

Reference: Lacework Documentation on ChangeFiles.

fields:
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: FILEDATA_HASH
    required: true
    type: string
    indicators:
      - sha256
  - name: FILE_PATH
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: MTIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: SIZE
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'

Lacework.CloudCompliance

Lacework.CloudCompliance tracks compliance violations identified by Lacework cloud assessments.

Reference: Lacework Documentation on CloudCompliance.

fields:
  - name: REASON
    type: string
  - name: REGION
    type: string
  - name: RESOURCE
    type: string
    indicators:
      - aws_arn
  - name: ACCOUNT
    required: true
    type: object
    fields:
      - name: AccountId
        type: string
        indicators:
          - aws_account_id
      - name: Account_Alias
        type: string
  - name: EVAL_TYPE
    required: true
    type: string
  - name: ID
    required: true
    type: string
  - name: RECOMMENDATION
    type: string
  - name: REPORT_TIME
    required: true
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%a, %d %b %Y %H:%M:%S %z'
    isEventTime: true
  - name: SECTION
    type: string
  - name: SEVERITY
    required: true
    type: string
  - name: STATUS
    required: true
    type: string

Lacework.CloudConfiguration

Lacework.CloudConfiguration contains details about supported and configured cloud resources.

Reference: Lacework Documentation on CloudConfiguration.

fields:
  - name: START_TIME
    required: true
    description: The time and date when the hourly aggregation time period starts.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: END_TIME
    required: true
    description: The time and date when the hourly aggregation time period ends.
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: URN
    required: true
    description: URN of the resource.
    type: string
    indicators:
      - aws_arn
  - name: SERVICE
    description: The service that the resource belongs to.
    type: string
  - name: STATUS
    description: The status of the resource.
    type: json
  - name: CLOUD_DETAILS
    description: Cloud details.
    type: json
  - name: RESOURCE_TYPE
    description: The resource type.
    type: string
  - name: RESOURCE_ID
    required: true
    description: The ID of the resource.
    type: string
  - name: RESOURCE_REGION
    description: The region that the resource belongs to.
    type: string
  - name: RESOURCE_CONFIG
    description: The configuration of the resource.
    type: json
  - name: RESOURCE_TAGS
    description: The tags associated with the resource.
    type: json
  - name: CSP
    description: The cloud provider.
    type: string
  - name: API_KEY
    description: The key describing the API used to fetch data for the resource.
    type: string

Lacework.Cmdline

Lacework.Cmdline monitors any command line invocations in your environment.

Reference: Lacework Documentation on Cmdline.

fields:
  - name: CMDLINE
    required: true
    type: string
  - name: CMDLINE_HASH
    required: true
    type: string
    indicators:
      - md5
  - name: CREATED_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true

Lacework.Connections

Lacework.Connections monitors for connections in your environment.

Reference: Lacework Documentation on Connections.

fields:
  - name: DST_ENTITY_ID
    required: true
    type: json
  - name: DST_ENTITY_TYPE
    required: true
    type: string
  - name: DST_IN_BYTES
    required: true
    type: bigint
  - name: DST_OUT_BYTES
    required: true
    type: bigint
  - name: ENDPOINT_DETAILS
    required: true
    type: json
  - name: END_TIME
    type: timestamp
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%Y-%m-%d %H:%M:%S.%f Z'
  - name: NUM_CONNS
    type: bigint
  - name: SRC_ENTITY_ID
    required: true
    type: json
  - name: SRC_ENTITY_TYPE
    required: true
    type: string
  - name: SRC_IN_BYTES
    required: true
    type: bigint
  - name: SRC_OUT_BYTES
    required: true
    type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - '%a, %d %b %Y %H:%M:%S %z'
      - '%Y-%m-%d %H:%M:%S.%f'
      - '%Y-%m-%d %H:%M:%S.%f Z'

Lacework.ContainerSummary

Lacework.ContainerSummary monitors for containers in your environment.

Reference: Lacework Documentation on ContainerSummary.

fields:
  - name: POD_NAME
    type: string
  - name: CONTAINER_NAME
    required: true
    type: string
  - name: END_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: IMAGE_ID
    required: true
    type: string
  - name: MID
    required: true
    type: string
  - name: PROPS_CONTAINER
    required: true
    type: object
    fields:
      - name: VOLUME_MAP
        type: json
      - name: POD_IP_ADDR
        type: string
        indicators:
          - ip
      - name: LISTEN_PORT_MAP
        type: json
      - name: POD_TYPE
        type: string
      - name: PROPS_LABEL
        type: json
      - name: CONTAINER_START_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: CONTAINER_TYPE
        required: true
        type: string
      - name: IMAGE_AUTHOR
        required: true
        type: string
      - name: IMAGE_CREATED_TIME
        required: true
        type: timestamp
        timeFormat: unix_ms
      - name: IMAGE_ID
        required: true
        type: string
      - name: IMAGE_PARENT_ID
        required: true
        type: string
      - name: IMAGE_REPO
        required: true
        type: string
      - name: IMAGE_SIZE
        required: true
        type: bigint
      - name: IMAGE_TAG
        required: true
        type: string
      - name: IMAGE_VERSION
        required: true
        type: string
      - name: IMAGE_VIRTUAL_SIZE
        required: true
        type: bigint
      - name: IPV4
        required: true
        type: string
        indicators:
          - ip
      - name: NAME
        required: true
        type: string
      - name: NETWORK_MODE
        required: true
        type: string
      - name: PID_MODE
        required: true
        type: string
      - name: PRIVILEGED
        required: true
        type: bigint
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
  - name: TAGS
    required: true
    type: json
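A Panther-style Python detection over the Lacework.ContainerSummary schema above, added here as an illustration and not taken from the Panther documentation or Panther's packaged rules. It assumes PROPS_CONTAINER.PRIVILEGED is exported as 1 for a privileged container and that NETWORK_MODE and PID_MODE carry Docker's literal "host" value when a container shares the host namespace; the sample rows are constructed.

```python
# Added example (not from the Panther docs): a Panther-style rule over Lacework.ContainerSummary
# that flags containers running with host-level access. It works on a plain dict and on
# Panther's event object, since both expose .get().

RISKY_PROPS = {
    # Assumption: Lacework exports PRIVILEGED as 1/0 (the schema type is bigint).
    "PRIVILEGED": lambda v: v == 1,
    # Assumption: Docker's host-namespace mode is exported literally as "host".
    "NETWORK_MODE": lambda v: str(v).lower() == "host",
    "PID_MODE": lambda v: str(v).lower() == "host",
}


def risky_settings(event):
    """Return the PROPS_CONTAINER settings that grant the container host-level access."""
    props = event.get("PROPS_CONTAINER") or {}
    return [name for name, is_risky in RISKY_PROPS.items() if is_risky(props.get(name))]


def rule(event):
    return bool(risky_settings(event))


def title(event):
    props = event.get("PROPS_CONTAINER") or {}
    return (
        f"Container {event.get('CONTAINER_NAME')} on MID {event.get('MID')} runs with "
        + ", ".join(risky_settings(event))
        + f" (image {props.get('IMAGE_REPO')}:{props.get('IMAGE_TAG')})"
    )


def dedup(event):
    # One alert per container per machine, not one per hourly summary row.
    return f"{event.get('MID')}:{event.get('CONTAINER_NAME')}"


def alert_context(event):
    props = event.get("PROPS_CONTAINER") or {}
    return {
        "risky_settings": risky_settings(event),
        "image_id": event.get("IMAGE_ID"),
        "pod_name": event.get("POD_NAME"),
        "ipv4": props.get("IPV4"),
        "listen_ports": props.get("LISTEN_PORT_MAP"),
    }


# Constructed sample rows (not real Lacework data) for a local run.
SAMPLE_PRIVILEGED = {
    "CONTAINER_NAME": "build-agent", "MID": "12345", "IMAGE_ID": "sha256:deadbeef",
    "POD_NAME": "ci-runner-0",
    "PROPS_CONTAINER": {"PRIVILEGED": 1, "NETWORK_MODE": "bridge", "PID_MODE": "host",
                        "IMAGE_REPO": "example/agent", "IMAGE_TAG": "latest", "IPV4": "10.0.0.5"},
}
SAMPLE_BENIGN = {
    "CONTAINER_NAME": "web", "MID": "12345",
    "PROPS_CONTAINER": {"PRIVILEGED": 0, "NETWORK_MODE": "bridge", "PID_MODE": ""},
}

if __name__ == "__main__":
    for ev in (SAMPLE_PRIVILEGED, SAMPLE_BENIGN):
        print(ev["CONTAINER_NAME"], "->", rule(ev), title(ev) if rule(ev) else "")
```

Because the summary is hourly, the dedup key keeps a long-running privileged container from producing one alert per export window.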

Lacework.ContainerVulnDetails

Lacework.ContainerVulnDetails monitors for container vulnerabilities in your environment.

Reference: Lacework Documentation on ContainerVulnDetails.

fields:
  - name: SEVERITY
    type: string
  - name: VULN_ID
    type: string
  - name: EVAL_CTX
    required: true
    type: object
    fields:
      - name: cve_batch_info
        required: true
        type: array
        element:
          type: object
          fields:
            - name: cve_batch_id
              required: true
              type: string
            - name: cve_created_time
              required: true
              type: timestamp
              timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
      - name: image_info
        required: true
        type: object
        fields:
          - name: created_time
            required: true
            type: timestamp
            timeFormat: unix_ms
          - name: digest
            required: true
            type: string
          - name: id
            required: true
            type: string
          - name: registry
            required: true
            type: string
          - name: repo
            required: true
            type: string
          - name: scan_created_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: size
            required: true
            type: bigint
          - name: status
            required: true
            type: string
          - name: tags
            required: true
            type: array
            element:
              type: string
          - name: type
            required: true
            type: string
      - name: integration_props
        required: true
        type: object
        fields:
          - name: INTG_GUID
            type: string
          - name: NAME
            type: string
          - name: REGISTRY_TYPE
            type: string
      - name: is_reeval
        required: true
        type: boolean
      - name: request_source
        required: true
        type: string
      - name: scan_batch_id
        required: true
        type: string
      - name: scan_request_props
        required: true
        type: object
        fields:
          - name: reqId
            type: string
          - name: data_format_version
            required: true
            type: string
          - name: props
            required: true
            type: object
            fields:
              - name: data_format_version
                required: true
                type: string
              - name: scanner_version
                required: true
                type: string
          - name: scanCompletionUtcTime
            required: true
            type: timestamp
            timeFormat: unix
          - name: scan_start_time
            required: true
            type: timestamp
            timeFormat: unix
          - name: scanner_version
            required: true
            type: string
      - name: vuln_batch_id
        required: true
        type: string
      - name: vuln_created_time
        required: true
        type: timestamp
        timeFormat: '%Y-%m-%d %H:%M:%S.%f000'
  - name: FEATURE_KEY
    required: true
    type: object
    fields:
      - name: name
        required: true
        type: string
      - name: namespace
        required: true
        type: string
      - name: version
        required: true
        type: string
  - name: FEATURE_PROPS
    required: true
    type: object
    fields:
      - name: introduced_in
        required: true
        type: string
      - name: layer
        required: true
        type: string
      - name: src
        required: true
        type: string
      - name: version_format
        required: true
        type: string
  - name: FIX_INFO
    required: true
    type: object
    fields:
      - name: compare_result
        required: true
        type: string
      - name: fix_available
        required: true
        type: string
      - name: fixed_version
        required: true
        type: string
  - name: IMAGE_ID
    required: true
    type: string
  - name: START_TIME
    required: true
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S.%f'
    isEventTime: true
  - name: STATUS
    required: true