Lacework Alert Channel Webhook

Panther supports receiving Lacework Event logs via webhook

Overview

You can ingest Lacework Event logs into Panther by configuring a Custom Webhook Alert Channel to post events to a Panther HTTP source.

If you are looking for instructions on ingesting Lacework log types other than Lacework.Events, please see the Lacework Export documentation.

How to onboard Alert Channel Webhook logs to Panther

Step 1: Create a Lacework Alert Channel Webhook log source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Lacework Alert Channel Webhook", then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source.

    • During setup, on the security configuration page, choose bearer authentication. You can generate a token value by clicking the circular arrows, or supply your own.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure Lacework to push logs to your Panther HTTP source

Supported log type

Lacework.Events

Lacework.Events represents the content of an exported Lacework Alert S3 Object.

Reference: Lacework Documentation on Events.

Lacework Alert S3 Objects often contain only a subset of the fields shown below in Panther's Lacework.Events schema. Many fields in this schema are included to accommodate edge cases. See example payloads in the Lacework documentation.
