You can ingest Lacework Event logs into Panther by configuring a Lacework Alert Channel webhook to post events to a Panther HTTP log source. If you are looking for instructions on ingesting Lacework log types other than Lacework.Events, please see the documentation for those log types.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Lacework Alert Channel Webhook", then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow .
During setup, on the security configuration page, choose . You can generate a token value by clicking the circular arrows, or supply your own.
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Lacework.Events represents the content of an exported Lacework Alert S3 Object.
Follow to configure a Custom Webhook Alert Channel.
Lacework Alert S3 Objects often contain only a subset of the fields shown below in Panther's Lacework.Events schema. Many fields in this schema are included to accommodate edge cases. See example payloads in .
```yaml
- name: EVENT_CATEGORY
  required: true
  description: The category the event falls into
  type: string
- name: EVENT_DETAILS
  required: true
  description: The event details
  type: object
  fields:
    - name: data
      description: The array of event data
      type: array
      element:
        type: object
        fields:
          - name: START_TIME
            description: The event start time.
            type: timestamp
            timeFormat: rfc3339
          - name: END_TIME
            description: The event end time.
            type: timestamp
            timeFormat: rfc3339
          - name: EVENT_TYPE
            description: The event type description eg - launched new binary.
            type: string
          - name: EVENT_ID
            description: The event alert ID.
            type: string
          - name: EVENT_ACTOR
            description: The origin of the event eg - AWS, User.
            type: string
          - name: EVENT_MODEL
            description: The model that triggered an alert.
            type: string
          - name: ENTITY_MAP
            description: The map of related fields to the detection alert.
            type: object
            fields:
              - name: User
                description: Any user based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: MACHINE_HOSTNAME
                      description: Hostname field
                      type: string
                    - name: USERNAME
                      description: Username field
                      type: string
                      indicators:
                        - username
              - name: Application
                description: Any application based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: APPLICATION
                      description: Application field
                      type: string
                    - name: HAS_EXTERNAL_CONNS
                      description: HasExternalConns field
                      type: bigint
                    - name: IS_CLIENT
                      description: IsClient field
                      type: bigint
                    - name: IS_SERVER
                      description: IsServer field
                      type: bigint
                    - name: EARLIEST_KNOWN_TIME
                      description: EarliestKnownTime field
                      type: timestamp
                      timeFormat: rfc3339
              - name: Machine
                description: Any machine based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: HOSTNAME
                      description: Hostname field
                      type: string
                    - name: EXTERNAL_IP
                      description: ExternalIP field
                      type: string
                      indicators:
                        - ip
                    - name: INSTANCE_ID
                      description: InstanceID field
                      type: string
                    - name: INSTANCE_NAME
                      description: InstanceName field
                      type: string
                    - name: CPU_PERCENTAGE
                      description: CPUPercentage field
                      type: float
                    - name: INTERNAL_IP_ADDR
                      description: InternalIPAddress field
                      type: string
                      indicators:
                        - ip
                    - name: IS_EXTERNAL
                      description: IsExternal field
                      type: bigint
              - name: Container
                description: Any container based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: IMAGE_REPO
                      description: ImageRepo field
                      type: string
                    - name: IMAGE_TAG
                      description: ImageTag field
                      type: string
                    - name: HAS_EXTERNAL_CONNS
                      description: HasExternalConns field
                      type: bigint
                    - name: IS_CLIENT
                      description: IsClient field
                      type: bigint
                    - name: IS_SERVER
                      description: IsServer field
                      type: bigint
                    - name: FIRST_SEEN_TIME
                      description: FirstSeenTime field
                      type: timestamp
                      timeFormat: rfc3339
                    - name: POD_NAMESPACE
                      description: PodNamespace field
                      type: string
                    - name: POD_IP_ADDR
                      description: PodIPAddress field
                      type: string
                      indicators:
                        - ip
              - name: DnsName
                description: Any dns based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: HOSTNAME
                      description: Hostname field
                      type: string
                    - name: PORT_LIST
                      description: PortList field
                      type: array
                      element:
                        type: int
                    - name: TOTAL_IN_BYTES
                      description: TotalINBytes field
                      type: float
                    - name: TOTAL_OUT_BYTES
                      description: TotalOUTBytes field
                      type: float
              - name: IpAddress
                description: Any ip based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: IP_ADDRESS
                      description: SourceIPAddress field
                      type: string
                      indicators:
                        - ip
                    - name: TOTAL_IN_BYTES
                      description: TotalINBytes field
                      type: float
                    - name: TOTAL_OUT_BYTES
                      description: TotalOUTBytes field
                      type: float
                    - name: THREAT_TAGS
                      description: ThreatTags field
                      type: array
                      element:
                        type: string
                    - name: THREAT_SOURCE
                      description: ThreatSource field
                      type: json
                    - name: COUNTRY
                      description: Country field
                      type: string
                    - name: REGION
                      description: Region field
                      type: string
                    - name: PORT_LIST
                      description: PortList field
                      type: array
                      element:
                        type: int
                    - name: FIRST_SEEN_TIME
                      description: FirstSeenTime field
                      type: string
              - name: Process
                description: Any process based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: HOSTNAME
                      description: Hostname field
                      type: string
                    - name: PROCESS_ID
                      description: ProcessID field
                      type: bigint
                    - name: PROCESS_START_TIME
                      description: ProcessStartTime field
                      type: timestamp
                      timeFormat: rfc3339
                    - name: CMDLINE
                      description: CommandLine field
                      type: string
                    - name: CPU_PERCENTAGE
                      description: CPUPercentage field
                      type: float
              - name: FileDataHash
                description: Any filehash based info involved in an alert.
                type: array
                element:
                  type: object
                  fields:
                    - name: FILEDATA_HASH
                      description: FiledataHash field
                      type: string
                    - name: MACHINE_COUNT
                      description: MachineCount field
                      type: bigint
                    - name: EXE_PATH_LIST
                      description: EXEPathList field
                      type: array
                      element:
                        type: string
                    - name: FIRST_SEEN_TIME
                      description: FirstSeenTime field
                      type: timestamp
                      timeFormat: rfc3339
                    - name: IS_KNOWN_BAD
                      description: ISKnownBad field
                      type: bigint
              - name: FileExePath
                description: Any executable filepath information.
                type: array
                element:
                  type: object
                  fields:
                    - name: EXE_PATH
                      description: EXEPath field
                      type: string
                    - name: FIRST_SEEN_TIME
                      description: FirstSeenTime field
                      type: timestamp
                      timeFormat: rfc3339
                    - name: LAST_FILEDATA_HASH
                      description: LastFileDataHash field
                      type: string
                    - name: LAST_PACKAGE_NAME
                      description: LastPackageName field
                      type: string
                    - name: LAST_VERSION
                      description: LastVersion field
                      type: string
                    - name: LAST_FILE_OWNER
                      description: LastFileOwner field
                      type: string
              - name: SourceIpAddress
                description: Source IP based information.
                type: array
                element:
                  type: object
                  fields:
                    - name: IP_ADDRESS
                      description: SourceIPAddress field
                      type: string
                      indicators:
                        - ip
                    - name: REGION
                      description: Region field
                      type: string
                    - name: COUNTRY
                      description: Country field
                      type: string
              - name: API
                description: The service and endpoint.
                type: array
                element:
                  type: object
                  fields:
                    - name: SERVICE
                      description: EventSource field
                      type: string
                    - name: API
                      description: EventName field
                      type: string
              - name: Region
                description: Regional based information.
                type: array
                element:
                  type: object
                  fields:
                    - name: REGION
                      description: Region field
                      type: string
                    - name: ACCOUNT_LIST
                      description: RecipientAccountID field
                      type: array
                      element:
                        type: string
              - name: CT_User
                description: Cloudtrail user information.
                type: array
                element:
                  type: object
                  fields:
                    - name: USERNAME
                      description: Username field
                      type: string
                      indicators:
                        - username
                    - name: ACCOUNT_ID
                      description: AccountID field
                      type: string
                    - name: MFA
                      description: MFA field
                      type: bigint
                    - name: API_LIST
                      description: APIList field
                      type: array
                      element:
                        type: string
                    - name: REGION_LIST
                      description: RegionList field
                      type: array
                      element:
                        type: string
                    - name: PRINCIPAL_ID
                      description: AccessKeyID field
                      type: string
              - name: Resource
                description: Resource values.
                type: array
                element:
                  type: object
                  fields:
                    - name: NAME
                      description: Name field
                      type: string
                    - name: VALUE
                      description: Value field
                      type: string
              - name: RecId
                description: Receiver account info.
                type: array
                element:
                  type: object
                  fields:
                    - name: REC_ID
                      description: RECID field
                      type: string
                    - name: ACCOUNT_ID
                      description: RecipientAccountID field
                      type: string
                    - name: ACCOUNT_ALIAS
                      description: AccountAlias field
                      type: string
                    - name: TITLE
                      description: Title field
                      type: string
                    - name: STATUS
                      description: Status field
                      type: string
                    - name: EVAL_TYPE
                      description: EVALType field
                      type: string
                    - name: EVAL_GUID
                      description: EVALGUID field
                      type: string
              - name: CustomRule
                description: Custom Rule info.
                type: array
                element:
                  type: object
                  fields:
                    - name: LAST_UPDATED_TIME
                      description: LastUpdatedTime field
                      type: timestamp
                      timeFormat: rfc3339
                    - name: LAST_UPDATED_USER
                      description: LastUpdatedUser field
                      type: string
                    - name: DISPLAY_FILTER
                      description: DisplayFilter field
                      type: string
                    - name: RULE_GUID
                      description: RuleGUID field
                      type: string
              - name: NewViolation
                description: Violation Ref.
                type: array
                element:
                  type: object
                  fields:
                    - name: REC_ID
                      description: RECID field
                      type: string
                    - name: REASON
                      description: Reason field
                      type: string
                    - name: RESOURCE
                      description: Resource field
                      type: string
              - name: ViolationReason
                description: A reason for the violation.
                type: array
                element:
                  type: object
                  fields:
                    - name: REC_ID
                      description: RECID field
                      type: string
                    - name: REASON
                      description: Reason field
                      type: string
- name: SEVERITY
  required: true
  description: The severity level of the alert
  type: bigint
- name: START_TIME
  required: true
  description: The event start time.
  type: timestamp
  timeFormat: strftime=%d %b %Y %H:%M %Z
  isEventTime: true
- name: SUMMARY
  required: true
  description: The alert title and quick summary
  type: string
- name: EVENT_TYPE
  required: true
  description: The type of event
  type: string
- name: EVENT_NAME
  required: true
  description: The event name
  type: string
- name: LINK
  required: true
  description: A link to the Lacework dashboard for the event
  type: string
- name: EVENT_ID
  required: true
  description: The eventID reference
  type: bigint
- name: ACCOUNT
  required: true
  description: The Lacework tenant that created the event
  type: string
- name: SOURCE
  required: true
  description: The data source the event triggered on
  type: string
```
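The schema above tags a handful of ENTITY_MAP fields as `ip` or `username` indicators and declares the top-level START_TIME in a non-RFC3339 `strftime` format. The following added example (not Panther's or Lacework's own code) walks a payload the way the schema describes it, parsing START_TIME with that exact format and collecting the indicator fields while tolerating the partial payloads the text warns about; the sample event is constructed for illustration and is not a real Lacework alert.

```python
from datetime import datetime, timezone
from typing import Any

# Entity types and fields that the Lacework.Events schema marks with
# `indicators: [ip]` or `indicators: [username]` (taken from the schema above).
IP_FIELDS = {
    "Machine": ("EXTERNAL_IP", "INTERNAL_IP_ADDR"),
    "Container": ("POD_IP_ADDR",),
    "IpAddress": ("IP_ADDRESS",),
    "SourceIpAddress": ("IP_ADDRESS",),
}
USERNAME_FIELDS = {"User": ("USERNAME",), "CT_User": ("USERNAME",)}

# Top-level START_TIME is declared as `strftime=%d %b %Y %H:%M %Z` and is the event time.
START_TIME_FORMAT = "%d %b %Y %H:%M %Z"


def parse_event_time(event: dict[str, Any]) -> datetime:
    """Parse the top-level START_TIME exactly as the schema's timeFormat declares it."""
    parsed = datetime.strptime(event["START_TIME"], START_TIME_FORMAT)
    # strptime leaves the result naive even when %Z matched "UTC"; pin the zone explicitly.
    return parsed.replace(tzinfo=timezone.utc)


def extract_indicators(event: dict[str, Any]) -> dict[str, list[str]]:
    """Collect IP and username indicators from every ENTITY_MAP in the payload.

    Alert objects often carry only a subset of the schema, so every level is
    optional here and absent entity types simply contribute nothing.
    """
    ips: set[str] = set()
    users: set[str] = set()
    for item in event.get("EVENT_DETAILS", {}).get("data", []):
        entity_map = item.get("ENTITY_MAP", {})
        for entity_type, fields in IP_FIELDS.items():
            for entity in entity_map.get(entity_type, []):
                ips.update(entity[f] for f in fields if entity.get(f))
        for entity_type, fields in USERNAME_FIELDS.items():
            for entity in entity_map.get(entity_type, []):
                users.update(entity[f] for f in fields if entity.get(f))
    return {"ips": sorted(ips), "usernames": sorted(users)}


# Constructed sample alert (not a real Lacework payload): one data element whose
# ENTITY_MAP holds a Machine and a CloudTrail user; most optional fields are omitted.
SAMPLE_EVENT = {
    "EVENT_CATEGORY": "App", "SEVERITY": 3, "SUMMARY": "constructed example",
    "START_TIME": "27 Feb 2024 14:05 UTC",
    "EVENT_DETAILS": {"data": [{"ENTITY_MAP": {
        "Machine": [{"HOSTNAME": "web-1", "EXTERNAL_IP": "192.0.2.10", "INTERNAL_IP_ADDR": "10.0.0.5"}],
        "CT_User": [{"USERNAME": "deploy-bot", "ACCOUNT_ID": "123456789012", "MFA": 0}],
    }}]},
}
```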