# Lacework
This connector integrates with the Lacework API.

## Prerequisites

The Lacework connector requires a host, a key ID, and a secret key.

## Capabilities

The Lacework connector has the following capabilities:

- Audit logs searching
- Cloud accounts management
- Get events
- Get vulnerabilities
- Queries management

For further information about LQL, see the LQL overview at https://docs.lacework.com/lql-overview.

## About filters

Filters can optionally be specified in the request body. A filter is an object with a `field`, an `expression`, and either a single `value` (for expressions such as `eq`) or a list of `values` (for expressions such as `in`); the action examples below show both forms. For more information about using filters, see https://swimlane.lacework.net/api/v2/docs/#tag/OVERVIEW.

This connector was last tested against product version 2.

## Configurations

### Lacework Auth

Lacework configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| API key | Lacework API key ID | string | required |
| API secret | Lacework API secret key | string | required |
| Verify SSL | Verify the SSL certificate | boolean | optional |
| HTTP proxy | A proxy to route requests through | string | optional |

## Actions

The Endpoint URL and Method values below are reproduced from the connector definition. In the Lacework API v2 reference the `/search` endpoints, `Queries/execute`, and the alert `close` and `comment` endpoints are POST requests that carry their parameters as a JSON body of the shape shown in each action's input example, so a Method of GET listed for one of those actions does not mean the filter is sent as query-string parameters.

### Close Alert

Close a Lacework alert with a comment.

- Endpoint URL: `queries/execute`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| alert_id | string | required | Unique identifier of the alert |
| reason | number | required | Numeric close-reason code |
| comment | string | optional | Comment to attach when closing |

Input example:

```json
{"alert_id": "12345", "reason": 0, "comment": "Closing as false positive."}
```

Note that this example pairs a "false positive" comment with reason `0`. In the Lacework API reference the close-reason codes are 0 = Other, 1 = False positive, 2 = Not enough information, 3 = Malicious and have resolution in place, and 4 = Expected because of routine testing, so pass the code that matches the comment.

Output:

| Parameter | Type | Description |
|---|---|---|
| message | string | Response message |

Output example:

```json
{"message": "string"}
```

### Create Compliance Exceptions

Create Lacework compliance exceptions.

- Endpoint URL: `/api/v2/vulnerabilityexceptions`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| params | object | optional | Parameter for Create Compliance Exceptions |
| params.exceptionName | string | optional | Name of the exception |
| params.exceptionReason | string | optional | Reason for the exception (for example False Positive or Accepted Risk) |
| params.resourceScope | object | optional | Resources the exception applies to |
| params.resourceScope.imageId | array | optional | Image identifiers |
| params.resourceScope.imageTag | array | optional | Image tags |
| params.resourceScope.registry | array | optional | Registries |
| params.resourceScope.repository | array | optional | Repositories |
| params.resourceScope.namespace | array | optional | Namespaces |
| params.vulnerabilityCriteria | object | optional | Vulnerabilities the exception applies to |
| params.vulnerabilityCriteria.cve | array | optional | CVE identifiers |
| params.vulnerabilityCriteria.package | array | optional | Packages |
| params.vulnerabilityCriteria.severity | array | optional | Severities |
| params.vulnerabilityCriteria.fixable | array | optional | Fixable flags |
| params.expiryTime | string | optional | Time value |
| params.state | number | optional | Exception state |
| params.props | object | optional | Additional properties |
| params.props.description | string | optional | Description |
| params.props.createdBy | string | optional | Creator |
| params.props.updatedBy | string | optional | Last updater |
| params.exceptionType | string | optional | Type of the resource |

Input example:

```json
{
  "params": {
    "exceptionName": "string",
    "exceptionReason": "False Positive",
    "resourceScope": {
      "imageId": ["string"],
      "imageTag": ["string"],
      "registry": ["string"],
      "repository": ["string"],
      "namespace": ["string"]
    },
    "vulnerabilityCriteria": {
      "cve": ["string"],
      "package": [{}],
      "severity": ["Info"],
      "fixable": [0]
    },
    "expiryTime": "string",
    "state": 1,
    "props": {"description": "string", "createdBy": "string", "updatedBy": "string"},
    "exceptionType": "Container"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| data | object | Response data |
| data.createdTime | string | Response data |
| data.exceptionGuid | string | Response data |
| data.exceptionName | string | Response data |
| data.exceptionReason | string | Response data |
| data.exceptionType | string | Response data |
| data.expiryTime | string | Response data |
| data.props | object | Response data |
| data.props.description | string | Response data |
| data.props.createdBy | string | Response data |
| data.props.updatedBy | string | Response data |
| data.resourceScope | object | Response data |
| data.resourceScope.registry | array | Response data |
| data.state | number | Response data |
| data.updatedTime | string | Response data |
| data.vulnerabilityCriteria | object | Response data |
| data.vulnerabilityCriteria.severity | array | Response data |

Output example:

```json
{
  "data": {
    "createdTime": "2021-12-18T08:30:00Z",
    "exceptionGuid": "LWABC",
    "exceptionName": "Container Vulnerability Exception",
    "exceptionReason": "Accepted Risk",
    "exceptionType": "Container",
    "expiryTime": "2021-12-28T08:30:00Z",
    "props": {
      "description": "This is a container vulnerability exception",
      "createdBy": "abc@xyz.com",
      "updatedBy": "abc@xyz.com"
    },
    "resourceScope": {"registry": []},
    "state": 1,
    "updatedTime": "2021-12-18T08:30:00Z",
    "vulnerabilityCriteria": {"severity": []}
  }
}
```

### Create Vulnerability Exceptions

Create Lacework vulnerability exceptions. This action calls the same endpoint as Create Compliance Exceptions and takes the same parameters.

- Endpoint URL: `/api/v2/vulnerabilityexceptions`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| params | object | optional | Parameter for Create Vulnerability Exceptions |
| params.exceptionName | string | optional | Name of the exception |
| params.exceptionReason | string | optional | Reason for the exception (for example False Positive or Accepted Risk) |
| params.resourceScope | object | optional | Resources the exception applies to |
| params.resourceScope.imageId | array | optional | Image identifiers |
| params.resourceScope.imageTag | array | optional | Image tags |
| params.resourceScope.registry | array | optional | Registries |
| params.resourceScope.repository | array | optional | Repositories |
| params.resourceScope.namespace | array | optional | Namespaces |
| params.vulnerabilityCriteria | object | optional | Vulnerabilities the exception applies to |
| params.vulnerabilityCriteria.cve | array | optional | CVE identifiers |
| params.vulnerabilityCriteria.package | array | optional | Packages |
| params.vulnerabilityCriteria.severity | array | optional | Severities |
| params.vulnerabilityCriteria.fixable | array | optional | Fixable flags |
| params.expiryTime | string | optional | Time value |
| params.state | number | optional | Exception state |
| params.props | object | optional | Additional properties |
| params.props.description | string | optional | Description |
| params.props.createdBy | string | optional | Creator |
| params.props.updatedBy | string | optional | Last updater |
| params.exceptionType | string | optional | Type of the resource |

Input example:

```json
{
  "params": {
    "exceptionName": "string",
    "exceptionReason": "False Positive",
    "resourceScope": {
      "imageId": ["string"],
      "imageTag": ["string"],
      "registry": ["string"],
      "repository": ["string"],
      "namespace": ["string"]
    },
    "vulnerabilityCriteria": {
      "cve": ["string"],
      "package": [{}],
      "severity": ["Info"],
      "fixable": [0]
    },
    "expiryTime": "string",
    "state": 1,
    "props": {"description": "string", "createdBy": "string", "updatedBy": "string"},
    "exceptionType": "Container"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| data | object | Response data |
| data.createdTime | string | Response data |
| data.exceptionGuid | string | Response data |
| data.exceptionName | string | Response data |
| data.exceptionReason | string | Response data |
| data.exceptionType | string | Response data |
| data.expiryTime | string | Response data |
| data.props | object | Response data |
| data.props.description | string | Response data |
| data.props.createdBy | string | Response data |
| data.props.updatedBy | string | Response data |
| data.resourceScope | object | Response data |
| data.resourceScope.registry | array | Response data |
| data.state | number | Response data |
| data.updatedTime | string | Response data |
| data.vulnerabilityCriteria | object | Response data |
| data.vulnerabilityCriteria.severity | array | Response data |

Output example:

```json
{
  "data": {
    "createdTime": "2021-12-18T08:30:00Z",
    "exceptionGuid": "LWABC",
    "exceptionName": "Container Vulnerability Exception",
    "exceptionReason": "Accepted Risk",
    "exceptionType": "Container",
    "expiryTime": "2021-12-28T08:30:00Z",
    "props": {
      "description": "This is a container vulnerability exception",
      "createdBy": "abc@xyz.com",
      "updatedBy": "abc@xyz.com"
    },
    "resourceScope": {"registry": []},
    "state": 1,
    "updatedTime": "2021-12-18T08:30:00Z",
    "vulnerabilityCriteria": {"severity": []}
  }
}
```

### Get Alert Metadata

Get metadata for a Lacework alert.

- Endpoint URL: `/api/v2/alerts/`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| alert_id | string | required | Alert ID to fetch the scope for |
| scope | string | required | Which scope to fetch (the Lacework API reference defines scopes such as Details, Investigation, Events, RelatedAlerts, Integrations, and Timeline) |

Input example:

```json
{"alert_id": "string", "scope": "string"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| alertId | string | Unique identifier |
| startTime | string | Time value |
| alertType | string | Type of the alert |
| severity | string | Severity |
| internetExposure | string | Internet exposure |
| reachability | string | Reachability |
| derivedFields | object | Derived fields (category, sub_category, source in the example) |
| endTime | string | Time value |
| lastUserUpdatedTime | string | Time value |
| status | string | Status value |
| alertName | string | Name of the alert |
| alertInfo | object | Alert info (subject, description in the example) |
| policyId | string | Unique identifier |
| evolvingAlert | string | Evolving alert flag |
| entityMap | object | Entity map |
| entityMap.recId | string | Unique identifier |
| entityMap.resource | array | Resources |
| entityMap.resource.key | string | Resource key |
| entityMap.violationReason | string | Violation reason |

Output example:

```json
{
  "alertId": "string",
  "startTime": "string",
  "alertType": "string",
  "severity": "string",
  "internetExposure": "string",
  "reachability": "string",
  "derivedFields": {"category": "string", "sub_category": "string", "source": "string"},
  "endTime": "string",
  "lastUserUpdatedTime": "string",
  "status": "string",
  "alertName": "string",
  "alertInfo": {"subject": "string", "description": "string"},
  "policyId": "string",
  "evolvingAlert": "string",
  "entityMap": {"recId": "string", "resource": [{}], "violationReason": "string"}
}
```

### Get Alerts

Lacework Get Alerts API.

- Endpoint URL: `api/v2/alerts`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | required | Start time to search for alerts |
| end_time | string | required | End time to search for alerts |
| alert_filter | string | required | Add any alert types that should be fetched |

Input example:

```json
{"start_time": "string", "end_time": "string", "alert_filter": "string"}
```

### Get Alerts and Metadata

Get alerts from Lacework together with their metadata.

- Endpoint URL: `api/v2/alerts`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | required | Start time to search for alerts |
| end_time | string | required | End time to search for alerts |
| alert_filter | string | required | Add any alert types that should be fetched |

Input example:

```json
{"start_time": "string", "end_time": "string", "alert_filter": "string"}
```

### Get Cloud Accounts

Lacework Get Cloud Accounts.

- Endpoint URL: `api/v2/cloudaccounts`
- Method: GET

### Get Host Vulnerabilities

Run a query against Lacework. This action composes two searches: a primary query (in the example, machines with their tags) and a secondary query (in the example, host vulnerabilities), joined through `field_mappings`. A string mapping copies a dotted field out of each secondary-query row; a `referenceLookup` mapping takes the row's `key` value, looks it up in the result set named by `data`, and returns that row's `field`. `master_key` names the output field that identifies a result.

- Endpoint URL: `vulnerabilities/containers/search`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| primary_query_endpoint | string | optional | Endpoint for the primary query |
| primary_query_filter | array | optional | Filters for the primary query |
| primary_query_filter.field | string | optional | Field to filter on |
| primary_query_filter.expression | string | optional | Filter expression |
| primary_query_filter.values | array | optional | Values for list expressions |
| primary_query_filter.value | string | optional | Value for scalar expressions |
| primary_query_return_fields | array | optional | Fields to return from the primary query |
| secondary_query_endpoint | string | optional | Endpoint for the secondary query |
| secondary_query_filter | array | optional | Filters for the secondary query |
| secondary_query_filter.field | string | optional | Field to filter on |
| secondary_query_filter.expression | string | optional | Filter expression |
| secondary_query_filter.values | array | optional | Values for list expressions |
| secondary_query_filter.value | number | optional | Value for scalar expressions |
| master_key | string | optional | Output field that identifies a result |
| field_mappings | object | optional | Output field to source field mappings |
| field_mappings.agent_id | object | optional | Unique identifier |
| field_mappings.agent_id.referenceLookup | object | optional | Lookup definition |
| field_mappings.agent_id.referenceLookup.key | string | optional | Field whose value is looked up |
| field_mappings.agent_id.referenceLookup.field | string | optional | Field to return from the matched row |
| field_mappings.agent_id.referenceLookup.data | string | optional | Result set to look in |
| field_mappings.agent_id.referenceLookup.multi_value | boolean | optional | Return all matches rather than one |
| field_mappings.cloud_instance_id | object | optional | Unique identifier |
| field_mappings.cloud_instance_id.referenceLookup | object | optional | Lookup definition |
| field_mappings.cloud_instance_id.referenceLookup.key | string | optional | Field whose value is looked up |
| field_mappings.cloud_instance_id.referenceLookup.field | string | optional | Field to return from the matched row |

Input example:

```json
{
  "primary_query_endpoint": "entities/machines/search",
  "primary_query_filter": [
    {"field": "severity", "expression": "in", "values": ["Critical", "High", "Medium"]},
    {"field": "status", "expression": "in", "values": ["New", "Active"]},
    {"field": "fixInfo.fix_available", "expression": "eq", "value": 1}
  ],
  "primary_query_return_fields": ["mid", "machineTags"],
  "secondary_query_endpoint": "vulnerabilities/hosts/search",
  "secondary_query_filter": [
    {"field": "severity", "expression": "in", "values": ["Critical", "High", "Medium"]},
    {"field": "status", "expression": "in", "values": ["New", "Active"]},
    {"field": "fixInfo.fix_available", "expression": "eq", "value": 1}
  ],
  "master_key": "vulnerability_id",
  "field_mappings": {
    "agent_id": {"referenceLookup": {"key": "mid", "field": "mid", "data": "primary_query", "multi_value": false}},
    "cloud_instance_id": {"referenceLookup": {"key": "mid", "field": "machineTags.InstanceId", "data": "primary_query", "multi_value": false}},
    "cloud_account_id": {"referenceLookup": {"key": "mid", "field": "machineTags.Account", "data": "primary_query", "multi_value": false}},
    "ami_id": {"referenceLookup": {"key": "mid", "field": "machineTags.AmiId", "data": "primary_query", "multi_value": false}},
    "vulnerability_id": "vulnId",
    "vulnerability_meta_name": "featureKey.name",
    "vulnerability_meta_namespace": "featureKey.namespace",
    "vulnerability_description_text": "cveProps.description",
    "vulnerability_reference": "cveProps.link",
    "vulnerability_meta_version_current": "featureKey.version_installed",
    "vulnerability_meta_version_fixed": "fixInfo.fixed_version",
    "vulnerability_severity": "severity",
    "vulnerability_category": "status"
  }
}
```

### Get Host Vulnerabilities Bad

Run a query against Lacework.

- Endpoint URL: `vulnerabilities/containers/search`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| filter | array | optional | Filters |
| filter.field | string | optional | Field to filter on |
| filter.expression | string | optional | Filter expression |
| filter.values | array | optional | Values for list expressions |
| filter.value | string | optional | Value for scalar expressions |
| returns | array | optional | Fields to return |

Input example:

```json
{
  "start_time": "-7 days",
  "end_time": "now",
  "filter": [
    {"field": "severity", "expression": "in", "values": ["Critical", "High", "Medium"]},
    {"field": "status", "expression": "in", "values": ["New", "Active"]},
    {"field": "fixInfo.fix_available", "expression": "eq", "value": "1"}
  ],
  "returns": ["mid", "severity", "vulnId", "evalCtx", "fixInfo", "featureKey"]
}
```

Output example:

```json
{
  "evalCtx": {
    "exception_props": [],
    "hostname": "ip-10-160-5-194.ec2.internal",
    "mc_eval_guid": "6398c97cd2e9172783de42186df1a694"
  },
  "featureKey": {
    "name": "p11-kit-trust",
    "namespace": "amzn:2",
    "package_active": 0,
    "package_path": "",
    "version_installed": "0:0.23.22-1.amzn2.0.1"
  },
  "fixInfo": {},
  "mid": 6420720632738334000
}
```

### Get Machines

Run a query against Lacework.

- Endpoint URL: `vulnerabilities/containers/search`
- Method: GET

### Get Report

Fetch a Lacework compliance report of the given `reportType` for the account identified by `primaryQueryId`.

- Endpoint URL: `reports`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| params | object | optional | Parameter for Get Report |
| params.primaryQueryId | string | optional | Unique identifier (the cloud account ID in the example) |
| params.secondaryQueryId | string | optional | Unique identifier |
| params.format | string | optional | Report format |
| params.reportType | string | optional | Type of the report |

Input example:

```json
{"params": {"primaryQueryId": "627166550282", "secondaryQueryId": "", "format": "json", "reportType": "AWS_SOC_Rev2"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| data | array | Response data |
| data.reportType | string | Response data |
| data.reportTitle | string | Response data |
| data.custGuid | string | Response data |
| data.envGuid | string | Response data |
| data.recommendations | array | Response data |
| data.recommendations.ACCOUNT_ID | string | Response data |
| data.recommendations.ACCOUNT_ALIAS | string | Response data |
| data.recommendations.START_TIME | number | Response data |
| data.recommendations.SUPPRESSIONS | array | Response data |
| data.recommendations.SUPPRESSIONS.FILE_NAME | string | Response data |
| data.recommendations.SUPPRESSIONS.FILE | string | Response data |
| data.recommendations.INFO_LINK | string | Response data |
| data.recommendations.ASSESSED_RESOURCE_COUNT | number | Response data |
| data.recommendations.STATUS | string | Response data |
| data.recommendations.REC_ID | string | Response data |
| data.recommendations.CATEGORY | string | Response data |
| data.recommendations.SERVICE | string | Response data |
| data.recommendations.TITLE | string | Response data |
| data.recommendations.VIOLATIONS | array | Response data |
| data.recommendations.VIOLATIONS.reasons | array | Response data |
| data.recommendations.VIOLATIONS.resource | string | Response data |
| data.recommendations.RESOURCE_COUNT | number | Response data |
| data.recommendations.SEVERITY | number | Response data |
| data.summary | array | Response data |

Output example:

```json
{"data": [], "ok": true, "message": "string"}
```

### Post Comments

Post a comment on a Lacework alert.

- Endpoint URL: `/api/v2/alerts/{alertId}/comment`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| alert_id | string | required | Unique identifier of the alert |
| comment | string | required | Comment text |

Input example:

```json
{"alert_id": "12345", "comment": "Closing as false positive."}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| data | object | Response data |
| data.id | number | Response data |
| data.alertId | number | Response data |
| data.createdTime | string | Response data |
| data.entryType | string | Response data |
| data.entryAuthorType | string | Response data |
| data.message | object | Response data |
| data.message.value | string | Response data |
| data.externalTime | string | Response data |
| data.user | object | Response data |
| data.user.userGuid | string | Response data |
| data.user.userName | string | Response data |
| data.updateContext | object | Response data |

Output example:

```json
{
  "data": {
    "id": 211250,
    "alertId": 871115,
    "createdTime": "2022-07-18T18:28:30.739Z",
    "entryType": "Comment",
    "entryAuthorType": "UserUpdate",
    "message": {"value": "test comment"},
    "externalTime": "",
    "user": {
      "userGuid": "LW123_6fa99157890e373006f7ee3fa926b02c38d547bd6c79f1d",
      "userName": "support@lacework.net"
    },
    "updateContext": {}
  }
}
```

### Query IP Indicators

Run a query against Lacework to hunt for IPs.

- Endpoint URL: `queries/execute`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| ips | array | optional | IP addresses to hunt for |

Input example:

```json
{"start_time": "-1 days", "end_time": "now", "ips": ["8.8.8.8", "9.9.9.9"]}
```

### Query Lacework

Run a query against Lacework. `query_endpoint` selects which Lacework search endpoint receives the filter.

- Endpoint URL: `vulnerabilities/containers/search`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | required | Start time to search from |
| end_time | string | required | End time to search to |
| query_endpoint | string | required | Endpoint to query data from |
| filter | array | required | Filters |
| filter.expression | string | optional | Filter expression |
| filter.field | string | optional | Field to filter on |
| filter.value | string | optional | Value for scalar expressions |
| filter.values | array | optional | Values for list expressions |
| returns | array | optional | Which items to return from the API call |

Input example:

```json
{
  "start_time": "string",
  "end_time": "string",
  "query_endpoint": "string",
  "filter": [{"expression": "string", "field": "string", "value": "string", "values": ["string"]}],
  "returns": ["string"]
}
```

### Search Active Containers

Search Active Containers API.

- Endpoint URL: `api/v2/entities/containers/search`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | optional | Request body |
| headers | object | optional | Request headers |

Input example:

```json
{"path_parameters": {}, "parameters": {}, "data_body": {}, "headers": {}}
```

### Search Agent Information

Search Agent Information API.

- Endpoint URL: `/api/v2/agentinfo/search`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| filters | array | optional | Filters |
| filters.field | string | optional | Field to filter on |
| filters.expression | string | optional | Filter expression |
| filters.value | string | optional | Value for scalar expressions |
| returns | array | optional | Fields to return |

Input example:

```json
{
  "start_time": "-1 days",
  "end_time": "now",
  "filters": [{"field": "status", "expression": "eq", "value": "ACTIVE"}],
  "returns": ["hostname", "ipAddr", "os", "agentVersion", "status"]
}
```

### Search Audit Logs

Search Audit Logs API.

- Endpoint URL: `api/v2/auditlogs/search`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| filter | array | optional | Filters |
| filter.field | string | optional | Field to filter on |
| filter.expression | string | optional | Filter expression |
| filter.value | string | optional | Value for scalar expressions |
| filter.values | array | optional | Values for list expressions |
| returns | array | optional | Fields to return |

Input example:

```json
{
  "start_time": "-1 days",
  "end_time": "now",
  "returns": ["accountName", "createdTime", "eventDescription", "eventName", "userAction", "userName"]
}
```

### Search Compliance Evaluations

Search Compliance Evaluations API.

- Endpoint URL: `api/v2/configs/complianceevaluations/search`
- Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| filter | array | optional | Filters |
| filter.field | string | optional | Field to filter on |
| filter.expression | string | optional | Filter expression |
| filter.value | string | optional | Value for scalar expressions |
| returns | array | optional | Fields to return |
| dataset | string | optional | Compliance dataset to search (AwsCompliance in the example) |

Input example:

```json
{
  "start_time": "-1 days",
  "end_time": "now",
  "filter": [
    {"field": "status", "expression": "eq", "value": "NonCompliant"},
    {"field": "account.AccountId", "expression": "eq", "value": "812212113623"}
  ],
  "returns": ["account", "id", "recommendation", "severity", "status"],
  "dataset": "AwsCompliance"
}
```

### Search Container Vulnerabilities

Search container vulnerabilities.

- Endpoint URL: `api/v2/entities/containers/search`
- Method: POST

Note that the fields used in this example (`severity`, `fixInfo`, `evalCtx.image_info.digest`, `vulnId`, `featureKey`) are container vulnerability fields, which the Lacework API reference serves from the `Vulnerabilities/Containers/search` endpoint rather than `Entities/Containers/search`; check which endpoint your connector version actually calls before relying on these returns.

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| filter | array | optional | Filters |
| filter.field | string | optional | Field to filter on |
| filter.expression | string | optional | Filter expression |
| filter.value | string | optional | Value for scalar expressions |
| returns | array | optional | Fields to return |

Input example:

```json
{
  "start_time": "-1 days",
  "end_time": "now",
  "filter": [
    {"field": "severity", "expression": "eq", "value": "Medium"},
    {"field": "fixInfo.fix_available", "expression": "eq", "value": 1},
    {"field": "evalCtx.image_info.digest", "expression": "eq", "value": "sha256:07aea1edd530054adb739335edd8d9c7fc9c0cbbd982c7250b24442fefa0d0b8"}
  ],
  "returns": ["imageId", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey"]
}
```

### Search Inventory

Lacework Search Inventory API.

- Endpoint URL: `api/v2/inventory/search`
- Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| filter | array | optional | Filters |
| filter.field | string | optional | Field to filter on |
| filter.expression | string | optional | Filter expression |
| filter.value | string | optional | Value for scalar expressions |
| filter.values | array | optional | Values for list expressions |
| returns | array | optional | Fields to return |
| csp | string | optional | Cloud service provider (aws in the example) |

Input example:

```json
{
  "start_time": "-1 weeks",
  "end_time": "now",
  "filter": [
    {"field": "resourceRegion", "expression": "eq", "value": "ap-southeast-2"},
    {"field": "cloudDetails.accountID", "expression": "eq", "value": "16459126737"},
    {"field": "resourceType", "expression": "in", "values": [
      "acm:certificate", "ec2:customer-gateway", "ec2:instance", "ec2:internet-gateway",
      "ec2:natgateway", "ec2:security-group", "ec2:subnet", "ec2:vpc", "ec2:vpc-endpoint",
      "ec2:vpc-flow-log", "ec2:vpn-connection", "ec2:vpn-gateway", "eks:cluster",
      "elbv2:listener", "elbv2:listener-rule", "elbv2:loadbalancer", "elbv2:target-group",
      "s3:bucket"
    ]}
  ],
  "returns": ["urn", "cloudDetails", "resourceConfig", "resourceId", "resourceType"],
  "csp": "aws"
}
```

## Response headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
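The search actions above (Search Agent Information, Search Audit Logs, Search Compliance Evaluations, Search Container Vulnerabilities, Search Inventory, Query Lacework) all take a relative `start_time`/`end_time`, a filter list, and a `returns` list. The following Python is an added example, not the connector's or Lacework's own code: it shows how those inputs map onto the JSON body that Lacework API v2 `/search` endpoints accept (`timeFilter.startTime`/`endTime` as `YYYY-MM-DDTHH:MM:SSZ`, `filters`, `returns`, `dataset`), rejects a filter that carries neither or both of `value`/`values`, and follows the `paging.urls.nextPage` link that search responses carry. The relative-time grammar (`-N days`, `-N weeks`, `now`) is taken from this page's examples; the host `example.lacework.net`, the `fake_fetch` client, the canned pages, and the `EXAMPLE_REC_*` recommendation IDs are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional

# Relative time grammar as used by this page's examples: "-1 days", "-7 days", "-1 weeks", "now".
RELATIVE_TIME = re.compile(r"^\s*([+-]?\d+)\s*(minute|hour|day|week)s?\s*$", re.IGNORECASE)
# Fixed "now" so the example is reproducible.
NOW_FOR_EXAMPLE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
# Placeholder host; a real tenant is https://<account>.lacework.net.
SEARCH_URL = "https://example.lacework.net/api/v2/Configs/ComplianceEvaluations/search"


def resolve_time(spec: str, now: datetime) -> datetime:
    """Turn a connector-style time spec into a timezone-aware datetime."""
    if spec.strip().lower() == "now":
        return now
    match = RELATIVE_TIME.match(spec)
    if not match:
        raise ValueError(f"unsupported time spec: {spec!r}")
    amount, unit = int(match.group(1)), match.group(2).lower()
    return now + {"minute": timedelta(minutes=amount), "hour": timedelta(hours=amount),
                  "day": timedelta(days=amount), "week": timedelta(weeks=amount)}[unit]


def lacework_timestamp(dt: datetime) -> str:
    """Lacework API v2 timeFilter format: UTC, second precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_search_body(start_time: str, end_time: str, filters=(), returns=(),
                      dataset: Optional[str] = None, now: Optional[datetime] = None) -> Dict[str, Any]:
    """Map connector-style inputs onto the body a Lacework API v2 /search endpoint expects.

    A filter needs field, expression and exactly one of value (scalar expressions such
    as eq) or values (list expressions such as in). Empty members are dropped first, so a
    filter that lists both keys with one of them blank (as in the Query Lacework example) is fine.
    """
    now = now or datetime.now(timezone.utc)
    start, end = resolve_time(start_time, now), resolve_time(end_time, now)
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    body: Dict[str, Any] = {"timeFilter": {"startTime": lacework_timestamp(start),
                                           "endTime": lacework_timestamp(end)}}
    cleaned = []
    for raw in filters:
        entry = {k: raw[k] for k in ("field", "expression", "value", "values")
                 if k in raw and raw[k] not in (None, "", [])}
        if "field" not in entry or "expression" not in entry:
            raise ValueError(f"filter needs field and expression: {raw!r}")
        if ("value" in entry) == ("values" in entry):
            raise ValueError(f"filter needs exactly one of value or values: {raw!r}")
        cleaned.append(entry)
    if cleaned:
        body["filters"] = cleaned
    if returns:
        body["returns"] = list(returns)
    if dataset:
        body["dataset"] = dataset
    return body


def search_all(fetch: Callable[[str, str, Optional[dict]], dict], url: str, body: dict,
               max_pages: int = 500) -> List[dict]:
    """POST the body, then follow paging.urls.nextPage (GET, no body) until it is absent."""
    rows: List[dict] = []
    page = fetch("POST", url, body)
    for _ in range(max_pages):
        rows.extend(page.get("data", []))
        next_url = ((page.get("paging") or {}).get("urls") or {}).get("nextPage")
        if not next_url:
            return rows
        page = fetch("GET", next_url, None)
    raise RuntimeError(f"more than {max_pages} pages; refusing to page forever")


# Constructed responses in the shape Lacework API v2 search endpoints return.
FAKE_PAGES = {
    SEARCH_URL: {
        "paging": {"rows": 2, "totalRows": 3, "urls": {"nextPage": SEARCH_URL + "?page=2"}},
        "data": [{"id": "r1", "recommendation": "EXAMPLE_REC_1", "severity": 1, "status": "NonCompliant"},
                 {"id": "r2", "recommendation": "EXAMPLE_REC_2", "severity": 2, "status": "NonCompliant"}],
    },
    SEARCH_URL + "?page=2": {
        "paging": {"rows": 1, "totalRows": 3, "urls": {"nextPage": None}},
        "data": [{"id": "r3", "recommendation": "EXAMPLE_REC_3", "severity": 3, "status": "NonCompliant"}],
    },
}


def fake_fetch(method: str, url: str, body: Optional[dict]) -> dict:
    """Offline stand-in for an HTTP client; serves the canned pages above."""
    return FAKE_PAGES[url]


def demo(now: datetime = NOW_FOR_EXAMPLE):
    """Build the body for this page's Search Compliance Evaluations example and page through results."""
    body = build_search_body(
        "-1 days", "now",
        filters=[{"field": "status", "expression": "eq", "value": "NonCompliant"},
                 {"field": "account.AccountId", "expression": "eq", "value": "812212113623"}],
        returns=["account", "id", "recommendation", "severity", "status"],
        dataset="AwsCompliance", now=now)
    return body, search_all(fake_fetch, SEARCH_URL, body)
```

Swapping `fake_fetch` for a real client is a matter of sending `body` as JSON with the bearer token obtained from the key ID and secret, keeping the `max_pages` guard so a misbehaving `nextPage` cannot loop a playbook forever.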
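The Get Host Vulnerabilities action above joins a primary query (machines with their `machineTags`) to a secondary query (host vulnerabilities) through `master_key` and `field_mappings`: a plain string mapping copies a dotted field out of each secondary row, and a `referenceLookup` mapping takes the row's `key` value, finds the rows in the result set named by `data` that carry the same `key`, and returns their `field`. The following Python is an added example, not the connector's code: it implements that join over constructed rows so the shape of the mapped output is visible. The `field_mappings` block is copied from this page's input example; the machine and vulnerability rows, placeholder CVE IDs and `example.invalid` links are constructed, and two behaviours are my assumptions rather than documented connector behaviour: results are grouped by the `master_key` value, and a lookup with no matching primary row yields `None`.

```python
import json
from collections import defaultdict
from typing import Any, Dict, List

# Constructed rows shaped like an Entities/Machines/search result (the primary query).
PRIMARY_ROWS = [
    {"mid": 101, "machineTags": {"InstanceId": "i-0aaa111", "Account": "111122223333", "AmiId": "ami-0a1"}},
    {"mid": 102, "machineTags": {"InstanceId": "i-0bbb222", "Account": "111122223333", "AmiId": "ami-0b2"}},
]


def _vuln(mid, vuln_id, severity, status, pkg, installed, fixed):
    """Constructed row shaped like a Vulnerabilities/Hosts/search result (the secondary query)."""
    return {"mid": mid, "vulnId": vuln_id, "severity": severity, "status": status,
            "featureKey": {"name": pkg, "namespace": "amzn:2", "version_installed": installed},
            "fixInfo": {"fix_available": 1, "fixed_version": fixed},
            "cveProps": {"description": f"constructed text for {vuln_id}",
                         "link": f"https://example.invalid/{vuln_id}"}}


# Placeholder CVE ids. mid 999 has no machine row, which exercises the missed-lookup path.
SECONDARY_ROWS = [
    _vuln(101, "CVE-0000-1111", "Critical", "Active", "openssl", "1.0.2k-16", "1.0.2k-24"),
    _vuln(102, "CVE-0000-1111", "Critical", "New", "openssl", "1.0.2k-19", "1.0.2k-24"),
    _vuln(999, "CVE-0000-2222", "High", "Active", "curl", "7.79.1-1", "7.79.1-2"),
]

# master_key and field_mappings exactly as in this page's Get Host Vulnerabilities input example.
MASTER_KEY = "vulnerability_id"
FIELD_MAPPINGS = {
    "agent_id": {"referenceLookup": {"key": "mid", "field": "mid", "data": "primary_query", "multi_value": False}},
    "cloud_instance_id": {"referenceLookup": {"key": "mid", "field": "machineTags.InstanceId", "data": "primary_query", "multi_value": False}},
    "cloud_account_id": {"referenceLookup": {"key": "mid", "field": "machineTags.Account", "data": "primary_query", "multi_value": False}},
    "ami_id": {"referenceLookup": {"key": "mid", "field": "machineTags.AmiId", "data": "primary_query", "multi_value": False}},
    "vulnerability_id": "vulnId",
    "vulnerability_meta_name": "featureKey.name",
    "vulnerability_meta_namespace": "featureKey.namespace",
    "vulnerability_description_text": "cveProps.description",
    "vulnerability_reference": "cveProps.link",
    "vulnerability_meta_version_current": "featureKey.version_installed",
    "vulnerability_meta_version_fixed": "fixInfo.fixed_version",
    "vulnerability_severity": "severity",
    "vulnerability_category": "status",
}


def get_path(obj: Any, dotted: str) -> Any:
    """Resolve a dotted path such as 'machineTags.InstanceId'; None if any hop is missing."""
    current = obj
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def join_results(primary_rows, secondary_rows, master_key, field_mappings) -> Dict[Any, List[dict]]:
    """Apply field_mappings to every secondary row and group the records by master_key.

    referenceLookup results are all matches when multi_value is true, otherwise the first
    match or None (the None-on-miss and group-by-master_key behaviour are assumptions).
    """
    datasets = {"primary_query": primary_rows, "secondary_query": secondary_rows}
    # (dataset, key field) -> key value -> matching rows, built once so each lookup is O(1).
    indexes: Dict[tuple, Dict[Any, List[dict]]] = {}
    for mapping in field_mappings.values():
        if isinstance(mapping, dict):
            ref = mapping["referenceLookup"]
            slot = (ref["data"], ref["key"])
            if slot not in indexes:
                index: Dict[Any, List[dict]] = defaultdict(list)
                for row in datasets[ref["data"]]:
                    index[get_path(row, ref["key"])].append(row)
                indexes[slot] = index
    grouped: Dict[Any, List[dict]] = defaultdict(list)
    for row in secondary_rows:
        record = {}
        for name, mapping in field_mappings.items():
            if isinstance(mapping, str):
                record[name] = get_path(row, mapping)
                continue
            ref = mapping["referenceLookup"]
            matches = indexes[(ref["data"], ref["key"])].get(get_path(row, ref["key"]), [])
            values = [get_path(m, ref["field"]) for m in matches]
            record[name] = values if ref.get("multi_value") else (values[0] if values else None)
        grouped[record[master_key]].append(record)
    return dict(grouped)


if __name__ == "__main__":
    print(json.dumps(join_results(PRIMARY_ROWS, SECONDARY_ROWS, MASTER_KEY, FIELD_MAPPINGS), indent=2))
```

The missed-lookup row (mid 999) is the case worth watching in a real playbook: a vulnerability reported for a machine that the primary query did not return (for example one filtered out by the primary filter) comes through with `agent_id`, `cloud_instance_id`, `cloud_account_id` and `ami_id` all unset, so downstream steps should not assume those fields are populated.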