
Welcome to our community

Community Q&A and Discussion

Start discussions about cloud security or Lacework, ask questions, get answers

Product updates

Read the latest news from our product team

Support

File a Support Ticket

Lacework Academy

Essential information and instructions to set up and use Lacework

Featured topics

meagen.eisenberg (Lacer)
 Lacework News and Notes

New CISO Board Book

Hey everyone,

Did you know that only nine percent of boards in the Fortune 500 companies have directors with strong cybersecurity knowledge? Combined with the meteoric rise of digital breaches, there’s a desperate need for cybersecurity expertise on company boards right now. And it’s only going to grow.

Edition two of the CISO Board Book from Lacework fills that gap and provides a comprehensive library of security expertise ready for board appointment. Chock full of expert security leaders from leading companies like Rolls-Royce Power Systems AG, Hugo Boss, and SAP, the resource is an excellent source of expertise for boards large and small.

New York Times - Welcome to the next class of Security leaders

Next year’s Board Book is also already in the works. If you’re a CISO or other executive level cybersecurity expert that would like to be included, send us a note at boardbook@lacework.com and connect with me on LinkedIn.

Meagen

Agent: N/A; Platform: Using Lacework/Operationalizing; Cloud: N/A

0
meagen.eisenberg
Lacer
9 hours ago
darioosh (Participant)
 General Platform Administration and Configuration

AWS IdC monitoring

Hi, Is there a way, or is there a roadmap, to monitor IdC users in AWS? The users created in one public cloud sync to AWS IdC. We can imagine that with some high privileges, perhaps, some permissions could be modified. Can Lacework put an eye on this? Thanks

Agent: Linux 6.6X; Platform: Using Lacework/Operationalizing; Cloud: AWS

1
1 day ago
craigbeyerjr (Community Manager)
 Cloud Workload Security

How can Lacework help me triage identified IaC Security violations?

The Lacework IaC Security scanner continuously assesses your Infrastructure as Code repository to identify misconfigurations before resources are instantiated in your cloud environment.

To ensure a swift and easy remediation process, the Lacework platform provides extensive information for each violation. To find more information on the violation, click on the violation and reference the Guidelines tab. (screenshot attached)

Here, you will find all relevant information about the violation, enabling you to triage and effectively remediate the violation.

Agent: N/A; Platform: Using Lacework/Operationalizing; Cloud: N/A

0
4 days ago
scott.russell (Community Manager)
 General Platform Administration and Configuration

"Failed to upload log" Error in Linux Agent Logs

It has been found that if you deployed the Lacework Linux Agent (version 6.10.0) on GKE Autopilot using the Lacework Helm Chart, then you might see warning log messages similar to this popping up in your Cloud Logs:

time="2023-11-26T21:45:15.811Z" level=warning msg="Failed to upload log: /var/log/lacework/datacollector.console.log, stat /var/log/lacework/datacollector.console.log: no such file or directory " caller="agentmgr.go:105" pid=5065

Assuming you can see data on your clusters, nodes, and pods from within your Lacework console, then we can say with a high level of certainty that this is expected behavior. This is dev specific logging that indicates no negative effect on your installation. That being said, if you are still worried or want to suppress the warning, feel free to submit a support ticket.

While this information may be relevant to other agent versions or installation methods, it's important to note that we haven't reviewed or tested them. Consequently, we cannot confid

0
scott.russell
6 days ago
scott.russell (Community Manager)
 General Platform Administration and Configuration

Are real-time emailed alerts possible? I created an Alert Rule, but I'm not seeing that many alerts being sent to my Alert Channel.

Yes and no... very few pieces of software are actually "real-time". That being said, it is possible to have alerts sent to your specific Alert Channel as soon as they are fired within Lacework.

If you have an Alert Rule that isn't sending alerts to the Alert Channel you've specified, make sure to double check the filters you have defined for the Alert Rule. Sometimes, if you are too specific with your filters it can actually negatively impact the alerts that are sent to the Alert Channel. As a general rule of thumb, it is better to be more broad with your filters so that you can verify you are receiving alerts. Then, over time, you can introduce more granularity into the Alert Rule as per your requirements.

Agent: N/A; Platform: Using Lacework/Operationalizing; Cloud: N/A

0
scott.russell
7 days ago
Grant Martin (Community Manager)

Lacework AI Assist launches to simplify cloud security and level up your team

Lacework AI Assist, an assistive generative AI technology developed internally at Lacework, is a powerful new tool designed to help teams better understand cloud environments, gain insights faster and level up cybersecurity skills.

Launched today, Lacework assistive technology provides customers with the capability to ask questions in clear language such as:

  • Why should I look at this alert?
  • What Lacework tools can I use to further investigate this?
  • How do I fix this misconfiguration using the AWS CLI?
  • Does this violation affect my SOC2 compliance?

Output from the tool is delivered in a simple, concise format designed to be both understood by the entry-level security analyst and with the technical depth to be actionable.

Here’s what this conversation would look like with Lacework AI Assist:

“Why does this alert matter?”

“This alert is important because it involves enabling Role Based Access Control (RBAC) for Azure Key Vault, which is a crucial aspect of managing access permissions

160
Grant Martin
7 days ago
scott.russell (Community Manager)
 Vulnerability Management

I currently have two Cloud Account integrations: TF AWS CloudTrail and TF AWS Configuration. If I want to add Agentless Workload Scanning (AWLS), do I need to add a new Cloud Account, or should I modify/replace the existing TF Cloudtrail account?

Short Answer: You can treat Agentless Workload Scanning as its own integration. You don't need to modify anything in the existing integrations. You can just create a separate one using any of our Agentless Workload Scanning (AWLS) integration methods, found here: https://docs.lacework.net/onboarding/category/aws-agentless-workload-scanning-integrations

We also offer Agentless Workload Scanning for GCP, which you can review here: https://docs.lacework.net/onboarding/gcp-integrate-agentless-workload-scanning-with-terraform

Agent: Agentless (Workload Scanning); Platform: Deploy Lacework/Installation; Cloud: AWS

0
scott.russell
8 days ago
scott.russell (Community Manager)
 Practitioner Tools (API/CLI /LQL)

In an LQL query, can I use multiple fields in a Semi-join filter?

Short answer: Absolutely!

If using a Semi-join (in / not in) LQL query, there may come a time when you'll want to use multiple fields to filter on the "in / not in" value. To show you what I mean and how we can do it, let's use an example. First we'll look at a query that uses a simple Semi-join with just one field, then we’ll evolve it to use multiple fields.

Okay, let's say we want to get the names of containers that are making network requests to a specific IP address (e.g., 91.109.184.3). In order to do this, we'll use the following data sources and approach:

  • LW_HA_CONNECTION_SUMMARY: Contains summaries of all network connections. We'll use this to get the unique machine ID of the host machine(s) connecting to the specific IP address.
  • LW_HE_MACHINES: Contains details about host machines. Using the returned machine ID(s) from the LW_HA_CONNECTION_SUMMARY data source, we can get additional details about the host machine(s).
  • LW_HE_CONTAINERS: Contains details about containers running

0
scott.russell
8 days ago
craigbeyerjr (Community Manager)
 Alert Investigation

How do you respond when a New Vulnerable Application alert is raised by the Lacework platform?

Start your investigation by gaining an understanding of the vulnerability impacting the application. Ensure you know what exploitation activity for the vulnerability looks like in your environment.

Then, focus your attention to the activity that triggered the alert which will typically be a network connection. Investigate the connection details, the source and destination hosts, the IP Addresses, and the processes involved to determine if the connection is expected within your environment. Utilize the Resources dossier to expand your search criteria to check for similar activity in other parts of the environment, also expand the date and time range to check for historical context.

Once you understand the activity that triggered the alert, assess it to determine if the activity aligns to what you would expect to see if the vulnerability was exploited.

If you do find evidence of vulnerability exploitation or other signs of malicious activity, escalate the alert to an official incident an

0
19 days ago
Grant Martin (Community Manager)

Secure first-party code with Static Application Security Testing (SAST)

Lacework static application security testing (SAST) empowers teams to rapidly scale their static code analysis, reduce noise, prioritize what matters most, and uncover hidden security defects. Developers gain fast and accurate results that minimize security obstacles as they write code. Lacework provides differential analysis each time code is updated to highlight new vulnerabilities and allow developers to focus on risks they’ve introduced.

With Lacework, application security teams gain deep insights into critical risks within their most exposed applications. Lacework provides an in-depth model of each application’s control and data flows to uncover complex and hard to find vulnerabilities.

Read more about the new SAST capabilities from Lacework here.

320
Grant Martin
21 days ago
LacerX (Lacer)
 General Platform Administration and Configuration

Is it possible to allow a user to only see a single section in Lacework?

Recently I was asked by someone if they could lock down the Lacework UI because they wanted their finance department to only see the licensing used page, so they could match the subscription to vCPU and their license usage.

The answer is YES. You have granular control over the visibility of what a particular user can potentially access within the platform.

The basic steps are:

Create a role that has only “read” access to whatever you want them to access.

  • Login to Lacework
  • Click on the settings menu at the bottom left
  • In the “Access Control” section, click on “Roles”
  • Click on “+Add New”
  • Type in the Name of your choice
  • Select the Pages and level of access required for the role
  • Click Create

Create a user group and put that “role” in that group.

  • Navigate to Settings → User Groups in the “Access Control” Menu group
  • Click on “+Add New”
  • Type in the Name of your choice
  • Select the role from the dropdown menu
  • Click the Next Button
  • Select the users to be assigned

0
LacerX
Lacer
1 month ago
LacerX (Lacer)
 General Platform Administration and Configuration

What changed in my configuration to cause the alert?

A Lacework Alert comes in and it is for compliance or configuration changes. Once you get the alert, it is logical to want to investigate and figure out what caused it, when it happened, and keep investigating so you know when something happened and who made the change. How can I, within Lacework, identify those changes and be able to compare the configurations so I can identify what changed and when it happened?

Agent: N/A; Platform: Using Lacework/Operationalizing; Cloud: AWS

1
LacerX
Lacer
2 months ago
erika.garcia (Participant)
 General Platform Administration and Configuration

QUESTION ABOUT CHANGE OF ALIAS

Hi! I was modifying the aliases of the AWS accounts from Lacework and I noticed that two sections appear, one called Lacework-Control-Tower-Config-Member-"account" and another TF AWS EKS Audit Log; each of the accounts has these two sections. My question is whether I should modify the alias of both, or just one. I am making this change from settings > cloud accounts. I await your answer. Thank you.

1
2 months ago

Getting Started

All of the basics to get started in the Lacework Community

Community Welcome and Guidelines

  • 4 topics
  • 20 Replies

General Platform Administration and Configuration

  • 19 topics
  • 17 Replies

Lacework News and Notes

  • 10 topics
  • 1 Reply

General Security Discussion

Discussion and thought leadership on the cloud security industry

What's Next in Security

  • 1 topic
  • 1 Reply

Cloud Security In Practice

  • 5 topics
  • 9 Replies

Hack'd Resources

  • 1 topic
  • 0 Replies

Lacework Platform Q&A

Specific questions and discussions related to Lacework and cloud security environments

Vulnerability Management

  • 8 topics
  • 10 Replies

Cloud Workload Security

  • 8 topics
  • 5 Replies

Cloud Management Security

  • 3 topics
  • 1 Reply

Practitioner Tools (API/CLI /LQL)

  • 9 topics
  • 4 Replies

Alert Investigation

  • 3 topics
  • 1 Reply


Cloud Detection and Response: Market Growth as an Enterprise Requirement

Read the new report from the Enterprise Strategy Group (ESG) that surveys nearly 400 cybersecurity and IT professionals and puts cloud detection and response (CDR) under the microscope.
