Hack’d is a learning series run by Lacework that’s geared to help raise the global tide around cybersecurity awareness. Led by security experts like Úlfar Erlingsson, Lea Kissner and Niels Provos, the coursework is built to replicate and facilitate and share across the industry. Use the resources below to run your owh Hack’d session at your place of work, download content for your upcoming Lacework-led session or simply browse through the content on your own. Click the links below to review and download content:Hack’d facilitation guide: use this to facilitate a Hack’d session at your own place of work Hack’d homework template NotPetya Solarwinds
LQL Overviewhttps://docs.lacework.net/lql/restricted/lql-overviewThe Lacework Query Language (LQL) is an SQL-like query language for specifying the selection, filtering, and manipulation of data. Queries let you interactively request information from curated datasources. Queries have a defined structure for authoring detections.LQL enables you to find non-compliant resources or suspicious activity by querying data ingested from cloud providers, Kubernetes, CloudTrail activity logs, and the Lacework agent. Then you can associate queries with policies, which contain rich reporting metadata. LQL Operatorshttps://docs.lacework.net/lql/restricted/lql-operatorsLQL uses conventional SQL notation for arithmetic, comparisons, and logical operations. LQL Functionshttps://docs.lacework.net/lql/restricted/lql-functionsThis topic lists all Lacework Query Language functions alphabetically. Datasource Metadatahttps://docs.lacework.net/lql/restricted/datasource-metadataThis topic lists the datasources
We’re very excited to announce a new Pub/Sub-based integration to collect Google Cloud Audit Logs! This new integration unlocks a ton of new capabilities, including:Low-latency alerting, as events are delivered from Google Cloud much more quickly Composite alerts based on Google Cloud Audit Log events Custom LQL policies based on Google Cloud Audit Log eventsThis integration is currently in Public Preview as we monitor performance and collect customer feedback.If you are integrating Lacework with Google Cloud for the first time, then please reach out to me (spencer.engleson@lacework.net) to get the Pub/Sub integration enabled.If you have already integrated Lacework with Google Cloud, then you may need to migrate from the Storage-based integration to the new Pub/Sub architecture. See our product documentation for more information:Migrate using Terraform Migrate manuallyPlease comment here or reach out to me directly with questions and feedback. AgentN/APlatformCurrentCloudGCP
In AWS all ECS fargate tasks run in the “awsvpc” networking mode which means that each task gets its own Elastic Network Interface (ENI). Since each task gets an ENI, this means that a security group must also be attached to the task and we can search for this security group id using LQL. The query below will filter for any network interface that is associated to an ECS task and will return the security group associated to that ENI. queryId: LWCustomCompliance_ECS_fargate_security_groupsqueryText: |- { source { LW_CFG_AWS_EC2_NETWORK_INTERFACES as interface, array_to_rows(interface.RESOURCE_CONFIG:Groups) as groups } filter{ RESOURCE_ID::String in { source { LW_CFG_AWS_ECS_DESCRIBE_TASKS as task, array_to_rows(task.RESOURCE_CONFIG:attachments) as attachments, array_to_rows(attachments:details) as details } filter { details:value::String like any("eni-%") } return {
A lot of you may have noticed a button appearing on your alerts that says "Close as False Positive." But what does it actually do? Well, let me tell ya! For our reference, this is the button I'm referring to: So what does it do? Well, I'm sure you've probably clicked it thinking that it would prevent that type of alert from showing up again (believe me, I did the same thing). But that's not exactly what it does. When you click "Close as False Positive," you're essentially closing the alert in the same way you would if you clicked the "Close" button. The only difference is that when you click "Close as False Positive," you're actually providing Lacework with some extra feedback. This feedback is then sent to our ML/data team for further analysis. At which point they can make adjustments to the detection engine based on that feedback. That's all good and dandy, but what if I want to prevent that type of alert from showing up again? Well, in that case, you'll want to create exceptions for
Welcome to the communityHi everyone 👋🏼! If you’re here it’s because you want to build better cloud security — alongside all your peers. We’re excited to have you and look forward to some great discussions. This is the perfect time to introduce yourself and offer up a fun fact. Don’t be shy — it will help you connect with others, I promise. Happy hunting and happy connecting!
Several new features launched at Lacework this past month that drive unique value for enterprise-grade customers. With a focus on saving time and resources for security professionals, the features better visualize the relationship among risks risks, provide new visual dashboards, add new context to alerts, and expand our Composite Alert capabilities. Let’s take a look.Lacework Explorer Lacework Explorer combines a security graph (i.e., a graphical visualization of cloud assets) and resource explorer to show the complex relationships and associations among all of the resources and services in your cloud environment. With simple, interactive visuals, Lacework Explorer helps users quickly understand and prioritize the potential risk associated with each entity or resource. New DashboardsNew Lacework DashboardsLacework Security Dashboards provide security leaders immediate insights into how their security program is tracking against its overall goals and gives them the granular visibility
Instructions for how to create a proxy scanner integration can be found in the following documentation. However, it is important to note that the example config.yml provided in the "Configure the Proxy Scanner" section is intended for a connection to a single Nexus repository with one domain/port. If there is a need to have the proxy scanner to scan multiple repositories, the config.yml file for the proxy scanner needs to have multiple registry domains, one for each repository since in Nexus, repositories are configured and run on separate ports. An example of a proxy scanner config.yaml file for multiple repositories can be found below. scan_public_registries: falsestatic_cache_location: /opt/lacework/cachedefault_registry:lacework: account_name: lacework-account integration_access_token: ****registries: - domain: NEXUS-FQDN:<port> name: NEXUS1 ssl: true is_public: false credentials: user_name: "userinregistry" password: "*****" notification_type:
If this is you:I’ve recently come across one of Google Cloud’s offerings, Cloud Asset Inventory, and I’m curious what the difference is between that and what Lacework has to offer?Then check out the answer below! AgentN/APlatformUsing Lacework/OperationalizingCloudGCP
Already have an account? Login
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
Sorry, we're still checking this file's contents to make sure it's safe to download. Please try again in a few minutes.
Sorry, our virus scanner detected that this file isn't safe to download.
