Skip to main content

Unanswered questions

37 Topics
J
j0aqu1mParticipant
asked in General Platform Administration and Configuration
Okta SAML JIT configuration using groups for access

I’ve been able to successfully configure Lacework + Okta SAML JIT for individual accounts. Now, I’m wondering if I’m able to configure Lacework access via Okta group membership. For example, Lacework Admin group membership in Okta would grant admin access to the members in Lacework. There doesn’t seem to be documentation for this so I’m guessing it’s not possible? AgentundefinedPlatformundefinedCloudundefined

540
J
2 months ago
D
DaveParticipant
asked in Practitioner Tools (API/CLI /LQL)
Lacework CLI: Where is GCP's Network Interface defined, within the sources of LW_GCF_GCP?

I am trying to create a query that looks for where SSH/RDP open to the web within GCP, only when a network interface is attached the VM. I’m able to locate other platforms (ie: AWS/Azure) where Network Interface is defined within a source (ie: LW_CFG_AWS_EC2_NETWORK_INTERFACES), however, I can’t seem to locate it for GCP. Does anyone happen to have come across this in the past, for GCP specifically?  AgentLinux 6.6XPlatformUsing Lacework/OperationalizingCloudGCP

830
D
2 months ago
J
Lacer
jbonnerLacer
asked in Practitioner Tools (API/CLI /LQL)
Is there a visual representation / map of all available table joins for LQL/LPP data sources? 

For us visual learners 😎 AgentN/APlatformCurrentCloudN/A

3801
A
Lacer
5 months ago
S
Lacer
steven.sorannoLacer
asked in General Platform Administration and Configuration
How to set up Okta SAML JIT for a single account in Lacework?

General Instructions for setup:Complete the steps in the following documentation in order to set up an App Integration in Okta with all the Lacework Service Provider information.  Note: In following the above instructions make sure to add the following required attribute statements to the App Integration for JIT access:   If you are using a Lacework Organization with multiple accounts, additional attribute statements must also be added for Organization level roles. Lacework Organization Admin Role Lacework Organization User Role For more information about attribute statements, reference the following documentation: https://docs.lacework.net/onboarding/configure-saml-jit-with-okta Once the App integration is created in Okta with all the correct attribute statements, select the "View SAML setup instructions" option to view the SAML app details.  Log back into lacework and add these IDP metadata details to the Lacework Authentication page.   Navigate back to

2240
S
Lacer
5 months ago
therockvalley
therockvalleyParticipant
asked in Cloud Workload Security
Has anyone figured out a way to create resource groups based on pod labels?

I’m trying to create container resource groups based on pod labels, but these do not seem to be available.In specific I want to be able to create resource groups and queries based on the output of: kubectl get pod my_pod -n my_namespace -o=jsonpath='{.metadata.labels}'Below is an example of what I would like to do in query terms:filter { containers.PROPS_LABELS["my_pod_label_key"] = "my_pod_label_value" }(this won’t actually work afaik, just an illustration of what I’m after)Seems like a rather obvious thing to be able to do. Wondering is there is an apparent trick I’m missing.AgentN/APlatformTuning Lacework/CustomizationCloudN/A

4334
scott.russell
6 months ago
S
Lacer
steven.sorannoLacer
asked in Practitioner Tools (API/CLI /LQL)
How can I identify and list all security groups associated with ECS fargate tasks?

In AWS all ECS fargate tasks run in the “awsvpc” networking mode which means that each task gets its own Elastic Network Interface (ENI).  Since each task gets an ENI, this means that a security group must also be attached to the task and we can search for this security group id using LQL.  The query below will filter for any network interface that is associated to an ECS task and will return the security group associated to that ENI.  queryId: LWCustomCompliance_ECS_fargate_security_groupsqueryText: |- { source { LW_CFG_AWS_EC2_NETWORK_INTERFACES as interface, array_to_rows(interface.RESOURCE_CONFIG:Groups) as groups } filter{ RESOURCE_ID::String in { source { LW_CFG_AWS_ECS_DESCRIBE_TASKS as task, array_to_rows(task.RESOURCE_CONFIG:attachments) as attachments, array_to_rows(attachments:details) as details } filter { details:value::String like any("eni-%") } return {

3190
S
Lacer
7 months ago
scott.russell
scott.russellCommunity Manager
asked in General Platform Administration and Configuration
What does "Close as False Positive" button actually do?

A lot of you may have noticed a button appearing on your alerts that says "Close as False Positive." But what does it actually do? Well, let me tell ya! For our reference, this is the button I'm referring to: So what does it do? Well, I'm sure you've probably clicked it thinking that it would prevent that type of alert from showing up again (believe me, I did the same thing). But that's not exactly what it does. When you click "Close as False Positive," you're essentially closing the alert in the same way you would if you clicked the "Close" button. The only difference is that when you click "Close as False Positive," you're actually providing Lacework with some extra feedback. This feedback is then sent to our ML/data team for further analysis. At which point they can make adjustments to the detection engine based on that feedback. That's all good and dandy, but what if I want to prevent that type of alert from showing up again? Well, in that case, you'll want to create exceptions for

3730
scott.russell
7 months ago
S
Lacer
steven.sorannoLacer
asked in Vulnerability Management
How to set up the Lacework Proxy Scanner to integrate with a Sonatype Nexus Registry with multiple repositories?

Instructions for how to create a proxy scanner integration can be found in the following documentation.  However, it is important to note that the example config.yml provided in the "Configure the Proxy Scanner" section is intended for a connection to a single Nexus repository with one domain/port.  If there is a need to have the proxy scanner to scan multiple repositories, the config.yml file for the proxy scanner needs to have multiple registry domains, one for each repository since in Nexus, repositories are configured and run on separate ports.  An example of a proxy scanner config.yaml file for multiple repositories can be found below.  scan_public_registries: falsestatic_cache_location: /opt/lacework/cachedefault_registry:lacework: account_name: lacework-account integration_access_token: ****registries: - domain: NEXUS-FQDN:<port> name: NEXUS1 ssl: true is_public: false credentials: user_name: "userinregistry" password: "*****" notification_type:

2800
S
Lacer
7 months ago
C
CSA TeamCommunity Manager
asked in Cloud Management Security (CSPM, IaC Security, UEBA)
What are the differences between Lacework and GCP's Cloud Asset Inventory?

If this is you:I’ve recently come across one of Google Cloud’s offerings, Cloud Asset Inventory, and I’m curious what the difference is between that and what Lacework has to offer?Then check out the answer below!   AgentN/APlatformUsing Lacework/OperationalizingCloudGCP

3031
C
7 months ago
S
Lacer
steven.sorannoLacer
asked in Practitioner Tools (API/CLI /LQL)
How can I pull Kubernetes Compliance report data via the Lacework API?

The following Lacework API endpoint, “/api/v2/Configs/ComplianceEvaluations/search”,  will enable you to export Kubernetes Compliance report data in json format.   Below is an example using this endpoint to pull all Kubernetes Compliance data for a set timeframe.  When using this endpoint, ensure that the payload has dataset set to “K8sCompliance” to filter out any CSP compliance data.lacework api post "/api/v2/Configs/ComplianceEvaluations/search" -d '{ "timeFilter": { "startTime": "2024-03-12T20:30:00Z", "endTime": "2024-03-13T22:30:00Z"},"dataset": "K8sCompliance" }'The output of this command will be a json array of objects detailing all the Kubernetes Compliance Violations with each object looking similar to the example below:{ "account": { "AccountId": "XXXXXXXXXXXX", "accountId": "XXXXXXXXXXXX" }, "evalType": "LW_K8S_SA", "id": "lacework-global-315", "reason": "EKS cluster does not have all logging categories enabled", "recommendation":

3110
S
Lacer
8 months ago
S
Lacer
steven.sorannoLacer
asked in Cloud Management Security (CSPM, IaC Security, UEBA)
When investigating an identity in the identities dossier, how can I determine what AWS IAM policy a specific permission is a part of in AWS?

When reviewing an identity in the identity explorer, it is possible to export all entitlements tied to the identity being reviewed.  From this export additional fields can be seen one of which is the policy that each action is a part of along with the role/user it is attached to. To export an entitlements list as a CSV follow the below steps:Navigate to Identities > Explore: Identities, select the identity that you want to investigate. Select the Entitlements tab to display all the entitlements that identity has and select the service you want to export. Once the service is selected, click the download icon to download the csv export which includes the policy name in column F.     Example CSV Output: Principal ID Account ID Account Alias Service name Resource Policy name Updated time Actions Used Last Used Revoked Condition arn:aws:iam::XXXXXXXXXXXX:root XXXXXXXXXXXX  

3150
S
Lacer
8 months ago
C
Lacer
craigbeyerjrLacer
asked in General Platform Administration and Configuration
Can I customize Jira tickets created by Lacework alerts?

Yes, absolutely! If your organization configured Jira as a Lacework Alert Channel, you can easily apply a custom template. In this post, we will develop a custom Jira template that will accomplish the following:Map the severity of Lacework Alerts to Jira's severity field Customize the default Summary field naming convention Several of our customers take advantage of custom templates to override a variety of other default Jira settings. You can learn more about custom Jira templates here. To develop a custom Jira template, start by creating a .json file and copy/paste the following json content.{    "fields": {        "summary": "Lacework - $event_severity_str - $event_type"    },    "severity": {        "Critical": {            "id": "1"        },        "High": {            "id": "2"        },        "Medium": {            "id": "3"        },        "Low": {            "id": "4"        },        "Info": {            "id": "5"        }    }} In the above template, we are renaming the J

4930
C
Lacer
8 months ago
Christopher Black
Lacer
Christopher BlackLacer
asked in General Platform Administration and Configuration
Deploying Lacework using Terraform...without using the LW TF provider

Hello community! I’m working through an interesting scenario where I need to provision EKS audit logs...without using the LW provider. There are some internal constraints on how TF is used with the organization I’m working with. Curious if anyone has any perspective they’re willing to share, cheers! AgentN/APlatformDeploy Lacework/InstallationCloudAWS

3270
Christopher Black
Lacer
8 months ago
Ahmed Abugharbia
Lacer
Ahmed AbugharbiaLacer
asked in Cloud Management Security (CSPM, IaC Security, UEBA)
Using Terraform to Integrate with Lacework in AWS Organization

There are several ways to integrate Lacework with accounts in an AWS Organization. Lacework provides multiple Terraform modules for this purpose. In this post, we will focus on the aws_org_configuration module. Integration:The aws_org_configuration module offers seamless automation for integrating Lacework with AWS Configuration and CloudTrail. It simplifies the process by automatically configuring integration across the root account and all associated sub-accounts within the specified organizational unit (OU). Additionally, it creates an SNS topic and Lambda function, ensuring that any new AWS accounts added to the organization are seamlessly integrated with Lacework. The module will perform the following tasks:Create the CloudTrail integration at the root account level. Create AWS Configuration integration for each of the sub-accounts. Note that this is not the same as the AWS Config service. Lacework does not rely on the native AWS Config service.For Lacework to access configuration

4280
Ahmed Abugharbia
Lacer
9 months ago
N
Lacer
Nick-at-LaceworkLacer
asked in General Platform Administration and Configuration
Does Lacework have an Integration with Bitsight?

Currently, Lacework doesn’t have a direct integration with Bitsight.  With that being said - all of the data that Lacework ingests, Lacework should be able to have a comparison with overlapping areas, ultimately not needing Bitsight.  A great way to do this would be leveraging Lacework’s compliance reports / dashboard where risks are easily identifiable and actionable.  AgentN/APlatformUsing Lacework/OperationalizingCloudN/A

3410
N
Lacer
9 months ago
I
Lacer
imrandoraneyLacer
asked in Cloud Management Security (CSPM, IaC Security, UEBA)
How often is my cloud account tested for compliance violations? And when should I expect a configuration that violates a compliance policy be triggered as an alert?

Scenario: want to understand how often Lacework scans our environment and when we’ll be alerted to changes AgentN/APlatformUsing Lacework/OperationalizingCloudN/A

2711
I
Lacer
9 months ago
I
Lacer
imrandoraneyLacer
asked in Cloud Management Security (CSPM, IaC Security, UEBA)
How can I get a list of all violations per cloud account?

Scenario: I need to generate an excel document to share with the team who manages that account. AgentN/APlatformUsing Lacework/OperationalizingCloudN/A

3401
I
Lacer
9 months ago
D
dariooshParticipant
asked in General Platform Administration and Configuration
AWS IdC monitoring

Hi, Is there a way, or is there a roadmap, to monitor IdC users in AWS. The users created in one public cloud sync to AWS IdC. We can imagine that with some high privileges, perhaps, some permissions could be modified. Can Lacework put an eyes on this? Thanks AgentLinux 6.6XPlatformUsing Lacework/OperationalizingCloudAWS

4943
C
Lacer
11 months ago
LacerX
Lacer
LacerXLacer
asked in General Platform Administration and Configuration
Is it possible to allow a user to only see a single section in Lacework?

Recently I was asked by a someone if they could lock down the Lacework UI because they wanted their finance department to only see the licensing used page, so they could match the subscription to vCPU and their license usage.  The answer is YES.  You have granular control over the visibility of what a particular user can potentially access within the platform.The basic steps are, create a role that has only “read access to whatever you want them to access. (Login to lacework Login to Lacework Click on the settings menu at the bottom left In the “Access Control” section, click on “Roles” Click on “+Add New”  Type in the Name of your choice Select the Pages and level of access required for the role Click Create Create a user group and put that “role” in that group Navigate to Settings → User Groups in the “Access Control” Menu group Click on “+Add New”  Type in the Name of your choice Select the role from the dropdown menu Click the Next Button Select the users to be assigned

4810
LacerX
Lacer
1 year ago
LacerX
Lacer
LacerXLacer
asked in General Platform Administration and Configuration
What changed in my configuration to cause the alert?

A Lacework Alert comes in and it is for compliance or configuration changes.  Once you get the alert, it is logical to want to investigate and figure out what caused it, when it happened, and keep investigating so you know when something happened and who made the change.  How can I, within Lacework, identify those changes and be able to compare the configurations so I can identify what changed and when it happend? AgentN/APlatformUsing Lacework/OperationalizingCloudAWS

5011
LacerX
Lacer
1 year ago
E
erika.garciaParticipant
asked in General Platform Administration and Configuration
QUESTION ABOUT CHANGE OF ALIAS

Hi! I was modifying the aliases of the AWS accounts from Lacework and I noticed that two sections appear, one called Lacework-Control-Tower-Config-Member-"account" and another TF AWS EKS Audit Log, each of the accounts has these two sections . My question is whether I should modify the alias of both, or just one. I am making this change from settings > cloud accountsI wait your answer.Thank you.

5151
C
Lacer
1 year ago
R
robert5156Participant
asked in Vulnerability Management
How to identify Internet accessible nodes and container pods ( inbound from internet)?

Hi,Looking for some advice.Basically with-in lacework kubernetes , looking to see which pods & nodes are accessible from internet ( inbound from internet). What i found so far is we can use Resources → Kubernetes → Pod Network → External connections . You can select all columns and download a CSV. There is a similar view for actual nodes as well. Node→ Kubernetes → Node Network → Node External Connections I am not 100% sure if this is accurate. Also this does not tell what ports are open for inbound connections ( some of the ports listed are >65k which seems to be odd as well)Wondering if anyone had figured out the correct way to “Identify Internet accessible nodes and container pods ( inbound from internet)?”. Thanks in advanceAgentLinux 6.6XPlatformUsing Lacework/OperationalizingCloudGCP

5351
A
1 year ago
M
Lacer
mikedurrrLacer
asked in Practitioner Tools (API/CLI /LQL)
How can I exclude hosts that haven't been seen for over X hours when pulling vulnerability data from the API?

I only want to see vulnerabilities for hosts that have been running in last 8 hours in my vulnerability reports. How can I craft my API calls to achieve this? AgentN/APlatformN/ACloudN/A

5171
LacerX
Lacer
1 year ago
M
M AParticipant
asked in General Platform Administration and Configuration
New Agent URL

The api.lacework.net agent url will retire on October 31, 2023, and will be replaced with agent.lacework.net.Is there a way to have the agent change its own target? Is there a way to get a report on which IP addresses are using the old endpoint before the retirement?AgentN/APlatformUsing Lacework/OperationalizingCloudAWS

3551
C
Lacer
1 year ago
CISO Tim
Lacer
CISO TimLacer
asked in What's Next in Security
LMM and Security

I know that GenAI is a very popular topic in the security industry right now.  But I am curious, how does everyone see this technology becoming useful in the security (or even more specifically the cloud security) world?  To me, it’s about helping security teams do more with less.  Using the technology to automate response to tasks that take up the time of engineers. Or it could be the first level of triage for an alert that can response and know a specific action to take.  Other thoughts? AgentN/APlatformUsing Lacework/OperationalizingCloudAWS

6101
Ben Sherman
Lacer
1 year ago

Badge winners

Show all badges
Terms of UseCookie settings