In AWS all ECS fargate tasks run in the “awsvpc” networking mode which means that each task gets its own Elastic Network Interface (ENI). Since each task gets an ENI, this means that a security group must also be attached to the task and we can search for this security group id using LQL. The query below will filter for any network interface that is associated to an ECS task and will return the security group associated to that ENI. queryId: LWCustomCompliance_ECS_fargate_security_groupsqueryText: |- { source { LW_CFG_AWS_EC2_NETWORK_INTERFACES as interface, array_to_rows(interface.RESOURCE_CONFIG:Groups) as groups } filter{ RESOURCE_ID::String in { source { LW_CFG_AWS_ECS_DESCRIBE_TASKS as task, array_to_rows(task.RESOURCE_CONFIG:attachments) as attachments, array_to_rows(attachments:details) as details } filter { details:value::String like any("eni-%") } return {
A lot of you may have noticed a button appearing on your alerts that says "Close as False Positive." But what does it actually do? Well, let me tell ya! For our reference, this is the button I'm referring to: So what does it do? Well, I'm sure you've probably clicked it thinking that it would prevent that type of alert from showing up again (believe me, I did the same thing). But that's not exactly what it does. When you click "Close as False Positive," you're essentially closing the alert in the same way you would if you clicked the "Close" button. The only difference is that when you click "Close as False Positive," you're actually providing Lacework with some extra feedback. This feedback is then sent to our ML/data team for further analysis. At which point they can make adjustments to the detection engine based on that feedback. That's all good and dandy, but what if I want to prevent that type of alert from showing up again? Well, in that case, you'll want to create exceptions for
Instructions for how to create a proxy scanner integration can be found in the following documentation. However, it is important to note that the example config.yml provided in the "Configure the Proxy Scanner" section is intended for a connection to a single Nexus repository with one domain/port. If there is a need to have the proxy scanner to scan multiple repositories, the config.yml file for the proxy scanner needs to have multiple registry domains, one for each repository since in Nexus, repositories are configured and run on separate ports. An example of a proxy scanner config.yaml file for multiple repositories can be found below. scan_public_registries: falsestatic_cache_location: /opt/lacework/cachedefault_registry:lacework: account_name: lacework-account integration_access_token: ****registries: - domain: NEXUS-FQDN:<port> name: NEXUS1 ssl: true is_public: false credentials: user_name: "userinregistry" password: "*****" notification_type:
If this is you:I’ve recently come across one of Google Cloud’s offerings, Cloud Asset Inventory, and I’m curious what the difference is between that and what Lacework has to offer?Then check out the answer below! AgentN/APlatformUsing Lacework/OperationalizingCloudGCP
The following Lacework API endpoint, “/api/v2/Configs/ComplianceEvaluations/search”, will enable you to export Kubernetes Compliance report data in json format. Below is an example using this endpoint to pull all Kubernetes Compliance data for a set timeframe. When using this endpoint, ensure that the payload has dataset set to “K8sCompliance” to filter out any CSP compliance data.lacework api post "/api/v2/Configs/ComplianceEvaluations/search" -d '{ "timeFilter": { "startTime": "2024-03-12T20:30:00Z", "endTime": "2024-03-13T22:30:00Z"},"dataset": "K8sCompliance" }'The output of this command will be a json array of objects detailing all the Kubernetes Compliance Violations with each object looking similar to the example below:{ "account": { "AccountId": "XXXXXXXXXXXX", "accountId": "XXXXXXXXXXXX" }, "evalType": "LW_K8S_SA", "id": "lacework-global-315", "reason": "EKS cluster does not have all logging categories enabled", "recommendation":
When reviewing an identity in the identity explorer, it is possible to export all entitlements tied to the identity being reviewed. From this export additional fields can be seen one of which is the policy that each action is a part of along with the role/user it is attached to. To export an entitlements list as a CSV follow the below steps:Navigate to Identities > Explore: Identities, select the identity that you want to investigate. Select the Entitlements tab to display all the entitlements that identity has and select the service you want to export. Once the service is selected, click the download icon to download the csv export which includes the policy name in column F. Example CSV Output: Principal ID Account ID Account Alias Service name Resource Policy name Updated time Actions Used Last Used Revoked Condition arn:aws:iam::XXXXXXXXXXXX:root XXXXXXXXXXXX
Yes, absolutely! If your organization configured Jira as a Lacework Alert Channel, you can easily apply a custom template. In this post, we will develop a custom Jira template that will accomplish the following:Map the severity of Lacework Alerts to Jira's severity field Customize the default Summary field naming convention Several of our customers take advantage of custom templates to override a variety of other default Jira settings. You can learn more about custom Jira templates here. To develop a custom Jira template, start by creating a .json file and copy/paste the following json content.{ "fields": { "summary": "Lacework - $event_severity_str - $event_type" }, "severity": { "Critical": { "id": "1" }, "High": { "id": "2" }, "Medium": { "id": "3" }, "Low": { "id": "4" }, "Info": { "id": "5" } }} In the above template, we are renaming the J
Hello community! I’m working through an interesting scenario where I need to provision EKS audit logs...without using the LW provider. There are some internal constraints on how TF is used with the organization I’m working with. Curious if anyone has any perspective they’re willing to share, cheers! AgentN/APlatformDeploy Lacework/InstallationCloudAWS
There are several ways to integrate Lacework with accounts in an AWS Organization. Lacework provides multiple Terraform modules for this purpose. In this post, we will focus on the aws_org_configuration module. Integration:The aws_org_configuration module offers seamless automation for integrating Lacework with AWS Configuration and CloudTrail. It simplifies the process by automatically configuring integration across the root account and all associated sub-accounts within the specified organizational unit (OU). Additionally, it creates an SNS topic and Lambda function, ensuring that any new AWS accounts added to the organization are seamlessly integrated with Lacework. The module will perform the following tasks:Create the CloudTrail integration at the root account level. Create AWS Configuration integration for each of the sub-accounts. Note that this is not the same as the AWS Config service. Lacework does not rely on the native AWS Config service.For Lacework to access configuration
Currently, Lacework doesn’t have a direct integration with Bitsight. With that being said - all of the data that Lacework ingests, Lacework should be able to have a comparison with overlapping areas, ultimately not needing Bitsight. A great way to do this would be leveraging Lacework’s compliance reports / dashboard where risks are easily identifiable and actionable. AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
Scenario: want to understand how often Lacework scans our environment and when we’ll be alerted to changes AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
Scenario: I need to generate an excel document to share with the team who manages that account. AgentN/APlatformUsing Lacework/OperationalizingCloudN/A
Hi, Is there a way, or is there a roadmap, to monitor IdC users in AWS. The users created in one public cloud sync to AWS IdC. We can imagine that with some high privileges, perhaps, some permissions could be modified. Can Lacework put an eyes on this? Thanks AgentLinux 6.6XPlatformUsing Lacework/OperationalizingCloudAWS
Recently I was asked by a someone if they could lock down the Lacework UI because they wanted their finance department to only see the licensing used page, so they could match the subscription to vCPU and their license usage. The answer is YES. You have granular control over the visibility of what a particular user can potentially access within the platform.The basic steps are, create a role that has only “read access to whatever you want them to access. (Login to lacework Login to Lacework Click on the settings menu at the bottom left In the “Access Control” section, click on “Roles” Click on “+Add New” Type in the Name of your choice Select the Pages and level of access required for the role Click Create Create a user group and put that “role” in that group Navigate to Settings → User Groups in the “Access Control” Menu group Click on “+Add New” Type in the Name of your choice Select the role from the dropdown menu Click the Next Button Select the users to be assigned
A Lacework Alert comes in and it is for compliance or configuration changes. Once you get the alert, it is logical to want to investigate and figure out what caused it, when it happened, and keep investigating so you know when something happened and who made the change. How can I, within Lacework, identify those changes and be able to compare the configurations so I can identify what changed and when it happend? AgentN/APlatformUsing Lacework/OperationalizingCloudAWS
Hi! I was modifying the aliases of the AWS accounts from Lacework and I noticed that two sections appear, one called Lacework-Control-Tower-Config-Member-"account" and another TF AWS EKS Audit Log, each of the accounts has these two sections . My question is whether I should modify the alias of both, or just one. I am making this change from settings > cloud accountsI wait your answer.Thank you.
Hi,Looking for some advice.Basically with-in lacework kubernetes , looking to see which pods & nodes are accessible from internet ( inbound from internet). What i found so far is we can use Resources → Kubernetes → Pod Network → External connections . You can select all columns and download a CSV. There is a similar view for actual nodes as well. Node→ Kubernetes → Node Network → Node External Connections I am not 100% sure if this is accurate. Also this does not tell what ports are open for inbound connections ( some of the ports listed are >65k which seems to be odd as well)Wondering if anyone had figured out the correct way to “Identify Internet accessible nodes and container pods ( inbound from internet)?”. Thanks in advanceAgentLinux 6.6XPlatformUsing Lacework/OperationalizingCloudGCP
I only want to see vulnerabilities for hosts that have been running in last 8 hours in my vulnerability reports. How can I craft my API calls to achieve this? AgentN/APlatformN/ACloudN/A
The api.lacework.net agent url will retire on October 31, 2023, and will be replaced with agent.lacework.net.Is there a way to have the agent change its own target? Is there a way to get a report on which IP addresses are using the old endpoint before the retirement?AgentN/APlatformUsing Lacework/OperationalizingCloudAWS
I know that GenAI is a very popular topic in the security industry right now. But I am curious, how does everyone see this technology becoming useful in the security (or even more specifically the cloud security) world? To me, it’s about helping security teams do more with less. Using the technology to automate response to tasks that take up the time of engineers. Or it could be the first level of triage for an alert that can response and know a specific action to take. Other thoughts? AgentN/APlatformUsing Lacework/OperationalizingCloudAWS
I found the solutions brief: https://www.lacework.com/resource/solution-brief/cloud-infrastructure-entitlement-management-ciem/ and video: https://www.lacework.com/resource/video/lacework-cloud-infrastructure-entitlement-management-ciem/ AgentN/APlatformN/ACloudN/A
What are the specific ways the agentless workload scanning actually works to gather data? AgentAgentlessPlatformCurrentCloudGCP
AgentN/APlatformCurrentCloudN/A AgentN/APlatformCurrentCloudN/A
AgentN/APlatformCurrentCloudN/A
Once you are logged in the Lacework platform, List of active containers can be found via navigating to Resources > Containers > List of active containers under the Polygraph. AgentLinux 6.6XPlatformCurrentCloudHybrid
Already have an account? Login
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
Sorry, we're still checking this file's contents to make sure it's safe to download. Please try again in a few minutes.
Sorry, our virus scanner detected that this file isn't safe to download.
