3️⃣ Making your first Lacework API call!

API keys? Check! Postman? Check! All that’s left is to get some actual data yeehaw!:woman_technologist:


Now that you have your API keys and Postman collection configured, let’s run through a few calls.

What we’ll do is:

  • Simple: see all the sub-accounts my API key belongs to within Lacework
  • Advanced: run custom CloudTrail queries. To learn more about custom policies, check out our docs guide!
    • Validate a query
    • Create a new query
    • Execute the query

:eyes: Always double check the environment is set to the Lacework one!

Let’s get started!

UserProfile

:movie_camera::popcorn:Step-by-step video: Using Postman to make a UserProfile Lacework API call

Our Postman collection comes with a pre-script that will automatically obtain an authentication bearer token from your API credentials and refresh it as necessary so you can get going a lot quicker!

  • GET List sub-accounts – This endpoint is under the UserProfile folder; it allows us to see the sub-accounts associated with the API Key being used.
    1. Send the request
    2. Verify the response comes back with a 200 OK status code
    3. In Postman, you should see a response similar to this one:
    {
        "data": [
            {
                "username": "diana.esteves@lacework.net",
                "orgAccount": true,
                "url": "customerdemo.lacework.net",
                "orgAdmin": true,
                "orgUser": false,
                "accounts": [
                    {
                        "admin": true,
                        "accountName": "CUSTOMERDEMO",
                        "custGuid": "CUSTOMER_721595854C4272A5AC58B9FAA369C0ABB05564A91DA0ED9",
                        "userGuid": "CUSTOMER_2FA43544DA84F179F2F39AAB7D4ADC0E507BD823982E310",
                        "userEnabled": 1
                    }
                ]
            }
        ]
    }
    

Congrats, you’ve just made your first API call :slight_smile:

Queries

As a more advanced example, we can use the Query endpoints to validate, create, and execute custom queries. We’ll be using CloudTrail as our example. All the following endpoints are found in the Queries folder.

:movie_camera::popcorn:Step-by-step video: Using Postman to make Query API calls

  • POST Validate Queries – we call this endpoint to ensure our newly created query is valid
    1. Set the body of the request to the following:
    {
     "queryText": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh {source {CloudTrailRawEvents} filter {UPPER(EVENT:userIdentity.\"type\"::String) = 'ROOT' AND EVENT:userIdentity.invokedBy::String IS NULL AND EVENT:eventType::String <> 'AwsServiceEvent' AND ERROR_CODE IS NULL} return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}}"
    }
    
    2. Send the request
    3. Verify the response shows your expected results and we get a 200 OK status code
    4. In Postman, you should see a response similar to this one:
    {
       "data": {
           "queryId": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh3",
           "queryText": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh3 {source {CloudTrailRawEvents} filter {UPPER(EVENT:userIdentity.\"type\"::String) = 'ROOT' AND EVENT:userIdentity.invokedBy::String IS NULL AND EVENT:eventType::String <> 'AwsServiceEvent' AND ERROR_CODE IS NULL} return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}}",
           "resultSchema": [
               {
                   "name": "INSERT_ID",
                   "dataType": "Number",
                   "description": null
               },
               {
                   "name": "INSERT_TIME",
                   "dataType": "Timestamp",
                   "description": null
               },
               {
                   "name": "EVENT_TIME",
                   "dataType": "Timestamp",
                   "description": null
               },
               {
                   "name": "EVENT",
                   "dataType": "JSON",
                   "description": null
               }
           ]
       }
    }
    
  • POST Create Queries – we can go ahead and create the validated query
    1. Set the body of the request to the following:
    {
     "queryText": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh {source {CloudTrailRawEvents} filter {UPPER(EVENT:userIdentity.\"type\"::String) = 'ROOT' AND EVENT:userIdentity.invokedBy::String IS NULL AND EVENT:eventType::String <> 'AwsServiceEvent' AND ERROR_CODE IS NULL} return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}}",
     "queryId": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh"
    }
    
    2. Send the request
    3. Verify the response shows your expected results and we get a 201 Created status code
    4. In Postman, you should see a response similar to this one:
    {
       "data": {
           "queryId": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh3",
           "queryText": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh3 {source {CloudTrailRawEvents} filter {UPPER(EVENT:userIdentity.\"type\"::String) = 'ROOT' AND EVENT:userIdentity.invokedBy::String IS NULL AND EVENT:eventType::String <> 'AwsServiceEvent' AND ERROR_CODE IS NULL} return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}}",
           "evaluatorId": "Cloudtrail",
           "owner": "diana.esteves@lacework.net",
           "lastUpdateTime": "2022-03-31T03:44:09.000Z",
           "lastUpdateUser": "diana.esteves@lacework.net",
           "resultSchema": [
               {
                   "name": "INSERT_ID",
                   "dataType": "Number",
                   "description": null
               },
               {
                   "name": "INSERT_TIME",
                   "dataType": "Timestamp",
                   "description": null
               },
               {
                   "name": "EVENT_TIME",
                   "dataType": "Timestamp",
                   "description": null
               },
               {
                   "name": "EVENT",
                   "dataType": "JSON",
                   "description": null
               }
           ]
       }
    }
    
  • POST Execute Queries by ID – Show me the data! Time to execute our newly created query and get the precise information we want.
    1. Set the body of the request to the following:
    {
     "queryText": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh {source {CloudTrailRawEvents} filter {UPPER(EVENT:userIdentity.\"type\"::String) = 'ROOT' AND EVENT:userIdentity.invokedBy::String IS NULL AND EVENT:eventType::String <> 'AwsServiceEvent' AND ERROR_CODE IS NULL} return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}}",
     "queryId": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh"
    }
    
    2. Send the request
    3. Verify the response. If your account is fresh, it may be empty. Either way, ensure it's a 200 OK status code

For detailed information on the fields returned, review our Queries API reference documentation.
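The same validate, create and execute flow outside Postman, as an added example that is not from this post or from Lacework's own tooling: it derives the queryId from the LQL text, builds the three request bodies, flattens the UserProfile reply into sub-accounts, and checks that a Queries reply echoes the ID you sent with a resultSchema matching the return clause (the sample replies above show how the echoed ID can differ from the one in queryText). The https://<account>.lacework.net/api/v2/Queries paths and the bearer header are assumptions, and the sample query reply is constructed.

```python
import re

LQL_HEAD = re.compile(r"^\s*([A-Za-z0-9_]+)\s*\{")  # "<queryId> {"
LQL_RETURN = re.compile(r"return\s+(?:distinct\s+)?\{([^}]*)\}")  # "return [distinct] {cols}"

def query_id_from_text(query_text):
    """The LQL query ID is the identifier before the first '{' of queryText."""
    m = LQL_HEAD.match(query_text)
    if not m:
        raise ValueError("queryText does not start with a query identifier")
    return m.group(1)

def returned_columns(query_text):
    """Column names from the 'return [distinct] {...}' clause, in order."""
    m = LQL_RETURN.search(query_text)
    if not m:
        raise ValueError("queryText has no return clause")
    return [c.strip() for c in m.group(1).split(",") if c.strip()]

def build_query_requests(account, query_text):
    """(method, url, body) for validate, create and execute-by-ID. Host/path layout is
    an assumption; the 'Authorization: Bearer <token>' header Postman adds is still needed."""
    qid = query_id_from_text(query_text)
    base = f"https://{account}.lacework.net/api/v2/Queries"
    body = {"queryText": query_text, "queryId": qid}
    return {"validate": ("POST", f"{base}/validate", {"queryText": query_text}),
            "create": ("POST", base, body),
            "execute": ("POST", f"{base}/{qid}/execute", body)}

def check_query_response(query_text, response):
    """Findings to review before trusting a validate/create reply: the server must
    echo the ID we sent, and resultSchema must match the return clause."""
    data = response.get("data", {})
    problems = []
    want_id = query_id_from_text(query_text)
    if data.get("queryId") != want_id:
        problems.append(f"queryId mismatch: sent {want_id}, got {data.get('queryId')}")
    schema = [col.get("name") for col in data.get("resultSchema", [])]
    if schema != returned_columns(query_text):
        problems.append(f"resultSchema {schema} != return clause {returned_columns(query_text)}")
    return problems

def sub_accounts(user_profile):
    """Flatten a GET UserProfile reply into (accountName, admin) pairs."""
    return [(a["accountName"], bool(a.get("admin"))) for entry in user_profile.get("data", [])
            for a in entry.get("accounts", [])]

# Constructed sample: the post's query text and a reply whose queryId carries a stray "3".
QUERY = ('LW_Global_AWS_CTA_UsageOfRootAccountSevHigh {source {CloudTrailRawEvents} '
         'filter {UPPER(EVENT:userIdentity."type"::String) = \'ROOT\' AND ERROR_CODE IS NULL} '
         'return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}}')
REPLY = {"data": {"queryId": "LW_Global_AWS_CTA_UsageOfRootAccountSevHigh3", "resultSchema": [
    {"name": n, "dataType": "x"} for n in ("INSERT_ID", "INSERT_TIME", "EVENT_TIME", "EVENT")]}}
```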

:tada: And voilà! You've run your first set of Lacework API calls

Next steps

Now that you’ve tested out a simple flow, you should definitely:

  • Get more familiar with the API by browsing our docs within Postman or here
  • Also, check out our awesome CLI
  • Built something cool? Share it with the community!