Alert for when a new EC2 instance without the Lacework agent is detected

We’d like to set up an event/alert for when a new EC2 instance without the Lacework agent is detected. Is this possible?

Hi Jason, this is possible but will require some effort on your part.

Our best recommendation is to use the LW_HE_MACHINES table or lacework agent list to get a current inventory of agents and then reconcile that with LW_CFG_AWS_EC2_INSTANCES for a comprehensive listing of known EC2. That would be accurate as of the daily collection, and any instances without an agent would be readily identifiable.

Between both collections, you could possibly do a CloudTrailRaw query for EC2 instance, create events on 5/10/15 minute intervals and identify net new EC2s that don’t have the agent, and then force install.

It is possible but will definitely require additional effort on your part.

We don’t currently have an API for instances without the Lacework agent.

Let me know if this helps or if you need further assistance!
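The reconciliation described in the reply above, sketched as an added example (not part of the original thread and not Lacework code). The field names `instance_id`, `state`, `launch_time` and `status`, the `ACTIVE` status value and the grace period are assumptions; map your own `LW_CFG_AWS_EC2_INSTANCES` and `LW_HE_MACHINES` exports onto them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows. Field names and values are assumptions, not the
# real LW_CFG_AWS_EC2_INSTANCES / LW_HE_MACHINES schemas.
EC2_ROWS = [
    {"instance_id": "i-0aaa0000000000001", "state": "running",
     "launch_time": "2024-05-01T08:00:00+00:00"},
    {"instance_id": "i-0aaa0000000000002", "state": "running",
     "launch_time": "2024-05-01T09:00:00+00:00"},
    {"instance_id": "i-0aaa0000000000003", "state": "terminated",
     "launch_time": "2024-04-30T09:00:00+00:00"},
    {"instance_id": "i-0aaa0000000000004", "state": "running",
     "launch_time": "2024-05-01T11:55:00+00:00"},
]
AGENT_ROWS = [
    {"instance_id": "I-0AAA0000000000001", "status": "ACTIVE"},
    {"instance_id": "i-0aaa0000000000002", "status": "INACTIVE"},
]


def instances_without_agent(ec2_rows, agent_rows, now,
                            grace=timedelta(minutes=15)):
    """Return sorted IDs of running instances with no active agent.

    Instances younger than `grace` are skipped so that a host still
    booting and installing the agent is not flagged on its first poll.
    """
    # Normalise IDs: exports may differ in case or carry stray whitespace.
    covered = {a["instance_id"].strip().lower() for a in agent_rows
               if a.get("status", "").upper() == "ACTIVE"}
    missing = []
    for row in ec2_rows:
        if row["state"] != "running":
            continue  # stopped/terminated hosts cannot report an agent
        if now - datetime.fromisoformat(row["launch_time"]) < grace:
            continue  # too new to judge; the next poll will catch it
        iid = row["instance_id"].strip().lower()
        if iid not in covered:
            missing.append(iid)
    return sorted(missing)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for iid in instances_without_agent(EC2_ROWS, AGENT_ROWS, now):
        print(f"ALERT: EC2 instance {iid} has no active Lacework agent")
```

Run on a schedule, the returned list is the alert payload; an instance whose agent has gone inactive is reported the same way as one that never had an agent.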

Hi @rsunderland,
I think we’re looking for something a little easier to implement, but thank you for taking the time to come up with a potential solution!

