Lacework API 2.0 Documentation (2.0)
The Lacework API documentation is available directly from your Lacework application at the following URI: https://YourLacework.lacework.net/api/v2/docs, where YourLacework is your Lacework application.
No login to the Lacework Console is required. However, there is a link to the Lacework API 2.0 documentation from the Lacework Console. From the Help drop-down, select API Documentation and then API 2.0 Documentation.
All the Lacework API operations listed below require an API Access Token to allow access to the Lacework API. For more information about getting a temporary API Access Token to pass into these operations as a header, see https://docs.lacework.com/generate-api-access-keys-and-tokens.
You can run the Lacework APIs using your favorite REST API tools, such as curl or Postman. You can also run the Lacework API from the Lacework CLI. For more information, see Get Started with the Lacework CLI.
Conventions
Parameters: Parameters follow the JSON conventions, i.e., lowerCamelCase notation, for all parameter names in the query, request and response bodies, for example, startTime, endTime.
Data Types: For the constant types of data sets, integrations, assets, and other resources, the convention is to use UpperCamelCase notation, for example, AlertChannels, AuditLogs, CloudActivities.
Response Schema: A successful response returns either the HTTP 200 or 201 status code and a top-level property called data, which contains the result in JSON format. A response returning an HTTP 4xx or 5xx status code returns a top-level property called message, which contains an error message.
additionalProperties Keyword: For all response schemas, the additionalProperties keyword is set to true. This means additional fields or properties can be added to responses in the future, so clients should ignore unknown fields rather than reject a response that contains them. For information about the additionalProperties keyword, see the JSON Schema online documentation.
Simple & Advanced Search
The Lacework API provides simple and advanced searches for retrieving information.
For simple searches, specify an HTTP GET method with simple query parameters, for example, startTime, endTime.
For advanced searches, specify an HTTP POST method with filters in the request body. Multiple filters in one request are ANDed, that is, all filter conditions must be met to satisfy a match.
There are 16 filter types consisting of seven pairs and two unique operators, which are similar to the SQL comparison operators for database queries. The pairs are:
- eq / ne: The eq operator allows you to specify a value that the field values of the result must be equal to. The ne operator means not equal to. Note that the value field of the filter must be used; the values field of the filter cannot be used for eq and ne.
- in / not_in: The in operator allows you to specify multiple values in the values field of the filter. The field values of the result must match one of the values. The not_in operator is the opposite of in. Note that the value field of the filter cannot be used for in and not_in.
- like / not_like: The like operator allows you to specify a pattern that the field values of the result must match. The not_like operator is the opposite of like. Note that the values field of the filter cannot be used for like and not_like.
- ilike / not_ilike: The ilike operator works the same way as like but makes the match case insensitive. The not_ilike operator is the opposite of ilike. Note that the values field of the filter cannot be used for ilike and not_ilike.
- rlike / not_rlike: The rlike operator matches the specified pattern, given as a regular expression (see RLIKE in the Snowflake Documentation). The not_rlike operator is the opposite of rlike. Note that the values field of the filter cannot be used for rlike and not_rlike.
- gt / lt: The gt operator allows you to specify a value that the field values of the result must be greater than. The lt (less-than) operator is the opposite of gt. Note that the values field of the filter cannot be used for gt and lt.
- ge / le: The ge operator allows you to specify a value that the field values of the result must be greater than or equal to. The le (less-than-or-equal-to) operator is the opposite of ge. Note that the values field of the filter cannot be used for ge and le.
The unique operators are:
- between: The between operator allows you to specify a range that the field values of the result must be within. The specified upper boundary must be greater than the lower boundary. Both the lower and the upper boundary must be set in the values field of the filter. Note that the value field of the filter cannot be used for between.
- expr: The expr operator is reserved for future use.
Date & Time Formats
For date and time parameters, the time zone is always UTC and the following formats are supported:
- yyyy-MM-dd, for example, 2020-12-18
- yyyy-MM-ddTHH, for example, 2020-12-18T08
- yyyy-MM-ddTHH:mm:ssZ, for example, 2020-12-18T08:00:00Z
- yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z
Organization Level Access
An organization may have a primary account and multiple sub-accounts. If an access token is generated for the primary account and used as the authorization token, it can also be used for one of the sub-accounts by adding the Account-Name header (case insensitive).
For example, if the primary account is xyz and the sub-account is xyz-sub1, set the Account-Name header to xyz-sub1.
To access organization-level data sets, use a separate header called Org-Access (case insensitive). If this header is set to true (case insensitive) and the authorization token has the proper permissions (org admin), the Account-Name header, if specified, is ignored. If the Org-Access header is not set to true, the Account-Name header is used, if specified.
For more information about creating and using access (bearer) tokens for accounts in an Organization, see Role-Based API Authentication for Organizations.
Pagination
Making calls to Lacework APIs could return a lot of results. Pagination of the results helps manage overall performance and makes the responses easier for you to handle by dividing the results into separate pages, each with a subset of the results.
The following row limits apply:
Row limit per page: 5,000 rows
Row limit of all pages of one result set: 500,000 rows
Pagination is available for some datasets, such as those that are searched with the /api/v2/Vulnerabilities/Containers/search or /api/v2/Entities/Machines/search endpoints.
Pagination metadata is located within the response's paging field, which contains rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. Next Page URLs stay valid for 24 hours. No pagination is available for an API if the paging field is missing from a response.
To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".
Example:
GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...
Rate Limiting
The current rate limit is 480 API requests per hour per user. When the total number of API requests on a one-hour rolling window exceeds the rate limit, the HTTP 429 Too Many Requests response status code is returned.
Lacework uses the token bucket algorithm to apply request rate limiting. Each API v2 functionality has its own bucket with 480 tokens, and each request that you make removes one token from the bucket. For example, GET /api/v2/AgentAccessTokens and GET /api/v2/AgentAccessTokens/{ID} are both part of one functionality (getting an agent access token), so each of these requests removes one token from the same bucket, regardless of the ID. Updating an agent access token (PATCH /api/v2/AgentAccessTokens/{ID}) is a different functionality, so each such request removes a token from a different bucket.
Each request sends back three response headers following the standard HTTP naming conventions for rate limiting. RateLimit-Limit is the total number of requests you can make in an hour, RateLimit-Remaining is the number of remaining requests, and RateLimit-Reset is the time (in seconds) before you can make another request once the limit is reached. For more information about the RateLimit header fields, see IETF Draft 05.
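The following is an added example, not Lacework's own code or CLI, of a request wrapper that honours the rate-limiting behaviour described above: it retries a 429 after RateLimit-Reset seconds and records RateLimit-Remaining per bucket. The HTTP transport (send) and the sleep function are injected so the example runs offline, and bucket names are chosen by the caller, because the API does not expose a bucket identifier.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# send(method, url, headers) -> (status, response_headers, body). Injected so
# the example runs offline; wrap requests/urllib here in real use.
Sender = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], object]]


class RateLimitedClient:
    """Retries on 429 using RateLimit-Reset and tracks RateLimit-Remaining per bucket."""

    def __init__(self, send: Sender, sleep: Callable[[float], None] = time.sleep,
                 max_retries: int = 3, reserve: int = 10):
        self._send = send
        self._sleep = sleep
        self._max_retries = max_retries
        self._reserve = reserve              # headroom to keep for urgent calls
        self.remaining: Dict[str, int] = {}  # bucket name -> last RateLimit-Remaining seen

    def request(self, method: str, url: str, headers: Dict[str, str],
                bucket: Optional[str] = None) -> Tuple[int, object]:
        # Buckets are per functionality, not per URL: GET .../AgentAccessTokens and
        # GET .../AgentAccessTokens/{id} share one, so the caller names the bucket.
        bucket = bucket or f"{method} {url}"
        for attempt in range(self._max_retries + 1):
            status, resp_headers, body = self._send(method, url, headers)
            h = {k.lower(): v for k, v in resp_headers.items()}  # header names are case-insensitive
            if "ratelimit-remaining" in h:
                self.remaining[bucket] = int(h["ratelimit-remaining"])
            if status != 429:
                return status, body
            if attempt == self._max_retries:
                break
            # RateLimit-Reset is seconds until the limit lifts; never busy-loop on 429.
            self._sleep(max(1, int(h.get("ratelimit-reset", "60"))))
        raise RuntimeError(f"{bucket}: still rate limited after {self._max_retries} retries")

    def headroom_ok(self, bucket: str) -> bool:
        """False once the bucket's last RateLimit-Remaining dropped to the reserve."""
        return self.remaining.get(bucket, 480) > self._reserve
```

A batch job can call headroom_ok before each bulk call and yield when the bucket is nearly drained, leaving the reserve for operators who need the same functionality interactively.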
POST Body Size Limit
Many Lacework API endpoints accept data as POST body content. POST body content is limited to 1 MB. Requests that exceed the 1 MB limit result in a 400 Bad Request error.
Response Status Codes
The Lacework API endpoints return the following HTTP response status codes.
Status Code | Definition | Description |
---|---|---|
200 | OK | The request has succeeded. |
201 | Created | The request has been fulfilled and resulted in a new resource being created. |
204 | No Content | The server has fulfilled the request but does not need to return an entity-body. |
400 | Bad Request | The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications. |
401 | Unauthorized | The request requires user authentication. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. |
403 | Forbidden | The server understood the request, but is refusing to fulfill it. Authorization will not fix the issue and the request SHOULD NOT be repeated. |
404 | Not Found | The server has not found anything matching the Request-URI. |
405 | Method Not Allowed | The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. |
409 | Conflict | The request could not be completed due to a conflict with the current state of the resource. |
429 | Too Many Requests | Too many requests occurred during the allotted time period and rate limiting was applied. |
500 | Internal Server Error | The request did not complete due to an internal error on the server side. The server encountered an unexpected condition which prevented it from fulfilling the request. |
503 | Service Unavailable | The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. |
Generate access tokens for API requests.
Generate Access Tokens
Get access tokens for the API requests by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/access/tokens
After creating a secret key, administrators can generate temporary API access (bearer) tokens that clients and client applications use to access the Lacework API. Create them by invoking the POST https://YourLacework.lacework.net/api/v2/access/tokens endpoint. The secret key is sent in the X-LW-UAKS header and never in the body; the body carries the access key ID (keyId) and the requested token lifetime (expiryTime).
header Parameters
X-LW-UAKS required | string YourSecretKey |
Content-Type required | string application/json |
Request Body schema: application/json
keyId required | string YourAccessKeyID |
expiryTime required | integer The access token's expiration (in seconds) that you want to set. Maximum value: 86400 (24 hours). |
Request sample (payload):
{
  "keyId": "YourAccessKeyID",
  "expiryTime": 3600
}
Response sample (201):
{
  "expiresAt": "2021-08-18T08:00:00.000Z",
  "token": "string"
}
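The following is an added example, not Lacework's own code or CLI, of minting a short-lived bearer token from an API key pair and re-minting it shortly before expiresAt, so long-running jobs never cache a token past its lifetime. It assumes only the request and response shapes shown above; the HTTP transport is injected so the example runs offline (substitute requests.post or urllib in real use).

```python
import datetime as dt
from typing import Callable, Dict, Optional, Tuple

MAX_EXPIRY_SECONDS = 86400             # documented maximum: 24 hours
REFRESH_MARGIN = dt.timedelta(minutes=5)

# transport(url, headers, json_body) -> (status_code, parsed_json); injected
# so the example runs offline.
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


def build_token_request(account: str, key_id: str, secret: str, expiry_seconds: int):
    """Return (url, headers, body) for POST /api/v2/access/tokens.

    The secret goes in the X-LW-UAKS header, never in the body; keyId is the
    (non-secret) access key ID.
    """
    if not 1 <= expiry_seconds <= MAX_EXPIRY_SECONDS:
        raise ValueError(f"expiryTime must be 1..{MAX_EXPIRY_SECONDS} seconds")
    url = f"https://{account}.lacework.net/api/v2/access/tokens"
    headers = {"X-LW-UAKS": secret, "Content-Type": "application/json"}
    body = {"keyId": key_id, "expiryTime": expiry_seconds}
    return url, headers, body


def parse_expires_at(value: str) -> dt.datetime:
    """Parse the documented yyyy-MM-ddTHH:mm:ss.SSSZ timestamp as UTC."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


class TokenSource:
    """Caches one bearer token and re-mints it REFRESH_MARGIN before expiresAt."""

    def __init__(self, account: str, key_id: str, secret: str, transport: Transport,
                 expiry_seconds: int = 3600,
                 now: Optional[Callable[[], dt.datetime]] = None):
        self._req = (account, key_id, secret, expiry_seconds)
        self._transport = transport
        self._now = now or (lambda: dt.datetime.now(dt.timezone.utc))
        self._token: Optional[str] = None
        self._expires_at: Optional[dt.datetime] = None

    def bearer(self) -> str:
        """Value for the Authorization header, refreshed when close to expiry."""
        if self._token is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            self._mint()
        return f"Bearer {self._token}"

    def _mint(self) -> None:
        url, headers, body = build_token_request(*self._req)
        status, data = self._transport(url, headers, body)
        if status != 201:
            # error responses carry a top-level "message" (see Conventions)
            raise RuntimeError(f"token request failed: {status} {data.get('message')}")
        self._token = data["token"]
        self._expires_at = parse_expires_at(data["expiresAt"])
```

Keep the secret key out of process arguments and logs; only the short-lived token it mints should ever travel in an Authorization header, and re-minting on a margin means a revoked key stops working within one token lifetime.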
Schema Details
Get a list of available Lacework schema types by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/schemas
Get details about a Lacework schema by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/schemas/{type}
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs
path Parameters
type required | string Example: AuditLogs The schema type to describe. The response returns details of the requested schema; to list all available schema types instead, call GET /api/v2/schemas without a type. |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Response sample (200):
[
  { "name": "accountName", "type": "string" },
  { "name": "createdTime", "type": "integer" },
  { "name": "eventDescription", "type": "string" },
  { "name": "eventName", "type": "string" },
  { "name": "userAction", "type": "string" },
  { "name": "userName", "type": "string" }
]
Schema Details of Subtype
Get details about a Lacework schema by specifying a schema type and subtype when invoking the endpoint.
GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel
path Parameters
type required | string Example: AlertChannels The schema type whose subtype you want to inspect. |
subtype required | string Example: SlackChannel The schema's subtype. If a type is subordinate to another type, it is called a subtype. |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Response sample (200):
[
  {
    "required": ["type", "enabled", "name", "data"],
    "properties": {
      "name": { "type": "string", "minLength": 1 },
      "type": { "type": "string", "enum": ["SlackChannel"] },
      "enabled": { "type": "number", "minimum": 0, "maximum": 1 },
      "data": {
        "properties": {
          "slackUrl": {
            "type": "string",
            "pattern": "^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$"
          }
        },
        "required": ["slackUrl"],
        "additionalProperties": true,
        "type": "object"
      }
    }
  }
]
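The following is an added example, not Lacework's own code, of using the JSON Schema fragment returned by GET /api/v2/schemas/{type}/{subtype} to validate an alert-channel payload client-side before sending it, so a malformed body is caught locally instead of as a 4xx. The schema is the SlackChannel response sample above, embedded so the example runs offline; the keyword subset handled is exactly what that sample uses.

```python
import re
from typing import List

# The SlackChannel subtype schema as returned above (embedded copy).
SLACK_CHANNEL_SCHEMA = {
    "required": ["type", "enabled", "name", "data"],
    "properties": {
        "name": {"type": "string", "minLength": 1},
        "type": {"type": "string", "enum": ["SlackChannel"]},
        "enabled": {"type": "number", "minimum": 0, "maximum": 1},
        "data": {
            "properties": {
                "slackUrl": {
                    "type": "string",
                    "pattern": "^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$",
                }
            },
            "required": ["slackUrl"],
            "additionalProperties": True,
            "type": "object",
        },
    },
}

_TYPES = {"string": str, "number": (int, float), "object": dict}


def validate(instance, schema: dict, path: str = "$") -> List[str]:
    """Return human-readable violations for the keyword subset used by this
    schema (type, enum, required, properties, minLength, minimum, maximum,
    pattern, additionalProperties); an empty list means the instance is valid."""
    expected = schema.get("type")
    if expected in _TYPES:
        # bool is a subclass of int in Python; the schema's "number" must not accept it
        if not isinstance(instance, _TYPES[expected]) or isinstance(instance, bool):
            return [f"{path}: expected {expected}"]
    errors: List[str] = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: must be one of {schema['enum']}")
    if isinstance(instance, str):
        if len(instance) < schema.get("minLength", 0):
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if "pattern" in schema and not re.search(schema["pattern"], instance):
            errors.append(f"{path}: does not match pattern {schema['pattern']}")
    if isinstance(instance, (int, float)) and not isinstance(instance, bool):
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in props.items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
        if schema.get("additionalProperties", True) is False:
            for key in instance:
                if key not in props:
                    errors.append(f"{path}.{key}: additional property not allowed")
    return errors
```

Treat this as a formatting check, not a host allow-list: the slackUrl pattern as published uses an unescaped dot (so a host such as hooksXslack.com also matches) and the character range #-_ admits more than letters, digits and hyphens, so a policy that must guarantee webhooks point at hooks.slack.com needs its own hostname comparison.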
Search Changed Files
Search for changed files in your environment by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.
You can optionally filter the returned changed files by start time, end time, machine ID, file path, and more. For more information, see CHANGE_FILES_V View.
Here are some example body payloads:
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},
"filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},
"filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "filePath", "expression": "eq", "value": "/usr/bin/curl" } ],
"returns": [ "filePath", "filedataHash", "mid" ] }
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Request sample (payload):
{
  "timeFilter": { "startTime": "string", "endTime": "string" },
  "filters": [
    { "expression": "eq", "field": "string", "value": "string", "values": ["string"] }
  ],
  "returns": ["string"]
}
Response sample (200):
{
  "paging": { "rows": 5000, "totalRows": 654455, "urls": {} },
  "data": [
    {
      "startTime": "2021-09-10T23:00:00Z",
      "endTime": "2021-09-11T00:00:00Z",
      "mid": 12345,
      "filePath": "/usr/bin/curl",
      "filedataHash": "d055afd3h16f11460b3549885a9u8a40f1905df1f9d83cf16gbfa8a3157c29ac",
      "mtime": "1631306708492",
      "size": 210944,
      "threatInfo": "null"
    },
    {
      "startTime": "2021-09-10T23:00:00Z",
      "endTime": "2021-09-11T00:00:00Z",
      "mid": 12345,
      "filePath": "/bin/sleep",
      "filedataHash": "ada88f7fd24bcdfdde10294c76968a335c2414ea7d43c5e3829b65cb037e90a4",
      "mtime": "1631317667570",
      "size": 0,
      "threatInfo": "null"
    }
  ]
}
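The following is an added example, not Lacework's own code or CLI, that ties together the Simple & Advanced Search, Date & Time Formats and Pagination sections for this endpoint: it builds a request body whose filters respect the value/values rule for each operator, enforces the 7-day window and the omit-endTime convention, and then walks every page of the result through paging.urls.nextPage. The same body shape is used by the other /api/v2/Activities/*/search and /api/v2/AgentInfo/search endpoints, so the path is a parameter. The HTTP layer (fetch) is injected so the example runs offline; the refusal to follow a nextPage URL on a different host is an added client-side safeguard for the bearer token, not something the API requires.

```python
import datetime as dt
from typing import Callable, Dict, Iterable, Iterator, Optional
from urllib.parse import urlparse

SINGLE_VALUE_OPS = {"eq", "ne", "like", "not_like", "ilike", "not_ilike",
                    "rlike", "not_rlike", "gt", "lt", "ge", "le"}
MULTI_VALUE_OPS = {"in", "not_in"}
MAX_RANGE = dt.timedelta(days=7)          # documented per-request maximum
TS = "%Y-%m-%dT%H:%M:%SZ"                 # yyyy-MM-ddTHH:mm:ssZ, always UTC

# fetch(method, url, headers, json_body_or_None) -> parsed JSON dict. Injected
# so the example runs offline; wrap requests/urllib here in real use.
Fetch = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def make_filter(field: str, expression: str, value=None, values=None) -> dict:
    """One filter object, enforcing which of value/values each operator accepts."""
    if expression in SINGLE_VALUE_OPS:
        if value is None or values is not None:
            raise ValueError(f"{expression} takes 'value' only")
        return {"field": field, "expression": expression, "value": value}
    if expression in MULTI_VALUE_OPS:
        if value is not None or not values:
            raise ValueError(f"{expression} takes a non-empty 'values' list only")
        return {"field": field, "expression": expression, "values": list(values)}
    if expression == "between":
        if value is not None or not values or len(values) != 2 or not values[0] < values[1]:
            raise ValueError("between takes 'values' [lower, upper] with lower < upper")
        return {"field": field, "expression": "between", "values": list(values)}
    raise ValueError(f"unsupported expression {expression!r} (expr is reserved)")


def make_body(start: dt.datetime, end: Optional[dt.datetime] = None,
              filters: Iterable[dict] = (), returns: Iterable[str] = ()) -> dict:
    """Request body; end=None means 'now', which the API expresses by omitting endTime."""
    effective_end = end or dt.datetime.now(dt.timezone.utc)
    if effective_end <= start:
        raise ValueError("endTime must be after startTime")
    if effective_end - start > MAX_RANGE:
        raise ValueError("time range exceeds the 7-day per-request maximum")
    time_filter = {"startTime": start.astimezone(dt.timezone.utc).strftime(TS)}
    if end is not None:
        time_filter["endTime"] = end.astimezone(dt.timezone.utc).strftime(TS)
    body: dict = {"timeFilter": time_filter}
    filters, returns = list(filters), list(returns)
    if filters:
        body["filters"] = filters
    if returns:
        body["returns"] = returns
    return body


def search_all(fetch: Fetch, account: str, token: str, body: dict,
               path: str = "/api/v2/Activities/ChangedFiles/search") -> Iterator[dict]:
    """Yield every record, following paging.urls.nextPage until it is absent."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = f"https://{account}.lacework.net{path}"
    page = fetch("POST", url, headers, body)
    while True:
        yield from page.get("data", [])
        next_url = page.get("paging", {}).get("urls", {}).get("nextPage")
        if not next_url:
            return
        # Next Page URLs are fetched with the same bearer token; refuse to send
        # it anywhere but the account's own host.
        if urlparse(next_url).netloc != urlparse(url).netloc:
            raise RuntimeError(f"unexpected host in nextPage URL: {next_url}")
        page = fetch("GET", next_url, headers, None)   # GET, same headers, no body
```

Because the result set is capped at 500,000 rows, a caller that needs more should narrow the time window and run several searches rather than expect the last page to carry totalRows records.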
Search Connections
Search for connections in your environment by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.
You can optionally filter the returned connections by start time, end time, created time, machine ID, and more. For more information, see CONNECTIONS_V View.
Here are some example body payloads:
{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"},
"filters": [ { "field": "dstEntityId.mid", "expression": "eq", "value": "116018" } ] }
{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"},
"filters": [ { "field": "srcEntityId.mid", "expression": "eq", "value": "123456" }, { "field": "dstInBytes", "expression": "le", "value": "300000" } ],
"returns": [ "dstEntityId", "dstEntityType", "srcEntityId", "srcEntityType" ] }
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Request sample (payload):
{
  "timeFilter": { "startTime": "string", "endTime": "string" },
  "filters": [
    { "expression": "eq", "field": "string", "value": "string", "values": ["string"] }
  ],
  "returns": ["string"]
}
Response sample (200):
{
  "paging": { "rows": 5000, "totalRows": 1233301, "urls": {} },
  "data": [
    {
      "dstEntityId": { "mid": 116015, "pid_hash": -8627328323700991000 },
      "dstEntityType": "Process",
      "dstInBytes": 162688,
      "dstOutBytes": 3572,
      "endpointDetails": [
        { "dst_ip_addr": "10.245.48.175", "dst_port": 2878, "protocol": "TCP", "src_ip_addr": "10.245.187.233" }
      ],
      "endTime": "2022-08-18T01:00:00.000Z",
      "numConns": 38,
      "srcEntityId": { "mid": 114151, "pid_hash": 6612898627139247000 },
      "srcEntityType": "Process",
      "srcInBytes": 3572,
      "srcOutBytes": 162688,
      "startTime": "2022-08-18T00:00:00.000Z"
    },
    {
      "dstEntityId": { "mid": 116015, "pid_hash": -8627328323700991000 },
      "dstEntityType": "Process",
      "dstInBytes": 252673,
      "dstOutBytes": 4418,
      "endpointDetails": [
        { "dst_ip_addr": "10.245.48.175", "dst_port": 2878, "protocol": "TCP", "src_ip_addr": "10.245.172.126" }
      ],
      "endTime": "2022-08-18T01:00:00.000Z",
      "numConns": 47,
      "srcEntityId": { "mid": 114151, "pid_hash": 6143690005229381000 },
      "srcEntityType": "Process",
      "srcInBytes": 4418,
      "srcOutBytes": 252673,
      "startTime": "2022-08-18T00:00:00.000Z"
    }
  ]
}
Search DNS Summaries
Search for DNS summaries in your environment by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.
You can optionally filter the returned DNS summaries by start time, end time, created time, machine ID, and more. For more information, see DNS_QUERY_V View.
Here are some example body payloads:
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},
"filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},
"filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "fqdn", "expression": "eq", "value": "sqs.us-west-2.amazonaws.com" } ],
"returns": [ "fqdn", "hostIpAddr", "mid" ] }
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Request sample (payload):
{
  "timeFilter": { "startTime": "string", "endTime": "string" },
  "filters": [
    { "expression": "eq", "field": "string", "value": "string", "values": ["string"] }
  ],
  "returns": ["string"]
}
Response sample (200):
{
  "paging": { "rows": 5000, "totalRows": 17519 },
  "data": [
    {
      "createdTime": "2021-09-10T05:35:45.382Z",
      "mid": 12345,
      "fqdn": "sqs.us-west-2.amazonaws.com",
      "hostIpAddr": "22.94.218.126",
      "ttl": 1,
      "dnsServerIp": "11.251.0.9"
    },
    {
      "createdTime": "2021-09-10T05:35:45.382Z",
      "mid": 12314,
      "fqdn": "sqs.us-west-2.amazonaws.com",
      "hostIpAddr": "22.94.228.126",
      "ttl": 60,
      "dnsServerIp": "11.312.0.9"
    }
  ]
}
Search User Logins
Search for user logins in your environment by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.
You can optionally filter the returned login activities by start time, end time, created time, machine ID, and more. For more information, see USER_LOGIN_V View.
Here are some example body payloads:
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},
"filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},
"filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "username", "expression": "eq", "value": "ec2-user" } ],
"returns": [ "username", "activityType", "activityTime" ] }
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Request sample (payload):
{
  "timeFilter": { "startTime": "string", "endTime": "string" },
  "filters": [
    { "expression": "eq", "field": "string", "value": "string", "values": ["string"] }
  ],
  "returns": ["string"]
}
Response sample (200):
{
  "paging": { "rows": 5000, "totalRows": 5050, "urls": {} },
  "data": [
    {
      "createdTime": "2021-09-10T05:35:45.382Z",
      "mid": 12345,
      "activityTime": "2021-08-06T06:05:05.260Z",
      "activityType": "LOGIN",
      "username": "ec2-user",
      "uid": 1000,
      "sourceIpAddr": "2.141.452.76"
    },
    {
      "createdTime": "2021-09-10T05:35:45.382Z",
      "mid": 12345,
      "activityTime": "2021-08-06T06:05:05.260Z",
      "activityType": "LOGOFF",
      "username": "ec2-user",
      "uid": 1000,
      "sourceIpAddr": "2.141.452.76"
    }
  ]
}
To connect to the Lacework instance, Lacework agents require an agent access token.
Create Agent Access Token
Create a new agent access token that an agent can use to connect and send data to your Lacework instance by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens
Here is an example body payload:
{ "tokenAlias": "prod", "tokenEnabled": "1" }
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
props | object The access token's properties, such as description and os (see the request sample). |
tokenEnabled required | string non-empty The token's enabled state; the examples on this page use "1" for an enabled token. |
tokenAlias required | string non-empty The token's alias, such as Ops Agent. Aliases help communicate the intended purpose of a token and are effective when a value with a single intent appears in multiple places. |
Request sample (payload):
{
  "props": { "description": "string", "os": "string" },
  "tokenEnabled": "string",
  "tokenAlias": "string"
}
Response sample (201):
{
  "data": {
    "accessToken": "47d102752b57caa18b...",
    "createdTime": "2020-12-16T16:43:37.915Z",
    "props": { "createdTime": "2020-12-16T16:43:37.915Z", "description": "testing agent" },
    "tokenAlias": "Ops Agent",
    "tokenEnabled": "1",
    "version": "0.1"
  }
}
List All Agent Access Tokens
Get a list of currently enabled agent access tokens in your Lacework instance by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Response sample (200):
{
  "data": [
    {
      "accessToken": "47d102752b57caa18b...",
      "createdTime": "2020-12-16T16:43:37.915Z",
      "props": { "createdTime": "2020-12-16T16:43:37.915Z", "description": "testing agent" },
      "tokenAlias": "Ops Agent",
      "tokenEnabled": "1",
      "version": "0.1"
    },
    {
      "accessToken": "e2f32885791213cb41...",
      "createdTime": "2020-12-10T18:14:05.754Z",
      "props": { "createdTime": "2020-12-10T18:14:05.754Z", "description": "testing agent 1" },
      "tokenAlias": "Dev Agent",
      "tokenEnabled": "1",
      "version": "0.1"
    }
  ]
}
Search Agent Access Tokens
Search all enabled agent access tokens in your Lacework instance by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search
To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
You can filter on the following fields:
accessToken
createdTime
tokenAlias
tokenEnabled
version
Here is an example body payload:
{ "filters" : [ { "expression": "eq", "field": "tokenAlias", "value": "Eng" } ] }
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
filters | Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Request sample (payload):
{
  "filters": [
    { "expression": "eq", "field": "string", "value": "string", "values": ["string"] }
  ],
  "returns": ["string"]
}
Response sample (200):
{
  "data": [
    {
      "accessToken": "47d102752b57caa18b...",
      "createdTime": "2020-12-16T16:43:37.915Z",
      "props": { "createdTime": "2020-12-16T16:43:37.915Z", "description": "testing agent" },
      "tokenAlias": "Ops Agent",
      "tokenEnabled": "1",
      "version": "0.1"
    },
    {
      "accessToken": "e2f32885791213cb41...",
      "createdTime": "2020-12-10T18:14:05.754Z",
      "props": { "createdTime": "2020-12-10T18:14:05.754Z", "description": "testing agent 1" },
      "tokenAlias": "Dev Agent",
      "tokenEnabled": "1",
      "version": "0.1"
    }
  ]
}
Agent Access Token Details
Get details about an agent access token by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}
You can get the {id} by invoking the GET /api/v2/AgentAccessTokens endpoint. Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of that endpoint's response. Because {id} is the agent access token itself, treat URLs built this way as sensitive: they carry an agent credential and will appear in proxy and access logs.
path Parameters
id required | string Agent Access Token {id} |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Response sample (200):
{
  "data": {
    "accessToken": "47d102752b57caa18b...",
    "createdTime": "2020-12-16T16:43:37.915Z",
    "props": { "createdTime": "2020-12-16T16:43:37.915Z", "description": "testing agent" },
    "tokenAlias": "Ops Agent",
    "tokenEnabled": "1",
    "version": "0.1"
  }
}
Update Agent Access Token
Optionally update the tokenEnabled setting of the specified agent access token by invoking the following endpoint:
PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}
Get the agent access token id by calling the GET /api/v2/AgentAccessTokens endpoint. Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of that endpoint's response.
Here is an example body payload:
{ "tokenEnabled": "1" }
path Parameters
id required | string AgentAccessTokens {id} |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
props | object The access token's properties, such as description and os (see the request sample). |
tokenEnabled | string non-empty The token's enabled state; the examples on this page use "1" for an enabled token. |
Request sample (payload):
{
  "props": { "description": "string", "os": "string" },
  "tokenEnabled": "string"
}
Response sample (200):
{
  "data": {
    "accessToken": "47d102752b57caa18b...",
    "createdTime": "2020-12-16T16:43:37.915Z",
    "props": { "createdTime": "2020-12-16T16:43:37.915Z", "description": "testing agent" },
    "tokenAlias": "Ops Agent",
    "tokenEnabled": "1",
    "version": "0.1"
  }
}
View and verify information about all agents, including:
- The hostname
- The number of active and inactive agents
- Machine tags information associated with the agents
- The agent version
Search Agent Information
The Agent Information API enables you to retrieve information about all agents by invoking the following endpoint:
POST /api/v2/AgentInfo/search
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.
You can optionally filter the information returned by agent status, agent version, IP address, and more. For details about what agent information is available, see AGENT_MANAGEMENT_V View.
Here are some example body payloads:
{ "timeFilter": { "startTime": "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z" } }
{ "timeFilter": { "startTime": "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z" },
"filters": [ { "field": "status", "expression": "eq", "value": "ACTIVE" }, { "field": "tags.VmProvider", "expression": "eq", "value": "AWS" } ],
"returns": [ "hostname", "ipAddr", "os", "agentVersion", "status" ] }
Within request bodies, nested field names that contain one or more special characters, for example a dot ("."), colon (":"), or slash ("/"), must be enclosed in escaped double quotes. For example, the field name aws:ec2launchtemplate:version nested under the tags field is rendered as follows:
"tags.\"aws:ec2launchtemplate:version\""
In a filter, the example appears as follows:
{ "field": "tags.\"aws:ec2launchtemplate:version\"", "expression": "eq", "value": "3" }
In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:
"tags.\"kubernetes.io\/cluster\/prod1\""
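Building a search body the way the rules above require is easy to get wrong, so here is an added example (not Lacework's code or CLI) that quotes nested field segments, escapes slashes in the rendered JSON, enforces the 7-day window, and then scans a constructed response for hosts whose agent is inactive or out of date. The function names and SAMPLE_RESPONSE are my own assumptions, shaped after the samples on this page.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

ISO = "%Y-%m-%dT%H:%M:%SZ"
MAX_WINDOW = timedelta(days=7)        # maximum time range per request (documented above)
_NEEDS_QUOTES = re.compile(r"[.:/]")  # a segment containing any of these must be quoted


def field_path(*segments: str) -> str:
    """Join nested field-name segments into a filter 'field' value.

    A segment containing '.', ':' or '/' is wrapped in double quotes so its dots
    are not read as nesting: ('tags', 'aws:ec2launchtemplate:version') becomes
    tags."aws:ec2launchtemplate:version". Slashes are escaped by render_body.
    """
    parts = []
    for seg in segments:
        if not seg or '"' in seg:
            raise ValueError(f"invalid field segment: {seg!r}")
        parts.append(f'"{seg}"' if _NEEDS_QUOTES.search(seg) else seg)
    return ".".join(parts)


def time_filter(start: str, end: Optional[str] = None) -> dict:
    """Build timeFilter from ISO-8601 UTC strings, enforcing the 7-day maximum.

    Omit end to let the API use the current time as endTime; the window is then
    checked against now, so a startTime older than 7 days is rejected up front.
    """
    t0 = datetime.strptime(start, ISO).replace(tzinfo=timezone.utc)
    t1 = (datetime.strptime(end, ISO).replace(tzinfo=timezone.utc)
          if end else datetime.now(timezone.utc))
    if t1 <= t0:
        raise ValueError("endTime must be later than startTime")
    if t1 - t0 > MAX_WINDOW:
        raise ValueError("time range exceeds the 7-day maximum per request")
    return {"startTime": start, **({"endTime": end} if end else {})}


def search_body(tf: dict, filters: list, returns: list) -> dict:
    """Assemble the AgentInfo/search body; filters are (field, expression, value) triples."""
    return {"timeFilter": tf,
            "filters": [{"field": f, "expression": e, "value": v} for f, e, v in filters],
            "returns": list(returns)}


def render_body(body: dict) -> str:
    """Serialize to the wire form shown above: every '/' becomes the JSON escape '\\/'.

    '\\/' is a standard JSON escape, so it is harmless in other strings, and it
    yields exactly "tags.\\"kubernetes.io\\/cluster\\/prod1\\"" for that field.
    """
    return json.dumps(body).replace("/", "\\/")


# Constructed sample shaped like the 200 response above; not a real API response.
SAMPLE_RESPONSE = {
    "paging": {"rows": 2, "totalRows": 2},
    "data": [
        {"hostname": "ip-10-231-16-188.us-west-2.compute.internal", "ipAddr": "10.231.16.188",
         "os": "Linux", "agentVersion": "5.5.0-6ecefc7f", "status": "ACTIVE"},
        {"hostname": "ip-10-231-168-119.us-west-2.compute.internal", "ipAddr": "10.231.168.119",
         "os": "Linux", "agentVersion": "5.4.2-1a2b3c4d", "status": "INACTIVE"},
    ],
}


def parse_version(v: str) -> tuple:
    """'5.5.0-6ecefc7f' -> (5, 5, 0); the build id after '-' is ignored."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def has_more_pages(response: dict) -> bool:
    """True when paging.totalRows exceeds the rows delivered in this page."""
    paging = response.get("paging", {})
    return paging.get("totalRows", 0) > paging.get("rows", 0)


def coverage_gaps(response: dict, min_version: str) -> list:
    """Hosts whose agent is not ACTIVE or runs a version below min_version."""
    floor = parse_version(min_version)
    gaps = []
    for agent in response["data"]:
        reasons = []
        if agent["status"] != "ACTIVE":
            reasons.append("status=" + agent["status"])
        if parse_version(agent["agentVersion"]) < floor:
            reasons.append("agentVersion=" + agent["agentVersion"])
        if reasons:
            gaps.append({"hostname": agent["hostname"], "reasons": reasons})
    return gaps


if __name__ == "__main__":
    body = search_body(time_filter("2022-04-28T00:00:00Z", "2022-04-28T18:00:00Z"),
                       [(field_path("tags", "kubernetes.io/cluster/prod1"), "eq", "owned")],
                       ["hostname", "agentVersion", "status"])
    print(render_body(body), coverage_gaps(SAMPLE_RESPONSE, "5.5.0"))
```

Send render_body(body) as the POST body with the headers listed below; the same coverage_gaps pass works on each page while has_more_pages is true.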
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Request Body schema: application/json
timeFilter (object): The date/time range during which actions occurred.
filters (Array of objects): One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns (Array of strings): Use this attribute to specify which top-level fields of the response schema you want to receive.
Request sample (payload):
{
  "timeFilter": {
    "startTime": "string",
    "endTime": "string"
  },
  "filters": [
    {
      "expression": "eq",
      "field": "string",
      "value": "string",
      "values": [ "string" ]
    }
  ],
  "returns": [ "string" ]
}
Response sample (200):
{
  "paging": {
    "rows": 5000,
    "totalRows": 5060
  },
  "data": [
    {
      "agentVersion": "5.5.0-6ecefc7f",
      "createdTime": "2021-03-30T12:40:19.087Z",
      "hostname": "ip-10-231-16-188.us-west-2.compute.internal",
      "ipAddr": "10.231.16.188",
      "lastUpdate": "2022-04-27 16:59:11.283 -0700",
      "mid": 1898,
      "mode": "normal",
      "os": "Linux",
      "status": "ACTIVE",
      "tags": {
        "Account": "289356771585",
        "AmiId": "ami-0d9ef0d807e565a36",
        "COGS": "OPEX",
        "Env": "lw",
        "ExternalIp": "",
        "Hostname": "ip-10-231-16-188.us-west-2.compute.internal",
        "InstanceId": "i-05bd72db3d5678c23",
        "InternalIp": "10.231.16.188",
        "KubernetesCluster": "lw",
        "LwTokenShort": "2e568b3b9a3c5de63116422e41fccc",
        "Name": "prod-node.lw",
        "Owner": "lacework",
        "SubnetId": "subnet-0a83c026ef1437f0e",
        "VmInstanceType": "m5.large",
        "VmProvider": "AWS",
        "VpcId": "vpc-0df6f5ed0cd993ff2",
        "WavefrontProxy": "wavefront-proxy.kube-system.svc.cluster.local",
        "Zone": "us-west-2a",
        "arch": "amd64",
        "aws:autoscaling:groupName": "lw-cluster-123",
        "cluster": "eks-lw",
        "environment": "prod",
        "kubernetes.io/cluster/prod": "owned",
        "lw_KubernetesCluster": "prod",
        "os": "linux",
        "role": "default"
      }
    },
    {
      "agentVersion": "5.5.0-6ecefc7f",
      "createdTime": "2022-04-26T11:34:58.316Z",
      "hostname": "ip-10-231-168-119.us-west-2.compute.internal",
      "ipAddr": "10.231.168.119",
      "lastUpdate": "2022-04-28 11:05:58.317 -0700",
      "mid": 85282,
      "mode": "ebpf",
      "os": "Linux",
      "status": "INACTIVE",
      "tags": {
        "Account": "239656771685",
        "AmiId": "ami-03b6ddb2869abcd51",
        "Env": "lw",
        "ExternalIp": "",
        "Hostname": "ip-10-231-168-119.us-west-2.compute.internal",
        "InstanceId": "i-06f6569862686630e",
        "InternalIp": "10.231.168.119",
        "KubernetesCluster": "lw",
        "LwTokenShort": "2e568b3b9a3c5de63116422e51fccc",
        "Name": "on-demand.prod.lw",
        "SubnetId": "subnet-0b2a51e40b1a0bde8",
        "VmInstanceType": "r5.xlarge",
        "VmProvider": "AWS",
        "VpcId": "vpc-0df6f8ed0cd993ff2",
        "Zone": "us-west-2c",
        "arch": "amd64",
        "cluster": "eks-lw",
        "environment": "prod",
        "kubernetes.io/cluster/prod": "owned",
        "lw-role": "on-demand",
        "lw_KubernetesCluster": "prod",
        "os": "linux",
        "spotinst:accountId": "act-b0b9eea2",
        "spotinst:aws:ec2:group:createdBy": "spotinst",
        "spotinst:aws:ec2:group:id": "oesg-9a6dca03",
        "spotinst:aws:ec2:group:name": "Spotinst::Ocean::prod",
        "spotinst:ocean:launchspec:id": "ols-fad9bf81",
        "spotinst:ocean:launchspec:name": "on-demand"
      }
    }
  ]
}
Lacework combines alert channels with alert rules or report rules to provide a flexible method for routing alerts and reports.
- For alert channels, you define where to send alerts or reports, such as to Jira, Slack, or email.
- For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.
- For report rules, you define information about which reports to send.
Create Alert Channels
Create an alert channel by specifying parameters in the request body when invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertChannels
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Request Body schema: application/json
name (required, string, non-empty, pattern (?!^ +$)^.+$): When sending a request, use this attribute to specify an integration's name. When included in a response, this attribute returns the specified integration's name.
type (required, string): When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration's type.
enabled (required, number, 0 or 1): When sending a request, use this attribute to enable or disable an integration. When included in a response, this attribute returns the integration's current enabled value.
data (required, object)
Request sample (payload):
{
  "name": "string",
  "type": "AwsS3",
  "enabled": 1,
  "data": {
    "s3CrossAccountCredentials": {
      "externalId": "string",
      "roleArn": "string",
      "bucketArn": "string"
    }
  }
}
Response sample (201):
{
  "data": {
    "createdOrUpdatedBy": "user@example.com",
    "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
    "enabled": 1,
    "intgGuid": "LWXYZ...",
    "isOrg": 0,
    "name": "Support",
    "props": "{object}",
    "state": "{object}",
    "type": "AwsS3",
    "data": {
      "s3CrossAccountCredentials": {
        "externalId": "123456",
        "roleArn": "arn:aws:iam::...",
        "bucketArn": "arn:aws:s3:::..."
      }
    }
  }
}
List All Alert Channels
Get a list of alert channels for the current user by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertChannels
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Response sample (200):
{
  "data": [
    {
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Support",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsS3",
      "data": {
        "s3CrossAccountCredentials": {
          "externalId": "123456",
          "roleArn": "arn:aws:iam::...",
          "bucketArn": "arn:aws:s3:::..."
        }
      }
    },
    {
      "createdOrUpdatedBy": "info@example.com",
      "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "info",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsS3",
      "data": {
        "s3CrossAccountCredentials": {
          "externalId": "123456",
          "roleArn": "arn:aws:iam::...",
          "bucketArn": "arn:aws:s3:::..."
        }
      }
    }
  ]
}
List Alert Channels by Type
Get a list of alert channels of the specified type by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel
path Parameters
type (required, string): Alert Channel Type. Enum: "AwsS3", "CiscoSparkWebhook", "CloudwatchEb", "Datadog", "EmailUser", "GcpPubsub", "IbmQradar", "Jira", "MicrosoftTeams", "NewRelicInsights", "PagerDutyApi", "ServiceNowRest", "SlackChannel", "SplunkHec", "VictorOps", "Webhook"
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Response sample (200): identical to the response sample under List All Alert Channels.
Search Alert Channels
Search alert channels by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertChannels/search
To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns": [ "name", "type", "enabled" ].
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Request Body schema: application/json
filters (Array of objects): One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns (Array of strings): Use this attribute to specify which top-level fields of the response schema you want to receive.
Request sample (payload):
{
  "filters": [
    {
      "expression": "eq",
      "field": "string",
      "value": "string",
      "values": [ "string" ]
    }
  ],
  "returns": [ "string" ]
}
Response sample (200): identical to the response sample under List All Alert Channels.
Test Alert Channels
Test the integration of an alert channel by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test
path Parameters
intgGuid (required, string): Alert Channel ID
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Response sample (4XX/5XX):
{
  "message": "Invalid ..."
}
Alert Channel Details
Get details about an alert channel by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}
path Parameters
intgGuid (required, string): Alert Channel ID
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Response sample (200): identical to the 201 response sample under Create Alert Channels.
Update Alert Channels
Update an alert channel by specifying parameters in the request body when invoking the following endpoint:
PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}
In the request body, specify only the parameter(s) that you want to update, for example, { "enabled" : 0 }.
path Parameters
intgGuid (required, string): Alert Channel ID
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Request Body schema: application/json
Specify only the parameter(s) that you want to update, for example, { "enabled" : 0 }.
name (string, non-empty, pattern (?!^ +$)^.+$): When sending a request, use this attribute to specify an integration's name. When included in a response, this attribute returns the specified integration's name.
type (string): When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration's type.
enabled (number, 0 or 1): When sending a request, use this attribute to enable or disable an integration. When included in a response, this attribute returns the integration's current enabled value.
data (object)
Request sample (payload): identical to the request sample under Create Alert Channels.
Response sample (200): identical to the 201 response sample under Create Alert Channels.
Update Alert Channels
Update an alert channel by specifying the entire object in the request body when invoking the following endpoint:
PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}
In the request body, specify the entire object that you want to update, for example:
{ "name": "string", "type": "AwsS3", "enabled": 1, "data": { "s3CrossAccountCredentials": { "externalId": "string", "roleArn": "string", "bucketArn": "string" } } }
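The PATCH and PUT endpoints above differ in what the body must contain, so here is an added example (not Lacework's code) that builds both bodies from a channel's current details, drops the server-managed attributes a GET returns, applies the name and enabled constraints from the schema, and assembles the request without sending it. CURRENT and its placeholder GUID are constructed; the function names are my own assumptions.

```python
import json
import re
import urllib.request

WRITABLE = ("name", "type", "enabled", "data")   # request-schema attributes from the docs above
NAME_PATTERN = re.compile(r"(?!^ +$)^.+$")       # the name constraint from the schema above

# Constructed current state, shaped like the Alert Channel Details response; not real data.
CURRENT = {
    "createdOrUpdatedBy": "user@example.com",
    "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
    "enabled": 1,
    "intgGuid": "LWXYZ-PLACEHOLDER",
    "isOrg": 0,
    "name": "Support",
    "props": "{object}",
    "state": "{object}",
    "type": "AwsS3",
    "data": {"s3CrossAccountCredentials": {
        "externalId": "123456", "roleArn": "arn:aws:iam::...", "bucketArn": "arn:aws:s3:::..."}},
}


def valid_name(name) -> bool:
    """Non-empty and not made only of spaces, per the schema's regular expression."""
    return isinstance(name, str) and NAME_PATTERN.fullmatch(name) is not None


def patch_body(changes: dict) -> dict:
    """PATCH body: only the attributes being changed, all of which must be writable."""
    unknown = sorted(k for k in changes if k not in WRITABLE)
    if unknown:
        raise ValueError(f"not updatable via the request body: {unknown}")
    if "enabled" in changes and changes["enabled"] not in (0, 1):
        raise ValueError("enabled must be 0 or 1")
    if "name" in changes and not valid_name(changes["name"]):
        raise ValueError("name must be non-empty and not all spaces")
    return dict(changes)


def put_body(current: dict, changes: dict) -> dict:
    """PUT body: the whole writable object, i.e. current values overlaid with changes.

    Server-managed attributes that GET returns (intgGuid, createdOrUpdatedBy, props,
    state, isOrg) are dropped, and every required attribute must be present.
    """
    merged = {k: current[k] for k in WRITABLE if k in current}
    merged.update(patch_body(changes))
    missing = [k for k in WRITABLE if k not in merged]
    if missing:
        raise ValueError(f"PUT requires the complete object; missing {missing}")
    return merged


def build_request(method: str, host: str, intg_guid: str, token: str, body: dict):
    """Assemble the HTTPS request (not sent here); pass it to urllib.request.urlopen to send."""
    if method not in ("PATCH", "PUT"):
        raise ValueError("use PATCH for partial updates or PUT for complete updates")
    return urllib.request.Request(
        f"https://{host}/api/v2/AlertChannels/{intg_guid}",
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Disabling a channel: PATCH sends one attribute, PUT must resend the whole object.
    print(patch_body({"enabled": 0}))
    print(put_body(CURRENT, {"enabled": 0}))
    req = build_request("PATCH", "YourLacework.lacework.net", CURRENT["intgGuid"],
                        "YourAPIToken", patch_body({"enabled": 0}))
    print(req.get_method(), req.full_url)
```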
path Parameters
intgGuid (required, string): Alert Channel ID
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Request Body schema: application/json
name (required, string, non-empty, pattern (?!^ +$)^.+$): When sending a request, use this attribute to specify an integration's name. When included in a response, this attribute returns the specified integration's name.
type (required, string): When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration's type.
enabled (required, number, 0 or 1): When sending a request, use this attribute to enable or disable an integration. When included in a response, this attribute returns the integration's current enabled value.
data (required, object)
Request sample (payload): identical to the request sample under Create Alert Channels.
Response sample (200): identical to the 201 response sample under Create Alert Channels.
Delete Alert Channels
Delete an alert channel by invoking the following endpoint:
DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}
path Parameters
intgGuid (required, string): Alert Channel ID
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Org-Access (boolean): Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access.
Account-Name (string): Use this attribute to specify which sub-account to access.
Response sample (4XX/5XX):
{
  "message": "Invalid ..."
}
An alert profile is a set of metadata that defines how the results of your LQL queries are turned into events and alerts.
Alert profiles work as a system: Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles, and the operations for defining and editing your own, are exposed through Lacework API calls.
Create Alert Profiles
Create an alert profile that extends an existing alert profile by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertProfiles
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Request Body schema: application/json
alerts (required, Array of objects): An alert is a definition of the content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.
alertProfileId (required, string): Unique id within the customer account for the Alert Profile
extends (required, string): Base Lacework-defined Alert Profile from which to inherit properties
Request sample (payload):
{
  "alerts": [
    {
      "name": "string",
      "eventName": "string",
      "description": "string",
      "subject": "string"
    }
  ],
  "alertProfileId": "string",
  "extends": "string"
}
Response sample (201):
[
  {
    "alertProfileId": "Custom_HE_Machines_AlertProfile",
    "extends": "LW_HE_Machines",
    "fields": [
      { "name": "_EVENT_COUNT" },
      { "name": "_PRIMARY_TAG" },
      { "name": "_RISK" },
      { "name": "_SEVERITY" },
      { "name": "_POLICY_ID" },
      { "name": "HOSTNAME" }
    ],
    "descriptionKeys": [
      { "name": "_POLICY_DESCRIPTION", "spec": "{{_POLICY_DESCRIPTION}}" },
      { "name": "_POLICY_TITLE", "spec": "{{_POLICY_TITLE}}" },
      { "name": "HOSTNAME", "spec": "{{HOSTNAME}}" }
    ],
    "alerts": [
      {
        "name": "HE_Machine_NewViolation",
        "eventName": "Custom LW Host Entity Machine New Violation Alert",
        "description": "Custom New Violation for machine {{HOSTNAME}}",
        "subject": "Custom New violation detected for machine {{HOSTNAME}}"
      },
      {
        "name": "HE_Machine_PolicyChanged",
        "eventName": "Custom LW Host Entity Machine Policy Changed Alert",
        "description": "Custom policy changed for machine {{HOSTNAME}}",
        "subject": "Custom policy change detected for machine {{HOSTNAME}}"
      }
    ]
  }
]
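As an added example that is not Lacework's own code: a pre-flight check for the create body above, verifying that every {{placeholder}} in a custom alert template names a field or descriptionKey of the base profile it extends, so that a typo does not ship a template whose subject renders blank. BASE_PROFILE is a constructed stand-in for the base profile's details response, and the function names are my own assumptions.

```python
import re

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")
REQUIRED = ("name", "eventName", "description", "subject")   # per the alert template schema

# Constructed stand-in for the base profile (what GET .../AlertProfiles/{alertProfileId}
# would return); fields and descriptionKeys follow the response sample above. Not real data.
BASE_PROFILE = {
    "alertProfileId": "LW_HE_Machines",
    "fields": [{"name": n} for n in
               ("_EVENT_COUNT", "_PRIMARY_TAG", "_RISK", "_SEVERITY", "_POLICY_ID", "HOSTNAME")],
    "descriptionKeys": [
        {"name": "_POLICY_DESCRIPTION", "spec": "{{_POLICY_DESCRIPTION}}"},
        {"name": "_POLICY_TITLE", "spec": "{{_POLICY_TITLE}}"},
        {"name": "HOSTNAME", "spec": "{{HOSTNAME}}"},
    ],
}

# The two custom templates from the response sample above.
CUSTOM_ALERTS = [
    {"name": "HE_Machine_NewViolation",
     "eventName": "Custom LW Host Entity Machine New Violation Alert",
     "description": "Custom New Violation for machine {{HOSTNAME}}",
     "subject": "Custom New violation detected for machine {{HOSTNAME}}"},
    {"name": "HE_Machine_PolicyChanged",
     "eventName": "Custom LW Host Entity Machine Policy Changed Alert",
     "description": "Custom policy changed for machine {{HOSTNAME}}",
     "subject": "Custom policy change detected for machine {{HOSTNAME}}"},
]


def available_keys(profile: dict) -> set:
    """Names a template may reference: the profile's fields plus its descriptionKeys."""
    return ({f["name"] for f in profile.get("fields", [])}
            | {d["name"] for d in profile.get("descriptionKeys", [])})


def placeholders(text: str) -> set:
    """Every {{NAME}} reference found in a template string."""
    return set(PLACEHOLDER.findall(text))


def validate_alert(alert: dict, keys: set) -> list:
    """Problems with one alert template (empty list when it is acceptable)."""
    problems = [f"missing required attribute {k}" for k in REQUIRED if not alert.get(k)]
    for attr in ("eventName", "description", "subject"):
        for ph in sorted(placeholders(alert.get(attr, "")) - keys):
            problems.append(f"unknown placeholder {{{{{ph}}}}} in {attr}")
    return problems


def build_create_body(profile_id: str, base: dict, alerts: list) -> dict:
    """Body for POST /api/v2/AlertProfiles; raises ValueError listing every problem found."""
    keys = available_keys(base)
    problems, seen = [], set()
    for alert in alerts:
        label = alert.get("name", "?")
        problems += [f"{label}: {p}" for p in validate_alert(alert, keys)]
        if label in seen:
            problems.append(f"{label}: duplicate alert name")
        seen.add(label)
    if profile_id == base["alertProfileId"]:
        problems.append("alertProfileId must differ from the profile it extends")
    if problems:
        raise ValueError("; ".join(problems))
    return {"alerts": alerts, "alertProfileId": profile_id, "extends": base["alertProfileId"]}


if __name__ == "__main__":
    print(build_create_body("Custom_HE_Machines_AlertProfile", BASE_PROFILE, CUSTOM_ALERTS))
```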
List All Alert Profiles
Get all the alert profiles for the current user by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertProfiles
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Response sample (200): identical to the 201 response sample under Create Alert Profiles.
Alert Profiles Details
Get the details to the specified alert profile by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}
path Parameters
id (required, string): Alert Profile id
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Response sample (200): identical to the 201 response sample under Create Alert Profiles.
Update Alert Profiles
Update the alert templates of the specified alert profile by invoking the following endpoint:
PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}
path Parameters
id (required, string): Alert Profile id
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Request Body schema: application/json
alerts (Array of objects): An alert is a definition of the content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.
Request sample (payload):
{
  "alerts": [
    {
      "name": "string",
      "eventName": "string",
      "description": "string",
      "subject": "string"
    }
  ]
}
Response sample (200): identical to the 201 response sample under Create Alert Profiles.
Delete Alert Profiles
Delete the specified alert profile by invoking the following endpoint:
DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}
path Parameters
id (required, string): Alert Profile id
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Response sample (4XX/5XX):
{
  "message": "Invalid ..."
}
Create Alert Templates
Create a new alert template for a specified alert profile by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates
path Parameters
id (required, string): Alert Profile id
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Request Body schema: application/json
name (required, string): A name that policies can use to refer to this definition when generating alerts
eventName (required, string): The name of the resulting alert
description (required, string): Summary of the resulting alert
subject (required, string): A high-level observation of the resulting alert
Request sample (payload):
{
  "name": "string",
  "eventName": "string",
  "description": "string",
  "subject": "string"
}
Response sample (200): identical to the 201 response sample under Create Alert Profiles.
Update Alert Templates
Update an alert template for a specified alert profile by invoking the following endpoint:
PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}
path Parameters
id (required, string): Alert Profile id
alertTemplateName (required, string): Alert Template Name
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Request Body schema: application/json
eventName (string): The name of the resulting alert
description (string): Summary of the resulting alert
subject (string): A high-level observation of the resulting alert
Request sample (payload):
{
  "eventName": "string",
  "description": "string",
  "subject": "string"
}
Response sample (200): identical to the 201 response sample under Create Alert Profiles.
Delete Alert Templates
Delete an alert template for a specified alert profile by invoking the following endpoint:
DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}
path Parameters
id (required, string): Alert Profile id
alertTemplateName (required, string): Alert Template Name
header Parameters
Authorization (required, string): Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type (required, string): application/json
Response sample (4XX/5XX):
{
  "message": "Invalid ..."
}
Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.
Create Alert Rules
Create an alert rule by specifying parameters in the request body when invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertRules
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
filters required | object When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request. |
intgGuidList required | Array of strings non-empty unique The alert channels for the rule to access. |
type required | string Value: "Event" The alert type. |
Responses
Request samples
- Payload
{
  "filters": {
    "name": "string",
    "description": "string",
    "enabled": 1,
    "resourceGroups": [ "string" ],
    "eventCategory": [ "Compliance" ],
    "severity": [ 1 ]
  },
  "intgGuidList": [ "string" ],
  "type": "Event"
}
Response samples
- 201
- 4XX
- 5XX
{
  "data": {
    "mcGuid": "QA42F6C8_97...",
    "filters": {
      "name": "Default Rule",
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
      "enabled": 1,
      "resourcegroups": [ "QA402035_43..." ],
      "severity": [ 1, 2, 3 ],
      "eventcategory": [ "App", "Compliance", "Cloud", "File", "K8sActivity", "Machine", "Platform", "User" ]
    },
    "intgGuidList": [ "QA402035_66..." ],
    "type": "Event"
  }
}
List All Alert Rules
List all alert rules in your Lacework instance by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertRules
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "data": [
    {
      "mcGuid": "QA42F6C8_97...",
      "filters": {
        "name": "Default Rule",
        "createdOrUpdatedBy": "user@example.com",
        "createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
        "enabled": 1,
        "resourcegroups": [ "QA402035_43.." ],
        "severity": [ 1, 2, 3 ],
        "eventcategory": [ "App", "Compliance", "Cloud", "File", "K8sActivity", "Machine", "Platform", "User" ]
      },
      "intgGuidList": [ "QA402035_66..." ],
      "type": "Event"
    },
    {
      "mcGuid": "QA42F6C8_83...",
      "filters": {
        "name": "test",
        "createdOrUpdatedBy": "user@example.com",
        "createdOrUpdatedTime": "2020-01-15T07:07:21.989Z",
        "enabled": 1,
        "resourcegroups": [ "QA402035_EB...", "QA402035_BA..." ],
        "severity": [ 1, 2, 3 ],
        "eventcategory": [ "User", "Cloud" ]
      },
      "intgGuidList": [ "QA402035_01...", "QA402035_A6..." ],
      "type": "Event"
    }
  ]
}
Search Alert Rules
Search alert rules by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AlertRules/search
To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
Here are some example body payloads:
{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }
{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }
{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }
{ "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }
{ "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }
{ "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }
In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
filters | Array of objects [ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Responses
Request samples
- Payload
{
  "filters": [
    {
      "expression": "eq",
      "field": "string",
      "value": "string",
      "values": [ "string" ]
    }
  ],
  "returns": [ "string" ]
}
Response samples
- 200
- 4XX
- 5XX
{
  "data": [
    {
      "mcGuid": "QA42F6C8_97...",
      "filters": {
        "name": "Default Rule",
        "createdOrUpdatedBy": "user@example.com",
        "createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
        "enabled": 1,
        "resourcegroups": [ "QA402035_43.." ],
        "severity": [ 1, 2, 3 ],
        "eventcategory": [ "App", "Compliance", "Cloud", "File", "K8sActivity", "Machine", "Platform", "User" ]
      },
      "intgGuidList": [ "QA402035_66..." ],
      "type": "Event"
    },
    {
      "mcGuid": "QA42F6C8_83...",
      "filters": {
        "name": "test",
        "createdOrUpdatedBy": "user@example.com",
        "createdOrUpdatedTime": "2020-01-15T07:07:21.989Z",
        "enabled": 1,
        "resourcegroups": [ "QA402035_EB...", "QA402035_BA..." ],
        "severity": [ 1, 2, 3 ],
        "eventcategory": [ "User", "Cloud" ]
      },
      "intgGuidList": [ "QA402035_01...", "QA402035_A6..." ],
      "type": "Event"
    }
  ]
}
Alert Rule Details
Get details about an alert rule by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}
Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.
path Parameters
mcGuid required | string Alert Rule mcGuid |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "data": {
    "mcGuid": "QA42F6C8_97...",
    "filters": {
      "name": "Default Rule",
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
      "enabled": 1,
      "resourcegroups": [ "QA402035_43..." ],
      "severity": [ 1, 2, 3 ],
      "eventcategory": [ "App", "Compliance", "Cloud", "File", "K8sActivity", "Machine", "Platform", "User" ]
    },
    "intgGuidList": [ "QA402035_66..." ],
    "type": "Event"
  }
}
Update Alert Rules
Update an alert rule by specifying parameters in the request body when invoking the following endpoint:
PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}
Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked. In the request body, only specify the parameters that you want to update.
path Parameters
mcGuid required | string Alert Rules mcGuid |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
filters | object When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request. |
intgGuidList | Array of strings non-empty unique The alert channels for the rule to access. |
Responses
Request samples
- Payload
{
  "filters": {
    "name": "string",
    "description": "string",
    "enabled": 1,
    "resourceGroups": [ "string" ],
    "eventCategory": [ "Compliance" ],
    "severity": [ 1 ]
  },
  "intgGuidList": [ "string" ]
}
Response samples
- 200
- 4XX
- 5XX
{
  "data": {
    "mcGuid": "QA42F6C8_97...",
    "filters": {
      "name": "Default Rule",
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
      "enabled": 1,
      "resourcegroups": [ "QA402035_43..." ],
      "severity": [ 1, 2, 3 ],
      "eventcategory": [ "App", "Compliance", "Cloud", "File", "K8sActivity", "Machine", "Platform", "User" ]
    },
    "intgGuidList": [ "QA402035_66..." ],
    "type": "Event"
  }
}
Delete Alert Rules
Delete an alert rule by invoking the following endpoint:
DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}
Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.
path Parameters
mcGuid required | string Alert Rules mcGuid |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
- 4XX
- 5XX
{
  "message": "Invalid ..."
}
Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.
You can also post a comment to an alert's timeline, or change an alert status from Open to Closed.
List Alerts
Get a list of alerts during the specified date range by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}
Use the following formats to specify the startTime and endTime:
- yyyy-MM-dd, for example, 2022-06-28
- yyyy-MM-ddTHH, for example, 2022-06-28T08
- yyyy-MM-ddTHH:mm:ssZ, for example, 2022-06-28T08:00:00Z
- yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2022-06-28T08:00:00.000Z
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.
Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.
To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".
Example:
GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...
query Parameters
startTime | string Returns only recorded actions that occurred after this timestamp. |
endTime | string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used. |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "paging": {
    "rows": 1000,
    "totalRows": 3120
  },
  "data": [
    {
      "alertId": 855628,
      "startTime": "2022-06-30T00:00:00.000Z",
      "alertType": "CloudActivityLogIngestionFailed",
      "severity": "High",
      "endTime": "2022-06-30T01:00:00.000Z",
      "lastUserUpdatedTime": "",
      "status": "Open",
      "alertName": "Clone of Cloud Activity log ingestion failure detected",
      "alertInfo": {
        "subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
        "description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
      },
      "policyId": "CUSTOM_PLATFORM_130"
    },
    {
      "alertId": 855629,
      "startTime": "2022-06-30T00:00:00.000Z",
      "alertType": "UnauthorizedAPICall",
      "severity": "Info",
      "endTime": "2022-06-30T01:00:00.000Z",
      "lastUserUpdatedTime": "2022-06-30T01:26:51.392Z",
      "status": "Open",
      "alertName": "Unauthorized API Call",
      "alertInfo": {
        "subject": "Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times",
        "description": "For account: 1234567890: Unauthorized API call was attempted 4 times by user ABCD1234:Lacework"
      }
    }
  ]
}
Search Alerts
Search alerts by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Alerts/search
Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
For the timeFilter filter, these are the supported time formats:
- yyyy-MM-dd, for example, 2022-07-08
- yyyy-MM-ddTHH, for example, 2022-07-08T08
- yyyy-MM-ddTHH:mm:ssZ, for example, 2022-07-08T08:00:00Z
- yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2022-07-08T08:00:00.000Z
Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.
To limit the returned result, optionally specify one or more filters in the request body. These fields can be set in the filters: alertId, alertType, severity, status, subCategory, category, and source.
You can optionally filter the returned alerts by one or more of the top-level fields. See Filter Alerts for the filter values.
Here are some example body payloads:
{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"},
"filters": [ { "field": "alertType", "expression": "eq", "value": "SuspiciousUserFailedLogin" } ] }
{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"},
"filters": [ { "field": "severity", "expression": "eq", "value": "Critical" }, { "field": "status", "expression": "eq", "value": "Open" } ],
"returns": [ "alertId", "alertName", "alertType", "alertInfo" ] }
Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.
To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".
Example:
GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects [ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Responses
Request samples
- Payload
{
  "timeFilter": {
    "startTime": "string",
    "endTime": "string"
  },
  "filters": [
    {
      "expression": "eq",
      "field": "alertId",
      "value": "string"
    }
  ],
  "returns": [ "string" ]
}
Response samples
- 200
- 4XX
- 5XX
{
  "paging": {
    "rows": 1000,
    "totalRows": 3120
  },
  "data": [
    {
      "alertId": 855628,
      "startTime": "2022-06-30T00:00:00.000Z",
      "alertType": "CloudActivityLogIngestionFailed",
      "severity": "High",
      "endTime": "2022-06-30T01:00:00.000Z",
      "lastUserUpdatedTime": "",
      "status": "Open",
      "alertName": "Clone of Cloud Activity log ingestion failure detected",
      "alertInfo": {
        "subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
        "description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
      },
      "policyId": "CUSTOM_PLATFORM_130"
    },
    {
      "alertId": 855629,
      "startTime": "2022-06-30T00:00:00.000Z",
      "alertType": "UnauthorizedAPICall",
      "severity": "Info",
      "endTime": "2022-06-30T01:00:00.000Z",
      "lastUserUpdatedTime": "2022-06-30T01:26:51.392Z",
      "status": "Open",
      "alertName": "Unauthorized API Call",
      "alertInfo": {
        "subject": "Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times",
        "description": "For account: 1234567890: Unauthorized API call was attempted 4 times by user ABCD1234:Lacework"
      }
    }
  ]
}
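The time-window and Next Page rules described for List Alerts and Search Alerts, as an added Python example (not Lacework's own code): it splits a requested range into windows of at most 7 days, POSTs each window to /api/v2/Alerts/search, and follows paging.urls.nextPage with a GET that carries the same two headers. The injected send callable and the FakeLacework stand-in are assumptions so the logic runs offline.

```python
"""Page through POST /api/v2/Alerts/search (added example, not Lacework code).

Assumptions: `send(method, url, headers, body)` is an injected HTTP function that
returns the parsed JSON response, and FakeLacework is a constructed stand-in for
the API so the windowing and pagination logic can be exercised offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple

MAX_WINDOW = timedelta(days=7)      # maximum time range per API request (per the docs)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"     # one of the supported timeFilter formats

Send = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def api_headers(token: str) -> Dict[str, str]:
    """The two required headers, used for the search and for every Next Page URL."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def split_window(start: datetime, end: datetime) -> List[Tuple[datetime, datetime]]:
    """Split [start, end) into consecutive windows no longer than MAX_WINDOW."""
    if end <= start:
        raise ValueError("endTime must be later than startTime")
    windows, cur = [], start
    while cur < end:
        nxt = min(cur + MAX_WINDOW, end)
        windows.append((cur, nxt))
        cur = nxt
    return windows


def search_alerts(send: Send, base_url: str, token: str, start: datetime, end: datetime,
                  filters: Optional[List[dict]] = None,
                  returns: Optional[List[str]] = None) -> Iterator[dict]:
    """Yield every alert matching `filters` between start and end, across windows and pages."""
    headers = api_headers(token)
    for win_start, win_end in split_window(start, end):
        body: dict = {"timeFilter": {"startTime": win_start.strftime(TIME_FMT),
                                     "endTime": win_end.strftime(TIME_FMT)}}
        if filters:
            body["filters"] = filters      # a record must satisfy all conditions
        if returns:
            body["returns"] = returns      # restrict the top-level fields returned
        page = send("POST", f"{base_url}/api/v2/Alerts/search", headers, body)
        while True:
            for alert in page.get("data", []):
                yield alert
            # paging.urls.nextPage is the complete Next Page URL (valid for 24 hours);
            # it is fetched with a GET carrying the same two headers and no body.
            next_url = page.get("paging", {}).get("urls", {}).get("nextPage")
            if not next_url:
                break
            page = send("GET", next_url, headers, None)


class FakeLacework:
    """Constructed stand-in for the API: each search answers one record plus a Next
    Page URL, and that URL answers one more record with no further page."""

    def __init__(self) -> None:
        self.requests: List[Tuple[str, str, Optional[dict]]] = []
        self._searches = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[dict]) -> dict:
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("missing Bearer token")   # the real API answers 4XX
        self.requests.append((method, url, body))
        if method == "POST":
            self._searches += 1
            n = self._searches
            alerts_url = url.rsplit("/search", 1)[0]
            return {"paging": {"rows": 1, "totalRows": 2,
                               "urls": {"nextPage": f"{alerts_url}/page-{n}"}},
                    "data": [{"alertId": n * 10, "severity": "Critical", "status": "Open"}]}
        n = int(url.rsplit("-", 1)[1])                      # GET of a Next Page URL
        return {"paging": {"rows": 1, "totalRows": 2, "urls": {}},
                "data": [{"alertId": n * 10 + 1, "severity": "Critical", "status": "Open"}]}


def demo() -> dict:
    """Search 16 days of open Critical alerts: 3 windows (7 + 7 + 2 days), 2 pages each."""
    fake = FakeLacework()
    start = datetime(2022, 7, 1, tzinfo=timezone.utc)
    end = datetime(2022, 7, 17, tzinfo=timezone.utc)
    filters = [{"field": "severity", "expression": "eq", "value": "Critical"},
               {"field": "status", "expression": "eq", "value": "Open"}]
    alerts = list(search_alerts(fake, "https://YourLacework.lacework.net", "TOKEN",
                                start, end, filters, ["alertId", "alertName"]))
    return {"alert_ids": [a["alertId"] for a in alerts],
            "methods": [m for m, _, _ in fake.requests],
            "first_window": fake.requests[0][2]["timeFilter"],
            "last_window": fake.requests[-2][2]["timeFilter"],
            "windows": len(split_window(start, end))}


if __name__ == "__main__":
    print(demo())
```

Consecutive windows share a boundary timestamp, so de-duplicate on alertId if both ends of a range turn out to be inclusive.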
Alert Details
Get details about an alert by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}
You must specify a scope, as one of these options: Details, Investigation, Events, RelatedAlerts, Integrations, or Timeline.
path Parameters
alertId required | string Alert id |
query Parameters
scope required | string Enum: "Details" "Investigation" "Events" "RelatedAlerts" "Integrations" "Timeline" You must specify a scope, as one of these options. |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "data": {
    "alertId": 813628,
    "startTime": "2022-06-30T00:00:00.000Z",
    "alertType": "CloudActivityLogIngestionFailed",
    "severity": "High",
    "endTime": "2022-06-30T01:00:00.000Z",
    "lastUserUpdatedTime": "",
    "status": "Open",
    "alertName": "Clone of Cloud Activity log ingestion failure detected",
    "alertInfo": {
      "subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
      "description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
    },
    "entityMap": {
      "API": "{object}",
      "CT_User": "{object}",
      "CT_RawTime": "{object}",
      "Region": "{object}",
      "Resource": "{object}",
      "RulesTriggered": "{object}",
      "SourceIpAddress": "{object}"
    }
  }
}
Post Comments
Post a user comment on an alert’s timeline by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment
For details about alert timelines, see Timeline.
path Parameters
alertId required | string Alert id |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
comment required | string |
Responses
Request samples
- Payload
{
  "comment": "string"
}
Response samples
- 200
- 4XX
- 5XX
{
  "data": {
    "id": 211250,
    "alertId": 871115,
    "createdTime": "2022-07-18T18:28:30.739Z",
    "entryType": "Comment",
    "entryAuthorType": "UserUpdate",
    "message": {
      "value": "test comment"
    },
    "externalTime": "",
    "user": {
      "userGuid": "LW123_6FA99157890E373006F7EE3FA926B02C38D547BD6C79F1D",
      "username": "user@example.com"
    },
    "updateContext": { }
  }
}
Close Alerts
Change the status of an alert to closed by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close
The body of the request should contain the reason for closing, from these options:
- Other
- False positive
- Not enough information
- Malicious and have resolution in place
- Expected because of routine testing
If you choose Other, the message field is required and should contain a brief explanation of why the alert is closed.
Note that a closed alert cannot be reopened.
For details about alert statuses, see Status.
path Parameters
alertId required | string Alert id |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
reason required | number Enum: 0, 1, 2, 3, 4. 0 = Other; 1 = False positive; 2 = Not enough information; 3 = Malicious and have resolution in place; 4 = Expected because of routine testing |
comment | string If you choose |
Responses
Request samples
- Payload
{
  "reason": 0,
  "comment": "string"
}
Response samples
- 4XX
- 5XX
{
  "message": "Invalid ..."
}
Audit logs let you view the history of all actions performed within a Lacework account so you know who made changes to the system and when. For example, you can see who suppressed certain alerts, what time an authentication setting was modified, etc. For more information, see Audit Logs.
Audit Logs
Get audit logs by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/AuditLogs
Optionally specify the startTime and endTime time range filters using the following formats:
- yyyy-MM-dd, for example, 2020-12-18
- yyyy-MM-ddTHH, for example, 2020-12-18T08
- yyyy-MM-ddTHH:mm:ssZ, for example, 2020-12-18T08:00:00Z
- yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z
To use the current time as the end time, exclude the endTime parameter.
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z
query Parameters
startTime | string Returns only recorded actions that occurred after this timestamp. |
endTime | string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used. |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "data": [
    {
      "accountName": "Lacework",
      "createdTime": "2020-12-18T18:38:28Z",
      "eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
      "eventName": "User Login",
      "userAction": "Login with OAuth Succeeded",
      "userName": "info@example.com"
    },
    {
      "accountName": "Lacework",
      "createdTime": "2020-12-18T22:38:28Z",
      "eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
      "eventName": "User Login",
      "userAction": "Login with OAuth Succeeded",
      "userName": "info@example.com"
    }
  ]
}
Search Audit Logs
Search the audit logs by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/AuditLogs/search
Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
For the timeFilter filter, these are the supported time formats:
- yyyy-MM-dd, for example, 2020-12-18
- yyyy-MM-ddTHH, for example, 2020-12-18T08
- yyyy-MM-ddTHH:mm:ssZ, for example, 2020-12-18T08:00:00Z
- yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z
To use the current time as the end time, exclude the endTime field.
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
Filters in the request body
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects [ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Responses
Request samples
- Payload
{
  "timeFilter": {
    "startTime": "string",
    "endTime": "string"
  },
  "filters": [
    {
      "expression": "eq",
      "field": "string",
      "value": "string",
      "values": [ "string" ]
    }
  ],
  "returns": [ "string" ]
}
Response samples
- 200
- 4XX
- 5XX
{
  "data": [
    {
      "accountName": "Lacework",
      "createdTime": "2020-12-18T18:38:28Z",
      "eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
      "eventName": "User Login",
      "userAction": "Login with OAuth Succeeded",
      "userName": "info@example.com"
    },
    {
      "accountName": "Lacework",
      "createdTime": "2020-12-18T22:38:28Z",
      "eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
      "eventName": "User Login",
      "userAction": "Login with OAuth Succeeded",
      "userName": "info@example.com"
    }
  ]
}
Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Create Cloud Accounts
Create a cloud account by specifying parameters in the request body when invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/CloudAccounts
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
name required | string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. |
type required | string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. |
enabled required | number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns |
data required | object |
Responses
Request samples
- Payload
{
  "name": "string",
  "type": "AwsCfg",
  "enabled": 1,
  "data": {
    "awsAccountId": "string",
    "crossAccountCredentials": {
      "externalId": "string",
      "roleArn": "string"
    }
  }
}
Response samples
- 201
- 4XX
- 5XX
{
  "data": {
    "createdOrUpdatedBy": "user@example.com",
    "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
    "enabled": 1,
    "intgGuid": "LWXYZ...",
    "isOrg": 0,
    "name": "Support",
    "props": "{object}",
    "state": "{object}",
    "type": "AwsCfg",
    "data": {
      "awsAccountId": "123456789012",
      "crossAccountCredentials": {
        "roleArn": "arn:aws:iam::...",
        "externalId": "123456"
      }
    }
  }
}
List All Cloud Accounts
Get a list of cloud accounts for the current user by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/CloudAccounts
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "data": [
    {
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2021-01-28T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Support",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsCfg",
      "data": {
        "awsAccountId": "123456789012",
        "crossAccountCredentials": {
          "roleArn": "arn:aws:iam::...",
          "externalId": "123456"
        }
      }
    },
    {
      "createdOrUpdatedBy": "info@example.com",
      "createdOrUpdatedTime": "2021-01-30T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Info",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsCfg",
      "data": {
        "awsAccountId": "123456789012",
        "crossAccountCredentials": {
          "roleArn": "arn:aws:iam::...",
          "externalId": "123456"
        }
      }
    }
  ]
}
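An added defender-side review (not Lacework's code) over the List All Cloud Accounts response shape above: it flags AwsCfg integrations that are disabled, that lack an externalId on the cross-account role, or whose roleArn sits in a different account than awsAccountId. The sample response, its GUIDs, account IDs and role names are constructed.

```python
"""Review AwsCfg cloud-account integrations for weak cross-account setup
(added defender-side example, not Lacework code). SAMPLE_RESPONSE is constructed
in the shape of the List All Cloud Accounts response; GUIDs, account IDs and
role names are placeholders."""
import re
from typing import Dict, List

# IAM role ARN: the 12-digit account ID sits between the two '::' separators.
ROLE_ARN = re.compile(r"^arn:aws(?:-us-gov|-cn)?:iam::(\d{12}):role/[\w+=,.@/-]+$")


def check_aws_cfg_account(account: dict) -> List[str]:
    """Return findings for one AwsCfg integration record; empty if it looks sound."""
    if account.get("type") != "AwsCfg":
        return []                       # other integration types carry different `data`
    name = account.get("name", "<unnamed>")
    findings: List[str] = []
    if account.get("enabled") != 1:
        findings.append(f"{name}: integration is disabled, so the account is not assessed")
    data = account.get("data", {})
    creds = data.get("crossAccountCredentials", {})
    # The externalId is the condition that scopes AssumeRole on the cross-account role;
    # an empty one leaves the role's trust policy relying on the principal alone.
    if not creds.get("externalId"):
        findings.append(f"{name}: crossAccountCredentials.externalId is empty")
    arn = creds.get("roleArn", "")
    match = ROLE_ARN.match(arn)
    if not match:
        findings.append(f"{name}: roleArn {arn!r} is not a well-formed IAM role ARN")
    elif match.group(1) != data.get("awsAccountId"):
        findings.append(f"{name}: roleArn lives in account {match.group(1)} "
                        f"but awsAccountId is {data.get('awsAccountId')}")
    return findings


def review_cloud_accounts(response: dict) -> Dict[str, List[str]]:
    """Map intgGuid -> findings for every integration in a List All Cloud Accounts response."""
    report: Dict[str, List[str]] = {}
    for account in response.get("data", []):
        findings = check_aws_cfg_account(account)
        if findings:
            report[account.get("intgGuid", "<no intgGuid>")] = findings
    return report


SAMPLE_RESPONSE = {  # constructed sample; placeholder GUIDs, account IDs and role names
    "data": [
        {"intgGuid": "EXAMPLE_GUID_1", "name": "Support", "type": "AwsCfg", "enabled": 1,
         "data": {"awsAccountId": "123456789012",
                  "crossAccountCredentials": {
                      "roleArn": "arn:aws:iam::123456789012:role/lacework-config-reader",
                      "externalId": "123456"}}},
        {"intgGuid": "EXAMPLE_GUID_2", "name": "Info", "type": "AwsCfg", "enabled": 0,
         "data": {"awsAccountId": "123456789012",
                  "crossAccountCredentials": {
                      "roleArn": "arn:aws:iam::210987654321:role/lacework-config-reader",
                      "externalId": ""}}},
        {"intgGuid": "EXAMPLE_GUID_3", "name": "Trail", "type": "AwsCtSqs", "enabled": 1,
         "data": {"awsAccountId": "123456789012"}},
    ]
}

if __name__ == "__main__":
    for guid, findings in review_cloud_accounts(SAMPLE_RESPONSE).items():
        print(guid)
        for line in findings:
            print("  -", line)
```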
List Cloud Accounts by Type
Get a list of cloud accounts of the specified type by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg
path Parameters
type required | string Enum: "AwsCfg" "AwsCtSqs" "AwsEksAudit" "AwsUsGovCfg" "AwsUsGovCtSqs" "AzureAlSeq" "AzureCfg" "GcpAtSes" "GcpCfg" Cloud Accounts Type |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
- 200
- 4XX
- 5XX
{
  "data": [
    {
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2021-01-28T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Support",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsCfg",
      "data": {
        "awsAccountId": "123456789012",
        "crossAccountCredentials": {
          "roleArn": "arn:aws:iam::...",
          "externalId": "123456"
        }
      }
    },
    {
      "createdOrUpdatedBy": "info@example.com",
      "createdOrUpdatedTime": "2021-01-30T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Info",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsCfg",
      "data": {
        "awsAccountId": "123456789012",
        "crossAccountCredentials": {
          "roleArn": "arn:aws:iam::...",
          "externalId": "123456"
        }
      }
    }
  ]
}
Search Cloud Accounts
Search cloud accounts by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search
To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access. |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
filters | Array of objects One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Responses
Request samples
Payload:
{
  "filters": [
    {
      "expression": "eq",
      "field": "string",
      "value": "string",
      "values": [
        "string"
      ]
    }
  ],
  "returns": [
    "string"
  ]
}
Response samples
200:
{
  "data": [
    {
      "createdOrUpdatedBy": "user@example.com",
      "createdOrUpdatedTime": "2021-01-28T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Support",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsCfg",
      "data": {
        "awsAccountId": "123456789012",
        "crossAccountCredentials": {
          "roleArn": "arn:aws:iam::...",
          "externalId": "123456"
        }
      }
    },
    {
      "createdOrUpdatedBy": "info@example.com",
      "createdOrUpdatedTime": "2021-01-30T08:28:18Z",
      "enabled": 1,
      "intgGuid": "LWXYZ...",
      "isOrg": 0,
      "name": "Info",
      "props": "{object}",
      "state": "{object}",
      "type": "AwsCfg",
      "data": {
        "awsAccountId": "123456789012",
        "crossAccountCredentials": {
          "roleArn": "arn:aws:iam::...",
          "externalId": "123456"
        }
      }
    }
  ]
}
Cloud Accounts Details
Get details about a cloud account by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}
path Parameters
intgGuid required | string Cloud Account ID |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access. |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
200:
{
  "data": {
    "createdOrUpdatedBy": "user@example.com",
    "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
    "enabled": 1,
    "intgGuid": "LWXYZ...",
    "isOrg": 0,
    "name": "Support",
    "props": "{object}",
    "state": "{object}",
    "type": "AwsCfg",
    "data": {
      "awsAccountId": "123456789012",
      "crossAccountCredentials": {
        "roleArn": "arn:aws:iam::...",
        "externalId": "123456"
      }
    }
  }
}
Update Cloud Accounts
Update a cloud account by specifying parameters in the request body when invoking the following endpoint:
PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}
In the request body, specify only the parameters that you want to update, for example, { "enabled": 0 }.
path Parameters
intgGuid required | string Cloud Account ID |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access. |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
name | string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. |
type | string (Type) When sending a request, use this attribute to specify the type of integration, one of AwsCfg, AwsCtSqs, AwsEksAudit, AwsUsGovCfg, AwsUsGovCtSqs, AzureAlSeq, AzureCfg, GcpAtSes, GcpCfg. When included in a response, this attribute returns the specified integration's type. |
enabled | number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration. |
data | object Integration-specific settings for the given type; for AwsCfg this is awsAccountId and crossAccountCredentials (roleArn, externalId), as in the samples below. |
Responses
Request samples
Payload:
{
  "name": "string",
  "type": "AwsCfg",
  "enabled": 1,
  "data": {
    "awsAccountId": "string",
    "crossAccountCredentials": {
      "externalId": "string",
      "roleArn": "string"
    }
  }
}
Response samples
200:
{
  "data": {
    "createdOrUpdatedBy": "user@example.com",
    "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
    "enabled": 1,
    "intgGuid": "LWXYZ...",
    "isOrg": 0,
    "name": "Support",
    "props": "{object}",
    "state": "{object}",
    "type": "AwsCfg",
    "data": {
      "awsAccountId": "123456789012",
      "crossAccountCredentials": {
        "roleArn": "arn:aws:iam::...",
        "externalId": "123456"
      }
    }
  }
}
Update Cloud Accounts
Update a cloud account by specifying the entire object in the request body when invoking the following endpoint:
PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}
In the request body, specify the entire object that you want to update, for example:
{ "name": "string", "type": "AwsCfg", "enabled": 1, "data": { "awsAccountId": "string", "crossAccountCredentials": { "externalId": "string", "roleArn": "string" } } }
path Parameters
intgGuid required | string Cloud Account ID |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access. |
Account-Name | string Use this attribute to specify which sub-account to access. |
Request Body schema: application/json
name required | string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. |
type required | string (Type) When sending a request, use this attribute to specify the type of integration, one of AwsCfg, AwsCtSqs, AwsEksAudit, AwsUsGovCfg, AwsUsGovCtSqs, AzureAlSeq, AzureCfg, GcpAtSes, GcpCfg. When included in a response, this attribute returns the specified integration's type. |
enabled required | number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration. |
data required | object Integration-specific settings for the given type; for AwsCfg this is awsAccountId and crossAccountCredentials (roleArn, externalId), as in the samples below. |
Responses
Request samples
Payload:
{
  "name": "string",
  "type": "AwsCfg",
  "enabled": 1,
  "data": {
    "awsAccountId": "string",
    "crossAccountCredentials": {
      "externalId": "string",
      "roleArn": "string"
    }
  }
}
Response samples
200:
{
  "data": {
    "createdOrUpdatedBy": "user@example.com",
    "createdOrUpdatedTime": "2021-02-08T08:28:18Z",
    "enabled": 1,
    "intgGuid": "LWXYZ...",
    "isOrg": 0,
    "name": "Support",
    "props": "{object}",
    "state": "{object}",
    "type": "AwsCfg",
    "data": {
      "awsAccountId": "123456789012",
      "crossAccountCredentials": {
        "roleArn": "arn:aws:iam::...",
        "externalId": "123456"
      }
    }
  }
}
Delete Cloud Accounts
Delete a cloud account by invoking the following endpoint:
DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}
path Parameters
intgGuid required | string Cloud Account ID |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Org-Access | boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which sub-account to access. |
Account-Name | string Use this attribute to specify which sub-account to access. |
Responses
Response samples
4XX / 5XX:
{
  "message": "Invalid ..."
}
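The Cloud Accounts search, details and update calls above, as a worked example added here (this is not Lacework's code and not from the Lacework CLI): a small client that sets the documented Authorization, Content-Type, Org-Access and Account-Name headers, treats a response body without a data property as the 4xx/5xx error case, searches the AwsCfg integrations, audits each cross-account credential, and uses PATCH to send only { "enabled": 0 } for the ones that fail. The Lacework tenant name, the token, the fake_send transport, the two sample records and the audit rules (role ARN account must equal awsAccountId, minimum externalId length) are assumptions made for this example.

```python
"""Client for /api/v2/CloudAccounts plus an audit of AWS cross-account credentials.
Added example, not Lacework's code. Endpoints, headers and JSON shape follow the
page; the audit rules, fake transport and sample records are constructed."""
import json
import re
import urllib.request
from typing import Callable, Optional

# IAM role ARN: arn:aws[-us-gov]:iam::<12-digit account id>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-us-gov)?:iam::(\d{12}):role/.+$")
MIN_EXTERNAL_ID_LEN = 16  # assumed local policy, not a Lacework requirement

def urllib_send(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Default transport: real HTTPS call (needs network and a valid token)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")

class CloudAccounts:
    def __init__(self, lacework_account: str, token: str, send: Callable = urllib_send,
                 sub_account: Optional[str] = None, org_access: bool = False):
        self.base = f"https://{lacework_account}.lacework.net/api/v2/CloudAccounts"
        self.send = send
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}
        if org_access:      # token carries organization admin permissions
            self.headers["Org-Access"] = "true"
        if sub_account:     # account-scoped token: name the sub-account to work in
            self.headers["Account-Name"] = sub_account

    def _call(self, method: str, path: str = "", body: Optional[dict] = None):
        resp = self.send(method, self.base + path, self.headers, body)
        if "data" not in resp:  # 4xx/5xx bodies carry "message" instead of "data"
            raise RuntimeError(f"Lacework API error: {resp.get('message', resp)}")
        return resp["data"]

    def search(self, filters=None, returns=None) -> list:
        body = {k: v for k, v in (("filters", filters), ("returns", returns)) if v}
        return self._call("POST", "/search", body)

    def patch(self, intg_guid: str, **fields) -> dict:
        """PATCH sends only the fields to change, for example enabled=0."""
        return self._call("PATCH", f"/{intg_guid}", fields)

def audit_aws_cfg(accounts: list) -> list:
    """Return (intgGuid, reason) pairs for AwsCfg integrations that need a look."""
    findings = []
    for acct in accounts:
        if acct.get("type") != "AwsCfg":
            continue
        guid, data = acct.get("intgGuid"), acct.get("data", {})
        creds = data.get("crossAccountCredentials", {})
        if acct.get("enabled") != 1:
            findings.append((guid, "disabled: the account is not being assessed"))
        m = ROLE_ARN_RE.match(creds.get("roleArn", ""))
        if not m:
            findings.append((guid, "roleArn is not a well-formed IAM role ARN"))
        elif m.group(1) != data.get("awsAccountId"):
            findings.append((guid, f"roleArn account {m.group(1)} is not awsAccountId"))
        if len(creds.get("externalId", "")) < MIN_EXTERNAL_ID_LEN:
            findings.append((guid, "externalId too short to resist a confused deputy"))
    return findings

# Constructed records in the page's response shape (not from a real tenant).
SAMPLE_SEARCH = {"data": [
    {"intgGuid": "LWGOOD", "name": "prod", "type": "AwsCfg", "enabled": 1,
     "data": {"awsAccountId": "123456789012", "crossAccountCredentials": {
         "roleArn": "arn:aws:iam::123456789012:role/lacework-audit",
         "externalId": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"}}},
    {"intgGuid": "LWBAD", "name": "legacy", "type": "AwsCfg", "enabled": 0,
     "data": {"awsAccountId": "123456789012", "crossAccountCredentials": {
         "roleArn": "arn:aws:iam::210987654321:role/lacework-audit",
         "externalId": "123456"}}}]}
SENT = []  # every request the fake transport saw

def fake_send(method, url, headers, body):
    """Offline stand-in for urllib_send: records the call and answers from samples."""
    SENT.append((method, url, dict(headers), body))
    if method == "POST" and url.endswith("/search"):
        return SAMPLE_SEARCH
    if method == "PATCH":
        return {"data": {"intgGuid": url.rsplit("/", 1)[1], **body}}
    return {"message": "Invalid ..."}

def demo() -> list:
    """Search AwsCfg integrations, audit them, disable any whose role ARN is foreign."""
    client = CloudAccounts("YourLacework", "YourAPIToken", send=fake_send,
                           sub_account="sub-account-1")
    accounts = client.search(
        filters=[{"field": "type", "expression": "eq", "value": "AwsCfg"}],
        returns=["intgGuid", "name", "type", "enabled", "data"])
    findings = audit_aws_cfg(accounts)
    for guid, reason in findings:
        if "is not awsAccountId" in reason:
            client.patch(guid, enabled=0)
    return findings
```

Swap fake_send for the default urllib_send (and a real tenant name and token) to run it against your instance; the role-ARN check matters because a roleArn in an account other than awsAccountId means Lacework is assessing a different account than the one the integration claims, and a short externalId weakens the confused-deputy protection the cross-account role depends on.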
Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance.
Cloud Activities
Get cloud activity details by invoking the following endpoint:
GET https://YourLacework.lacework.net/api/v2/CloudActivities
Optionally filter by specifying the startTime and endTime of a time range, using one of the following formats:
yyyy-MM-dd, for example, 2020-12-18
yyyy-MM-ddTHH, for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ, for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z
To use the current time as the end time, exclude the endTime parameter.
Here is an example invocation:
GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z
query Parameters
startTime | string Returns only recorded actions that occurred after this timestamp. |
endTime | string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used. |
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Responses
Response samples
200:
{
  "paging": {
    "rows": 5000,
    "totalRows": 5020
  },
  "data": [
    {
      "startTime": "2021-12-18T06:00:00Z",
      "endTime": "2021-12-18T06:30:00Z",
      "eventType": "CloudTrailDefaultAlert",
      "eventId": 291028,
      "eventModel": "CloudTrailCep",
      "eventActor": "Aws",
      "eventMap": {
        "API": [
          {
            "KEY": {
              "api": "DeleteUser",
              "service": "iam.amazonaws.com"
            },
            "PROPS": {
              "source_ip_address_list": [
                "34.221.221.117"
              ],
              "user_list": [
                "AssumedRole/631664038012:dev-test-instances"
              ]
            }
          }
        ],
        "CT_User": [
          {
            "KEY": {
              "account": "631664038012",
              "mfa": 0,
              "principalId": "ABCDEFGHIJKL123456789",
              "username": "AssumedRole/631664038012:dev-test-instances"
            },
            "PROPS": {
              "api_list": [
                "DeleteUser"
              ],
              "region_list": [
                "us-east-1"
              ]
            }
          }
        ],
        "Region": [
          {
            "KEY": {
              "region": "us-east-1"
            },
            "PROPS": {
              "account_list": [
                "631664038012"
              ]
            }
          }
        ],
        "Resource": [
          {
            "KEY": {
              "name": "userName",
              "value": "demomon13dec21083001"
            }
          },
          {
            "KEY": {
              "name": "userName",
              "value": "demomon13dec21083001"
            }
          }
        ],
        "RulesTriggered": [
          {
            "KEY": {
              "triggered_rule_id": "lw-dev-1"
            },
            "PROPS": {
              "rule_description": "An existing user was deleted.",
              "rule_id": "lw-dev-1",
              "rule_severity": 3,
              "rule_title": "Delete User"
            }
          }
        ],
        "SourceIpAddress": [
          {
            "KEY": {
              "ip_addr": "34.221.221.117"
            },
            "PROPS": {
              "api_list": [
                "DeleteUser"
              ]
            }
          }
        ]
      }
    },
    {
      "startTime": "2021-12-18T08:00:00Z",
      "endTime": "2021-12-18T08:30:00Z",
      "eventType": "IAMAccessKeyChanged",
      "eventId": 19018,
      "eventModel": "CloudTrailCep",
      "eventActor": "Aws",
      "eventMap": {
        "API": [
          {
            "KEY": {
              "api": "CreateAccessKey",
              "service": "iam.amazonaws.com"
            },
            "PROPS": {
              "source_ip_address_list": [
                "34.221.221.117"
              ],
              "user_list": [
                "AssumedRole/631664038012:dev-test-instances"
              ]
            }
          },
          {
            "KEY": {
              "api": "DeleteAccessKey",
              "service": "iam.amazonaws.com"
            },
            "PROPS": {
              "source_ip_address_list": [
                "34.221.221.117"
              ],
              "user_list": [
                "AssumedRole/631664038012:dev-test-instances"
              ]
            }
          }
        ],
        "CT_User": [
          {
            "KEY": {
              "account": "631664038012",
              "mfa": 0,
              "principalId": "ABCDEFGHIJKL123456789",
              "username": "AssumedRole/631664038012:dev-test-instances"
            },
            "PROPS": {
              "api_list": [
                "CreateAccessKey",
                "DeleteAccessKey"
              ],
              "region_list": [
                "us-east-1"
              ]
            }
          }
        ],
        "Region": [
          {
            "KEY": {
              "region": "us-east-1"
            },
            "PROPS": {
              "account_list": [
                "631664038012"
              ]
            }
          }
        ],
        "Resource": [
          {
            "KEY": {
              "name": "accessKeyId",
              "value": "ABCD1234567890"
            }
          },
          {
            "KEY": {
              "name": "userName",
              "value": "demomon13dec21083001"
            }
          },
          {
            "KEY": {
              "name": "accessKeyId",
              "value": "ABCD9876543210"
            }
          },
          {
            "KEY": {
              "name": "userName",
              "value": "demomon13dec21083001"
            }
          }
        ],
        "RulesTriggered": [
          {
            "KEY": {
              "triggered_rule_id": "lw-global-12"
            },
            "PROPS": {
              "rule_description": "An IAM access key was created or deleted.",
              "rule_id": "lw-global-12",
              "rule_severity": 2,
              "rule_title": "IAM Access Key Change"
            }
          }
        ],
        "SourceIpAddress": [
          {
            "KEY": {
              "ip_addr": "34.221.221.117"
            },
            "PROPS": {
              "api_list": [
                "CreateAccessKey",
                "DeleteAccessKey"
              ]
            }
          }
        ]
      }
    }
  ]
}
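The response above is mostly eventMap, and the useful triage questions (which APIs, which principal, from where, with MFA or not, which rule fired) are spread over its API, CT_User, SourceIpAddress and RulesTriggered sections. The following is an example added here, not Lacework's code: it walks an event's eventMap using the field names from the sample, flags identity-changing IAM calls made without MFA, and reports when paging shows the response is only part of the result set. The watch-list of IAM APIs, the flag names and the sample events (built to mirror the two on the page plus one benign event) are constructed for this example.

```python
"""Triage of CloudActivities events by their eventMap. Added example, not
Lacework's code. Field names follow the page's response sample; the watch-list,
the flags and the sample events below are constructed assumptions."""
from dataclasses import dataclass, field

# IAM calls that change who can act in the account (assumed watch-list).
IDENTITY_APIS = {"CreateAccessKey", "DeleteAccessKey", "CreateUser", "DeleteUser",
                 "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}

@dataclass
class Triage:
    event_id: int
    event_type: str
    apis: list
    actors: list
    source_ips: list
    rule_ids: list
    mfa_used: bool
    flags: list = field(default_factory=list)

def _keys(event_map: dict, section: str, name: str) -> list:
    """Collect KEY[name] from every entry of one eventMap section."""
    return [e["KEY"][name] for e in event_map.get(section, []) if name in e.get("KEY", {})]

def triage_event(ev: dict) -> Triage:
    em = ev.get("eventMap", {})
    users = em.get("CT_User", [])
    t = Triage(
        event_id=ev["eventId"], event_type=ev["eventType"],
        apis=_keys(em, "API", "api"),
        actors=_keys(em, "CT_User", "username"),
        source_ips=_keys(em, "SourceIpAddress", "ip_addr"),
        rule_ids=_keys(em, "RulesTriggered", "triggered_rule_id"),
        # mfa is 0/1 per CT_User entry; count the event as MFA-backed only if every actor had it
        mfa_used=bool(users) and all(u["KEY"].get("mfa") == 1 for u in users),
    )
    touched = sorted(IDENTITY_APIS & set(t.apis))
    if touched:
        t.flags.append("identity-change:" + ",".join(touched))
    if not t.mfa_used:
        t.flags.append("no-mfa")
    if any(a.startswith("AssumedRole/") for a in t.actors):
        t.flags.append("assumed-role")  # the username is a session; find what assumed it
    return t

def needs_review(t: Triage) -> bool:
    """Identity change without MFA is the combination worth a human look."""
    return "no-mfa" in t.flags and any(f.startswith("identity-change") for f in t.flags)

def is_partial(resp: dict) -> bool:
    """True when paging says more rows exist than this response carries."""
    p = resp.get("paging", {})
    return p.get("totalRows", 0) > p.get("rows", 0)

def triage_response(resp: dict) -> list:
    if "data" not in resp:  # error bodies carry "message" instead of "data"
        raise RuntimeError(resp.get("message", "unexpected response"))
    return [triage_event(e) for e in resp["data"]]

def _event(event_id, event_type, apis, mfa, resources, rules):
    """Constructed event in the page's eventMap shape (not captured from CloudTrail)."""
    user, ip, acct = "AssumedRole/631664038012:dev-test-instances", "34.221.221.117", "631664038012"
    return {
        "startTime": "2021-12-18T06:00:00Z", "endTime": "2021-12-18T06:30:00Z",
        "eventType": event_type, "eventId": event_id, "eventModel": "CloudTrailCep",
        "eventActor": "Aws",
        "eventMap": {
            "API": [{"KEY": {"api": a, "service": "iam.amazonaws.com"},
                     "PROPS": {"source_ip_address_list": [ip], "user_list": [user]}} for a in apis],
            "CT_User": [{"KEY": {"account": acct, "mfa": mfa, "principalId": "ABCDEFGHIJKL123456789",
                                 "username": user},
                         "PROPS": {"api_list": apis, "region_list": ["us-east-1"]}}],
            "Region": [{"KEY": {"region": "us-east-1"}, "PROPS": {"account_list": [acct]}}],
            "Resource": [{"KEY": {"name": n, "value": v}} for n, v in resources],
            "RulesTriggered": [{"KEY": {"triggered_rule_id": r}, "PROPS": {"rule_id": r,
                                "rule_severity": s}} for r, s in rules],
            "SourceIpAddress": [{"KEY": {"ip_addr": ip}, "PROPS": {"api_list": apis}}],
        },
    }

SAMPLE_RESPONSE = {"paging": {"rows": 3, "totalRows": 3}, "data": [
    _event(291028, "CloudTrailDefaultAlert", ["DeleteUser"], 0,
           [("userName", "demomon13dec21083001")], [("lw-dev-1", 3)]),
    _event(19018, "IAMAccessKeyChanged", ["CreateAccessKey", "DeleteAccessKey"], 0,
           [("accessKeyId", "ABCD1234567890"), ("userName", "demomon13dec21083001")],
           [("lw-global-12", 2)]),
    _event(4242, "CloudTrailDefaultAlert", ["DescribeInstances"], 1, [], []),  # benign, MFA
]}
```

Feed triage_response the parsed JSON of a real GET /api/v2/CloudActivities call in place of SAMPLE_RESPONSE; when is_partial returns True, narrow startTime/endTime and query again rather than treating the page as the full set, since the sample itself shows 5000 rows returned out of 5020.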
Search Cloud Activities
Search cloud activities by invoking the following endpoint:
POST https://YourLacework.lacework.net/api/v2/CloudActivities/search
Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.
For the timeFilter filter, these are the supported time formats:
yyyy-MM-dd, for example, 2021-12-18
yyyy-MM-ddTHH, for example, 2021-12-18T08
yyyy-MM-ddTHH:mm:ssZ, for example, 2021-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2021-12-18T08:00:00.000Z
Here are some example body payloads:
{
  "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z" },
  "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" } ]
}
{
  "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z" },
  "filters": [
    { "field": "eventType", "expression": "eq", "value": "NewUser" },
    { "field": "eventModel", "expression": "eq", "value": "AwsApiTracker" }
  ],
  "returns": [ "startTime", "endTime", "eventType", "eventActor", "eventModel" ]
}
To use the current time as the end time, exclude the endTime field.
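Both the GET query parameters above and the timeFilter of this search accept the same four timestamp forms, and a value in any other form (a trailing +00:00, a missing Z, a space instead of T) is the usual reason a time-bounded query misbehaves. The following is an example added here, not Lacework's code: it enforces the four documented formats before building either the GET query string or the search body, renders a Unix time in the ssZ form, and omits endTime when the caller wants "now". The function names, the regular expressions and the filter sanity check are assumptions; the formats, parameter names and body fields are the page's.

```python
"""Builders for CloudActivities time-range requests. Added example, not Lacework's
code. The accepted timestamp formats, query parameters and body fields come from
the page; the function names and the regexes that enforce them are assumptions."""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

# The four formats the page lists; Z is the literal UTC designator.
TIME_FORMATS = [
    (r"^\d{4}-\d{2}-\d{2}$", "yyyy-MM-dd"),
    (r"^\d{4}-\d{2}-\d{2}T\d{2}$", "yyyy-MM-ddTHH"),
    (r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$", "yyyy-MM-ddTHH:mm:ssZ"),
    (r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$", "yyyy-MM-ddTHH:mm:ss.SSSZ"),
]

def time_format(value: str) -> Optional[str]:
    """Name of the matching supported format, or None (e.g. a missing Z, or +00:00)."""
    return next((name for pat, name in TIME_FORMATS if re.match(pat, value)), None)

def check_time(value: str) -> str:
    fmt = time_format(value)
    if fmt is None:
        raise ValueError(f"unsupported timestamp {value!r}; expected one of "
                         + ", ".join(n for _, n in TIME_FORMATS))
    return fmt

def utc_stamp(epoch_seconds: int) -> str:
    """Render a Unix time in the yyyy-MM-ddTHH:mm:ssZ form the API accepts."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def cloud_activities_query(start_time: str, end_time: Optional[str] = None) -> str:
    """Query string for GET /api/v2/CloudActivities; leave end_time out to mean now."""
    check_time(start_time)
    params = {"startTime": start_time}
    if end_time is not None:
        check_time(end_time)
        params["endTime"] = end_time
    return urlencode(params)

def cloud_activities_search(start_time: str, end_time: Optional[str] = None,
                            filters: Optional[list] = None,
                            returns: Optional[list] = None) -> dict:
    """Body for POST /api/v2/CloudActivities/search; the API ANDs all filters."""
    check_time(start_time)
    time_filter = {"startTime": start_time}
    if end_time is not None:
        check_time(end_time)
        time_filter["endTime"] = end_time
    body = {"timeFilter": time_filter}
    if filters:
        for f in filters:
            # each filter needs field, expression and either value or values
            if not {"field", "expression"} <= set(f) or not ({"value", "values"} & set(f)):
                raise ValueError(f"filter needs field, expression and value or values: {f}")
        body["filters"] = list(filters)
    if returns:
        body["returns"] = list(returns)
    return body
```

For a rolling window, compute startTime with utc_stamp(int(time.time()) - hours * 3600) and leave endTime out, which the API reads as the current time.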
header Parameters
Authorization required | string Bearer Access Token. For example, "Bearer {YourAPIToken}" |
Content-Type required | string application/json |
Request Body schema: application/json
timeFilter | object The date/time range during which actions occurred. |
filters | Array of objects One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match. |
returns | Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive. |
Responses
Request samples
- Payload
{- "timeFilter": {