Lacework API 2.0 Documentation (2.0)

Download OpenAPI specification:Download

Lacework, Inc.: info@lacework.net URL: https://info.lacework.com/contact License: Lacework Use License Terms of Service

The Lacework API documentation is available directly from your Lacework application at the following URI: https://YourLacework.lacework.net/api/v2/docs, where YourLacework is your Lacework application.

No login to the Lacework Console is required. However, there is a link to the Lacework API 2.0 documentation from the Lacework Console. From the Help drop-down, select API Documentation and then API 2.0 Documentation.

All the Lacework API operations listed below require an API Access Token to allow access to the Lacework API. For more information about getting a temporary API Access Token to pass into these operations as a header, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

You can run the Lacework APIs using your favorite REST API tools, such as curl or Postman. You can also run the Lacework API from the Lacework CLI. For more information, see Get Started with the Lacework CLI.

Overview

Conventions

Parameters: Parameters follow the JSON conventions, i.e., camelcase or lowerCamelcase notation, for all parameter names in the query, request and response bodies, for example, startTime, endTime.
Data Types: For the constant types of data sets, integrations, assets, and other resources, the convention is to use UpperCamelcase notation, for example, AlertChannels, AuditLogs, CloudActivities.
Response Schema: A successful response returns either the HTTP 200 or 201 Status Code and a top-level property called data, which contains the result in the JSON format. A response returning the HTTP 4xx or 5xx Status Code returns the top-level property called message, which contains an error message.
additionalProperties Keyword: For all response schemas, the additionalProperties keyword is set to true. This means additional fields or properties can be added to responses in the future. For information about the additionalProperties keyword, see the JSON Schema online documentation.

Simple & Advanced Search

The Lacework API provides simple and advanced searches for retrieving information.

For simple searches, specify a HTTP GET method with simple query parameters, for example, startTime, endTime.

For advanced searches, specify a HTTP POST method with filters in the request body. The filters in requests that have multiple filters are AND'd, that is, all filters conditions must be met to satisfy a match.

There are 16 filter types consisting of seven pairs and two unique operators, which are similar to the SQL comparison operators for database queries. The pairs are:

The eq operator allows you to specify a value that the field values of the result must be equal to. The ne operator means not equal to. Note the value field of the filters must be used; the values field of the filters cannot be used for eq and ne.
The in operator allows you to specify multiple values in the values field of the filters. The field values of the result must match one of the values. The not_in operator is the opposite of in. Note the value field of the filters cannot be used for in and not_in.
The like operator allows you to specify a pattern that the field values of the result must match. The not_like operator is the opposite of like. Note the values field of the filters cannot be used for like and not_like.
The ilike operator works similar to like but it makes the match case insensitive. The not_ilike operator is the opposite of ilike. Note the values field of the filters cannot be used for ilike and not_ilike.
The rlike operator matches the specified pattern represented by regular expressions (more info on RLIKE — Snowflake Documentation). You can use rlike to filter object values in arrays, to return only those values that match a regular expression. The not_rlike operator is the opposite of rlike. Note the values field of the filters cannot be used for rlike and not_rlike.
The gt operator allows you to specify a value that the field values of the result must be greater than. The lt (less-than) operator is the opposite of gt. Note the values field of the filters cannot be used for gt and lt.
The ge operator allows you to specify a value that the field values of the result must be greater than or equal to. The le (less-than-or-equal-to) operator is the opposite of ge. Note the values field of the filters cannot be used for ge and le.

The unique operators are:

The between operator allows you to specify a range that the field values of the result must be within. The specified upper boundary must be larger/greater than the lower boundary. The two values of upper and lower boundaries must be set in the values field of the filters. Note the value field of the filters cannot be used for between.
The expr operator is reserved for future use.

Date & Time Formats

For date and time parameters, the time zone is always UTC and the following formats are supported:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

Organization Level Access

An organization may have a primary account and multiple sub-accounts. An access token generated for the primary account and used as the authorization token can also be used for one of the sub-accounts, with the additional header called Account-Name (case insensitive).

For example, if the primary account is xyz and the sub-account is xyz-sub1, set the Account-Name header to xyz-sub1.

Note: Multiple sub-account and organizational-level access is limited to access tokens generated with regular user API keys. A service user has access to individual accounts only.

To access organization-level data sets, you can use a header called Org-Access (case insensitive). If this header is set to true (case insensitive) and the authorization token has the proper permissions (org admin), if specified, the Account-Name header is ignored. If the Org-Access header is not set to true, the Account-Name header is used, if specified.

Pagination

Making calls to Lacework APIs could return a lot of results. Pagination of the results helps manage overall performance and makes the responses easier for you to handle by dividing the results into separate pages, each with a subset of the results.

The following row limits apply:

Row limit per page: 5,000 rows
Row limit of all pages of one result set: 500,000 rows

Pagination is available for some datasets, such as those that are searched with the /api/v2/Vulnerabilities/Containers/search or /api/v2/Entities/Machines/search endpoints.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours. No pagination is available for an API if the paging field is missing from a response.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...

See the right panel for response examples.

Rate Limiting

The current rate limit is 480 API requests per hour per user. When the total number of API requests on a one-hour rolling window exceeds the rate limit, the HTTP 429 Too Many Requests response status code is returned.

Lacework uses the token bucket algorithm to apply request rate limiting. Each API v2 functionality has its own bucket with 480 tokens and each request that you make removes one token from the bucket. For example, performing a GET /api/v2/AgentAccessTokens or a GET /api/v2/AgentAccessTokens/{ID} are both part of one functionality, which gets an agent access token, so each request removes one token from the same bucket. Similarly, updating an agent access token (PATCH /api/v2/AgentAccessTokens/{ID}) is a different functionality and disregards the ID to use the same bucket, so a token is removed from a different bucket.

Each request sends back three response headers following standard HTTP naming conventions for rate limiting. RateLimit-Limit is the total number of requests you can make in an hour, RateLimit-Remaining is the number of remaining requests, and RateLimit-Reset is how much time it will take (in seconds) before you can make another request once the limit is reached. For more information about RateLimit header fields, see IETF Draft 05.

POST Body Size Limit

Many Lacework API endpoints accept data as POST body content. POST body content is limited to 1 MB. Requests that exceed the 1 MB limit result in a 400 Bad Request error.

Response Status Codes

The Lacework API endpoints return the following HTTP response status codes.

Status Code	Definition	Description
200	OK	The request has succeeded.
201	Created	The request has been fulfilled and resulted in a new resource being created.
204	No Content	The server has fulfilled the request but does not need to return an entity-body.
400	Bad Request	The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
401	Unauthorized	The request requires user authentication. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403	Forbidden	The server understood the request, but is refusing to fulfill it. Authorization will not fix the issue and the request SHOULD NOT be repeated.
404	Not Found	The server has not found anything matching the Request-URI.
405	Method Not Allowed	The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
409	Conflict	The request could not be completed due to a conflict with the current state of the resource.
429	Too Many Requests	Too many requests occurred during the allotted time period and rate limiting was applied.
500	Internal Server Error	The request did not complete due to an internal error on the server side. The server encountered an unexpected condition which prevented it from fulfilling the request.
503	Service Unavailable	The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

Access Tokens

Generate access tokens for API requests.

Generate Access Tokens

Get access tokens for the API requests by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/access/tokens

After creating a secret key, administrators can generate Temporary API access (bearer) tokens that clients and client applications use to access the Lacework API. Create temporary API access (bearer) tokens by invoking the POST https://YourLacework.lacework.net/api/v2/access/tokens endpoint.

header Parameters

X-LW-UAKS required	string YourSecretKey
Content-Type required	string application/json

Request Body schema: application/json

keyId required	string YourAccessKeyID
expiryTime required	integer The access token's expiration (in seconds) that you want to set. Maximum value: 86400 (24 hours).

Responses

Request samples

Payload

Content type

application/json

{"keyId": "YourSecretKey",
"expiryTime": 3600
}

Response samples

201
4XX
5XX

Content type

application/json

{"expiresAt": "2021-08-18T08:00:00.000Z",
"token": "string"
}

Schemas

Get details about the available Lacework schemas.

Schema Details

Get a list of available Lacework schema types by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas

Get details about a Lacework schema by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs

path Parameters

type

required

string

Example: AuditLogs

When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"name": "accountName",
"type": "string"
},
{"name": "createdTime",
"type": "integer"
},
{"name": "eventDescription",
"type": "string"
},
{"name": "eventName",
"type": "string"
},
{"name": "userAction",
"type": "string"
},
{"name": "userName",
"type": "string"
}
]

Schema Details of Subtype

Get details about a Lacework schema by specifying a schema type and subtype when invoking the endpoint.

GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel

path Parameters

type required	string Example: AlertChannels When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.
subtype required	string Example: SlackChannel The schema's subtype. If a type is subordinate to another type, it is called a subtype.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"required": ["type",
"enabled",
"name",
"data"
],
"properties": {"name": {"type": "string",
"minLength": 1
},
"type": {"type": "string",
"enum": ["SlackChannel"
]
},
"enabled": {"type": "number",
"minimum": 0,
"maximum": 1
},
"data": {"properties": {"slackUrl": {"type": "string",
"pattern": "^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$"
}
},
"required": ["slackUrl"
],
"additionalProperties": true,
"type": "object"
}
}
}
]

Activities

Get information about network activities detected through the agent.

Search Changed Files

Search for changed files in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned changed files by start time, end time, machine ID, file path, and more. For more information, see CHANGE_FILES_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "filePath", "expression": "eq", "value": "/usr/bin/curl" } ],
"returns": [ "filePath", "filedataHash", "mid" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 654455,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-09-10T23:00:00Z",
"endTime": "2021-09-11T00:00:00Z",
"mid": 12345,
"filePath": "/usr/bin/curl",
"filedataHash": "d055afd3h16f11460b3549885a9u8a40f1905df1f9d83cf16gbfa8a3157c29ac",
"mtime": "1631306708492",
"size": 210944,
"threatInfo": "null"
},
{"startTime": "2021-09-10T23:00:00Z",
"endTime": "2021-09-11T00:00:00Z",
"mid": 12345,
"filePath": "/bin/sleep",
"filedataHash": "ada88f7fd24bcdfdde10294c76968a335c2414ea7d43c5e3829b65cb037e90a4",
"mtime": "1631317667570",
"size": 0,
"threatInfo": "null"
}
]
}

Search Connections

Search for connections in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned connections by start time, end time, created time, machine ID, and more. For more information, see CONNECTIONS_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "dstEntityId.mid", "expression": "eq", "value": "116018" } ] }
{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "srcEntityId.mid", "expression": "eq", "value": "123456" }, { "field": "dstInBytes", "expression": "le", "value": "300000" } ],
"returns": [ "dstEntityId", "dstEntityType", "srcEntityId", "srcEntityType" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 1233301,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/Connections/AbcdEfgh123..."
}
},
"data": [{"dstEntityId": {"mid": 116015,
"pid_hash": -8627328323700991000
},
"dstEntityType": "Process",
"dstInBytes": 162688,
"dstOutBytes": 3572,
"endpointDetails": [{"dst_ip_addr": "10.245.48.175",
"dst_port": 2878,
"protocol": "TCP",
"src_ip_addr": "10.245.187.233"
}
],
"endTime": "2022-08-18T01:00:00.000Z",
"numConns": 38,
"srcEntityId": {"mid": 114151,
"pid_hash": 6612898627139247000
},
"srcEntityType": "Process",
"srcInBytes": 3572,
"srcOutBytes": 162688,
"startTime": "2022-08-18T00:00:00.000Z"
},
{"dstEntityId": {"mid": 116015,
"pid_hash": -8627328323700991000
},
"dstEntityType": "Process",
"dstInBytes": 252673,
"dstOutBytes": 4418,
"endpointDetails": [{"dst_ip_addr": "10.245.48.175",
"dst_port": 2878,
"protocol": "TCP",
"src_ip_addr": "10.245.172.126"
}
],
"endTime": "2022-08-18T01:00:00.000Z",
"numConns": 47,
"srcEntityId": {"mid": 114151,
"pid_hash": 6143690005229381000
},
"srcEntityType": "Process",
"srcInBytes": 4418,
"srcOutBytes": 252673,
"startTime": "2022-08-18T00:00:00.000Z"
}
]
}

Search DNS Summaries

Search for DNS summaries in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned DNS summaries by start time, end time, created time, machine ID, and more. For more information, see DNS_QUERY_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "fqdn", "expression": "eq", "value": "sqs.us-west-2.amazonaws.com" } ],
"returns": [ "fqdn", "hostIpAddr", "mid" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 17519,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/DNSs/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12345,
"fqdn": "sqs.us-west-2.amazonaws.com",
"hostIpAddr": "22.94.218.126",
"ttl": 1,
"dnsServerIp": "11.251.0.9"
},
{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12314,
"fqdn": "sqs.us-west-2.amazonaws.com",
"hostIpAddr": "22.94.228.126",
"ttl": 60,
"dnsServerIp": "11.312.0.9"
}
]
}

Search User Logins

Search for user logins in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned login activities by start time, end time, created time, machine ID, and more. For more information, see USER_LOGIN_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "username", "expression": "eq", "value": "ec2-user" } ],
"returns": [ "username", "activityType", "activityTime" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5050,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/UserLogins/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12345,
"activityTime": "2021-08-06T06:05:05.260Z",
"activityType": "LOGIN",
"username": "ec2-user",
"uid": 1000,
"sourceIpAddr": "2.141.452.76"
},
{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12345,
"activityTime": "2021-08-06T06:05:05.260Z",
"activityType": "LOGOFF",
"username": "ec2-user",
"uid": 1000,
"sourceIpAddr": "2.141.452.76"
}
]
}

Agent Access Tokens

To connect to the Lacework instance, Lacework agents require an agent access token.

Create Agent Access Token

Create a new agent access token that an agent can use to connect and send data to your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens

Here is an example body payload:

{ "tokenAlias": "prod", "tokenEnabled": "1" }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The access token's properties, including `createdTime` and `description`.
tokenEnabled required	string non-empty The `tokenEnabled` property determines if an edit control is a "Text token" edit control. When the `tokenEnabled` property is set to `1`, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.
tokenAlias required	string non-empty The token's alias such as Ops Agent. Aliases help communicate the intended purpose of a token and are effective when a value with a single intent appears in multiple places.

Responses

Request samples

Payload

Content type

application/json

{"props": {"description": "string",
"os": "string"
},
"tokenEnabled": "string",
"tokenAlias": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
}
}

List All Agent Access Tokens

Get a list of currently enabled agent access tokens in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
},
{"accessToken": "e2f32885791213cb41...",
"createdTime": "2020-12-10T18:14:05.754Z",
"props": {"createdTime": "2020-12-10T18:14:05.754Z",
"description": "testing agent 1"
},
"tokenAlias": "Dev Agent",
"tokenEnabled": "1",
"version": "0.1"
}
]
}

Search Agent Access Tokens

Search all enabled agent access tokens in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

You can filter on the following fields:

accessToken
createdTime
tokenAlias
tokenEnabled
version

Here is an example body payload:

{ "filters" : [ { "expression": "eq", "field": "tokenAlias", "value": "Eng" } ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
},
{"accessToken": "e2f32885791213cb41...",
"createdTime": "2020-12-10T18:14:05.754Z",
"props": {"createdTime": "2020-12-10T18:14:05.754Z",
"description": "testing agent 1"
},
"tokenAlias": "Dev Agent",
"tokenEnabled": "1",
"version": "0.1"
}
]
}

Agent Access Token Details

Get details about an agent access token by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

You can get the {id} by invoking the GET /api/v2/AgentAccessTokens endpoint. Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

path Parameters

id

required

string

Agent Access Token {id}

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
}
}

Update Agent Access Token

Optionally update the tokenEnabled settings of the passed in agent access token. Update these settings by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

Get the agent access token id by calling the GET /api/v2/AgentAccessTokens endpoint.

Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

Here is an example body payload:

{ "tokenEnabled": "1" }

path Parameters

id

required

string

AgentAccessTokens {id}

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The access token's properties, including `createdTime` and `description`.
tokenEnabled	string non-empty The `tokenEnabled` property determines if an edit control is a "Text token" edit control. When the `tokenEnabled` property is set to `1`, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.

Responses

Request samples

Payload

Content type

application/json

{"props": {"description": "string",
"os": "string"
},
"tokenEnabled": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
}
}

Agent Information

View and verify information about all agents, including:

The hostname
The number of active and inactive agents
Machine tags information associated with the agents
The agent version

Search Agent Information

The Agent Information API enables you to retrieve information about all agents by invoking the following endpoint:

POST /api/v2/AgentInfo/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the information returned by agent status, agent version, IP address, and more. For details about what agent information is available, see AGENT_MANAGEMENT_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime" : "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"},
{ "timeFilter": { "startTime": " 2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"}, "filters" : [ { "field": "status", "expression": "eq", "value": "ACTIVE" }, { "field": "tags.VmProvider", "expression": "eq", "value" : "AWS" } ],
"returns": [ "hostname", "ipAddr", "os" , "agentVersion", "status" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name aws:ec2launchtemplate:version nested under the tags field would be rendered as follows:

"tags.\"aws:ec2launchtemplate:version\""

In a filter, the example would appear as follows:

{ "field": "tags.\"aws:ec2launchtemplate:version\"", "expression": "eq", "value": "3" }

In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:

"tags.\"kubernetes.io\/cluster\/prod1\""

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5060,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/AgentInfo/AbcdEfgh123..."
}
},
"data": [{"agentVersion": "5.5.0-6ecefc7f",
"createdTime": "2021-03-30T12:40:19.087Z",
"hostname": "ip-10-231-16-188.us-west-2.compute.internal",
"ipAddr": "10.231.16.188",
"lastUpdate": "2022-04-27 16:59:11.283 -0700",
"mid": 1898,
"mode": "normal",
"os": "Linux",
"status": "ACTIVE",
"tags": {"Account": "289356771585",
"AmiId": "ami-0d9ef0d807e565a36",
"COGS": "OPEX",
"Env": "lw",
"ExternalIp": "",
"Hostname": "ip-10-231-16-188.us-west-2.compute.internal",
"InstanceId": "i-05bd72db3d5678c23",
"InternalIp": "10.231.16.188",
"KubernetesCluster": "lw",
"LwTokenShort": "2e568b3b9a3c5de63116422e41fccc",
"Name": "prod-node.lw",
"Owner": "lacework",
"SubnetId": "subnet-0a83c026ef1437f0e",
"VmInstanceType": "m5.large",
"VmProvider": "AWS",
"VpcId": "vpc-0df6f5ed0cd993ff2",
"WavefrontProxy": "wavefront-proxy.kube-system.svc.cluster.local",
"Zone": "us-west-2a",
"arch": "amd64",
"aws:autoscaling:groupName": "lw-cluster-123",
"cluster": "eks-lw",
"environment": "prod",
"kubernetes.io/cluster/prod": "owned",
"lw_KubernetesCluster": "prod",
"os": "linux",
"role": "default"
}
},
{"agentVersion": "5.5.0-6ecefc7f",
"createdTime": "2022-04-26T11:34:58.316Z",
"hostname": "ip-10-231-168-119.us-west-2.compute.internal",
"ipAddr": "10.231.168.119",
"lastUpdate": "2022-04-28 11:05:58.317 -0700",
"mid": 85282,
"mode": "ebpf",
"os": "Linux",
"status": "INACTIVE",
"tags": {"Account": "239656771685",
"AmiId": "ami-03b6ddb2869abcd51",
"Env": "lw",
"ExternalIp": "",
"Hostname": "ip-10-231-168-119.us-west-2.compute.internal",
"InstanceId": "i-06f6569862686630e",
"InternalIp": "10.231.168.119",
"KubernetesCluster": "lw",
"LwTokenShort": "2e568b3b9a3c5de63116422e51fccc",
"Name": "on-demand.prod.lw",
"SubnetId": "subnet-0b2a51e40b1a0bde8",
"VmInstanceType": "r5.xlarge",
"VmProvider": "AWS",
"VpcId": "vpc-0df6f8ed0cd993ff2",
"Zone": "us-west-2c",
"arch": "amd64",
"cluster": "eks-lw",
"environment": "prod",
"kubernetes.io/cluster/prod": "owned",
"lw-role": "on-demand",
"lw_KubernetesCluster": "prod",
"os": "linux",
"spotinst:accountId": "act-b0b9eea2",
"spotinst:aws:ec2:group:createdBy": "spotinst",
"spotinst:aws:ec2:group:id": "oesg-9a6dca03",
"spotinst:aws:ec2:group:name": "Spotinst::Ocean::prod",
"spotinst:ocean:launchspec:id": "ols-fad9bf81",
"spotinst:ocean:launchspec:name": "on-demand"
}
}
]
}

Alert Channels

Lacework combines alert channels with alert rules or report rules to provide a flexible method for routing alerts and reports.

For alert channels, you define where to send alerts or reports, such as to Jira, Slack, or email.
For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.
For report rules, you define information about which reports to send.

Create Alert Channels

Create an alert channel by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsS3
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsS3

{"name": "string",
"type": "AwsS3",
"enabled": 1,
"data": {"s3CrossAccountCredentials": {"externalId": "string",
"roleArn": "string",
"bucketArn": "string"
}
}
}

Response samples

201
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

List All Alert Channels

Get a list of alert channels for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
]
}

List Alert Channels by Type

Get a list of alert channels of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel

path Parameters

type

required

string

Enum: "AwsS3" "CiscoSparkWebhook" "CloudwatchEb" "Datadog" "EmailUser" "GcpPubsub" "IbmQradar" "Jira" "MicrosoftTeams" "NewRelicInsights" "PagerDutyApi" "ServiceNowRest" "SlackChannel" "SplunkHec" "VictorOps" "Webhook"

Alert Channel Type

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
]
}

Search Alert Channels

Search alert channels by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
]
}

Test Alert Channels

Test the integration of an alert channel by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alert Channel Details

Get details about an alert channel by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

Update Alert Channels

Update an alert channel by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

name	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsS3
enabled	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsS3

{"name": "string",
"type": "AwsS3",
"enabled": 1,
"data": {"s3CrossAccountCredentials": {"externalId": "string",
"roleArn": "string",
"bucketArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

Update Alert Channels

Update an alert channel by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsS3", "enabled": 1, "data": {"s3CrossAccountCredentials": {"externalId": "string", "roleArn": "string", "bucketArn":"string"}} }.

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsS3
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsS3

{"name": "string",
"type": "AwsS3",
"enabled": 1,
"data": {"s3CrossAccountCredentials": {"externalId": "string",
"roleArn": "string",
"bucketArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

Delete Alert Channels

Delete an alert channel by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alert Profiles

An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts.

Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles and operations for defining and editing your own are exposed via Lacework API calls.

Create Alert Profiles

Create an alert profile that extends off of a current alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

required	Array of objects[ items ] An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.
alertProfileId required	string Unique id within customer account for Alert Profile
extends required	string Base Lacework defined Alert Profile to inherit properties

Responses

Request samples

Payload

Content type

application/json

{"alerts": [{"name": "string",
"eventName": "string",
"description": "string",
"subject": "string"
}
],
"alertProfileId": "string",
"extends": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

List All Alert Profiles

Get all the alert profiles for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Alert Profiles Details

Get the details to the specified alert profile by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Update Alert Profiles

Update the alert templates of the specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

Array of objects[ items ]

An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.

Array

name	string A name that policies can use to refer to this definition when generating alerts
eventName	string The name of the resulting alert
description	string Summary of the resulting alert
subject	string A high-level observation of the resulting alert

Responses

Request samples

Payload

Content type

application/json

{"alerts": [{"name": "string",
"eventName": "string",
"description": "string",
"subject": "string"
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Delete Alert Profiles

Delete the specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Create Alert Templates

Create a new alert template for a specified alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

name required	string A name that policies can use to refer to this definition when generating alerts
eventName required	string The name of the resulting alert
description required	string Summary of the resulting alert
subject required	string A high-level observation of the resulting alert

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"eventName": "string",
"description": "string",
"subject": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Update Alert Templates

Update an alert template for a specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters

id required	string Alert Profile id
alertTemplateName required	string Alert Template Name

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

eventName	string The name of the resulting alert
description	string Summary of the resulting alert
subject	string A high-level observation of the resulting alert

Responses

Request samples

Payload

Content type

application/json

{"eventName": "string",
"description": "string",
"subject": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Delete Alert Templates

Delete an alert template for a specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters

id required	string Alert Profile id
alertTemplateName required	string Alert Template Name

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alert Rules

Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.

Create Alert Rules

Create an alert rule by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

required	object When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.
intgGuidList required	Array of strings non-empty unique The alert channels for the rule to access.
type required	string Value: "Event" The alert type.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"resourceGroups": ["string"
],
"eventCategory": ["Compliance"
],
"source": ["Agent"
],
"sources": ["Agent"
],
"category": ["Anomaly"
],
"severity": [1
]
},
"intgGuidList": ["string"
],
"type": "Event"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43..."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
}
}

List All Alert Rules

List all alert rules in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43.."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
},
{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "test",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-01-15T07:07:21.989Z",
"enabled": 1,
"resourcegroups": ["QA402035_EB...",
"QA402035_BA..."
],
"severity": [1,
2,
3
],
"eventcategory": ["User",
"Cloud"
]
},
"intgGuidList": ["QA402035_01...",
"QA402035_A6..."
],
"type": "Event"
}
]
}

Search Alert Rules

Search alert rules by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

Here are some example body payloads:

{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }
{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }
{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }
{ "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }
{ "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }
{ "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43.."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
},
{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "test",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-01-15T07:07:21.989Z",
"enabled": 1,
"resourcegroups": ["QA402035_EB...",
"QA402035_BA..."
],
"severity": [1,
2,
3
],
"eventcategory": ["User",
"Cloud"
]
},
"intgGuidList": ["QA402035_01...",
"QA402035_A6..."
],
"type": "Event"
}
]
}

Alert Rule Details

Get details about an alert rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters

mcGuid

required

string

Alert Rule mcGuid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43..."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
}
}

Update Alert Rules

Update an alert rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked. In the request body, only specify the parameters that you want to update.

path Parameters

mcGuid

required

string

Alert Rules mcGuid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	object When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.
intgGuidList	Array of strings non-empty unique The alert channels for the rule to access.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"resourceGroups": ["string"
],
"eventCategory": ["Compliance"
],
"source": ["Agent"
],
"sources": ["Agent"
],
"category": ["Anomaly"
],
"severity": [1
]
},
"intgGuidList": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43..."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
}
}

Delete Alert Rules

Delete an alert rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters

mcGuid

required

string

Alert Rules mcGuid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alerts

Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.

You can also post a comment to an alert's timeline; or change an alert status from Open to Closed.

List Alerts

Get a list of alerts during the specified date range by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}

Use the following formats to specify the startTime and endTime:

yyyy-MM-dd for example, 2022-06-28
yyyy-MM-ddTHH for example, 2022-06-28T08
yyyy-MM-ddTHH:mm:ssZ for example, 2022-06-28T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-06-28T08:00:00.000Z

Here is an example invocation:

GET https://YourLacework.lacework .net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

query Parameters

startTime	string Returns only recorded actions that occurred after this timestamp.
endTime	string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 1000,
"totalRows": 3120,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Alerts/AbcdEfgh123..."
}
},
"data": [{"alertId": 855628,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "MaliciousFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Anomaly",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "",
"status": "Open",
"alertName": "Clone of Cloud Activity log ingestion failure detected",
"alertInfo": {"subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
"description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
},
"policyId": "CUSTOM_PLATFORM_130"
},
{"alertId": 855629,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "ChangedFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Policy",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "2022-06-30T01:26:51.392Z",
"status": "Open",
"alertName": "Unauthorized API Call",
"alertInfo": {"subject": "Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times",
"description": "For account: 1234567890: Unauthorized API call was attempted 4 times by user  ABCD1234:Lacework"
}
}
]
}

Search Alerts

Search alerts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

yyyy-MM-dd for example, 2022-07-08
yyyy-MM-ddTHH for example, 2022-07-08T08
yyyy-MM-ddTHH:mm:ssZ for example, 2022-07-08T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-07-08T08:00:00.000Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

To limit the returned result, optionally specify one or more filters in the request body. These fields can be set in the filters: alertId, alertType, severity, status, subCategory, category, and source.

You can optionally filter the returned alerts by one or more of the top-level fields. See Filter Alerts for the filter values.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "alertType", "expression": "eq", "value": "SuspiciousUserFailedLogin" } ] }
{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "severity", "expression": "eq", "value": "Critical" }, { "field": "status", "expression": "eq", "value": "Open" } ],
"returns": [ "alertId", "alertName", "alertType", "alertInfo" ] }

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "alertId",
"value": "string"
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 1000,
"totalRows": 3120,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Alerts/AbcdEfgh123..."
}
},
"data": [{"alertId": 855628,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "MaliciousFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Anomaly",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "",
"status": "Open",
"alertName": "Clone of Cloud Activity log ingestion failure detected",
"alertInfo": {"subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
"description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
},
"policyId": "CUSTOM_PLATFORM_130"
},
{"alertId": 855629,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "ChangedFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Policy",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "2022-06-30T01:26:51.392Z",
"status": "Open",
"alertName": "Unauthorized API Call",
"alertInfo": {"subject": "Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times",
"description": "For account: 1234567890: Unauthorized API call was attempted 4 times by user  ABCD1234:Lacework"
}
}
]
}

Alert Details

Get details about an alert by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}

You must specify a scope, as one of these options: Details, Investigation, Events, RelatedAlerts, Integrations, or Timeline.

path Parameters

alertId

required

string

Alert id

query Parameters

scope

required

string

Enum: "Details" "Investigation" "Events" "RelatedAlerts" "Integrations" "Timeline"

You must specify a scope, as one of these options.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

Details

{"data": {"alertId": 813628,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "CloudActivityLogIngestionFailed",
"severity": "High",
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "",
"status": "Open",
"alertName": "Clone of Cloud Activity log ingestion failure detected",
"alertInfo": {"subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
"description": "New integration failure detected for azure-al-india-dnd (and 3 more)",
"supportingFacts": [{"supportingFactText": "Container Escape",
"subElements": [{"supportingFactText": "Use of known container privilege escalation and exploit tools 6 time(s) on host(s) ip-172-18-0-240"
}
]
}
]
},
"entityMap": {"API": "{object}",
"CT_User": "{object}",
"CT_RawTime": "{object}",
"Region": "{object}",
"Resource": "{object}",
"RulesTriggered": "{object}",
"SourceIpAddress": "{object}"
}
}
}

Post Comments

Post a user comment on an alert’s timeline by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment

For details about alert timelines, see Timeline.

path Parameters

alertId

required

string

Alert id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

comment required	string
format	string Default: "Plaintext" Enum: "Plaintext" "Markdown" When sending a request, use this attribute to specify the comment’s format.

Responses

Request samples

Payload

Content type

application/json

{"comment": "string",
"format": "Plaintext"
}

Response samples

200
4XX
5XX

Content type

application/json

Example

Plaintext

{"data": {"id": 211250,
"alertId": 871115,
"createdTime": "2022-07-18T18:28:30.739Z",
"entryType": "Comment",
"entryAuthorType": "UserUpdate",
"message": {"format": "Plaintext:1.0",
"value": "test comment"
},
"externalTime": "",
"user": {"userGuid": "LW123_6FA99157890E373006F7EE3FA926B02C38D547BD6C79F1D",
"username": "user@example.com"
},
"updateContext": { }
}
}

Close Alerts

Change the status of an alert to closed by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close

The body of the request should contain the reason for closing, from these options:

Other
False positive
Not enough information
Malicious and have resolution in place
Expected because of routine testing
Expected behavior

If you choose Other, the message field is required and should contain a brief explanation of why the alert is closed.

Note that a closed alert cannot be reopened.

For details about alert statuses, see Status.

path Parameters

alertId

required

string

Alert id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

reason required	number Enum: 0 1 2 3 4 5 0 - Other 1 - False positive 2 - Not enough information 3 - Malicious and have resolution in place 4 - Expected because of routine testing 5 - Expected behavior
comment	string If you choose `0` (`Other`), the comment field is required and should contain a brief explanation of why the alert is closed.

Responses

Request samples

Payload

Content type

application/json

{"reason": 0,
"comment": "string"
}

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Audit Logs

Audit logs let you view the history of all actions performed within a Lacework account so you know who made changes to the system and when. For example, you can see who suppressed certain alerts, what time an authentication setting was modified, etc. For more information, see Audit Logs.

Audit Logs

Get audit logs by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AuditLogs

Optionally specify the startTime and endTime time range filters using the following formats:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime parameter.

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

query Parameters

startTime	string Returns only recorded actions that occurred after this timestamp.
endTime	string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accountName": "Lacework",
"createdTime": "2020-12-18T18:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
},
{"accountName": "Lacework",
"createdTime": "2020-12-18T22:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
}
]
}

Search Audit Logs

Search the audit logs by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AuditLogs/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime field.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Filters in the request body

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accountName": "Lacework",
"createdTime": "2020-12-18T18:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
},
{"accountName": "Lacework",
"createdTime": "2020-12-18T22:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
}
]
}

Cloud Accounts

Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Create Cloud Accounts

Create a cloud account by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsCfg
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsCfg

{"name": "string",
"type": "AwsCfg",
"enabled": 1,
"data": {"awsAccountId": "string",
"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
}
}
}

Response samples

201
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

List All Cloud Accounts

Get a list of cloud accounts for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-01-28T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-30T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Info",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
]
}

List Cloud Accounts by Type

Get a list of cloud accounts of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg

path Parameters

type

required

string

Enum: "AwsCfg" "AwsCtSqs" "AwsEksAudit" "AwsUsGovCfg" "AwsUsGovCtSqs" "AzureAlSeq" "AzureCfg" "GcpAtSes" "GcpCfg"

Cloud Accounts Type

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-01-28T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-30T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Info",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
]
}

Search Cloud Accounts

Search cloud accounts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-01-28T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-30T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Info",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
]
}

Cloud Accounts Details

Get details about a cloud account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

Update Cloud Accounts

Update a cloud account by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsCfg
enabled	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsCfg

{"name": "string",
"type": "AwsCfg",
"enabled": 1,
"data": {"awsAccountId": "string",
"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

Update Cloud Accounts

Update a cloud account by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsCfg", "enabled": 1, "data": { "awsAccountId": "string", "crossAccountCredentials": {"externalId": "string", "roleArn": "string"}} }.

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsCfg
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsCfg

{"name": "string",
"type": "AwsCfg",
"enabled": 1,
"data": {"awsAccountId": "string",
"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

Delete Cloud Accounts

Delete a cloud account by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Cloud Activities

Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance.

Cloud Activities

Get cloud activity details by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudActivities

Optionally filter by specifying the startTime and endTime of a time range using the following formats:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime parameter.

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

To use the current time as the end time, exclude the endTime parameter.

query Parameters

startTime	string Returns only recorded actions that occurred after this timestamp.
endTime	string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5020,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/CloudActivities/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-12-18T06:00:00Z",
"endTime": "2021-12-18T06:30:00Z",
"eventType": "CloudTrailDefaultAlert",
"eventId": 291028,
"eventModel": "CloudTrailCep",
"eventActor": "Aws",
"eventMap": {"API": [{"KEY": {"api": "DeleteUser",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
}
],
"CT_User": [{"KEY": {"account": "631664038012",
"mfa": 0,
"principalId": "ABCDEFGHIJKL123456789",
"username": "AssumedRole/631664038012:dev-test-instances"
},
"PROPS": {"api_list": ["DeleteUser"
],
"region_list": ["us-east-1"
]
}
}
],
"Region": [{"KEY": {"region": "us-east-1"
},
"PROPS": {"account_list": ["631668038012"
]
}
}
],
"Resource": [{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
}
],
"RulesTriggered": [{"KEY": {"triggered_rule_id": "lw-dev-1"
},
"PROPS": {"rule_description": "An existing user was deleted.",
"rule_id": "lw-dev-1",
"rule_severity": 3,
"rule_title": "Delete User"
}
}
],
"SourceIpAddress": [{"KEY": {"ip_addr": "34.221.221.117"
},
"PROPS": {"api_list": ["DeleteUser"
]
}
}
]
}
},
{"startTime": "2021-12-18T08:00:00Z",
"endTime": "2021-12-18T08:30:00Z",
"eventType": "IAMAccessKeyChanged",
"eventId": 19018,
"eventModel": "CloudTrailCep",
"eventActor": "Aws",
"eventMap": {"API": [{"KEY": {"api": "CreateAccessKey",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
},
{"KEY": {"api": "DeleteAccessKey",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
}
],
"CT_User": [{"KEY": {"account": "631664038012",
"mfa": 0,
"principalId": "ABCDEFGHIJKL123456789",
"username": "AssumedRole/631664038012:dev-test-instances"
},
"PROPS": {"api_list": ["CreateAccessKey",
"DeleteAccessKey"
],
"region_list": ["us-east-1"
]
}
}
],
"Region": [{"KEY": {"region": "us-east-1"
},
"PROPS": {"account_list": ["631664038012"
]
}
}
],
"Resource": [{"KEY": {"name": "accessKeyId",
"value": "ABCD1234567890"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
},
{"KEY": {"name": "accessKeyId",
"value": "ABCD9876543210"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
}
],
"RulesTriggered": [{"KEY": {"triggered_rule_id": "lw-global-12"
},
"PROPS": {"rule_description": "An IAM access key was created or deleted.",
"rule_id": "lw-global-12",
"rule_severity": 2,
"rule_title": "IAM Access Key Change"
}
}
],