Lacework API 2.0 Documentation (2.0)

Download OpenAPI specification:Download

Lacework, Inc.: info@lacework.net URL: https://info.lacework.com/contact License: Lacework Use License Terms of Service

The Lacework API documentation is available directly from your Lacework application at the following URI: https://YourLacework.lacework.net/api/v2/docs, where YourLacework is your Lacework application.

No login to the Lacework Console is required. However, there is a link to the Lacework API 2.0 documentation from the Lacework Console. From the Help drop-down, select API Documentation and then API 2.0 Documentation.

All the Lacework API operations listed below require an API Access Token to allow access to the Lacework API. For more information about getting a temporary API Access Token to pass into these operations as a header, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

You can run the Lacework APIs using your favorite REST API tools, such as curl or Postman. You can also run the Lacework API from the Lacework CLI. For more information, see Get Started with the Lacework CLI.

Overview

Conventions

Parameters: Parameters follow the JSON conventions, i.e., camelcase or lowerCamelcase notation, for all parameter names in the query, request and response bodies, for example, startTime, endTime.
Data Types: For the constant types of data sets, integrations, assets, and other resources, the convention is to use UpperCamelcase notation, for example, AlertChannels, AuditLogs, CloudActivities.
Response Schema: A successful response returns either the HTTP 200 or 201 Status Code and a top-level property called data, which contains the result in the JSON format. A response returning the HTTP 4xx or 5xx Status Code returns the top-level property called message, which contains an error message.
additionalProperties Keyword: For all response schemas, the additionalProperties keyword is set to true. This means additional fields or properties can be added to responses in the future. For information about the additionalProperties keyword, see the JSON Schema online documentation.

Simple & Advanced Search

The Lacework API provides simple and advanced searches for retrieving information.

For simple searches, specify a HTTP GET method with simple query parameters, for example, startTime, endTime.

For advanced searches, specify a HTTP POST method with filters in the request body. For a given endpoint, you can see what fields are available to filter on by viewing the response schema for the endpoint. The filters in requests that have multiple filters are AND'd, that is, all filters conditions must be met to satisfy a match.

There are 16 filter types consisting of seven pairs and two unique operators, which are similar to the SQL comparison operators for database queries. The pairs are:

The eq operator allows you to specify a value that the field values of the result must be equal to. The ne operator means not equal to. Note the value field of the filters must be used; the values field of the filters cannot be used for eq and ne.
The in operator allows you to specify multiple values in the values field of the filters. The field values of the result must match one of the values. The not_in operator is the opposite of in. Note the value field of the filters cannot be used for in and not_in.
The like operator allows you to specify a pattern that the field values of the result must match. The not_like operator is the opposite of like. Note the values field of the filters cannot be used for like and not_like.
The ilike operator works similar to like but it makes the match case insensitive. The not_ilike operator is the opposite of ilike. Note the values field of the filters cannot be used for ilike and not_ilike.
The rlike operator matches the specified pattern represented by regular expressions (more info on RLIKE — Snowflake Documentation). You can use rlike to filter object values in arrays, to return only those values that match a regular expression. The not_rlike operator is the opposite of rlike. Note the values field of the filters cannot be used for rlike and not_rlike.
The gt operator allows you to specify a value that the field values of the result must be greater than. The lt (less-than) operator is the opposite of gt. Note the values field of the filters cannot be used for gt and lt.
The ge operator allows you to specify a value that the field values of the result must be greater than or equal to. The le (less-than-or-equal-to) operator is the opposite of ge. Note the values field of the filters cannot be used for ge and le.

The unique operators are:

The between operator allows you to specify a range that the field values of the result must be within. The specified upper boundary must be larger/greater than the lower boundary. The two values of upper and lower boundaries must be set in the values field of the filters. Note the value field of the filters cannot be used for between.
The expr operator is reserved for future use.

Date & Time Formats

For date and time parameters, the time zone is always UTC and the following formats are supported:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

Organization Level Access

An organization may have a primary account and multiple sub-accounts. An access token generated for the primary account and used as the authorization token can also be used for one of the sub-accounts, with the additional header called Account-Name (case insensitive).

For example, if the primary account is xyz and the sub-account is xyz-sub1, set the Account-Name header to xyz-sub1.

Note: Multiple sub-account and organizational-level access is limited to access tokens generated with regular user API keys. A service user has access to individual accounts only.

To access organization-level data sets, you can use a header called Org-Access (case insensitive). If this header is set to true (case insensitive) and the authorization token has the proper permissions (org admin), if specified, the Account-Name header is ignored. If the Org-Access header is not set to true, the Account-Name header is used, if specified.

Pagination

Making calls to Lacework APIs could return a lot of results. Pagination of the results helps manage overall performance and makes the responses easier for you to handle by dividing the results into separate pages, each with a subset of the results.

The following row limits apply:

Row limit per page: 5,000 rows
Row limit of all pages of one result set: 500,000 rows

Pagination is available for some datasets, such as those that are searched with the /api/v2/Vulnerabilities/Containers/search or /api/v2/Entities/Machines/search endpoints.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours. No pagination is available for an API if the paging field is missing from a response.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...

See the right panel for response examples.

Rate Limiting

The current rate limit is 480 API requests per hour per user. When the total number of API requests on a one-hour rolling window exceeds the rate limit, the HTTP 429 Too Many Requests response status code is returned.

Lacework uses the token bucket algorithm to apply request rate limiting. Each API v2 functionality has its own bucket with 480 tokens and each request that you make removes one token from the bucket. For example, performing a GET /api/v2/AgentAccessTokens or a GET /api/v2/AgentAccessTokens/{ID} are both part of one functionality, which gets an agent access token, so each request removes one token from the same bucket. Similarly, updating an agent access token (PATCH /api/v2/AgentAccessTokens/{ID}) is a different functionality and disregards the ID to use the same bucket, so a token is removed from a different bucket.

Each request sends back three response headers following standard HTTP naming conventions for rate limiting. RateLimit-Limit is the total number of requests you can make in an hour, RateLimit-Remaining is the number of remaining requests, and RateLimit-Reset is how much time it will take (in seconds) before you can make another request once the limit is reached. For more information about RateLimit header fields, see IETF Draft 05.

POST Body Size Limit

Many Lacework API endpoints accept data as POST body content. POST body content is limited to 1 MB. Requests that exceed the 1 MB limit result in a 400 Bad Request error.

Response Status Codes

The Lacework API endpoints return the following HTTP response status codes.

Status Code	Definition	Description
200	OK	The request has succeeded.
201	Created	The request has been fulfilled and resulted in a new resource being created.
204	No Content	The server has fulfilled the request but does not need to return an entity-body.
400	Bad Request	The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
401	Unauthorized	The request requires user authentication. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403	Forbidden	The server understood the request, but is refusing to fulfill it. Authorization will not fix the issue and the request SHOULD NOT be repeated.
404	Not Found	The server has not found anything matching the Request-URI.
405	Method Not Allowed	The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
409	Conflict	The request could not be completed due to a conflict with the current state of the resource.
429	Too Many Requests	Too many requests occurred during the allotted time period and rate limiting was applied.
500	Internal Server Error	The request did not complete due to an internal error on the server side. The server encountered an unexpected condition which prevented it from fulfilling the request.
503	Service Unavailable	The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

Access Tokens

Generate access tokens for API requests.

Generate Access Tokens

Get access tokens for the API requests by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/access/tokens

After creating a secret key, administrators can generate Temporary API access (bearer) tokens that clients and client applications use to access the Lacework API. Create temporary API access (bearer) tokens by invoking the POST https://YourLacework.lacework.net/api/v2/access/tokens endpoint.

header Parameters

X-LW-UAKS required	string YourSecretKey
Content-Type required	string application/json

Request Body schema: application/json

keyId required	string YourAccessKeyID
expiryTime required	integer The access token's expiration (in seconds) that you want to set. Maximum value: 86400 (24 hours).

Responses

Request samples

Payload

Content type

application/json

{"keyId": "YourSecretKey",
"expiryTime": 3600
}

Response samples

201
4XX
5XX

Content type

application/json

{"expiresAt": "2021-08-18T08:00:00.000Z",
"token": "string"
}

Schemas

Get details about the available Lacework schemas.

Schema Details

Get a list of available Lacework schema types by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas

Get details about a Lacework schema by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs

path Parameters

type

required

string

Example: AuditLogs

When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"name": "accountName",
"type": "string"
},
{"name": "createdTime",
"type": "integer"
},
{"name": "eventDescription",
"type": "string"
},
{"name": "eventName",
"type": "string"
},
{"name": "userAction",
"type": "string"
},
{"name": "userName",
"type": "string"
}
]

Schema Details of Subtype

Get details about a Lacework schema by specifying a schema type and subtype when invoking the endpoint.

GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel

path Parameters

type required	string Example: AlertChannels When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.
subtype required	string Example: SlackChannel The schema's subtype. If a type is subordinate to another type, it is called a subtype.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"required": ["type",
"enabled",
"name",
"data"
],
"properties": {"name": {"type": "string",
"minLength": 1
},
"type": {"type": "string",
"enum": ["SlackChannel"
]
},
"enabled": {"type": "number",
"minimum": 0,
"maximum": 1
},
"data": {"properties": {"slackUrl": {"type": "string",
"pattern": "^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$"
}
},
"required": ["slackUrl"
],
"additionalProperties": true,
"type": "object"
}
}
}
]

Activities

Get information about network activities detected through the agent.

Search Changed Files

Search for changed files in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned changed files by start time, end time, machine ID, file path, and more. For more information, see CHANGE_FILES_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "filePath", "expression": "eq", "value": "/usr/bin/curl" } ],
"returns": [ "filePath", "filedataHash", "mid" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 654455,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-09-10T23:00:00Z",
"endTime": "2021-09-11T00:00:00Z",
"mid": 12345,
"filePath": "/usr/bin/curl",
"filedataHash": "d055afd3h16f11460b3549885a9u8a40f1905df1f9d83cf16gbfa8a3157c29ac",
"mtime": "1631306708492",
"size": 210944,
"threatInfo": "null"
},
{"startTime": "2021-09-10T23:00:00Z",
"endTime": "2021-09-11T00:00:00Z",
"mid": 12345,
"filePath": "/bin/sleep",
"filedataHash": "ada88f7fd24bcdfdde10294c76968a335c2414ea7d43c5e3829b65cb037e90a4",
"mtime": "1631317667570",
"size": 0,
"threatInfo": "null"
}
]
}

Search Connections

Search for connections in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned connections by start time, end time, created time, machine ID, and more. For more information, see CONNECTIONS_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "dstEntityId.mid", "expression": "eq", "value": "116018" } ] }
{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "srcEntityId.mid", "expression": "eq", "value": "123456" }, { "field": "dstInBytes", "expression": "le", "value": "300000" } ],
"returns": [ "dstEntityId", "dstEntityType", "srcEntityId", "srcEntityType" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 1233301,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/Connections/AbcdEfgh123..."
}
},
"data": [{"dstEntityId": {"mid": 116015,
"pid_hash": -8627328323700991000
},
"dstEntityType": "Process",
"dstInBytes": 162688,
"dstOutBytes": 3572,
"endpointDetails": [{"dst_ip_addr": "10.245.48.175",
"dst_port": 2878,
"protocol": "TCP",
"src_ip_addr": "10.245.187.233"
}
],
"endTime": "2022-08-18T01:00:00.000Z",
"numConns": 38,
"srcEntityId": {"mid": 114151,
"pid_hash": 6612898627139247000
},
"srcEntityType": "Process",
"srcInBytes": 3572,
"srcOutBytes": 162688,
"startTime": "2022-08-18T00:00:00.000Z"
},
{"dstEntityId": {"mid": 116015,
"pid_hash": -8627328323700991000
},
"dstEntityType": "Process",
"dstInBytes": 252673,
"dstOutBytes": 4418,
"endpointDetails": [{"dst_ip_addr": "10.245.48.175",
"dst_port": 2878,
"protocol": "TCP",
"src_ip_addr": "10.245.172.126"
}
],
"endTime": "2022-08-18T01:00:00.000Z",
"numConns": 47,
"srcEntityId": {"mid": 114151,
"pid_hash": 6143690005229381000
},
"srcEntityType": "Process",
"srcInBytes": 4418,
"srcOutBytes": 252673,
"startTime": "2022-08-18T00:00:00.000Z"
}
]
}

Search DNS Summaries

Search for DNS summaries in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned DNS summaries by start time, end time, created time, machine ID, and more. For more information, see DNS_QUERY_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "fqdn", "expression": "eq", "value": "sqs.us-west-2.amazonaws.com" } ],
"returns": [ "fqdn", "hostIpAddr", "mid" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 17519,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/DNSs/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12345,
"fqdn": "sqs.us-west-2.amazonaws.com",
"hostIpAddr": "22.94.218.126",
"ttl": 1,
"dnsServerIp": "11.251.0.9"
},
{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12314,
"fqdn": "sqs.us-west-2.amazonaws.com",
"hostIpAddr": "22.94.228.126",
"ttl": 60,
"dnsServerIp": "11.312.0.9"
}
]
}

Search User Logins

Search for user logins in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned login activities by start time, end time, created time, machine ID, and more. For more information, see USER_LOGIN_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "username", "expression": "eq", "value": "ec2-user" } ],
"returns": [ "username", "activityType", "activityTime" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5050,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Activities/UserLogins/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12345,
"activityTime": "2021-08-06T06:05:05.260Z",
"activityType": "LOGIN",
"username": "ec2-user",
"uid": 1000,
"sourceIpAddr": "2.141.452.76"
},
{"createdTime": "2021-09-10T05:35:45.382Z",
"mid": 12345,
"activityTime": "2021-08-06T06:05:05.260Z",
"activityType": "LOGOFF",
"username": "ec2-user",
"uid": 1000,
"sourceIpAddr": "2.141.452.76"
}
]
}

Agent Access Tokens

To connect to the Lacework instance, Lacework agents require an agent access token.

Create Agent Access Token

Create a new agent access token that an agent can use to connect and send data to your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens

Here is an example body payload:

{ "tokenAlias": "prod", "tokenEnabled": "1" }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The access token's properties, including `createdTime` and `description`.
tokenEnabled required	string non-empty The `tokenEnabled` property determines if an edit control is a "Text token" edit control. When the `tokenEnabled` property is set to `1`, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.
tokenAlias required	string non-empty The token's alias such as Ops Agent. Aliases help communicate the intended purpose of a token and are effective when a value with a single intent appears in multiple places.

Responses

Request samples

Payload

Content type

application/json

{"props": {"description": "string",
"os": "string",
"subscription": "standard"
},
"tokenEnabled": "string",
"tokenAlias": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent",
"subscription": "enterprise"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
}
}

List All Agent Access Tokens

Get a list of currently enabled agent access tokens in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent",
"subscription": "enterprise"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
},
{"accessToken": "e2f32885791213cb41...",
"createdTime": "2020-12-10T18:14:05.754Z",
"props": {"createdTime": "2020-12-10T18:14:05.754Z",
"description": "testing agent 1",
"subscription": "professional"
},
"tokenAlias": "Dev Agent",
"tokenEnabled": "1",
"version": "0.1"
}
]
}

Search Agent Access Tokens

Search all enabled agent access tokens in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

You can filter on the following fields:

accessToken
createdTime
tokenAlias
tokenEnabled
version

Here is an example body payload:

{ "filters" : [ { "expression": "eq", "field": "tokenAlias", "value": "Eng" } ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent",
"subscription": "enterprise"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
},
{"accessToken": "e2f32885791213cb41...",
"createdTime": "2020-12-10T18:14:05.754Z",
"props": {"createdTime": "2020-12-10T18:14:05.754Z",
"description": "testing agent 1",
"subscription": "professional"
},
"tokenAlias": "Dev Agent",
"tokenEnabled": "1",
"version": "0.1"
}
]
}

Agent Access Token Details

Get details about an agent access token by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

You can get the {id} by invoking the GET /api/v2/AgentAccessTokens endpoint. Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

path Parameters

id

required

string

Agent Access Token {id}

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent",
"subscription": "enterprise"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
}
}

Update Agent Access Token

Optionally update the tokenEnabled settings of the passed in agent access token. Update these settings by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

Get the agent access token id by calling the GET /api/v2/AgentAccessTokens endpoint.

Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

Here is an example body payload:

{ "tokenEnabled": "1" }

path Parameters

id

required

string

AgentAccessTokens {id}

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The access token's properties, including `createdTime` and `description`.
tokenEnabled	string non-empty The `tokenEnabled` property determines if an edit control is a "Text token" edit control. When the `tokenEnabled` property is set to `1`, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.

Responses

Request samples

Payload

Content type

application/json

{"props": {"description": "string",
"os": "string",
"subscription": "standard"
},
"tokenEnabled": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"accessToken": "47d102752b57caa18b...",
"createdTime": "2020-12-16T16:43:37.915Z",
"props": {"createdTime": "2020-12-16T16:43:37.915Z",
"description": "testing agent",
"subscription": "enterprise"
},
"tokenAlias": "Ops Agent",
"tokenEnabled": "1",
"version": "0.1"
}
}

Agent Information

View and verify information about all agents, including:

The hostname
The number of active and inactive agents
Machine tags information associated with the agents
The agent version

Search Agent Information

The Agent Information API enables you to retrieve information about all agents by invoking the following endpoint:

POST /api/v2/AgentInfo/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the information returned by agent status, agent version, IP address, and more. For details about what agent information is available, see AGENT_MANAGEMENT_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime" : "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"},
{ "timeFilter": { "startTime": " 2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"}, "filters" : [ { "field": "status", "expression": "eq", "value": "ACTIVE" }, { "field": "tags.VmProvider", "expression": "eq", "value" : "AWS" } ],
"returns": [ "hostname", "ipAddr", "os" , "agentVersion", "status" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name aws:ec2launchtemplate:version nested under the tags field would be rendered as follows:

"tags.\"aws:ec2launchtemplate:version\""

In a filter, the example would appear as follows:

{ "field": "tags.\"aws:ec2launchtemplate:version\"", "expression": "eq", "value": "3" }

In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:

"tags.\"kubernetes.io\/cluster\/prod1\""

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5060,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/AgentInfo/AbcdEfgh123..."
}
},
"data": [{"agentVersion": "5.5.0-6ecefc7f",
"createdTime": "2021-03-30T12:40:19.087Z",
"hostname": "ip-10-231-16-188.us-west-2.compute.internal",
"ipAddr": "10.231.16.188",
"lastUpdate": "2022-04-27 16:59:11.283 -0700",
"mid": 1898,
"mode": "normal",
"os": "Linux",
"status": "ACTIVE",
"tags": {"Account": "289356771585",
"AmiId": "ami-0d9ef0d807e565a36",
"COGS": "OPEX",
"Env": "lw",
"ExternalIp": "",
"Hostname": "ip-10-231-16-188.us-west-2.compute.internal",
"InstanceId": "i-05bd72db3d5678c23",
"InternalIp": "10.231.16.188",
"KubernetesCluster": "lw",
"LwTokenShort": "2e568b3b9a3c5de63116422e41fccc",
"Name": "prod-node.lw",
"Owner": "lacework",
"SubnetId": "subnet-0a83c026ef1437f0e",
"VmInstanceType": "m5.large",
"VmProvider": "AWS",
"VpcId": "vpc-0df6f5ed0cd993ff2",
"WavefrontProxy": "wavefront-proxy.kube-system.svc.cluster.local",
"Zone": "us-west-2a",
"arch": "amd64",
"aws:autoscaling:groupName": "lw-cluster-123",
"cluster": "eks-lw",
"environment": "prod",
"kubernetes.io/cluster/prod": "owned",
"lw_KubernetesCluster": "prod",
"os": "linux",
"role": "default"
}
},
{"agentVersion": "5.5.0-6ecefc7f",
"createdTime": "2022-04-26T11:34:58.316Z",
"hostname": "ip-10-231-168-119.us-west-2.compute.internal",
"ipAddr": "10.231.168.119",
"lastUpdate": "2022-04-28 11:05:58.317 -0700",
"mid": 85282,
"mode": "ebpf",
"os": "Linux",
"status": "INACTIVE",
"tags": {"Account": "239656771685",
"AmiId": "ami-03b6ddb2869abcd51",
"Env": "lw",
"ExternalIp": "",
"Hostname": "ip-10-231-168-119.us-west-2.compute.internal",
"InstanceId": "i-06f6569862686630e",
"InternalIp": "10.231.168.119",
"KubernetesCluster": "lw",
"LwTokenShort": "2e568b3b9a3c5de63116422e51fccc",
"Name": "on-demand.prod.lw",
"SubnetId": "subnet-0b2a51e40b1a0bde8",
"VmInstanceType": "r5.xlarge",
"VmProvider": "AWS",
"VpcId": "vpc-0df6f8ed0cd993ff2",
"Zone": "us-west-2c",
"arch": "amd64",
"cluster": "eks-lw",
"environment": "prod",
"kubernetes.io/cluster/prod": "owned",
"lw-role": "on-demand",
"lw_KubernetesCluster": "prod",
"os": "linux",
"spotinst:accountId": "act-b0b9eea2",
"spotinst:aws:ec2:group:createdBy": "spotinst",
"spotinst:aws:ec2:group:id": "oesg-9a6dca03",
"spotinst:aws:ec2:group:name": "Spotinst::Ocean::prod",
"spotinst:ocean:launchspec:id": "ols-fad9bf81",
"spotinst:ocean:launchspec:name": "on-demand"
}
}
]
}

Alert Channels

Lacework combines alert channels with alert rules or report rules to provide a flexible method for routing alerts and reports.

For alert channels, you define where to send alerts or reports, such as to Jira, Slack, or email.
For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.
For report rules, you define information about which reports to send.

Create Alert Channels

Create an alert channel by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsS3
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsS3

{"name": "string",
"type": "AwsS3",
"enabled": 1,
"data": {"s3CrossAccountCredentials": {"externalId": "string",
"roleArn": "string",
"bucketArn": "string"
}
}
}

Response samples

201
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

List All Alert Channels

Get a list of alert channels for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
]
}

List Alert Channels by Type

Get a list of alert channels of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel

path Parameters

type

required

string

Enum: "AwsS3" "CiscoSparkWebhook" "CloudwatchEb" "Datadog" "EmailUser" "GcpPubsub" "IbmQradar" "Jira" "MicrosoftTeams" "NewRelicInsights" "PagerDutyApi" "ServiceNowRest" "SlackChannel" "SplunkHec" "VictorOps" "Webhook"

Alert Channel Type

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
]
}

Search Alert Channels

Search alert channels by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
]
}

Test Alert Channels

Test the integration of an alert channel by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alert Channel Details

Get details about an alert channel by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

Update Alert Channels

Update an alert channel by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

name	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsS3
enabled	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsS3

{"name": "string",
"type": "AwsS3",
"enabled": 1,
"data": {"s3CrossAccountCredentials": {"externalId": "string",
"roleArn": "string",
"bucketArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

Update Alert Channels

Update an alert channel by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsS3", "enabled": 1, "data": {"s3CrossAccountCredentials": {"externalId": "string", "roleArn": "string", "bucketArn":"string"}} }.

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsS3
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsS3

{"name": "string",
"type": "AwsS3",
"enabled": 1,
"data": {"s3CrossAccountCredentials": {"externalId": "string",
"roleArn": "string",
"bucketArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsS3

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsS3",
"data": {"s3CrossAccountCredentials": {"externalId": "123456",
"roleArn": "arn:aws:iam::...",
"bucketArn": "arn:aws:s3:::..."
}
}
}
}

Delete Alert Channels

Delete an alert channel by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters

intgGuid

required

string

Alert Channel ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alert Profiles

An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts.

Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles and operations for defining and editing your own are exposed via Lacework API calls.

Create Alert Profiles

Create an alert profile that extends off of a current alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

required	Array of objects[ items ] An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.
alertProfileId required	string Unique id within customer account for Alert Profile
extends required	string Base Lacework defined Alert Profile to inherit properties

Responses

Request samples

Payload

Content type

application/json

{"alerts": [{"name": "string",
"eventName": "string",
"description": "string",
"subject": "string"
}
],
"alertProfileId": "string",
"extends": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

List All Alert Profiles

Get all the alert profiles for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Alert Profiles Details

Get the details to the specified alert profile by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Update Alert Profiles

Update the alert templates of the specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

Array of objects[ items ]

An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.

Array

name	string A name that policies can use to refer to this definition when generating alerts
eventName	string The name of the resulting alert
description	string Summary of the resulting alert
subject	string A high-level observation of the resulting alert

Responses

Request samples

Payload

Content type

application/json

{"alerts": [{"name": "string",
"eventName": "string",
"description": "string",
"subject": "string"
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Delete Alert Profiles

Delete the specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Create Alert Templates

Create a new alert template for a specified alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates

path Parameters

id

required

string

Alert Profile id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

name required	string A name that policies can use to refer to this definition when generating alerts
eventName required	string The name of the resulting alert
description required	string Summary of the resulting alert
subject required	string A high-level observation of the resulting alert

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"eventName": "string",
"description": "string",
"subject": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Update Alert Templates

Update an alert template for a specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters

id required	string Alert Profile id
alertTemplateName required	string Alert Template Name

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

eventName	string The name of the resulting alert
description	string Summary of the resulting alert
subject	string A high-level observation of the resulting alert

Responses

Request samples

Payload

Content type

application/json

{"eventName": "string",
"description": "string",
"subject": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

[{"alertProfileId": "Custom_HE_Machines_AlertProfile",
"extends": "LW_HE_Machines",
"fields": [{"name": "_EVENT_COUNT"
},
{"name": "_PRIMARY_TAG"
},
{"name": "_RISK"
},
{"name": "_SEVERITY"
},
{"name": "_POLICY_ID"
},
{"name": "HOSTNAME"
}
],
"descriptionKeys": [{"name": "_POLICY_DESCRIPTION",
"spec": "{{_POLICY_DESCRIPTION}}"
},
{"name": "_POLICY_TITLE",
"spec": "{{_POLICY_TITLE}}"
},
{"name": "HOSTNAME",
"spec": "{{HOSTNAME}}"
}
],
"alerts": [{"name": "HE_Machine_NewViolation",
"eventName": "Custom LW Host Entity Machine New Violation Alert",
"description": "Custom New Violation for machine {{HOSTNAME}}",
"subject": "Custom New violation detected for machine {{HOSTNAME}}"
},
{"name": "HE_Machine_PolicyChanged",
"eventName": "Custom LW Host Entity Machine Policy Changed Alert",
"description": "Custom policy changed for machine {{HOSTNAME}}",
"subject": "Custom policy change detected for machine {{HOSTNAME}}"
}
]
}
]

Delete Alert Templates

Delete an alert template for a specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters

id required	string Alert Profile id
alertTemplateName required	string Alert Template Name

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alert Rules

Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.

Create Alert Rules

Create an alert rule by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

required	object When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.
intgGuidList required	Array of strings non-empty unique The alert channels for the rule to access.
type required	string Value: "Event" The alert type.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"resourceGroups": ["string"
],
"eventCategory": ["Compliance"
],
"source": ["Agent"
],
"sources": ["Agent"
],
"category": ["Anomaly"
],
"subCategory": ["Compliance"
],
"severity": [1
]
},
"intgGuidList": ["string"
],
"type": "Event"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43..."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
],
"subCategory": ["Application",
"Compliance",
"Cloud Activity",
"File",
"Kubernetes Activity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
}
}

List All Alert Rules

List all alert rules in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43.."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
],
"subCategory": ["Application",
"Compliance",
"Cloud Activity",
"File",
"Kubernetes Activity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
},
{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "test",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-01-15T07:07:21.989Z",
"enabled": 1,
"resourcegroups": ["QA402035_EB...",
"QA402035_BA..."
],
"severity": [1,
2,
3
],
"eventcategory": ["User",
"Cloud"
],
"subCategory": ["User",
"Cloud Activity"
]
},
"intgGuidList": ["QA402035_01...",
"QA402035_A6..."
],
"type": "Event"
}
]
}

Search Alert Rules

Search alert rules by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

Here are some example body payloads:

{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }
{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }
{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }
{ "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }
{ "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }
{ "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43.."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
],
"subCategory": ["Application",
"Compliance",
"Cloud Activity",
"File",
"Kubernetes Activity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
},
{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "test",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-01-15T07:07:21.989Z",
"enabled": 1,
"resourcegroups": ["QA402035_EB...",
"QA402035_BA..."
],
"severity": [1,
2,
3
],
"eventcategory": ["User",
"Cloud"
],
"subCategory": ["User",
"Cloud Activity"
]
},
"intgGuidList": ["QA402035_01...",
"QA402035_A6..."
],
"type": "Event"
}
]
}

Alert Rule Details

Get details about an alert rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters

mcGuid

required

string

Alert Rule mcGuid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43..."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
],
"subCategory": ["Application",
"Compliance",
"Cloud Activity",
"File",
"Kubernetes Activity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
}
}

Update Alert Rules

Update an alert rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked. In the request body, only specify the parameters that you want to update.

path Parameters

mcGuid

required

string

Alert Rules mcGuid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	object When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.
intgGuidList	Array of strings non-empty unique The alert channels for the rule to access.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"resourceGroups": ["string"
],
"eventCategory": ["Compliance"
],
"source": ["Agent"
],
"sources": ["Agent"
],
"category": ["Anomaly"
],
"subCategory": ["Compliance"
],
"severity": [1
]
},
"intgGuidList": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"resourcegroups": ["QA402035_43..."
],
"severity": [1,
2,
3
],
"eventcategory": ["App",
"Compliance",
"Cloud",
"File",
"K8sActivity",
"Machine",
"Platform",
"User"
],
"subCategory": ["Application",
"Compliance",
"Cloud Activity",
"File",
"Kubernetes Activity",
"Machine",
"Platform",
"User"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Event"
}
}

Delete Alert Rules

Delete an alert rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters

mcGuid

required

string

Alert Rules mcGuid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Alerts

Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.

You can also post a comment to an alert's timeline; or change an alert status from Open to Closed.

List Alerts

Get a list of alerts during the specified date range by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}

Use the following formats to specify the startTime and endTime:

yyyy-MM-dd for example, 2022-06-28
yyyy-MM-ddTHH for example, 2022-06-28T08
yyyy-MM-ddTHH:mm:ssZ for example, 2022-06-28T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-06-28T08:00:00.000Z

Here is an example invocation:

GET https://YourLacework.lacework .net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

query Parameters

startTime	string Returns only recorded actions that occurred after this timestamp.
endTime	string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 1000,
"totalRows": 3120,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Alerts/AbcdEfgh123..."
}
},
"data": [{"alertId": 855628,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "MaliciousFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Anomaly",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "",
"status": "Open",
"alertName": "Clone of Cloud Activity log ingestion failure detected",
"alertInfo": {"subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
"description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
},
"policyId": "CUSTOM_PLATFORM_130"
},
{"alertId": 855629,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "ChangedFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Policy",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "2022-06-30T01:26:51.392Z",
"status": "Open",
"alertName": "Unauthorized API Call",
"alertInfo": {"subject": "Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times",
"description": "For account: 1234567890: Unauthorized API call was attempted 4 times by user  ABCD1234:Lacework"
}
}
]
}

Search Alerts

Search alerts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

yyyy-MM-dd for example, 2022-07-08
yyyy-MM-ddTHH for example, 2022-07-08T08
yyyy-MM-ddTHH:mm:ssZ for example, 2022-07-08T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-07-08T08:00:00.000Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

To limit the returned result, optionally specify one or more filters in the request body. These fields can be set in the filters: alertId, alertType, severity, status, subCategory, category, and source. In the filter, specify the field on which to filter, the eq operator, and the value against which the field value is compared.

You can optionally filter the returned alerts by one or more of the top-level fields. See Filter Alerts for the filter values.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "alertType", "expression": "eq", "value": "SuspiciousUserFailedLogin" } ] }
{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "severity", "expression": "eq", "value": "Critical" }, { "field": "status", "expression": "eq", "value": "Open" } ],
"returns": [ "alertId", "alertName", "alertType", "alertInfo" ] }

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "alertId",
"value": "string"
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 1000,
"totalRows": 3120,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Alerts/AbcdEfgh123..."
}
},
"data": [{"alertId": 855628,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "MaliciousFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Anomaly",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "",
"status": "Open",
"alertName": "Clone of Cloud Activity log ingestion failure detected",
"alertInfo": {"subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
"description": "New integration failure detected for azure-al-india-dnd (and 3 more)"
},
"policyId": "CUSTOM_PLATFORM_130"
},
{"alertId": 855629,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "ChangedFile",
"severity": "Critical",
"internetExposure": "UnknownInternetExposure",
"reachability": "UnknownReachability",
"derivedFields": {"category": "Policy",
"sub_category": "File",
"source": "Agent"
},
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "2022-06-30T01:26:51.392Z",
"status": "Open",
"alertName": "Unauthorized API Call",
"alertInfo": {"subject": "Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times",
"description": "For account: 1234567890: Unauthorized API call was attempted 4 times by user  ABCD1234:Lacework"
}
}
]
}

Alert Details

Get details about an alert by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}

You must specify a scope, as one of these options: Details, Investigation, Events, RelatedAlerts, Integrations, or Timeline.

path Parameters

alertId

required

string

Alert id

query Parameters

scope

required

string

Enum: "Details" "Investigation" "Events" "RelatedAlerts" "Integrations" "Timeline"

You must specify a scope, as one of these options.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

Details

{"data": {"alertId": 813628,
"startTime": "2022-06-30T00:00:00.000Z",
"alertType": "CloudActivityLogIngestionFailed",
"severity": "High",
"endTime": "2022-06-30T01:00:00.000Z",
"lastUserUpdatedTime": "",
"status": "Open",
"alertName": "Clone of Cloud Activity log ingestion failure detected",
"alertInfo": {"subject": "Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework",
"description": "New integration failure detected for azure-al-india-dnd (and 3 more)",
"isExpectedLWBehavior": true,
"customerCount": 10,
"supportingFacts": [{"supportingFactText": "Container Escape",
"subElements": [{"supportingFactText": "Use of known container privilege escalation and exploit tools 6 time(s) on host(s) ip-172-18-0-240"
}
]
}
]
},
"entityMap": {"API": "{object}",
"CT_User": "{object}",
"CT_RawTime": "{object}",
"Region": "{object}",
"Resource": "{object}",
"RulesTriggered": "{object}",
"SourceIpAddress": "{object}"
}
}
}

Alert Entities

List all entities associated with a given alert ID for which additional context is available. The entity can be any non-compliant resource, such as a machine or IP address.

path Parameters

alertId

required

string

Alert id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

Entity list

{"data": [{"entities": [{"entityValue": "175.178.114.15",
"contextEntityType": "IpAddress"
}
],
"countOfEntities": 1
}
]
}

Alert Entity Details

Get details about an entity associated with a given alert ID for which additional context is available by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts/EntityDetails/{alertId}?contextEntityType={entityType}&entityValue={entityValue}

You must specify a contextEntityType and entityValue. (Currently, additional context support is available for IpAddress entities only, so contextEntityType must be Machine or IpAddress.) If any item of information about this entity is not available, partial information is returned.

path Parameters

alertId

required

string

Alert ID

query Parameters

contextEntityType required	string Enum: "IpAddress" "Machine" You must specify a context entity type from the available options. (Currently, only `Machine` and `IpAddress` is available.)
entityValue required	string You must specify a context entity value, such as the Machine identifier (MID) or IP address.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

IpAddress

{"data": {"isAgentInstalled": false,
"isInternalIp": false,
"laceworkLabs": {"customerCount": 12,
"badIpAddress": true,
"startTimeRange": 1697659200000,
"endTimeRange": 1697662800000
},
"virusTotal": {"securityVendorsCount": 2,
"source": "VirusTotal",
"network": "1.9.0.0/16",
"autonomousSystemNumber": 4788,
"autonomousSystemLabel": "TM TECHNOLOGY SERVICES SDN. BHD.",
"regionalInternalRegistry": "APNIC",
"country": "IN",
"continent": "AS",
"startTimeRange": 1697659200000,
"endTimeRange": 1697662800000
},
"ipAddressSummary": {"country": "United States of America",
"region": "Illinois",
"city": "Chicago",
"countryCode": "US",
"startTimeRange": 1697659200000,
"endTimeRange": 1697662800000
},
"resolvedIpInformation": {"resolvedIPInfo": [{"dnsResolverIp": "567.2.3.5",
"dnsName": "pip.org",
"resolvedIp": "127.1.321.1"
}
],
"startTimeRange": 1697659200000,
"endTimeRange": 1697662800000
},
"uniqueProcessDetails": {"uniqueProcesses": [{"cmdLine": "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups",
"launchTime": 1697659200000,
"hostname": "ip-172-18-0-240"
}
],
"startTimeRange": 1697659200000,
"endTimeRange": 1697662800000
},
"networkActivityOverview": {"externalServerConn": {"count": 208
},
"externalClientConn": {"count": 0
},
"externalInBytes": {"count": 3450
},
"externalOutBytes": {"count": 7887
},
"startTimeRange": 1697659200000,
"endTimeRange": 1697662800000
}
}
}

Post Comments

Post a user comment on an alert’s timeline by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment

For details about alert timelines, see Timeline.

path Parameters

alertId

required

string

Alert id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

comment

required

string

Responses

Request samples

Payload

Content type

application/json

{"comment": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

Example

Plaintext

{"data": {"id": 211250,
"alertId": 871115,
"createdTime": "2022-07-18T18:28:30.739Z",
"entryType": "Comment",
"entryAuthorType": "UserUpdate",
"message": {"format": "Plaintext:1.0",
"value": "test comment"
},
"externalTime": "",
"user": {"userGuid": "LW123_6FA99157890E373006F7EE3FA926B02C38D547BD6C79F1D",
"username": "user@example.com"
},
"updateContext": { }
}
}

Close Alerts

Change the status of an alert to closed by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close

The body of the request should contain the reason for closing, from these options:

Other
False positive
Not enough information
Malicious and have resolution in place
Expected because of routine testing
Expected behavior

If you choose Other, the message field is required and should contain a brief explanation of why the alert is closed.

Note that a closed alert cannot be reopened.

For details about alert statuses, see Status.

path Parameters

alertId

required

string

Alert id

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

reason required	number Enum: 0 1 2 3 4 5 0 - Other 1 - False positive 2 - Not enough information 3 - Malicious and have resolution in place 4 - Expected because of routine testing 5 - Expected behavior
comment	string If you choose `0` (`Other`), the comment field is required and should contain a brief explanation of why the alert is closed.

Responses

Request samples

Payload

Content type

application/json

{"reason": 0,
"comment": "string"
}

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Audit Logs

Audit logs let you view the history of all actions performed within a Lacework account so you know who made changes to the system and when. For example, you can see who suppressed certain alerts, what time an authentication setting was modified, etc. For more information, see Audit Logs.

Audit Logs

Get audit logs by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AuditLogs

Optionally specify the startTime and endTime time range filters using the following formats:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime parameter.

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

query Parameters

startTime	string Returns only recorded actions that occurred after this timestamp.
endTime	string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accountName": "Lacework",
"createdTime": "2020-12-18T18:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
},
{"accountName": "Lacework",
"createdTime": "2020-12-18T22:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
}
]
}

Search Audit Logs

Search the audit logs by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AuditLogs/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime field.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Filters in the request body

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"accountName": "Lacework",
"createdTime": "2020-12-18T18:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
},
{"accountName": "Lacework",
"createdTime": "2020-12-18T22:38:28Z",
"eventDescription": "User info@example.com logged in to Lacework account using OAuth credentials",
"eventName": "User Login",
"userAction": "Login with OAuth Succeeded",
"userName": "info@example.com"
}
]
}

Cloud Accounts

Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Create Cloud Accounts

Create a cloud account by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsCfg
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsCfg

{"name": "string",
"type": "AwsCfg",
"enabled": 1,
"data": {"awsAccountId": "string",
"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
}
}
}

Response samples

201
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

List All Cloud Accounts

Get a list of cloud accounts for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-01-28T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-30T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Info",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
]
}

List Cloud Accounts by Type

Get a list of cloud accounts of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg

path Parameters

type

required

string

Enum: "AwsCfg" "AwsCtSqs" "AwsEksAudit" "AwsUsGovCfg" "AwsUsGovCtSqs" "AzureAlSeq" "AzureCfg" "GcpAtSes" "GcpCfg"

Cloud Accounts Type

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-01-28T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-30T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Info",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
]
}

Search Cloud Accounts

Search cloud accounts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-01-28T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-30T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Info",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
]
}

Cloud Accounts Details

Get details about a cloud account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

Update Cloud Accounts

Update a cloud account by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsCfg
enabled	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsCfg

{"name": "string",
"type": "AwsCfg",
"enabled": 1,
"data": {"awsAccountId": "string",
"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

Update Cloud Accounts

Update a cloud account by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsCfg", "enabled": 1, "data": { "awsAccountId": "string", "crossAccountCredentials": {"externalId": "string", "roleArn": "string"}} }.

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. AwsCfg
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

Example

AwsCfg

{"name": "string",
"type": "AwsCfg",
"enabled": 1,
"data": {"awsAccountId": "string",
"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
}
}
}

Response samples

200
4XX
5XX

Content type

application/json

Example

AwsCfg

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "AwsCfg",
"data": {"awsAccountId": "123456789012",
"crossAccountCredentials": {"roleArn": "arn:aws:iam::...",
"externalId": "123456"
}
}
}
}

Delete Cloud Accounts

Delete a cloud account by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters

intgGuid

required

string

Cloud Account ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Cloud Activities

Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance.

Cloud Activities

Get cloud activity details by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudActivities

Optionally filter by specifying the startTime and endTime of a time range using the following formats:

yyyy-MM-dd for example, 2020-12-18
yyyy-MM-ddTHH for example, 2020-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime parameter.

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

To use the current time as the end time, exclude the endTime parameter.

query Parameters

startTime	string Returns only recorded actions that occurred after this timestamp.
endTime	string Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5020,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/CloudActivities/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-12-18T06:00:00Z",
"endTime": "2021-12-18T06:30:00Z",
"eventType": "CloudTrailDefaultAlert",
"eventId": 291028,
"eventModel": "CloudTrailCep",
"eventActor": "Aws",
"eventMap": {"API": [{"KEY": {"api": "DeleteUser",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
}
],
"CT_User": [{"KEY": {"account": "631664038012",
"mfa": 0,
"principalId": "ABCDEFGHIJKL123456789",
"username": "AssumedRole/631664038012:dev-test-instances"
},
"PROPS": {"api_list": ["DeleteUser"
],
"region_list": ["us-east-1"
]
}
}
],
"Region": [{"KEY": {"region": "us-east-1"
},
"PROPS": {"account_list": ["631668038012"
]
}
}
],
"Resource": [{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
}
],
"RulesTriggered": [{"KEY": {"triggered_rule_id": "lw-dev-1"
},
"PROPS": {"rule_description": "An existing user was deleted.",
"rule_id": "lw-dev-1",
"rule_severity": 3,
"rule_title": "Delete User"
}
}
],
"SourceIpAddress": [{"KEY": {"ip_addr": "34.221.221.117"
},
"PROPS": {"api_list": ["DeleteUser"
]
}
}
]
}
},
{"startTime": "2021-12-18T08:00:00Z",
"endTime": "2021-12-18T08:30:00Z",
"eventType": "IAMAccessKeyChanged",
"eventId": 19018,
"eventModel": "CloudTrailCep",
"eventActor": "Aws",
"eventMap": {"API": [{"KEY": {"api": "CreateAccessKey",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
},
{"KEY": {"api": "DeleteAccessKey",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
}
],
"CT_User": [{"KEY": {"account": "631664038012",
"mfa": 0,
"principalId": "ABCDEFGHIJKL123456789",
"username": "AssumedRole/631664038012:dev-test-instances"
},
"PROPS": {"api_list": ["CreateAccessKey",
"DeleteAccessKey"
],
"region_list": ["us-east-1"
]
}
}
],
"Region": [{"KEY": {"region": "us-east-1"
},
"PROPS": {"account_list": ["631664038012"
]
}
}
],
"Resource": [{"KEY": {"name": "accessKeyId",
"value": "ABCD1234567890"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
},
{"KEY": {"name": "accessKeyId",
"value": "ABCD9876543210"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
}
],
"RulesTriggered": [{"KEY": {"triggered_rule_id": "lw-global-12"
},
"PROPS": {"rule_description": "An IAM access key was created or deleted.",
"rule_id": "lw-global-12",
"rule_severity": 2,
"rule_title": "IAM Access Key Change"
}
}
],
"SourceIpAddress": [{"KEY": {"ip_addr": "34.221.221.117"
},
"PROPS": {"api_list": ["CreateAccessKey",
"DeleteAccessKey"
]
}
}
]
}
}
]
}

Search Cloud Activities

Search cloud activities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudActivities/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

yyyy-MM-dd for example, 2021-12-18
yyyy-MM-ddTHH for example, 2021-12-18T08
yyyy-MM-ddTHH:mm:ssZ for example, 2021-12-18T08:00:00Z
yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2021-12-18T08:00:00.000Z

The rlike and not_rlike operators are useful for filtering results. For example, the following expression limits results to the CreateTags API:

"filters": [ { "expression": "rlike", "field": "entityMap.API", "value": ".CreateTags." } ]

Here is another example that shows how to limit results to those with the numeric pattern specified as the resource ID:

"filters": [ { "expression": "rlike", "field": "entityMap.Resource", "value": ".3\.0\.529\.0." } ]

Here are some additional example body payloads:

{ "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" } ] }
{ "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" },
{ "field": "eventModel", "expression": "eq", "value": "AwsApiTracker" } ],
"returns":[ "startTime", "endTime", "eventType", "eventActor", "eventModel" ] }

To use the current time as the end time, exclude the endTime field.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5020,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/CloudActivities/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-12-18T06:00:00Z",
"endTime": "2021-12-18T06:30:00Z",
"eventType": "CloudTrailDefaultAlert",
"eventId": 291028,
"eventModel": "CloudTrailCep",
"eventActor": "Aws",
"eventMap": {"API": [{"KEY": {"api": "DeleteUser",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
}
],
"CT_User": [{"KEY": {"account": "631664038012",
"mfa": 0,
"principalId": "ABCDEFGHIJKL123456789",
"username": "AssumedRole/631664038012:dev-test-instances"
},
"PROPS": {"api_list": ["DeleteUser"
],
"region_list": ["us-east-1"
]
}
}
],
"Region": [{"KEY": {"region": "us-east-1"
},
"PROPS": {"account_list": ["631668038012"
]
}
}
],
"Resource": [{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
}
],
"RulesTriggered": [{"KEY": {"triggered_rule_id": "lw-dev-1"
},
"PROPS": {"rule_description": "An existing user was deleted.",
"rule_id": "lw-dev-1",
"rule_severity": 3,
"rule_title": "Delete User"
}
}
],
"SourceIpAddress": [{"KEY": {"ip_addr": "34.221.221.117"
},
"PROPS": {"api_list": ["DeleteUser"
]
}
}
]
}
},
{"startTime": "2021-12-18T08:00:00Z",
"endTime": "2021-12-18T08:30:00Z",
"eventType": "IAMAccessKeyChanged",
"eventId": 19018,
"eventModel": "CloudTrailCep",
"eventActor": "Aws",
"eventMap": {"API": [{"KEY": {"api": "CreateAccessKey",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
},
{"KEY": {"api": "DeleteAccessKey",
"service": "iam.amazonaws.com"
},
"PROPS": {"source_ip_address_list": ["34.221.221.117"
],
"user_list": ["AssumedRole/631664038012:dev-test-instances"
]
}
}
],
"CT_User": [{"KEY": {"account": "631664038012",
"mfa": 0,
"principalId": "ABCDEFGHIJKL123456789",
"username": "AssumedRole/631664038012:dev-test-instances"
},
"PROPS": {"api_list": ["CreateAccessKey",
"DeleteAccessKey"
],
"region_list": ["us-east-1"
]
}
}
],
"Region": [{"KEY": {"region": "us-east-1"
},
"PROPS": {"account_list": ["631664038012"
]
}
}
],
"Resource": [{"KEY": {"name": "accessKeyId",
"value": "ABCD1234567890"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
},
{"KEY": {"name": "accessKeyId",
"value": "ABCD9876543210"
}
},
{"KEY": {"name": "userName",
"value": "demomon13dec21083001"
}
}
],
"RulesTriggered": [{"KEY": {"triggered_rule_id": "lw-global-12"
},
"PROPS": {"rule_description": "An IAM access key was created or deleted.",
"rule_id": "lw-global-12",
"rule_severity": 2,
"rule_title": "IAM Access Key Change"
}
}
],
"SourceIpAddress": [{"KEY": {"ip_addr": "34.221.221.117"
},
"PROPS": {"api_list": ["CreateAccessKey",
"DeleteAccessKey"
]
}
}
]
}
}
]
}

Configurations

Get information about compliance configurations.

Search Compliance Evaluations

Search for compliance evaluations (with details such as compliance status, violated resources, reason, recommendation, account info, etc.) for a specified cloud provider within the last 90 days by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/search

The search results include details about compliance violations identified by cloud assessments for all supported and configured cloud provider types: AWS, Azure, and GCP.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You must specify a dataset. The possible datasets are AwsCompliance, AzureCompliance, GcpCompliance, and K8sCompliance. You can optionally filter the compliance evaluations by report time, account, section, ID, and more. For more information, see CLOUD_COMPLIANCE_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "dataset": "AwsCompliance" }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "status", "expression": "eq", "value": "NonCompliant" }, { "field": "account.AccountId", "expression": "eq", "value": "812212113623" } ],
"returns": [ "account", "id", "recommendation", "severity", "status" ],
"dataset": "AzureCompliance" }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.
dataset required	any Enum: "AwsCompliance" "AzureCompliance" "GcpCompliance" "K8sCompliance"

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
],
"dataset": "AwsCompliance"
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 9838,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/AbcdEfgh123..."
}
},
"data": [{"account": {"AccountId"": "812212113623",
"Account_Alias": "lacework"
},
"evalType": "LW_SA",
"id": "LW_AWS_IAM_7",
"reason": "Iam user is created but it is not active in the last 30 days",
"recommendation": "Iam user should not be inactive from last 30 days or more",
"reportTime": "2021-09-02T11:04:45.817Z",
"resource": "arn:aws:iam::812252663823:user/lwUser",
"severity": "Medium",
"status": "NonCompliant"
},
{"account": {"AccountId"": "812212113623",
"Account_Alias": "lacework"
},
"evalType": "LW_SA",
"id": "LW_AWS_NETWORKING_2",
"reason": "Security Groups have Unrestricted Inbound Traffic other than port 80 and 443",
"recommendation": "Network ACLs do not allow unrestricted inbound traffic",
"region": "eu-west-2",
"reportTime": "2021-09-02T11:04:45.817Z",
"resource": "arn:aws:ec2:eu-west-2:855452774823:network-acl/acl-1ue8138",
"severity": "Critical",
"status": "NonCompliant"
}
]
}

Azure Subscriptions

Get a list of Azure subscription IDs for an entire account or for a specific Azure tenant.

To list all Azure subscription IDs for an account, invoke the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/AzureSubscriptions

To get a list of Azure subscription IDs for a specific tenant, pass the tenant ID as a parameter to the endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/AzureSubscriptions?tenantId={tenantId}

query Parameters

tenantId

string

The Azure tenant ID.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"tenant": "a329d8bf-4557-3ccf-b132-82e7025ea22d (a329d8bf-4557-3ccf-b132-82e7025ea22d)",
"subscriptions": ["88813981-9B83-2B1F-9368-975D71921ACF ([LW] US-WEST)"
]
},
{"tenant": "e5c2ec8e-d3eb-42d8-b646-c34b6e86fa61 (e5c2ec8e-d3eb-42d8-b646-c34b6e86fa61)",
"subscriptions": ["81A2D8F9-F8B6-3A5D-B3C7-99680EF0B89F (Pay-As-You-Go)",
"83E80CD8-0802-1576-9B68-551D28393BB0 (Pay-As-You-Go-For-Integration)"
]
}
]
}

GCP Projects

Get a list of GCP project IDs for an entire account or for a specific organization.

To list all GCP project IDs for an account, invoke the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/GcpProjects

To get a list of GCP project IDs for a specific organization, pass the organization ID as a parameter to the endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/GcpProjects?orgId={orgId}

query Parameters

orgId

string

The GCP organization ID.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"organization": "123456789012",
"projects": ["lw-us-east (LW-US-East)",
"lw-us-west (LW-US-West)",
"lw-demo"
]
},
{"organization": "234567890123",
"projects": ["lacework-eu (lacework-eu)"
]
}
]
}

Container Registries

Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image. After integrating a container registry in Lacework, Lacework finds all container images in the registry repositories, assesses those container images for software packages with known vulnerabilities, and reports them.

In addition to online container registry integrations, Lacework helps secure containers that are not connected to the Internet through the use of proxy scanners and inline scanners. Container registries that are of type proxy scanner (PROXY_SCANNER) or inline scanner (INLINE_SCANNER) may not include all fields shown below, such as state.

Note: If the state property is missing for any type other than PROXY_SCANNER or INLINE_SCANNER, the state of the integration is Pending.

Create Container Registries

Create a container registry by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ContainerRegistries

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name required	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type required	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. ContVulnCfg
enabled required	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
required	object

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"type": "ContVulnCfg",
"enabled": 1,
"data": {"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
},
"awsAuthType": "AWS_IAM",
"registryType": "AWS_ECR",
"registryDomain": "string",
"limitNumImg": 5,
"limitByRep": [ ],
"nonOsPackageEval": true,
"limitByTag": [ ],
"limitByLabel": [ ]
}
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
}

List All Container Registries

Get a list of container registries for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
]
}

List Container Registries by Type

Get a list of container registries of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{type}/{subtype}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/ContVulnCfg/AWS_ECR

path Parameters

type required	string Value: "ContVulnCfg" Container Registry Type
required	ContVulnCfg (string) (ContainerRegistriesSubtype) Container Registry Subtype

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
]
}

Search Container Registries

Search container registries by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
},
{"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "info",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
]
}

Map policies to Container Registries

Map specific policies to a container registry by invoking the following endpoint: POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}/mapPolicies

path Parameters

intgGuid

required

string

The container registry's ID.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

evaluate	boolean Set to `True` if you want to evaluate all policies for this integration. Otherwise, set to `False`.
policyGuids	Array of strings A list of all policy IDs to map to this integration.

Responses

Request samples

Payload

Content type

application/json

{"evaluate": true,
"policyGuids": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
}

Container Registry Details

Get details about a container registry by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}

path Parameters

intgGuid

required

string

The container registry's ID.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
}

Update Container Registries

Update a container registry by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters

intgGuid

required

string

The container registry's ID.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

name	string (Name) non-empty (?!^ +$)^.+$ When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.
type	string (Type) When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. ContVulnCfg
enabled	number (Enabled) [ 0 .. 1 ] When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration.
	object

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"type": "ContVulnCfg",
"enabled": 1,
"data": {"crossAccountCredentials": {"externalId": "string",
"roleArn": "string"
},
"awsAuthType": "AWS_IAM",
"registryType": "AWS_ECR",
"registryDomain": "string",
"limitNumImg": 5,
"limitByRep": [ ],
"nonOsPackageEval": true,
"limitByTag": [ ],
"limitByLabel": [ ]
}
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2021-02-08T08:28:18Z",
"enabled": 1,
"intgGuid": "LWXYZ...",
"isOrg": 0,
"name": "Support",
"props": "{object}",
"state": "{object}",
"type": "ContVulnCfg",
"data": {"accessKeyCredentials": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"secretAccessKey": ""
},
"registryType": "AWS_ECR",
"registryDomain": "12345678.abc.ecr.us-west-2.amazonaws.com",
"limitByTag": ["latest*"
],
"limitByLabel": [ ],
"limitByRep"": [ ],
"limitNumImg": 5,
"identifierTag": [{"tag1": "tag_1"
},
{"tag2": "tag_2"
}
]
}
}
}

Delete Container Registries

Delete a container registry by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}

path Parameters

intgGuid

required

string

The container registry's ID.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Contract Info

Get Lacework contract information.

Contract Info

Return contract details about the Lacework licenses found in the Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContractInfo

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"objName": "CloudActivities",
"props": {"contractStartUtc": "2020-12-01T00:00:00Z",
"renewalUtc": "2021-03-01T00:00:00Z",
"numPurchased": 1,
"dataRetentionInDay": 90
}
},
{"objName": "AWSConfig",
"props": {"contractStartUtc": "2020-12-01T00:00:00Z",
"renewalUtc": "2021-03-01T00:00:00Z",
"numPurchased": 1,
"dataRetentionInDay": 90
}
}
]
}

Data Export Rules

S3 data export allows you to export data collected from your Lacework account and send it to an S3 bucket of your choice. You can extend Lacework processed/normalized data to report/visualize alone or combine with other business/security data to get insights and make meaningful business decisions.

Create Data Export Rules

Create a data export rule by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/DataExportRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

required	object When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule. You can use these attributes when searching for existing data export rules by invoking a POST request.
intgGuidList required	Array of strings non-empty unique The alert channels for the rule to use.
type required	string Value: "Dataexport" The data export rule's type such as `Dataexport`.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"profileVersions": ["string"
]
},
"intgGuidList": ["string"
],
"type": "Dataexport"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Data Export Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Dataexport"
}
}

List All Data Export Rules

List all data export rules in your Lacework Application by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/DataExportRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Data Export Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_32..."
],
"type": "Dataexport"
},
{"mcGuid": "QA42F6C8_88...",
"filters": {"name": "LW Data Export Rule 2",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:18:08.418Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_33..."
],
"type": "Dataexport"
}
]
}

Search Data Export Rules

Search data export rules by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/DataExportRules/search

To limit the returned result, optionally specify one or more filters in the request body.

Here are some example body payloads:

{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }
{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }
{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }
{ "filters": [ { "field": "filters.profileVersions", "expression": "eq", "value": "V1" } ] }

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Data Export Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_32..."
],
"type": "Dataexport"
},
{"mcGuid": "QA42F6C8_88...",
"filters": {"name": "LW Data Export Rule 2",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:18:08.418Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_33..."
],
"type": "Dataexport"
}
]
}

Data Export Rule Details

Get details about a data export rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a data export rule in the response when the GET /api/v2/DataExportRules endpoint is invoked.

path Parameters

mcGuid

required

string

Data Export Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Data Export Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Dataexport"
}
}

Update Data Export Rules

Update a data export rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a data export rule in the response when the GET /api/v2/DataExportRules endpoint is invoked.

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters

mcGuid

required

string

Data Export Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	object When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule. You can use these attributes when searching for existing data export rules by invoking a POST request.
intgGuidList	Array of strings non-empty unique The alert channels for the rule to use.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"profileVersions": ["string"
]
},
"intgGuidList": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Data Export Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Dataexport"
}
}

Update Data Export Rules

Update a data export rule by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

In the request body, specify the entire object that you want to update, for example,

{"mcGuid": "string", "filters": {"name": "string", "description": "string", "enabled": 1, "profileVersions": ["V1"]}, "intgGuidList": ["string"], "type": "Dataexport"}.

path Parameters

mcGuid

required

string

Data Export Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

required	object When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule. You can use these attributes when searching for existing data export rules by invoking a POST request.
intgGuidList required	Array of strings non-empty unique The alert channels for the rule to use.
type required	string Value: "Dataexport" The data export rule's type such as `Dataexport`.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"profileVersions": ["string"
]
},
"intgGuidList": ["string"
],
"type": "Dataexport"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_97...",
"filters": {"name": "Default Data Export Rule",
"createdOrUpdatedBy": "user@example.com",
"createdOrUpdatedTime": "2020-02-18T16:52:57.726Z",
"enabled": 1,
"profileVersions": ["V1"
]
},
"intgGuidList": ["QA402035_66..."
],
"type": "Dataexport"
}
}

Delete DataExportRules

Delete a data export rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

path Parameters

mcGuid

required

string

Data Export Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Datasources

Get schema details for all datasources that you can query using LQL.

List All Datasources

List all available datasources in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Datasources

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"name": "LW_DATASOURCE_1",
"description": "Details about datasource",
"resultSchema": [{"name": "START_TIME",
"dataType": "Timestamp",
"description": "Beginning of time interval"
},
{"name": "END_TIME",
"dataType": "Timestamp",
"description": "End of time interval"
},
{"name": "CREATED_TIME",
"dataType": "Timestamp",
"description": "Record creation time"
}
],
"sourceRelationships": [{"from": "MACHINES",
"to": "DNS_REQUESTS",
"name": "Machines-to-DNS-Requests",
"description": "DNS requests made from this machine",
"toCardinality": "MANY"
},
{"from": "MACHINES",
"to": "USER_LOGINS",
"name": "Machines-to-User-Logins",
"description": "User logins made on this machine",
"toCardinality": "MANY"
}
]
},
{"name": "LW_DATASOURCE_2",
"description": "Details about datasource",
"resultSchema": [{"name": "START_TIME",
"dataType": "Timestamp",
"description": "Beginning of time interval"
},
{"name": "END_TIME",
"dataType": "Timestamp",
"description": "End of time interval"
},
{"name": "CREATED_TIME",
"dataType": "Timestamp",
"description": "Record creation time"
}
],
"sourceRelationships": [{"from": "CONNECTIONS",
"to": "MACHINES",
"name": "Connections-to-Machines",
"description": "Machine the connection was recorded on",
"toCardinality": "ONE"
}
]
}
]
}

Datasource Details

Get details about a single datasource by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Datasources/{datasource}

Replace {datasource} with the name value returned for a datasource in the response when invoking the following endpoint: GET /api/v2/Datasources.

path Parameters

datasource

required

string

The datasource's name.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"name": "LW_DATASOURCE_1",
"description": "Details about datasource",
"resultSchema": [{"name": "START_TIME",
"dataType": "Timestamp",
"description": "Beginning of time interval"
},
{"name": "END_TIME",
"dataType": "Timestamp",
"description": "End of time interval"
},
{"name": "CREATED_TIME",
"dataType": "Timestamp",
"description": "Record creation time"
}
],
"sourceRelationships": [{"from": "MACHINES",
"to": "DNS_REQUESTS",
"name": "Machines-to-DNS-Requests",
"description": "DNS requests made from this machine",
"toCardinality": "MANY"
},
{"from": "MACHINES",
"to": "USER_LOGINS",
"name": "Machines-to-User-Logins",
"description": "User logins made on this machine",
"toCardinality": "MANY"
}
]
}
}

Search Datasources

Search for datasources by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Datasources/search

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

To use wildcards with the LIKE, ILIKE NOT_LIKE OR NOT_ILIKE filters, use the % symbol to match any string. This allows you to perform more flexible and broad searches for text data.

% represents a wildcard to match zero or more characters
_ (underscore) represents a wildcard match for a single character

Array

expression required	string Enum: "eq" "ne" "in" "not_in" "like" "ilike" "not_like" "not_ilike" "gt" "ge" "lt" "le" "between" The comparison operator for the filter condition.
field required	string The name of the data field to which the condition applies.
value	string The value that the condition checks for in the specified field. Use this attribute when specifying a single value.
values	Array of strings The values that the condition checks for in the specified field. Use this attribute when specifying multiple values.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"name": "LW_DATASOURCE_1",
"description": "Details about datasource",
"resultSchema": [{"name": "START_TIME",
"dataType": "Timestamp",
"description": "Beginning of time interval"
},
{"name": "END_TIME",
"dataType": "Timestamp",
"description": "End of time interval"
},
{"name": "CREATED_TIME",
"dataType": "Timestamp",
"description": "Record creation time"
}
],
"sourceRelationships": [{"from": "MACHINES",
"to": "DNS_REQUESTS",
"name": "Machines-to-DNS-Requests",
"description": "DNS requests made from this machine",
"toCardinality": "MANY"
},
{"from": "MACHINES",
"to": "USER_LOGINS",
"name": "Machines-to-User-Logins",
"description": "User logins made on this machine",
"toCardinality": "MANY"
}
]
}
}

Entities

Lacework continuously monitors machines in your environment and maintains data on both running and non-running virtual machines.

Search Applications

Search for applications running on the machine with an agent within the last 90 days. Get details such as the application name, username, machine, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Applications/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned applications by application name, username, machine, and more. For more information, see APPLICATIONS_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "containerInfo.pod_type", "expression": "eq", "value": "lacework-agent" } ],
"returns": [ "appName", "exePath", "containerInfo", "mid", "username" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 8368,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Applications/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-08-28T21:00:00Z",
"endTime": "2021-08-28T22:00:00Z",
"mid": 12345,
"appName": "appName1",
"exePath": "exePath1",
"username": {"effective": "example1",
"original": "example2"
},
"propsMachine": {"hostname": "ip-10-100-20-200",
"ip_addr": "10.100.20.200",
"mem_kbytes": 340000049,
"num_users": 5,
"primary_tags": ["primaryTag1"
],
"tags": { },
"up_time": 45
},
"containerInfo": {"k8s_cluster": "cluster value",
"pod_name": "lacework-agent-ab8ok",
"pod_namespace": "kube-system",
"pod_type": "lacework-agent",
"vmType": "VM type 1"
},
"netStats": { },
"props": { }
},
{"startTime": "2021-08-28T21:00:00Z",
"endTime": "2021-08-28T22:00:00Z",
"mid": 12346,
"appName": "appName2",
"exePath": "exePath2",
"username": {"effective": "example3",
"original": "example4"
},
"propsMachine": {"hostname": "ip-10-100-20-201",
"ip_addr": "10.100.20.201",
"mem_kbytes": 340000050,
"num_users": 7,
"primary_tags": ["primaryTag6"
],
"tags": { },
"up_time": 60
},
"containerInfo": {"k8s_cluster": "cluster value 2",
"pod_name": "lacework-agent-ab8st",
"pod_namespace": "kube-system",
"pod_type": "lacework-agent",
"vmType": "VM type 2"
},
"netStats": { },
"props": { }
}
]
}

Search Command Line Invocations

Search for active command line invocations in your environment across machines. Get details such as the created time, command line hash, and name of the command line executable by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/CommandLines/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned command line invocations by the created time, command line hash, and name of the command line executable. For more information, see CMDLINE_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "cmdlineHash", "expression": "eq", "value": "12345sdlfkhk54l5..." } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "cmdlineHash", "expression": "eq", "value": "12345sdlfkhk54l5..." }, { "field": "cmdline", "expression": "eq", "value": "some command" } ],
"returns": [ "cmdline", "cmdlineHash" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 8368,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/CommandLines/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-08-28T21:00:00Z",
"cmdlineHash": "sdlkfjl3492343240....",
"cmdline": "/bin/bash ..."
},
{"createdTime": "2021-08-28T21:00:00Z",
"cmdlineHash": "12345fospdofd000909fsfsd....",
"cmdline": "kubectl apply ..."
}
]
}

Search Containers

Search for containers in your environment. Get details, such as the container name, pod name, tags, and so on, by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Containers/search

The results reflect containers that were active within the specified time frame. Containers that were not active do not appear in the results.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned containers by the container name, pod name, tags, and more. For more information, see CONTAINER_SUMMARY_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "propsContainer.IMAGE_TAG", "expression": "eq", "value": "v1.7.0-eksbuild.1" } ],
"returns": [ "containerName", "imageId", "podName", "propsContainer", "tags" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name io.codefresh.repo.name nested under the PROPS_LABEL of the propsContainer field would be rendered as follows:

"propsContainer.PROPS_LABEL.\"io.codefresh.repo.name\""

In a filter, the example would appear as follows:

{ "field": "propsContainer.PROPS_LABEL.\"io.codefresh.repo.name\"", "expression": "eq", "value": "modelservice" }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5698,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Containers/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-08-29T21:00:00Z",
"endTime": "2021-08-29T22:00:00Z",
"mid": 12345,
"containerName": "container1",
"podName": "podName1",
"imageId": "sha256:12345678910abcdefghijklmno...",
"propsContainer": {"IMAGE_CREATED_TIME": "2020-08-31T19:16:56.210Z",
"IMAGE_ID": "sha256:e3adaca0b7890abcdefghijklmnopqrstuvwxyz",
"IMAGE_SIZE": 46269990,
"IMAGE_TAG": "v1.7.0-eksbuild.1",
"IMAGE_VERSION": "19.03.11",
"IMAGE_VIRTUAL_SIZE": 46269990,
"IPV4": "10.238.75.183",
"NAME": "/k8s_coredns_coredns-559b5db78d-w72nn_kube-system_12a3d5c0-vea3-6305-a3f9-2733528849d5_0",
"PID_MODE": "Private",
"POD_IP_ADDR": "10.238.75.183",
"POD_TYPE": "coredns-559b5db85d",
"PRIVILEGED": 0,
"PROPS_LABEL": { },
"VOLUME_MAP": { }
},
"tags": { }
},
{"startTime": "2021-08-29T21:00:00Z",
"endTime": "2021-08-29T22:00:00Z",
"mid": 98765,
"containerName": "container2",
"podName": "podName2",
"imageId": "sha256:sdkfhjdsk349324823vclkj...",
"propsContainer": {"IMAGE_CREATED_TIME": "2020-08-31T19:16:56.210Z",
"IMAGE_ID": "sha256:e3adaca0b7890abcdefghijklmnopqrstuvwxyz",
"IMAGE_SIZE": 46269990,
"IMAGE_TAG": "v1.7.0-eksbuild.1",
"IMAGE_VERSION": "19.03.11",
"IMAGE_VIRTUAL_SIZE": 46269990,
"IPV4": "10.231.32.155",
"NAME": "/k8s_coredns_coredns-559b5db78d-w72nn_kube-system_12a3d5c0-vea3-6305-a3f9-2733528849d5_0",
"PID_MODE": "Private",
"POD_IP_ADDR": "10.231.32.155",
"POD_TYPE": "coredns-559b5db85d",
"PRIVILEGED": 0,
"PROPS_LABEL": { },
"VOLUME_MAP": { }
},
"tags": { }
}
]
}

Search Files

Search for files in your environment. Get details such as the path to the file, file size, date of file modification, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Files/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned files by the path to the file, file size, date of file modification, and more. For more information, see ALL_FILES_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "filePath", "expression": "eq", "value": "somePath" } ],
"returns": [ "filePath", "filedataHash", "mid", "size" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 5698,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Files/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-08-29T21:00:00Z",
"mid": 12345,
"filePath": "filePath1",
"filedataHash": "hash1",
"size": 1234567,
"mtime": "1232132198"
},
{"createdTime": "2021-08-29T21:00:00Z",
"mid": 98765,
"filePath": "filePath2",
"filedataHash": "hash2",
"size": 59849509,
"mtime": "9892347923"
}
]
}

Search Images

Search for container images in your environment. Get details such as the image id, image size, repository name, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Images/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned images by image id, image size, repository name, and more. For more information, see IMAGE_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "size", "expression": "eq", "value": "434" } ],
"returns": [ "imageId", "mid", "repo", "size" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 6298,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Images/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-08-28T21:00:00Z",
"mid": 12345,
"imageId": "sha256:1234sjfd3343592a320392...",
"repo": "repo1",
"tag": "tag1",
"size": 1234567,
"containerType": "DOCKER"
},
{"createdTime": "2021-08-28T21:00:00Z",
"mid": 98765,
"imageId": "sha256:1264kfdjg45430fdl...",
"repo": "repo2",
"tag": "tag2",
"size": 5687,
"containerType": "DOCKER"
}
]
}

Search Internal IP Addresses

Search for internal IP addresses in your environment. Get details such as the start time, IP address, machine ID, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned addresses by the start time, IP address, machine ID, and more. For more information, see INTERNAL_IPA_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "ipAddr", "expression": "eq", "value": "10.123.456.1" } ],
"returns": [ "ipAddr" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 6298,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-10-12T09:00:00Z",
"endTime": "2021-10-12T10:00:00Z",
"ipAddr": "10.123.987.0",
"mid": 21099
},
{"startTime": "2021-10-12T08:00:00Z",
"endTime": "2021-10-12T09:00:00Z",
"ipAddr": "19.567.921.3",
"mid": 12345
}
]
}

Search K8s Pods

Search for Kubernetes pods in your environment. Get details such as the pod name, IP address assigned to the pod, and other pod statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/K8sPods/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned pods by machine ID, pod name, primary IP address, and more. For more information, see POD_SUMMARY_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "propsContainer.IMAGE_ID", "expression": "eq", "value": "sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39" } ],
"returns": [ "mid", "podName", "propsContainer" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name io.kubernetes.pod.namespace nested under the PROPS_LABEL of the propsContainer field would be rendered as follows:

"propsContainer.PROPS_LABEL.\"io.kubernetes.pod.namespace\""

In a filter, the example would appear as follows:

{ "field": "propsContainer.PROPS_LABEL.\"io.kubernetes.pod.namespace\"", "expression": "eq", "value": "codefresh" }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 12398,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/K8sPods/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-08-28T21:00:00Z",
"endTime": "2021-08-28T22:00:00Z",
"mid": 12345,
"podName": "name1",
"primaryIpAddr": "10.100.20.200",
"propsContainer": {"CONTAINER_TYPE": "DOCKER",
"IMAGE_CREATED_TIME": "2018-06-03T23:17:09.859Z",
"IMAGE_ID": "sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39",
"IMAGE_REPO": "602801163852.dkr.ecr.us-west-2.amazonaws.com/eks/pause-amd64",
"IMAGE_SIZE": 742472,
"IMAGE_TAG": "3.1",
"IMAGE_VERSION": "17.06.2-ce",
"IMAGE_VIRTUAL_SIZE": 742472,
"IPV4": "0.0.0.0",
"NAME": "/k8s_POD_vmalert-vm-5865bffbd6-f6c7l_vm_b46fdbf1-8103-667b-ab5b-8efbff0fe8ae_0",
"NETWORK_MODE": "None",
"PID_MODE": "Private",
"POD_TYPE": "vmalert-vm",
"PRIVILEGED": 0,
"PROPS_LABEL": { }
}
},
{"startTime": "2021-08-28T21:00:00Z",
"endTime": "2021-08-28T22:00:00Z",
"mid": 98763,
"podName": "name2",
"primaryIpAddr": "10.100.20.201",
"propsContainer": {"CONTAINER_TYPE": "DOCKER",
"IMAGE_CREATED_TIME": "2018-06-03T23:17:09.859Z",
"IMAGE_ID": "sha256:9e862c010bf39766f9821926828754adccf58225aa652cc18a97fccba273df39",
"IMAGE_REPO": "602801163852.dkr.ecr.us-west-2.amazonaws.com/eks/pause-amd64",
"IMAGE_SIZE": 742472,
"IMAGE_TAG": "3.1",
"IMAGE_VERSION": "17.06.2-ce",
"IMAGE_VIRTUAL_SIZE": 742472,
"IPV4": "0.0.0.0",
"NAME": "/k8s_POD_vmalert-vm-5865bffbd6-f6c7l_vm_b46fdbf1-8103-667b-ab5b-8efbff0fe8ae_0",
"NETWORK_MODE": "Host",
"PID_MODE": "Host",
"PRIVILEGED": 0,
"PROPS_LABEL": { }
}
}
]
}

Search Machines

Search for machines in your environment. Get details such as the machine ID, host name of the machine, and other machine statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Machines/search

The results reflect the online machines for the specified time frame. Machines that were not online do not appear in the results.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned machines by machine ID, host name, primary IP address, and more. For more information, see MACHINE_SUMMARY_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "machineTags.ExternalIp", "expression": "eq", "value": "35.163.78.148" } ],
"returns": [ "hostname", "machineTags", "mid", "primaryIpAddr" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name spotinst:aws:ec2:group:createdBy nested under the machineTags field would be rendered as follows:

"machineTags.\"spotinst:aws:ec2:group:createdBy\""

In a filter, the example would appear as follows:

{ "field": "machineTags.\"spotinst:aws:ec2:group:createdBy\"", "expression": "eq", "value": "spotinst" }

In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:

"machineTags.\"kubernetes.io\/cluster\/prod1\""

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 6318,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Machines/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-08-28T21:00:00Z",
"endTime": "2021-08-28T22:00:00Z",
"mid": 12345,
"hostname": "ip-172-31-22-135.us-west-2.compute.internal",
"machineTags": {"ExternalIp": "35.163.78.148",
"Hostname": "ip-172-31-22-135.us-west-2.compute.internal",
"InstanceId": "i-07927817a7a532c81",
"InstanceName": "vpc-39c60f41",
"InternalIp": "172.31.22.135",
"NumericProjectId": "ami-038b12f51d612b5db",
"ProjectId": "632668038012",
"SubnetId": "subnet-ec136995",
"VmInstanceType": "t2.xlarge",
"VmProvider": "AWS",
"Zone": "us-west-2"
},
"primaryIpAddr": "172-31-22-135",
"entityType": "Machine"
},
{"startTime": "2021-08-28T21:00:00Z",
"endTime": "2021-08-28T22:00:00Z",
"mid": 12346,
"hostname": "ip-172-31-22-138.us-west-2.compute.internal",
"machineTags": {"ExternalIp": "35.163.78.138",
"Hostname": "ip-172-31-22-138.us-west-2.compute.internal",
"InstanceId": "i-07927817a7a532c83",
"InstanceName": "vpc-39c60f31",
"InternalIp": "172.31.22.138",
"NumericProjectId": "ami-038b12f51d312b5db",
"ProjectId": "632668038013",
"SubnetId": "subnet-ec136965",
"VmInstanceType": "t2.xlarge",
"VmProvider": "AWS",
"Zone": "us-west-2"
},
"primaryIpAddr": "172-31-22-138",
"entityType": "Machine"
}
]
}

Search Machine Details

Search for machine details in your environment. Get details such as the machine ID, host name of the machine, domain associated with the machine, kernel type of the machine, and other machine statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/search

Machine details are available only for machines that were online for the specified time frame. Details for machines that were not online are not available.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned machines by machine ID, host name, domain, os, os version, and more. For more information, see MACHINE_DETAILS_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "tags.AmiId", "expression": "eq", "value": "ami-0b83c6233cdbe5c3e" } ],
"returns": [ "hostname", "mid", "awsInstanceId", "awsZone", "tags" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name spotinst:aws:ec2:group:createdBy nested under the tags field would be rendered as follows:

"tags.\"spotinst:aws:ec2:group:createdBy\""

In a filter, the example would appear as follows:

{ "field": "tags.\"spotinst:aws:ec2:group:createdBy\"", "expression": "eq", "value": "spotinst" }

In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:

"tags.\"kubernetes.io\/cluster\/prod1\""

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 6138,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-10-12T09:00:00Z",
"mid": 21099,
"hostname": "ip-1-2-3-4.us-west-2.compute.internal",
"domain": "domainName-1",
"os": "Amazon Linux",
"osVersion": "v1",
"kernel": "Linux",
"kernalRelease": "release-1",
"kernelVersion": "kernelVersion1",
"tags": {"Account": "631663038012",
"AmiId": "ami-0b83c6233cdbe5c3e",
"Env": "k8s",
"ExternalIp": "65.12.33.13",
"Hostname": "ip-172-20-48-251.ap-south-1.compute.internal",
"InstanceId": "i-086d43d6a3b95577b",
"InternalIp": "172.20.48.251",
"KubernetesCluster": "k8s.pr3-india.k8s.local",
"SubnetId": "subnet-00632df802c188943",
"VmInstanceType": "t2.large",
"VmProvider": "AWS",
"VpcId": "vpc-0b27d7188aa120476",
"Zone": "ap-south-1a",
"arch": "amd64",
"os": "linux"
},
"awsInstanceId": "i-1",
"awsZone": "us-west-2a"
},
{"createdTime": "2021-10-12T10:00:00Z",
"mid": 12345,
"hostname": "ip-10-29-39-40.us-west-2.compute.internal",
"domain": "domainName-2",
"os": "Amazon Linux",
"osVersion": "v2",
"kernel": "Linux",
"kernalRelease": "release-2",
"kernelVersion": "kernelVersion2",
"tags": {"Account": "631663038222",
"AmiId": "ami-0b82c6233cdbe5c3e",
"Env": "k8s",
"ExternalIp": "65.12.33.12",
"Hostname": "ip-172-20-48-252.ap-south-1.compute.internal",
"InstanceId": "i-086d43d6a3b95577b",
"InternalIp": "172.20.48.252",
"KubernetesCluster": "k8s.pr2-india.k8s.local",
"SubnetId": "subnet-02632df802c188923",
"VmInstanceType": "t2.large",
"VmProvider": "AWS",
"VpcId": "vpc-0b27d7188aa120276",
"Zone": "ap-south-1a",
"arch": "amd64",
"os": "linux"
},
"awsInstanceId": "i-2",
"awsZone": "us-west-2b"
}
]
}

Search Network Interfaces

Search for network interfaces in your environment. Get details such as the interface name, machine ID, hardware address associated with the interface, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned interfaces by the interface name, machine ID, the hardware address associated with the interface, and more. For more information, see INTERFACES_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "name", "expression": "eq", "value": "someName" } ],
"returns": [ "name", "mid", "hwAddr", "ipAddr" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 23680,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2020-12-18T08:00:00Z",
"mid": 12345,
"name": "name-1",
"hwAddr": "a5:3d:f4:7o:hy",
"ipAddr": "hg97::kdjf:klj9:kin8:lej4"
},
{"createdTime": "2020-12-18T08:30:00Z",
"mid": 98765,
"name": "name-2",
"hwAddr": "b7:k0:bh:8n",
"ipAddr": "som4::skd8:kj99:hg72:lk98"
}
]
}

Search New File Hashes

Search for new file hashes in your environment. Get details such as the file hash, start time, and end time by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned file hashes by the file hash, start time, or end time. For more information, see NEW_HASHES_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "filedataHash", "expression": "eq", "value": "2394832980909eoifjof3209032840i39r02390" } ],
"returns": [ "filedataHash" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 123456,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/AbcdEfgh123..."
}
},
"data": [{"startTime": "2020-12-18T08:00:00Z",
"endTime": "2020-12-18T08:30:00Z",
"filedataHash": "3209482304949038fjdksjfk324923840fuiewf498274923odiu32049"
},
{"startTime": "2020-12-18T08:00:00Z",
"endTime": "2020-12-18T08:30:00Z",
"filedataHash": "lksjfldkjfl5j345uioert94t344920349j03f9ejf34900tj40934940"
}
]
}

Search Packages

Search for package in your environment. Get details such as the machine ID that contains the package, package name, package version, and other package statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Packages/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned packages by machine ID, version, package architecture type, and more. For more information, see PACKAGE_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "packageName", "expression": "eq", "value": "package-1" } ],
"returns": [ "packageName", "mid", "version" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 123680,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Packages/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-10-12T09:00:00Z",
"mid": 21099,
"packageName": "package-1",
"version": "version-1",
"arch": "noarch"
},
{"createdTime": "2021-10-12T10:00:00Z",
"mid": 12345,
"packageName": "package-2",
"version": "version-2",
"arch": "noarch"
}
]
}

Search Processes

Search for processes in your environment. Get details such as the process ID, username that started the process, path to the file, parent process ID, etc., by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Processes/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned processes by the process id, username that started the process, path to the file, parent process ID, and more. For more information, see PROCESS_SUMMARY_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "ppid", "expression": "eq", "value": "0044" } ],
"returns": [ "pid", "ppid", "cmdlineHash", "mid", "uid", "username" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 123680,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Processes/AbcdEfgh123..."
}
},
"data": [{"startTime": "2021-08-29T21:00:00Z",
"endTime": "2021-08-29T22:00:00Z",
"mid": 98765,
"pid": 12345,
"ppid": 11,
"username": "root",
"uid": 0,
"filePath": "someFilePath",
"cmdlineHash": "0011234567abja3495834d3954389fh",
"podName": "pod1",
"processStartTime": "2021-08-28T21:00:00Z",
"containerId": "12345467894329487ofi345987439857439gki349857394857438957349"
},
{"startTime": "2021-08-29T21:00:00Z",
"endTime": "2021-08-29T22:00:00Z",
"mid": 12345,
"pid": 98765,
"ppid": 1100,
"username": "root",
"uid": 0,
"filePath": "someFilePath2",
"cmdlineHash": "394823749fskdhf349823fh498",
"podName": "pod2",
"processStartTime": "2021-08-27T21:00:00Z",
"containerId": "3454395843759fodsigoiu495385789hgsighdskhgjfdk4843242342342"
}
]
}

Search Users

Search for users in your environment. Get details such as the username, machine ID, user ID, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Users/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned users by username, machine ID, user ID, and more. For more information, see USER_DETAILS_V View.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "username", "expression": "eq", "value": "someUser" } ],
"returns": [ "username", "uid", "mid" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 12345,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Entities/Users/AbcdEfgh123..."
}
},
"data": [{"createdTime": "2021-08-28T21:00:00Z",
"mid": 12345,
"username": "username1",
"uid": 55,
"primaryGroupName": "primaryName1",
"otherGroupNames": "[\n  \"groupName1\",\n  \"groupName2\"\n]"
},
{"createdTime": "2021-08-28T21:00:00Z",
"mid": 98765,
"username": "username2",
"uid": 532,
"primaryGroupName": "primaryName2",
"otherGroupNames": "[\n  \"groupName3\"\n]"
}
]
}

Events

View and verify the evidence or observation details of individual events.

Search Events

The Events API enables you to retrieve the evidence or observation details by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Events/search

Lacework highly recommends specifying a time range in the request to narrow the search. If no time range is specified, the request uses the default time range of 24 hours before the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned users by eventType, srcType, and more.

Here are some example body payloads:

{ "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}}
{ "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "CloudTrailDefaultAlert" } ] }
{ "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}, "filters": [ { "field": "srcType", "expression": "eq", "value": "AwsResource" }, { "field": "srcEvent.awsRegion", "expression": "eq", "value": "us-west-2" } ],
"returns": [ "id", "srcEvent", "srcType" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"endTime": "2022-03-18T01:00:00.000Z",
"eventCount": 7738,
"eventType": "CloudTrailDefaultAlert",
"id": 438898,
"srcEvent": {"awsRegion": "us-west-2",
"event": {"additionalEventData": {"AuthenticationMethod": "AuthHeader",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"SignatureVersion": "SigV4",
"bytesTransferredIn": 0,
"bytesTransferredOut": 137,
"x-amz-id-2": "wl+gKI0I80T1CIBzz8d96nX5XcesTU/eIeo8SwdNqmSH2ZYFZssPmlqNhJJnhvewgefx6Babcqc="
},
"awsRegion": "us-west-2",
"eventCategory": "Management",
"eventID": "1dddd61c-7608-87d8-b9f8-4a52495bdbb1",
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"eventTime": "2022-03-18T00:04:08Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": true,
"recipientAccountId": "631668038012",
"requestID": "SRZY6EVTR8Q3ADSJ",
"requestParameters": {"Host": "s3.us-west-2.amazonaws.com",
"bucketName": "redhat-k8-crio-bucket",
"location": ""
},
"resources": [{"ARN": "arn:aws:s3:::redhat-k8-crio-bucket",
"accountId": "631668038012",
"type": "Aws::s3::bucket"
}
],
"sourceIPAddress": "36.223.225.183",
"tlsDetails": {"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "s3.us-west-2.amazonaws.com",
"tlsVersion": "TLSv1.2"
},
"userAgent": "[aws-sdk-go/1.37.0 (go1.15.8; linux; amd64)]",
"userIdentity": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957",
"principalId": "ABCDEFGHIJKL123456789",
"sessionContext": {"attributes": {"creationDate": "2022-03-17T23:58:00Z",
"mfaAuthenticated": "false"
},
"ec2RoleDelivery": "2.0",
"sessionIssuer": {"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Role",
"userName": "masters.redhatk8crio.k8s.local"
},
"webIdFederationData": { }
},
"type": "Assumedrole"
}
},
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"is_assumed_role": true,
"principalId": "ABCDEFGHIJKL123456789",
"recipientAccountId": "631668038012",
"sourceIPAddress": "36.223.225.183",
"userIdentity": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957",
"principalId": "ABCDEFGHIJKL123456789",
"sessionContext": {"attributes": {"creationDate": "2022-03-17T23:58:00Z",
"mfaAuthenticated": "false"
},
"ec2RoleDelivery": "2.0",
"sessionIssuer": {"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Role",
"userName": "masters.redhatk8crio.k8s.local"
},
"webIdFederationData": { }
},
"type": "Assumedrole"
},
"userIdentityAccount": "631668038012",
"userIdentityName": "masters.redhatk8crio.k8s.local",
"userIdentityType": "AssumedRole",
"username": "AssumedRole/631668038012:masters.redhatk8crio.k8s.local"
},
"srcType": "AwsResource",
"startTime": "2022-03-18T00:00:00.000Z"
},
{"endTime": "2022-03-18T01:00:00.000Z",
"eventCount": 7738,
"eventType": "CloudTrailDefaultAlert",
"id": 438898,
"srcEvent": {"awsRegion": "us-west-2",
"event": {"additionalEventData": {"AuthenticationMethod": "AuthHeader",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"SignatureVersion": "SigV4",
"bytesTransferredIn": 0,
"bytesTransferredOut": 137,
"x-amz-id-2": "hhxqxS6lksuIoI/E8eZqZ1xg+yqLSVwoXBgFb3doT0+e3QJzoDyGuQ6RqVkL8zjyhVBKhbQGC9E="
},
"awsRegion": "us-west-2",
"eventCategory": "Management",
"eventID": "1338a37d-4309-44bb-9f68-30c39ce152b0",
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"eventTime": "2022-03-18T00:17:27Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": true,
"recipientAccountId": "631668038012",
"requestID": "T7SB5GS78Q8ZA4KV",
"requestParameters": {"Host": "s3.us-west-2.amazonaws.com",
"bucketName": "asset-mgt-dev-697",
"location": ""
},
"resources": [{"ARN": "arn:aws:s3:::asset-mgt-dev-697",
"accountId": "631668038012",
"type": "Aws::s3::bucket"
}
],
"sourceIPAddress": "10.0.198.115",
"tlsDetails": {"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "s3.us-west-2.amazonaws.com",
"tlsVersion": "TLSv1.2"
},
"userAgent": "[aws-sdk-go/1.40.53 (go1.16; linux; amd64)]",
"userIdentity": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Iamuser",
"userName": "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
},
"vpcEndpointId": "vpce-0b01b13fbbcec47fa"
},
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"is_assumed_role": false,
"principalId": "ABCDEFGHIJKL123456789",
"recipientAccountId": "631668038012",
"sourceIPAddress": "10.0.198.115",
"userIdentity": {"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Iamuser",
"userName": "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
},
"userIdentityAccount": "631668038012",
"userIdentityType": "IAMUser",
"username": "IAMUser/631668038012:user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
},
"srcType": "AwsResource",
"startTime": "2022-03-18T00:00:00.000Z"
}
]
}

Policy Exceptions

Policy exceptions are a mechanism used to maintain the policies but allow you to circumvent one or more restrictions.

Create Policy Exceptions

Create exceptions for a specific policy by specifying the exception metadata when invoking the following endpoint:

POST /api/v2/Exceptions?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

query Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

description	string A brief description of the new exception.
required	Array of objects[ items ] The detailed constraints applied to the exception.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"constraints": [{"fieldKey": "string",
"fieldValues": [{ }
]
}
]
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"exceptionId": "510c8bc5-f06b-8afb-8028-0203d6e582de",
"description": "wildcard exception",
"constraints": [{"fieldKey": "fieldKey1",
"fieldValues": ["*"
]
}
],
"lastUpdateTime": "2022-04-05T01:53:11.809Z",
"lastUpdateUser": "info@example.com"
}
}

List All Policy Exceptions

Get all existing exceptions by invoking the following endpoint:

GET /api/v2/Exceptions

Get all existing exceptions of a specific policy by invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

query Parameters

policyId

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"exceptionId": "510c8bc5-f06b-8afb-8028-0203d6e582da",
"description": "wildcard exception",
"constraints": [{"fieldKey": "fieldKey1",
"fieldValues": ["*"
]
}
],
"lastUpdateTime": "2022-04-05T01:53:11.809Z",
"lastUpdateUser": "info@example.com"
},
{"exceptionId": "510c8bc5-f06b-8afb-8028-0203d6e582d",
"description": "exception for eu regions",
"constraints": [{"fieldKey": "fieldKey1",
"fieldValues": ["eu-central-1",
"eu-north-1"
]
}
],
"lastUpdateTime": "2022-04-05T01:56:21.808Z",
"lastUpdateUser": "info@example.com"
}
]
}

Policy Exception Details

Get details about an existing exception applied to a specific policy by invoking the following endpoint:

GET /api/v2/Exceptions/{exceptionId}?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when when invoking the following endpoint:

GET /api/v2/Policies

Replace {exceptionId} with the exceptionId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

path Parameters

exceptionId

required

string

Exception ID

query Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"exceptionId": "510c8bc5-f06b-8afb-8028-0203d6e582de",
"description": "wildcard exception",
"constraints": [{"fieldKey": "fieldKey1",
"fieldValues": ["*"
]
}
],
"lastUpdateTime": "2022-04-05T01:53:11.809Z",
"lastUpdateUser": "info@example.com"
}
}

Update Policy Exceptions

Update an existing exception applied to a specific policy by invoking the following endpoint:

PATCH /api/v2/Exceptions/{exceptionId}?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

Replace {exceptionId} with the exceptionId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

path Parameters

exceptionId

required

string

Exception ID

query Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

description	string A brief description of the new exception.
	Array of objects[ items ] The detailed constraints applied to the exception.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"constraints": [{"fieldKey": "string",
"fieldValues": [{ }
]
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"exceptionId": "510c8bc5-f06b-8afb-8028-0203d6e582de",
"description": "wildcard exception",
"constraints": [{"fieldKey": "fieldKey1",
"fieldValues": ["*"
]
}
],
"lastUpdateTime": "2022-04-05T01:53:11.809Z",
"lastUpdateUser": "info@example.com"
}
}

Delete Policy Exceptions

Delete an existing exception applied to a specific policy by invoking the following endpoint:

DELETE /api/v2/Exceptions/{exceptionId}?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

Replace {exceptionId} with the exceptionId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

path Parameters

exceptionId

required

string

Exception ID

query Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Inventory

View and monitor in-use cloud resources' risk, compliance, and configuration changes.

For more details about snapshots of resources, see Resource Inventory.

Search Inventory

The Inventory API enables you to retrieve information about resources in your cloud integrations, such as virtual machines, S3 buckets, security groups, and more, using the following endpoint:

POST /api/v2/Inventory/search

By default, Lacework collects resource information once a day. You can view and modify when resource collection starts using the Compliance Report Schedule setting.

The time filter allows you to see your resource inventory at a specific point of time. When using the Inventory API, keep in mind that the information returned reflects the inventory when the resource collector last ran within the specified time range. If you use a recent time range that does not encompass the last time inventory collection occurred, the query returns an empty array. In this case, expand the time span to include the last collection time.

For details about what cloud resource information is available, see CLOUD_CONFIGURATION_V View.

The rlike and not_rlike operators are useful for filtering results. For example, if the result contains the security group ID sg-0a1b2c3d4e5f6g7h in the path resourceConfig.SecurityGroups.GroupId, and SecurityGroups is an array, you can filter by ID for that pattern as follows:

"filters" : [ {"field":"resourceConfig","expression": "rlike", "value":".*sg-0a1b2c3d4e5f6g7h.*" } ]

Here are additional example body payloads:

{ "timeFilter": { "startTime" : "2022-06-08T00:00:00Z", "endTime": "2022-06-10T12:00:00Z"}, "csp": "AWS" }
{ "timeFilter": { "startTime": "2022-06-08T00:00:00Z", "endTime": "2022-06-10T12:00:00Z"}, "filters" : [ { "field": "resourceConfig.Architecture", "expression": "eq", "value": "x86_64" }, { "field": "resourceRegion", "expression": "eq", "value" : "us-east-2" } ],
"returns": [ "cloudDetails", "csp", "resourceConfig" , "resourceId", "resourceType" ],
"csp": "GCP" }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.
csp	any Enum: "AWS" "Azure" "GCP" Cloud service provider. You must specify either `csp` or `dataset` in the request.
dataset	any Deprecated Enum: "AwsCompliance" "GcpCompliance" You must specify either `csp` or `dataset` in the request.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
],
"csp": "AWS",
"dataset": "AwsCompliance"
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 78623,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Inventory/AbcdEfgh123..."
}
},
"data": [{"apiKey": "describe-db-subnet-groups",
"cloudDetails": {"accountAlias": "abc-prod-account",
"accountID": "631668038012"
},
"csp": "AWS",
"endTime": "2022-04-28T04:00:00.000Z",
"resourceConfig": {"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
"Ebs": {"AttachTime": "2019-10-13T18:27:30.000Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-05620dfe2b7fcc0d6"
}
}
],
"CapacityReservationSpecification": {"CapacityReservationPreference": "open"
},
"ClientToken": "",
"CpuOptions": {"CoreCount": 1,
"ThreadsPerCore": 1
},
"EbsOptimized": false,
"EnaSupport": true,
"EnclaveOptions": {"Enabled": false
},
"HibernationOptions": {"Configured": false
},
"Hypervisor": "xen",
"ImageId": "ami-06d31e91cea0dac8d",
"InstanceId": "i-011a36c1169995c86",
"InstanceType": "t2.micro",
"KeyName": "test1",
"LaunchTime": "2019-10-13T18:27:29.000Z",
"MetadataOptions": {"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"HttpPutResponseHopLimit": 1,
"HttpTokens": "optional",
"State": "applied"
},
"Monitoring": {"State": "disabled"
},
"NetworkInterfaces": [{"Attachment": {"AttachTime": "2019-10-13T18:27:29.000Z",
"AttachmentId": "eni-attach-02c2609c0fe4758a0",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"NetworkCardIndex": 0,
"Status": "attached"
},
"Description"": "",
"Groups": [{"GroupId": "sg-0dee9782b9ba32717",
"GroupName": "launch-wizard-23"
}
],
"InterfaceType": "interface",
"Ipv6Addresses": [ ],
"MacAddress": "06:8e:88:e8:50:2e",
"NetworkInterfaceId": "eni-054e319950b404c1e",
"OwnerId": "631664038012",
"PrivateDnsName": "ip-172-31-40-205.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.40.205",
"PrivateIpAddresses": [{"Primary": true,
"PrivateDnsName": "ip-172-31-40-205.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.40.205"
}
],
"SourceDestCheck"": true,
"Status": "in-use",
"SubnetId": "subnet-c592d68e",
"VpcId": "vpc-39c60f41"
}
],
"Placement": {"AvailabilityZone": "us-west-2a",
"GroupName": "",
"Tenancy": "default"
},
"PlatformDetails": "Linux/UNIX",
"PrivateDnsName": "ip-172-31-20-205.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.20.205",
"ProductCodes": [ ],
"PublicDnsName": "",
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "ebs",
"SecurityGroups": [{"GroupId": "sg-0dee9774b9ba32717",
"GroupName": "launch-wizard-23"
}
],
"SourceDestCheck": true,
"State": {"Code": 80,
"Name": "stopped"
},
"StateReason": {"Code": "Server.ScheduledStop",
"Message": "Server.ScheduledStop: Stopped due to scheduled retirement"
},
"StateTransitionReason": "Server.InternalError",
"SubnetId": "subnet-c592d68e",
"UsageOperation": "RunInstances",
"UsageOperationUpdateTime": "2019-10-13T18:27:29.000Z",
"VirtualizationType": "hvm",
"VpcId": "vpc-39c60f41"
},
"resourceId": "i-011a76c1169995c76",
"resourceRegion": "us-west-2",
"resourceTags": {"KubernetesCluster": "auto-02272022-160719-prod.k8s.local",
"Name": "a.etcd-main.auto-02272022-160719-prod.k8s.local",
"k8s.io/etcd/main": "a/a",
"k8s.io/role/master": "1",
"kubernetes.io/cluster/auto-02272022-160719-prod.k8s.local": "owned"
},
"resourceType": "ec2:instance",
"service": "ec2",
"startTime": "2022-04-28T03:00:00.000Z",
"status": {"formatVersion": 2,
"props": { },
"status": "success"
},
"urn": "arn:aws:ec2:us-west-2:631664038012:instance/i-011a76c1169995c76"
},
{"apiKey": "describe-account-attributes",
"cloudDetails": {"accountAlias": "abc-prod-account",
"accountID": "631668038012"
},
"csp": "AWS",
"endTime": "2022-04-28T04:00:00.000Z",
"resourceConfig": {"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
"Ebs": {"AttachTime": "2019-10-13T18:27:30.000Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-05620dfe2b7fcc0d6"
}
}
],
"CapacityReservationSpecification": null,
"CapacityReservationPreference": "open",
"ClientToken": "",
"CpuOptions": {"CoreCount": 1,
"ThreadsPerCore": 1
},
"EbsOptimized": false,
"EnaSupport": true,
"EnclaveOptions": {"Enabled": false
},
"HibernationOptions": {"Configured": false
},
"Hypervisor": "xen",
"ImageId": "ami-06d31e91cea0dac8d",
"InstanceId": "i-011a36c1169995c86",
"InstanceType": "t2.micro",
"KeyName": "test1",
"LaunchTime": "2019-10-13T18:27:29.000Z",
"MetadataOptions": {"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"HttpPutResponseHopLimit": 1,
"HttpTokens": "optional",
"State": "applied"
},
"Monitoring": {"State": "disabled"
},
"NetworkInterfaces": [{"Attachment": {"AttachTime": "2019-10-13T18:27:29.000Z",
"AttachmentId": "eni-attach-02c2609c0fe4758a0",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"NetworkCardIndex": 0,
"Status": "attached"
},
"Description"": "",
"Groups": [{"GroupId": "sg-0dee9782b9ba32717",
"GroupName": "launch-wizard-23"
}
],
"InterfaceType": "interface",
"Ipv6Addresses": [ ],
"MacAddress": "06:8e:88:e8:50:2e",
"NetworkInterfaceId": "eni-054e319950b404c1e",
"OwnerId": "631664038012",
"PrivateDnsName": "ip-172-31-40-205.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.40.205",
"PrivateIpAddresses": [{"Primary": true,
"PrivateDnsName": "ip-172-31-40-205.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.40.205"
}
],
"SourceDestCheck"": true,
"Status": "in-use",
"SubnetId": "subnet-c592d68e",
"VpcId": "vpc-39c60f41"
}
],
"Placement": {"AvailabilityZone": "us-west-2a",
"GroupName": "",
"Tenancy": "default"
},
"PlatformDetails": "Linux/UNIX",
"PrivateDnsName": "ip-172-31-20-205.us-west-2.compute.internal",
"PrivateIpAddress": "172.31.20.205",
"ProductCodes": [ ],
"PublicDnsName": "",
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "ebs",
"SecurityGroups": [{"GroupId": "sg-0dee9774b9ba32717",
"GroupName": "launch-wizard-23"
}
],
"SourceDestCheck": true,
"State": {"Code": 80,
"Name": "stopped"
},
"StateReason": {"Code": "Server.ScheduledStop",
"Message": "Server.ScheduledStop: Stopped due to scheduled retirement"
},
"StateTransitionReason": "Server.InternalError",
"SubnetId": "subnet-c592d68e",
"UsageOperation": "RunInstances",
"UsageOperationUpdateTime": "2019-10-13T18:27:29.000Z",
"VirtualizationType": "hvm",
"VpcId": "vpc-39c60f41"
},
"resourceId": "i-011a76c1169995c76",
"resourceRegion": "us-west-2",
"resourceTags": { },
"resourceType": "ec2:instance",
"service": "ec2",
"startTime": "2022-04-28T03:00:00.000Z",
"status": {"formatVersion": 2,
"props": { },
"status": "success"
},
"urn": "arn:aws:ec2:us-west-2:631664038012:instance/i-011a76c1169995c76"
}
]
}

Scan Inventory

Trigger a resource scan. By default, Lacework scans cloud integrations in order to generate or update its resource inventory once a day. This endpoint lets you trigger scans manually. This endpoint is useful, for example, after you have onboarded a new cloud integration and want to start collecting and evaluating resources from the system immediately. Manual scans can be run one hour after the last scan has completed.

Usage Example:

curl -X POST -H 'Content-Type: application/json' "https://YourLacework.lacework.net/api/v2/Inventory/scan?csp=AWS" -H "Authorization: Bearer YourAPIToken"

query Parameters

csp

required

string

Enum: "AWS" "GCP" "Azure"

Cloud service provider

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

Available

{"data": {"status": "available",
"details": "Scan is available"
}
}

Track Inventory Scan Status

Check the status of a resource scan. A resource scan may take an hour or more to complete. This endpoint lets you check the progress of a running scan.

Usage Example:

curl -X GET -H 'Content-Type: application/json' "https://YourLacework.lacework .net/api/v2/Inventory/scan?csp=AWS" -H "Authorization: Bearer YourAPIToken"

query Parameters

csp

required

string

Enum: "AWS" "GCP" "Azure"

Cloud service provider

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

Available

{"data": {"status": "available",
"details": "Scan is available"
}
}

Organization Info

Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/OrganizationInfo

Organization Info

Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/OrganizationInfo

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"orgAccount": true,
"orgAccountUrl": "YourLacework.lacework.net"
}
]

Policies

Policies are a mechanism used to add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. You can fully customize policies.

Create Policies

Create a Lacework Query Language (LQL) policy by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Policies

This creates the LQL policy in your Lacework instance so you can view it in the Lacework Console. You can get the unique identifiers for the LQL policies (policyIdList) array by invoking the GET /api/v2/Policies endpoint.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

policyType	string Value: "Violation" The policy type such as `Violation`.
queryId required	string Identifier of the query that executes while running the policy.
title required	string The policy's title.
enabled required	boolean When sending a request, use this attribute to enable or disable a policy. When included in a response, returns `True` for enabled policies, or returns `False` for disabled policies.
description required	string Information about the new policy.
remediation required	string Remediation strategy for the events triggered by the policy.
severity required	string Enum: "info" "low" "medium" "high" "critical" The severity of an event triggered by the policy.
limit	number >= 1 Default: 1000 The maximum number of records that each policy will return. The default value is 1000.
evalFrequency	string Deprecated Enum: "Hourly" "Daily" Frequency at which the policy will be evaluated
alertEnabled required	boolean When sending a request, set to `True` if you want to send alerts to an alert profile when the policy is triggered. Set to `False` if you want to mute alerts when the policy is triggered.
alertProfile	string The alert profile to use for sending alerts when the policy is triggered.
tags	Array of strings A list of policy tags.
policyId	string Policy ID. The convention for policy ID creation is `accountName-remainder`, for example, lws-special-100. When sending a request, you can simply provide `$account-<remainder>`, and Lacework will substitute the `$account` prefix with your actual account name. Note: The `-remainder` must use the regex pattern (`^[a-z]{1,16}(-\d{1,8})?$`), and cannot be `default` or start with `default-`.

Responses

Request samples

Payload

Content type

application/json

{"policyType": "Violation",
"queryId": "string",
"title": "string",
"enabled": true,
"description": "string",
"remediation": "string",
"severity": "info",
"limit": 1000,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "string",
"tags": ["string"
],
"policyId": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"policyId": "lacework...",
"policyType": "Violation",
"queryId": "LW_Custom_AWS_CTA_AuroraPasswordChange",
"queryText": "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ...",
"title": "Cloudtrail Policy 2",
"enabled": false,
"description": "Cloudtrail Policy 2",
"remediation": "Policy remediation 2",
"severity": "medium",
"limit": 100,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource",
"owner": "user@example.com",
"lastUpdateTime": "2022-10-03T16:23:38.915Z",
"lastUpdateUser": "user@example.com",
"tags": ["domain:Host",
"subdomain:Container"
]
}
}

List All Policies

List all registered LQL policies in your Lacework instance, by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Policies

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"policyId": "lacework-global-89",
"policyType": "Compliance",
"queryId": "",
"queryText": "",
"title": "EC2 instance does not have any tags",
"enabled": false,
"description": "Tags allow users to better organize resources and assist the collection of metrics...",
"remediation": "Perform the following to add tags:\n1. Log in to the AWS Management Console...",
"severity": "high",
"alertEnabled": false,
"alertProfile": "",
"owner": "Lacework",
"lastUpdateTime": "2021-05-31T19:00:00.000Z",
"lastUpdateUser": "Lacework",
"tags": ["framework:aws-lacework-security-1-0",
"domain:AWS",
"subdomain:Configuration"
],
"exceptionConfiguration": {"constraintFields": [{"fieldKey": "accountIds",
"dataType": "String",
"multiValue": true
},
{"fieldKey": "regionNames",
"dataType": "String",
"multiValue": true
},
{"fieldKey": "resourceNames",
"dataType": "String",
"multiValue": false
},
{"fieldKey": "resourceTags",
"dataType": "KVTagPair",
"multiValue": true
}
]
}
},
{"evaluatorId": "Cloudtrail",
"policyId": "lacework...",
"policyType": "Violation",
"queryId": "LW_Custom_AWS_CTA_AuroraPasswordChange",
"queryText": "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ...",
"title": "Cloudtrail Policy 2",
"enabled": false,
"description": "Cloudtrail Policy 2",
"remediation": "Policy remediation 2",
"severity": "medium",
"limit": 100,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource",
"owner": "user@example.com",
"lastUpdateTime": "2022-10-03T16:23:38.915Z",
"lastUpdateUser": "user@example.com",
"tags": ["domain:Host",
"subdomain:Container"
]
}
]
}

Search Policies

Search for policies by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Policies/search

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

To use wildcards with the LIKE, ILIKE NOT_LIKE OR NOT_ILIKE filters, use the % symbol to match any string. This allows you to perform more flexible and broad searches for text data.

% represents a wildcard to match zero or more characters
_ (underscore) represents a wildcard match for a single character

Array

expression required	string Enum: "eq" "ne" "in" "not_in" "like" "ilike" "not_like" "not_ilike" "gt" "ge" "lt" "le" "between" The comparison operator for the filter condition.
field required	string The name of the data field to which the condition applies.
value	string The value that the condition checks for in the specified field. Use this attribute when specifying a single value.
values	Array of strings The values that the condition checks for in the specified field. Use this attribute when specifying multiple values.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"policyId": "lacework...",
"policyType": "Violation",
"queryId": "LW_Custom_AWS_CTA_AuroraPasswordChange",
"queryText": "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ...",
"title": "Cloudtrail Policy 2",
"enabled": false,
"description": "Cloudtrail Policy 2",
"remediation": "Policy remediation 2",
"severity": "medium",
"limit": 100,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource",
"owner": "user@example.com",
"lastUpdateTime": "2022-10-03T16:23:38.915Z",
"lastUpdateUser": "user@example.com",
"tags": ["domain:Host",
"subdomain:Container"
]
}
}

Policy Tags

Get a list of policy tags

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": ["domain:AWS",
"domain:Host",
"subdomain:Cloudtrail",
"subdomain:Container"
]
}

Policy Details

Get details about a single LQL policy by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Policies/{policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when the GET /api/v2/Policies endpoint is invoked.

path Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"policyId": "lacework...",
"policyType": "Violation",
"queryId": "LW_Custom_AWS_CTA_AuroraPasswordChange",
"queryText": "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ...",
"title": "Cloudtrail Policy 2",
"enabled": false,
"description": "Cloudtrail Policy 2",
"remediation": "Policy remediation 2",
"severity": "medium",
"limit": 100,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource",
"owner": "user@example.com",
"lastUpdateTime": "2022-10-03T16:23:38.915Z",
"lastUpdateUser": "user@example.com",
"tags": ["domain:Host",
"subdomain:Container"
]
}
}

Update Policies

Update an existing LQL policy registered in your Lacework instance by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/Policies/{policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when the GET /api/v2/Policies endpoint is invoked.

path Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

policyType	string Value: "Violation" The policy type such as `Violation`.
queryId	string Identifier of the query that executes while running the policy.
title	string The policy's title.
enabled	boolean When sending a request, use this attribute to enable or disable a policy. When included in a response, returns `True` for enabled policies, or returns `False` for disabled policies.
description	string Information about the new policy.
remediation	string Remediation strategy for the events triggered by the policy.
severity	string Enum: "info" "low" "medium" "high" "critical" The severity of an event triggered by the policy.
limit	number >= 1 Default: 1000 The maximum number of records that each policy will return. The default value is 1000.
evalFrequency	string Deprecated Enum: "Hourly" "Daily" Frequency at which the policy will be evaluated
alertEnabled	boolean When sending a request, set to `True` if you want to send alerts to an alert profile when the policy is triggered. Set to `False` if you want to mute alerts when the policy is triggered.
alertProfile	string The alert profile to use for sending alerts when the policy is triggered.
tags	Array of strings A list of policy tags.

Responses

Request samples

Payload

Content type

application/json

{"policyType": "Violation",
"queryId": "string",
"title": "string",
"enabled": true,
"description": "string",
"remediation": "string",
"severity": "info",
"limit": 1000,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "string",
"tags": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"policyId": "lacework...",
"policyType": "Violation",
"queryId": "LW_Custom_AWS_CTA_AuroraPasswordChange",
"queryText": "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ...",
"title": "Cloudtrail Policy 2",
"enabled": false,
"description": "Cloudtrail Policy 2",
"remediation": "Policy remediation 2",
"severity": "medium",
"limit": 100,
"evalFrequency": "Hourly",
"alertEnabled": true,
"alertProfile": "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource",
"owner": "user@example.com",
"lastUpdateTime": "2022-10-03T16:23:38.915Z",
"lastUpdateUser": "user@example.com",
"tags": ["domain:Host",
"subdomain:Container"
]
}
}

Delete Policies

Delete an LQL custom policy registered in your Lacework instance by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/Policies/{policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when the GET /api/v2/Policies endpoint is invoked.

path Parameters

policyId

required

string

Policy ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Queries

Queries are the mechanism used to interactively request information from a specific curated datasource. Queries have a defined structure for authoring detections.

Create Queries

Create a Lacework Query Language (LQL) query by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries

This creates the LQL query in your Lacework instance so you can use it in an LQL custom policy and view it in the Lacework Console. You can get the unique identifiers for the LQL queries (queryIdList) array by invoking the GET /api/v2/Queries endpoint.

For information on creating queries, including information on specifying data sources, filtering, and returning data with the DISTINCT operator, see LQL Overview.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

queryText required	string When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data.
queryId required	string Identifier of the query that executes while running the policy.

Responses

Request samples

Payload

Content type

application/json

{"queryText": "string",
"queryId": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"queryId": "LW_Global_...",
"queryText": "Query...",
"owner": "user@example.com",
"lastUpdateTime": "2020-12-16T16:43:37.915Z",
"lastUpdateUser": "user@example.com",
"resultSchema": [{"name": "EVENT",
"dataType": "JSON",
"description": "Description of the result"
},
{"name": "EVENT_TIME",
"dataType": "Timestamp",
"description": "Description of the result"
}
]
}
}

List All Queries

List all registered LQL queries in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Queries

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"evaluatorId": "Cloudtrail",
"queryId": "LW_Global_...",
"queryText": "Query...",
"owner": "user@example.com",
"lastUpdateTime": "2020-12-16T16:43:37.915Z",
"lastUpdateUser": "user@example.com",
"resultSchema": [{"name": "EVENT",
"dataType": "JSON",
"description": "Description of the result"
},
{"name": "EVENT_TIME",
"dataType": "Timestamp",
"description": "Description of the result"
}
]
},
{"evaluatorId": "Cloudtrail",
"queryId": "LW_Global2_...",
"queryText": "Query...",
"owner": "user@example.com",
"lastUpdateTime": "2020-12-16T16:43:37.915Z",
"lastUpdateUser": "user@example.com",
"resultSchema": [{"name": "EVENT",
"dataType": "JSON",
"description": "Description of the result"
},
{"name": "EVENT_TIME",
"dataType": "Timestamp",
"description": "Description of the result"
}
]
}
]
}

Execute Queries

Run an LQL query by specifying parameters in the request body by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/execute

The response is the data that the query finds in the datasource for the specified time period. To specify a time period, use the StartTimeRange and EndTimeRange arguments. For an example of how to specify a time frame, see Example Queries.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

required	object
	object (Query_Execute_Options)
	Array of objects[ items ]

Responses

Request samples

Payload

Content type

application/json

{"query": {"queryText": "string"
},
"options": {"limit": 1
},
"arguments": [{"name": "string",
"value": "string"
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{ }
]
}

Execute Queries by ID

Run an existing LQL query registered in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/{queryId}/execute

Replace {queryId} with the queryId value returned for an LQL query in the response when the GET /api/v2/Queries endpoint is invoked. The response is the data that the query finds in the datasource for the specified time period. For an example of how to specify a time frame, see Example Queries.

path Parameters

queryId

required

string

Identifier of the query that executes while running the policy.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object (Query_Execute_Options)
	Array of objects[ items ]

Responses

Request samples

Payload

Content type

application/json

{"options": {"limit": 1
},
"arguments": [{"name": "string",
"value": "string"
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{ }
]
}

Validate Queries

Validate an LQL query by specifying parameters in the request body by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/validate

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

queryText

required

string

When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data.

Responses

Request samples

Payload

Content type

application/json

{"queryText": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"queryId": "LW_Global_...",
"queryText": "Query...",
"resultSchema": [{"name": "column1",
"dataType": ""
},
{"name": "column2",
"dataType": ""
}
]
}
}

Search Queries

Search for queries by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/search

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

To use wildcards with the LIKE, ILIKE NOT_LIKE OR NOT_ILIKE filters, use the % symbol to match any string. This allows you to perform more flexible and broad searches for text data.

% represents a wildcard to match zero or more characters
_ (underscore) represents a wildcard match for a single character

Array

expression required	string Enum: "eq" "ne" "in" "not_in" "like" "ilike" "not_like" "not_ilike" "gt" "ge" "lt" "le" "between" The comparison operator for the filter condition.
field required	string The name of the data field to which the condition applies.
value	string The value that the condition checks for in the specified field. Use this attribute when specifying a single value.
values	Array of strings The values that the condition checks for in the specified field. Use this attribute when specifying multiple values.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"queryId": "LW_Global_...",
"queryText": "Query...",
"owner": "user@example.com",
"lastUpdateTime": "2020-12-16T16:43:37.915Z",
"lastUpdateUser": "user@example.com",
"resultSchema": [{"name": "EVENT",
"dataType": "JSON",
"description": "Description of the result"
},
{"name": "EVENT_TIME",
"dataType": "Timestamp",
"description": "Description of the result"
}
]
}
}

Query Details

Get details about a single LQL query by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Queries/{queryId}

Replace {queryId} with the queryId value returned for an LQL query in the response when the GET /api/v2/Queries endpoint is invoked.

path Parameters

queryId

required

string

Identifier of the query that executes while running the policy.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"queryId": "LW_Global_...",
"queryText": "Query...",
"owner": "user@example.com",
"lastUpdateTime": "2020-12-16T16:43:37.915Z",
"lastUpdateUser": "user@example.com",
"resultSchema": [{"name": "EVENT",
"dataType": "JSON",
"description": "Description of the result"
},
{"name": "EVENT_TIME",
"dataType": "Timestamp",
"description": "Description of the result"
}
]
}
}

Update Queries

Update an existing LQL query registered in your Lacework instance by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/Queries/{queryId}

Replace {queryId} with the queryId value returned for an LQL query in the response when the GET /api/v2/Queries endpoint is invoked.

path Parameters

queryId

required

string

Identifier of the query that executes while running the policy.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

queryText

string

When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data.

Responses

Request samples

Payload

Content type

application/json

{"queryText": "string"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"evaluatorId": "Cloudtrail",
"queryId": "LW_Global_...",
"queryText": "Query...",
"owner": "user@example.com",
"lastUpdateTime": "2020-12-16T16:43:37.915Z",
"lastUpdateUser": "user@example.com",
"resultSchema": [{"name": "EVENT",
"dataType": "JSON",
"description": "Description of the result"
},
{"name": "EVENT_TIME",
"dataType": "Timestamp",
"description": "Description of the result"
}
]
}
}

Delete Queries

Delete a Lacework Query Language (LQL) query registered in your Lacework instance by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/Queries/{queryId}

Replace {queryId} with the queryId value returned for an LQL query in the response when invoking the following endpoint: GET /api/v2/Queries.

path Parameters

queryId

required

string

Identifier of the query that executes while running the policy.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Report Rules

Lacework combines alert channels and report rules to provide a flexible method for routing reports. For report rules, you define information about which reports to send. For alert channels, you define where to send reports such as to Jira, Slack, or email.

Create Report Rule

Create a report rule in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ReportRules

Get the unique identifiers for the alert channels (intGuidList) array by invoking the GET /api/v2/ReportRules endpoint.

In addition, the severity field is required if you create report rules for any of the following report types: awsCloudtrailEvents, awsComplianceEvents, azureActivityLogEvents, azureComplianceEvents, gcpAuditTrailEvents, gcpComplianceEvents, openShiftComplianceEvents, platformEvents, agentEvents.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

required	object When sending a request, use this object to define the new report rule. When included in a response, this object contains details of a report rule. You can use these attributes when searching for existing report rules by invoking a GET request.
intgGuidList required	Array of strings non-empty unique The alert channels for the rule to access.
required	object The report types that you want the rule to apply to.
type required	string Value: "Report" The data type as `Report`.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"resourceGroups": ["string"
],
"severity": [ ]
},
"intgGuidList": ["string"
],
"reportNotificationTypes": {"agentEvents": true,
"awsCis14": true,
"awsCisS3": true,
"awsCloudtrailEvents": true,
"awsComplianceEvents": true,
"awsCis14IsoIec270022022": true,
"awsCyberEssentials22": true,
"awsCsaCcm405": true,
"azureActivityLogEvents": true,
"azureCis": true,
"azureCis131": true,
"azureComplianceEvents": true,
"azurePci": true,
"azurePciRev2": true,
"azureSoc": true,
"azureSocRev2": true,
"azureIso27001": true,
"azureHipaa": true,
"azureNistCsf": true,
"azureNist80053Rev5": true,
"azureNist800171Rev2": true,
"gcpAuditTrailEvents": true,
"gcpCis": true,
"gcpComplianceEvents": true,
"gcpHipaa": true,
"gcpHipaaRev2": true,
"gcpIso27001": true,
"gcpCis12": true,
"gcpCis13": true,
"gcpK8s": true,
"gcpPci": true,
"gcpPciRev2": true,
"gcpSoc": true,
"gcpSocRev2": true,
"gcpNistCsf": true,
"gcpNist80053Rev4": true,
"gcpNist800171Rev2": true,
"hipaa": true,
"iso2700": true,
"k8sAuditLogEvents": true,
"nist800-53Rev4": true,
"nist800-171Rev2": true,
"openShiftCompliance": true,
"openShiftComplianceEvents": true,
"pci": true,
"platformEvents": true,
"soc": true,
"awsSocRev2": true,
"trendReport": true,
"awsPciDss321": true,
"awsNist80053Rev5": true,
"awsSoc2": true,
"awsNist800171Rev2": true,
"awsNistCsf": true,
"awsCmmc102": true,
"awsHipaa": true,
"awsIso270012013": true
},
"type": "Report"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BA..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_32..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": true,
"agentEvents": false,
"awsCisS3": false,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": true,
"awsComplianceEvents": false,
"azureComplianceEvents": false,
"azureCis": true,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": false
},
"type": "Report"
}
}

List All Report Rules

List all report rules in your Lacework instance, by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ReportRules

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BA..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_32..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": false,
"agentEvents": false,
"awsCisS3": true,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": false,
"awsComplianceEvents": true,
"azureComplianceEvents": false,
"azureCis": false,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": true
},
"type": "Report"
},
{"mcGuid": "QA42F6C8_88...",
"filters": {"name": "LW Rule 2",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:18:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BC..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_33..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": true,
"agentEvents": false,
"awsCisS3": false,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": true,
"awsComplianceEvents": false,
"azureComplianceEvents": false,
"azureCis": true,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": false
},
"type": "Report"
}
]
}

Search Report Rules

Search all report rules in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ReportRules/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

Here are some example body payloads:

{ "filters": [ { "expression": "eq", "field": "name", "value": " Jane" } ] }
{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }
{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }
{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }
{ "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }
{ "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }
{ "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }
{ "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BA..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_32..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": false,
"agentEvents": false,
"awsCisS3": true,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": false,
"awsComplianceEvents": true,
"azureComplianceEvents": false,
"azureCis": false,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": true
},
"type": "Report"
},
{"mcGuid": "QA42F6C8_88...",
"filters": {"name": "LW Rule 2",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:18:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BC..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_33..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": true,
"agentEvents": false,
"awsCisS3": false,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": true,
"awsComplianceEvents": false,
"azureComplianceEvents": false,
"azureCis": true,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": false
},
"type": "Report"
}
]
}

Report Rule Details

Get details about a report rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a report rule in the response when invoking the following endpoint: GET /api/v2/ReportRules.

path Parameters

mcGuid

required

string

Report Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BA..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_32..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": true,
"agentEvents": false,
"awsCisS3": false,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": true,
"awsComplianceEvents": false,
"azureComplianceEvents": false,
"azureCis": true,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": false
},
"type": "Report"
}
}

Update Report Rules

Update a report rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a report rule in the response, when the GET /api/v2/ReportRules endpoint is invoked.

In addition, if the severity field doesn't exist for the report rule being updated, the severity field is required if you add any of the following report types: awsCloudtrailEvents, awsComplianceEvents, azureActivityLogEvents, azureComplianceEvents, gcpAuditTrailEvents, gcpComplianceEvents, openShiftComplianceEvents, platformEvents, agentEvents.

path Parameters

mcGuid

required

string

Report Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object When sending a request, use this object to define the new report rule. When included in a response, this object contains details of a report rule. You can use these attributes when searching for existing report rules by invoking a GET request.
intgGuidList	Array of strings non-empty unique The alert channels for the rule to access.
	object The report types that you want the rule to apply to.

Responses

Request samples

Payload

Content type

application/json

{"filters": {"name": "string",
"description": "string",
"enabled": 1,
"resourceGroups": ["string"
],
"severity": [ ]
},
"intgGuidList": ["string"
],
"reportNotificationTypes": {"agentEvents": true,
"awsCis14": true,
"awsCisS3": true,
"awsCloudtrailEvents": true,
"awsComplianceEvents": true,
"awsCis14IsoIec270022022": true,
"awsCyberEssentials22": true,
"awsCsaCcm405": true,
"azureActivityLogEvents": true,
"azureCis": true,
"azureCis131": true,
"azureComplianceEvents": true,
"azurePci": true,
"azurePciRev2": true,
"azureSoc": true,
"azureSocRev2": true,
"azureIso27001": true,
"azureHipaa": true,
"azureNistCsf": true,
"azureNist80053Rev5": true,
"azureNist800171Rev2": true,
"gcpAuditTrailEvents": true,
"gcpCis": true,
"gcpComplianceEvents": true,
"gcpHipaa": true,
"gcpHipaaRev2": true,
"gcpIso27001": true,
"gcpCis12": true,
"gcpCis13": true,
"gcpK8s": true,
"gcpPci": true,
"gcpPciRev2": true,
"gcpSoc": true,
"gcpSocRev2": true,
"gcpNistCsf": true,
"gcpNist80053Rev4": true,
"gcpNist800171Rev2": true,
"hipaa": true,
"iso2700": true,
"k8sAuditLogEvents": true,
"nist800-53Rev4": true,
"nist800-171Rev2": true,
"openShiftCompliance": true,
"openShiftComplianceEvents": true,
"pci": true,
"platformEvents": true,
"soc": true,
"awsSocRev2": true,
"trendReport": true,
"awsPciDss321": true,
"awsNist80053Rev5": true,
"awsSoc2": true,
"awsNist800171Rev2": true,
"awsNistCsf": true,
"awsCmmc102": true,
"awsHipaa": true,
"awsIso270012013": true
}
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"mcGuid": "QA42F6C8_83...",
"filters": {"name": "LW Rule 1",
"createdOrUpdatedBy": "info@example.com",
"createdOrUpdatedTime": "2021-01-12T23:16:08.418Z",
"enabled": 1,
"resourceGroups": ["QA402035_BA..."
],
"severity": [1,
2,
3
]
},
"intgGuidList": ["QA402035_32..."
],
"reportNotificationTypes": {"gcpCis": false,
"gcpComplianceEvents": false,
"trendReport": false,
"azurePci": true,
"agentEvents": false,
"awsCisS3": false,
"gcpAuditTrailEvents": false,
"openShiftCompliance": false,
"openShiftComplianceEvents": false,
"azureSoc": true,
"awsComplianceEvents": false,
"azureComplianceEvents": false,
"azureCis": true,
"azureActivityLogEvents": false,
"awsCloudtrailEvents": false
},
"type": "Report"
}
}

Delete Report Rules

Delete a report rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a report rule in the response when invoking the following endpoint: GET /api/v2/ReportRules.

path Parameters

mcGuid

required

string

Report Rule ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Reports

Lacework combines details about non-compliant resources that are in violation into reports. You must configure at least one cloud integration with AWS, Azure, or GCP to receive these reports.

Reports

Get a specific report by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId={primaryQueryId}&secondaryQueryId={secondaryQueryId}&format={format}&reportType={reportType}&severity={severity}&status={status}

Examples:

GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId=343523252&format=json&reportType=HIPAA&severity=critical,high,medium&status=Compliant,NonCompliant

query Parameters

primaryQueryId	string The primary ID that is used to fetch the report; for example, AWS Account ID or Azure Tenant ID. Note: For GCP, use the `secondaryQueryId` attribute to provide your GCP Project ID.
secondaryQueryId	string The secondary ID that is used to fetch the report; for example, GCP Project ID or Azure Subscription ID. Note: For AWS, this parameter is not required. Use the GCP Projects or Azure Subscriptions endpoints in the Configurations API to get the IDs to use. Be sure to provide only the ID as this parameter value, excluding the project or subscription alias. That is, use "81A2D8F9-F8B6-3A5D-B3C7-99680EF0B89F", not "81A2D8F9-F8B6-3A5D-B3C7-99680EF0B89F (Pay-As-You-Go)".
format	string Default: "pdf" Enum: "json" "pdf" "csv" "html" The report's format.
reportType required	string Enum: "AWS_CIS_14" "AZURE_CIS_1_5" "GCP_CIS13" The name of the report type in API format, for example, AZURE_NIST_CSF_CIS_1_5. See Compliance Frameworks for a list of available reports. Note: Use `reportName` to get the report by the report definition's name instead.
severity	string Enum: "critical" "high" "medium" "low" "info" Severities to filter the report on, e.g. `severity=critical,high,medium`.
status	string Enum: "Compliant" "NonCompliant" "Suppressed" "CouldNotAssess" "Manual" Statuses to filter the report on, e.g. `status=Compliant,NonCompliant`.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"reportType": "AWS CIS Benchmark and S3",
"reportTitle": "AWS CIS Benchmark and S3",
"recommendations": [{"ACCOUNT_ID": "24903813429804",
"ACCOUNT_ALIAS": "aws-account",
"START_TIME": 1648833313141,
"SUPPRESSIONS": ["suppressions"
],
"INFO_LINK": "https://info-link.net/info/link",
"ASSESSED_RESOURCE_COUNT": 627,
"STATUS": "NonCompliant",
"REC_ID": "LW_S3_1",
"CATEGORY": "S3",
"SERVICE": "aws:s3",
"TITLE": "Ensure the S3 bucket ACL does not grant 'Everyone' READ permission [list S3 objects]",
"VIOLATIONS": [{"reasons": ["ReadAccessGranted"
],
"resource": "arn:aws:s3:::eco-s3-acl-aws"
},
{"reasons": ["ReadAccessGranted"
],
"resource": "arn:aws:s3:::ecosystem-s3-acl-aws"
}
],
"RESOURCE_COUNT": 632,
"SEVERITY": 1
}
],
"summary": [{"NUM_RECOMMENDATIONS": 160,
"NUM_SEVERITY_2_NON_COMPLIANCE": 60,
"NUM_SEVERITY_4_NON_COMPLIANCE": 4,
"NUM_SEVERITY_1_NON_COMPLIANCE": 23,
"NUM_COMPLIANT": 35,
"NUM_SEVERITY_3_NON_COMPLIANCE": 18,
"ASSESSED_RESOURCE_COUNT": 88129,
"NUM_SUPPRESSED": 0,
"NUM_SEVERITY_5_NON_COMPLIANCE": 1,
"NUM_NOT_COMPLIANT": 106,
"VIOLATED_RESOURCE_COUNT": 15823,
"SUPPRESSED_RESOURCE_COUNT": 0
}
],
"accountId": "24903813429804",
"accountAlias": "aws-account",
"reportTime": "2022-04-01T17:15:13.141Z"
}
]
}

Resource Groups

Resource groups provide a way to categorize Lacework-identifiable assets.

Create Resource Group

Create a resource group by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ResourceGroups

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

resourceName required	string non-empty (?!^ +$)^.+$ The resource group's name.
resourceType required	string Default: "AWS" The resource type such as cloud accounts, containers, or machines. AWS
enabled	number Enum: 0 1 When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups.
required	object The new resource group's properties. The data varies based on the value of the `type` attribute.

Responses

Request samples

Payload

Content type

application/json

Example

AWS

{"resourceName": "string",
"resourceType": "AWS",
"enabled": 1,
"props": {"description": "string",
"accountIds": ["string"
]
}
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"guid": "LW_XYZ...",
"isDefault": 1,
"resourceGuid": "LWABC...",
"resourceName": "AWS Resource Group",
"resourceType": "AWS",
"enabled": 1,
"props": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
},
"isDefaultInteger": 1,
"propsJson": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
}
}
}

List All Resource Groups

Get a list of all resource groups for the account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ResourceGroups

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"guid": "LW_XYZ...",
"isDefault": "1",
"props": "{\"DESCRIPTION\":\"AWS Resource Group\",\"ACCOUNT_IDS\":[\"827398290830\"],\"UPDATED_BY\":abc@xyz.com,\"LAST_UPDATED\":1611257592628}",
"resourceGuid": "LWABC...",
"resourceName": "AWS Resource Group",
"resourceType": "AWS",
"enabled": 1,
"isDefaultInteger": 1,
"propsJson": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
}
},
{"guid": "LW_XYZ...",
"isDefault": "0",
"props": "{\"DESCRIPTION\":\"GCP Resource Group\",\"ORGANIZATION\":\"817397103268\",\"PROJECTS\":[\"gcpProject\"],\"UPDATED_BY\":abc@xyz.com,\"LAST_UPDATED\":1611257592628}",
"resourceGuid": "LWDEF...",
"resourceName": "GCP Resource Group",
"resourceType": "GCP",
"enabled": 0,
"isDefaultInteger": 0,
"propsJson": {"description": "GCP Resource Group",
"organization": "817397103268",
"projects": ["gcpProject"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592638"
}
}
]
}

Search Resource Groups

Search resource groups by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ResourceGroups/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"guid": "LW_XYZ...",
"isDefault": "1",
"props": "{\"DESCRIPTION\":\"AWS Resource Group\",\"ACCOUNT_IDS\":[\"827398290830\"],\"UPDATED_BY\":abc@xyz.com,\"LAST_UPDATED\":1611257592628}",
"resourceGuid": "LWABC...",
"resourceName": "AWS Resource Group",
"resourceType": "AWS",
"enabled": 1,
"isDefaultInteger": 1,
"propsJson": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
}
},
{"guid": "LW_XYZ...",
"isDefault": "0",
"props": "{\"DESCRIPTION\":\"GCP Resource Group\",\"ORGANIZATION\":\"817397103268\",\"PROJECTS\":[\"gcpProject\"],\"UPDATED_BY\":abc@xyz.com,\"LAST_UPDATED\":1611257592628}",
"resourceGuid": "LWDEF...",
"resourceName": "GCP Resource Group",
"resourceType": "GCP",
"enabled": 0,
"isDefaultInteger": 0,
"propsJson": {"description": "GCP Resource Group",
"organization": "817397103268",
"projects": ["gcpProject"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592638"
}
}
]
}

Resource Groups Details

Get details about a resource group by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}

path Parameters

resourceGuid

required

string

Resource Group ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"guid": "LW_XYZ...",
"isDefault": 1,
"resourceGuid": "LWABC...",
"resourceName": "AWS Resource Group",
"resourceType": "AWS",
"enabled": 1,
"props": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
},
"isDefaultInteger": 1,
"propsJson": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
}
}
}

Update Resource Groups

Update a resource group by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters

resourceGuid

required

string

Resource Group ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

resourceName	string non-empty (?!^ +$)^.+$ The resource group's name.
resourceType	string Default: "AWS" The resource type such as cloud accounts, containers, or machines. AWS
enabled	number Enum: 0 1 When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups.
	object The new resource group's properties. The data varies based on the value of the `type` attribute.

Responses

Request samples

Payload

Content type

application/json

Example

AWS

{"resourceName": "string",
"resourceType": "AWS",
"enabled": 1,
"props": {"description": "string",
"accountIds": ["string"
]
}
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"guid": "LW_XYZ...",
"isDefault": 1,
"resourceGuid": "LWABC...",
"resourceName": "AWS Resource Group",
"resourceType": "AWS",
"enabled": 1,
"props": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
},
"isDefaultInteger": 1,
"propsJson": {"description": "AWS Resource Group",
"accountIds": ["827398290830"
],
"updatedBy": "abc@xyz.com",
"lastUpdated": "1611257592628"
}
}
}

Delete Resource Groups

Delete a resource group by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}

path Parameters

resourceGuid

required

string

Resource Group ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Team Members (Deprecated)

Team members can be granted access to multiple Lacework accounts and have different roles for each account. Team members can also be granted organization-level roles. For more information, see Team Members.

Note: The TeamMembers API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

Create Team Members Deprecated

Create a team member in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/TeamMembers

Here is an example body payload:

{ "userName": "jane.smith@mycompany.com", "userEnabled": 1, "props": { "firstName": "Jane", "lastName": "Smith", "company": "myCompany", "accountAdmin": true } }

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

schemaOption	string Not required. With_Org-Access
required	object
orgAdmin	boolean Default: false When sending a request, set to `True` to make the team member an organization admin. Otherwise, set to `False`. When included in a response, returns the role assigned to the team member. Note: If the team member is currently an organization admin, Lacework ignores the `adminRoleAccounts` and `userRoleAccounts` attributes.
orgUser	boolean Default: false When sending a request, set to `True` to make the new member an organization user. Otherwise, set to `False` When included in a response, returns the role assigned to the new member. Note: If the team member is currently an organization user, Lacework will ignore the `userRoleAccounts` attribute.
adminRoleAccounts required	Array of strings A list of account names for which this team member will be an admin.
userRoleAccounts required	Array of strings A list of account names for which this team member will be a user.
userEnabled required	integer Enum: 1 0
userName required	string user email address

Responses

Request samples

Payload

Content type

application/json

Example

With_Org-Access

{"schemaOption": "With_Org-Access",
"props": {"firstName": "string",
"lastName": "string",
"company": "string",
"accountAdmin": false
},
"orgAdmin": false,
"orgUser": false,
"adminRoleAccounts": ["string"
],
"userRoleAccounts": ["string"
],
"userEnabled": 1,
"userName": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

Example

With Org-Access

{"data": {"userName": "user1@example.com",
"orgAccount": true,
"url": "url",
"orgAdmin": false,
"orgUser": false,
"accounts": [{"admin": "true",
"custGuid": "CUST_GUID",
"userGuid": "USER1_GUID",
"userEnabled": 1
}
]
}
}

List All Team Members Deprecated

Get a list of team members in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/TeamMembers

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"props": {"firstName": "User1",
"lastName": "Test",
"accountAdmin": true
},
"userGuid": "USER1_GUID",
"custGuid": "CUST_GUID",
"userEnabled": 1,
"userName": "user1@example.com"
},
{"props": {"firstName": "User2",
"lastName": "Test",
"accountAdmin": true
},
"userGuid": "USER2_GUID",
"custGuid": "CUST_GUID",
"userEnabled": 1,
"userName": "user2@example.com"
}
]
}

Search Team Members Deprecated

Search all team members in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/TeamMembers/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

You can filter on the following fields:

custGuid
userGuid
userName
userEnabled

Here is an example body payload:

{ "filters" : [ { "expression": "eq", "field": "userName", "value": "jane.smith@mycompany.com" } ] }

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"props": {"firstName": "User1",
"lastName": "Test",
"accountAdmin": true
},
"userGuid": "USER1_GUID",
"custGuid": "CUST_GUID",
"userEnabled": 1,
"userName": "user1@example.com"
},
{"props": {"firstName": "User2",
"lastName": "Test",
"accountAdmin": true
},
"userGuid": "USER2_GUID",
"custGuid": "CUST_GUID",
"userEnabled": 1,
"userName": "user2@example.com"
}
]
}

Team Member Details Deprecated

Get details about a team member by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}

Replace {userGuid} with the userGuid value returned for a team member in the response when invoking the following endpoint: GET /api/v2/TeamMembers

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

path Parameters

userGuid

required

string

User Guid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

With Org-Access

{"data": {"userName": "user1@example.com",
"orgAccount": true,
"url": "url",
"orgAdmin": false,
"orgUser": false,
"accounts": [{"admin": "true",
"custGuid": "CUST_GUID",
"userGuid": "USER1_GUID",
"userEnabled": 1
}
]
}
}

Update Team Member Deprecated

Optionally update the userName anduserEnabled settings and the props sub-settings of the passed in team member. Update these settings by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}

Replace {userGuid} with the userGuid value returned for a team member in the response, when invoking the following endpoint: GET /api/v2/TeamMembers.

Here is an example body payload:

{ "props": {"firstName":"Jane"} }

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

path Parameters

userGuid

required

string

User Guid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Request Body schema: application/json

schemaOption	string Not required. With_Org-Access
	object
orgAdmin	boolean Default: false When sending a request, set to `True` to make the team member an organization admin. Otherwise, set to `False`. When included in a response, returns the role assigned to the team member. Note: If the team member is currently an organization admin, Lacework ignores the `adminRoleAccounts` and `userRoleAccounts` attributes.
orgUser	boolean Default: false When sending a request, set to `True` to make the new member an organization user. Otherwise, set to `False` When included in a response, returns the role assigned to the new member. Note: If the team member is currently an organization user, Lacework will ignore the `userRoleAccounts` attribute.
adminRoleAccounts	Array of strings A list of account names for which this team member will be an admin.
userRoleAccounts	Array of strings A list of account names for which this team member will be a user.
userEnabled	integer Enum: 1 0

Responses

Request samples

Payload

Content type

application/json

Example

With_Org-Access

{"schemaOption": "With_Org-Access",
"props": {"firstName": "string",
"lastName": "string",
"company": "string",
"accountAdmin": false
},
"orgAdmin": false,
"orgUser": false,
"adminRoleAccounts": ["string"
],
"userRoleAccounts": ["string"
],
"userEnabled": 1
}

Response samples

200
4XX
5XX

Content type

application/json

Example

With Org-Access

{"data": {"userName": "user1@example.com",
"orgAccount": true,
"url": "url",
"orgAdmin": false,
"orgUser": false,
"accounts": [{"admin": "true",
"custGuid": "CUST_GUID",
"userGuid": "USER1_GUID",
"userEnabled": 1
}
]
}
}

Delete Team Member Deprecated

Delete a team member by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}

Replace {userGuid} with the userGuid value returned for a team member in the response when invoking the following endpoint: GET /api/v2/TeamMembers

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

path Parameters

userGuid

required

string

User Guid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Team Users

Role-based access control (RBAC) gives you control over user access to resources based on a defined role at an account level.

The Team Users API works with the new Lacework role-based access control (RBAC) model. After you enable RBAC in the Lacework Console, the Team Users API is available and the legacy Team Members API (deprecated) is disabled. For more information on the legacy API, see the Team Members APIs.

The Team Users API works with users and groups at the account level only; organization-level users are not supported. For information on working with account level users in the Lacework Console, see Access Control at Account Level.

The Lacework RBAC model defines two types of users: standard users and service users. Standard user accounts are typically associated with specific people in your organization, while service users are often shared among people and typically represent a service, client, or other type of programmatic Lacework integration.

See Access Control Overview for details on users and groups in Lacework.

Create Team Users

Create a standard or service user in a Lacework account using the following endpoint:

POST /api/v2/TeamUsers

In the request body, specify the type of user to create, a standard user or service user, as well as properties of the user.

Here is an example body payload for a standard user:

{"type": "StandardUser", "name": "name_one", "company": "company_name", "email": "test_email", "userEnabled": 1}

Here is an example body payload for a service user:

{"type": "ServiceUser", "name": "name_one", "description": "service_user_description", "userEnabled": 1}

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

type required	string The user type. This type cannot be changed after the user is created. StandardUser
name required	string A name for the standard user.
userEnabled	number Default: 1 Enum: 0 1 When sending a request, use this attribute to enable or disable a team user's access. When included in a response, returns `1` for enabled team users, or returns `0` for disabled team users. NOTE: This will eventually change to being `true`/`false`.
company required	string The name of the business or organization associated with the user.
email required	string The user's email address.

Responses

Request samples

Payload

Content type

application/json

Example

StandardUser

{"type": "StandardUser",
"name": "string",
"userEnabled": 0,
"company": "string",
"email": "string"
}

Response samples

201
4XX
5XX

Content type

application/json

Example

StandardUser

{"data": {"name": "Support",
"company": "LW",
"email": "user@example.com",
"userGuid": "LWXYZ...",
"userEnabled": 1,
"type": "StandardUser",
"userGroups": [{"userGroupGuid": "BCFKL_1233245",
"userGroupName": "User group name"
}
],
"lastLoginTime": 1234567891011,
"orgAccess": "NO_ORG_ACCESS"
}
}

List All Team Users

Get a list of all users in a Lacework account, including both standard and service users, by invoking the following endpoint:

GET /api/v2/TeamUsers

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"name": "Support 1",
"company": "LW",
"email": "user1@example.com",
"userGuid": "LWXYZ...",
"userEnabled": 1,
"type": "StandardUser",
"userGroups": [{"userGroupGuid": "FLKDJF_23423",
"userGroupName": "Admin"
}
],
"lastLoginTime": 1234567891011,
"orgAccess": "NO_ORG_ACCESS"
},
{"name": "Support 2",
"description": "Some description",
"userGuid": "LWXYZ...",
"userEnabled": 1,
"serviceUserId": "dsfldsfask3dj334j",
"apiKeys": [{"createdDate": "Feb 03 2023 01:57",
"keyId": "KSJKJD_DK333...",
"createdUser": "Support User",
"status": "Active"
}
],
"userGroups": [{"userGroupGuid": "ABC_12345",
"userGroupName": "User group name"
}
],
"type": "ServiceUser",
"lastLoginTime": 1234567891011,
"orgAccess": "NO_ORG_ACCESS"
}
]
}

Team Users Details

Get details about a user in a Lacework Account by invoking the following endpoint:

GET /api/v2/TeamUsers/{userGuid}

Replace {userGuid} with the userGuid value of the standard or service user whose details you want to retrieve. You can get the userGuid for a user in the response to the "List All Team Users" endpoint.

path Parameters

id

required

string

User Guid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

StandardUser

{"data": {"name": "Support",
"company": "LW",
"email": "user@example.com",
"userGuid": "LWXYZ...",
"userEnabled": 1,
"type": "StandardUser",
"userGroups": [{"userGroupGuid": "BCFKL_1233245",
"userGroupName": "User group name"
}
],
"lastLoginTime": 1234567891011,
"orgAccess": "NO_ORG_ACCESS"
}
}

Update Team Users

Update an existing standard or service user by providing new values for the user properties to update using the following endpoint:

PATCH /api/v2/TeamUsers/{userGuid}

Replace {userGuid} with the userGuid value of the user you want to update. You can get the userGuid for a user in the response to the "List All Team Users" endpoint.

Here is an example body payload for a standard user:

{"name": "new_name", "userEnabled": 0}

Here is an example body payload for a service user:

{"name": "new_name", "userEnabled": 0, "description": "new_description"}

path Parameters

id

required

string

User Guid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

type	string The user type. This type cannot be changed after the user is created. StandardUser
name	string A name for the standard user.
userEnabled	number Default: 1 Enum: 0 1 When sending a request, use this attribute to enable or disable a team user's access. When included in a response, returns `1` for enabled team users, or returns `0` for disabled team users. NOTE: This will eventually change to being `true`/`false`.

Responses

Request samples

Payload

Content type

application/json

Example

StandardUser

{"type": "StandardUser",
"name": "string",
"userEnabled": 0
}

Response samples

200
4XX
5XX

Content type

application/json

Example

StandardUser

{"data": {"name": "Support",
"company": "LW",
"email": "user@example.com",
"userGuid": "LWXYZ...",
"userEnabled": 1,
"type": "StandardUser",
"userGroups": [{"userGroupGuid": "BCFKL_1233245",
"userGroupName": "User group name"
}
],
"lastLoginTime": 1234567891011,
"orgAccess": "NO_ORG_ACCESS"
}
}

Delete Team Users

Delete a service or standard user to remove access for the user to the Lacework Console and Lacework APIs. Delete a user account using the following endpoint:

DELETE /api/v2/TeamUsers/{userGuid}

Replace {userGuid} with the userGuid value of the standard or service user whose details you want to retrieve. You can get the userGuid for a user in the response to the "List All Team Users" endpoint.

path Parameters

id

required

string

User Guid

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Template Files

Template Files are equivalent to CloudFormation template files.

AWS Config

For the file parameter, specify AwsConfig to download an AWS Config CloudFormation template for configuring an AWS Config integration to analyze AWS configuration compliance.

AWS Cloud Trail

For the file parameter, specify AwsCloudTrail to download an AWS CloudTrail CloudFormation template for configuring an AWS CloudTrail integration to monitor cloud account security.

AWS EKS Audit Logs

For the file parameter, specify AwsEksAudit to download an AWS EKS Audit Log template for configuring resources to allow monitoring of Kubernetes runtime security using audit logs on EKS (Step 1).

For the file parameter, specify AwsEksAuditSubscriptionFilter to download an AWS EKS Audit Log template for configuring an EKS cluster log group to monitor EKS runtime security. Optionally pass in intgGuid as a query parameter. This allows the intgGuid to get the SNS ARN, create the firehose ARN, and insert that into the template before returning it. This means you don't have to find the firehoseARN and insert it manually. Obtain the integration's intgGuid by using the GET https://YourLacework.lacework.net/api/v2/CloudAccounts endpoint (Step 2).

After downloading the template, you must upload and run the template file in the AWS Console. For information about setting up AWS CloudTrail and AWS Config integrations, see AWS Integration Using CloudFormation. For information on EKS Audit Log integration, see EKS Audit Log Integration. You must also create the integration in the Lacework Console.

Download Template File

Download the CloudFormation template from the Lacework Console for a specific template file name by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/{templateFileName}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsConfig

Here is another example invocation:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsCloudTrail

Optionally pass in intgGuid as a query parameter for the AwsEksAuditSubscriptionFilter template file name. Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsEksAuditSubscriptionFilter?intgGuid=ROIJ898329....

path Parameters

templateFileName

required

string

Enum: "AwsCloudTrail" "AwsConfig"

The template's filename to download.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/octet-stream

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

User Groups

A user group associates Lacework service and standard users with specific permissions in Lacework. See Team Users for information about service and standard users.

Add Users to User Groups

Add one or more users to an existing user group using the following endpoint:

POST /api/v2/UserGroups/{userGroupGuid}/addUsers

Replace {userGroupGuid} with the userGroupGuid value of the user group you want to add users to. You can get the userGroupGuid for a user group from the User Groups section under Settings in the Lacework platform.

In the request body, specify the users to add to the group as an array of user IDs.

Here is an example body payload:

{"userGuids": ["some_user_id"]}

See Add Standard Users to a User Group for more information.

path Parameters

userGroupGuid

required

string

User Group ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

userGuids

required

Array of strings[ items non-empty ]

Responses

Request samples

Payload

Content type

application/json

{"userGuids": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"userGuids": ["fskdjfsdk..."
],
"userGroupGuid": "group43p2fspfos..."
}
}

Remove Users from User Groups

Remove one or more users from a user group using the following endpoint:

POST /api/v2/UserGroups/{userGroupGuid}/removeUsers.

Replace {userGroupGuid} with the userGroupGuid value of the user group you details to remove users from. You can get the userGroupGuid for a user group from the User Groups section under Settings in the Lacework platform.

In the request body, specify the users to remove from the group as an array of user IDs.

Here is an example body payload:

{"userGuids": ["some_user_id"]}

path Parameters

userGroupGuid

required

string

User Group ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

userGuids

required

Array of strings[ items non-empty ]

Responses

Request samples

Payload

Content type

application/json

{"userGuids": ["string"
]
}

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

User Profiles

An organization can contain multiple accounts so you can also manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. For more information, see Organization Overview.

List Sub-accounts

List all sub-accounts that are managed by the YourLacework account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/UserProfile

For example, if you specify the IT20.MyCompany organization account in YourLacework, this lists all sub-accounts of the IT20 account.

Here is an example invocation:

GET https://IT20.MyCompany.lacework.net/api/v2/UserProfile

The response reports details about organization accounts and non-organization accounts in addition to authorization and privilege details.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json
Org-Access	boolean Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access.
Account-Name	string Use this attribute to specify which sub-account to access.

Responses

Response samples

200
4XX
5XX

Content type

application/json

[{"username": "user@example.com",
"orgAccount": true,
"url": "url",
"orgAdmin": true,
"orgUser": false,
"accounts": [{"admin": true,
"accountName": "accountName1",
"custGuid": "custGuid1",
"userGuid": "userGuid1",
"userEnabled": 1
},
{"admin": true,
"accountName": "accountName2",
"custGuid": "custGuid2",
"userGuid": "userGuid2",
"userEnabled": 1
}
]
}
]

Vulnerabilities

Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image before the container image is deployed. Lacework also supports scanning of non-OS packages for programming languages (Java, Ruby, PHP, GO, NPM, .NET, Python).

Search Container Vulnerabilities

Search the scan (assessment), including the risk score and scan status, the vulnerabilities found in the scan, and statistics for those vulnerabilities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter returned vulnerabilities by severity, vulnerability ID, machine ID, and more. For more information, see CONTAINER_VULN_DETAILS_V View.

The rlike and not_rlike operators are useful for filtering results. For example, the following expression limits results to those that have python in their featureKey name field:

"filters": [ { "expression": "rlike", "field": "featureKey.name", "value": ".*python.*" } ]

Here are additional example body payloads:

Here are some additional example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "vulnId", "expression": "eq", "value": "CVE-2018-7169" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalCtx.image_info.digest", "expression": "eq", "value": "sha256:2e05f1f668367c1fc0f1c9c02ee87521ed66541e6ebf0a31905b8cdd78d22611" }, { "field": "severity", "expression": "eq", "value": "Medium" } ],
"returns": [ "imageId", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey" ] }

To search for container vulnerabilities of only active containers, first use the "Search Containers" endpoint to get a list of active containers. Then call "Search Container Vulnerabilities" and pass the image IDs from the "Search Containers" results as a filter with the in filter type.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 11668,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/AbcdEfgh123..."
}
},
"data": [{"cveProps": {"description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
"link": "https://security-tracker.debian.org/tracker/CVE-2022-37434",
"metadata": {"NVD": {"CVSSv2": {"PublishedDateTime": "",
"Score": 0,
"Vectors": ""
},
"CVSSv3": {"ExploitabilityScore": 3.9,
"ImpactScore": 5.9,
"Score": 9.8,
"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
},
"RBS": {"CVSSv2": {"PublishedDateTime": "2022-09-01T08:37:46Z",
"Score": 9.3,
"Vectors": "AV:N/AC:M/Au:N/C:C/I:C/A:C"
},
"CVSSv3": {"ExploitabilityScore": 3.9,
"ImpactScore": 5.9,
"Score": 9.8,
"Vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"classifications": [{"id": 46,
"name": "location_context"
},
{"id": 12,
"name": "attack_type_input_manip"
},
{"id": 63,
"name": "exploit_poc_public"
},
{"id": 41,
"name": "disclosure_verified"
},
{"id": 43,
"name": "disclosure_coordinated_disclosure"
},
{"id": 18,
"name": "impact_integrity"
},
{"id": 38,
"name": "solution_upgrade"
}
],
"cwe_id": {"CVE-2022-37434": "CWE-787",
"CVE-2023-21100": "CWE-787"
},
"disclosure_date": "2022-07-31T00:00:00Z",
"exploit_publish_date": ""
}
},
"source": "lacework"
},
"evalCtx": {"collector_type": "Inline scanner",
"cve_batch_info": [{"cve_created_time": "2024-01-25 17:16:03.206000000"
}
],
"image_info": {"created_time": 1659431892285,
"digest": "sha256:9ceb24f8c5f15c053d973a3610866f473690875dc13eb3282b45302189321040",
"id": "sha256:e09e90144645e02137d087f0dc059f4d2e3c6356ef8f9e40eeb15d1c901dbc73",
"registry": "",
"repo": "index.docker.io/library/postgres",
"scan_created_time": 1677354474,
"size": 376111959,
"status": "Success",
"tags": ["14.4"
],
"type": "Docker"
},
"integration_props": { },
"is_reeval": true,
"request_source": "INLINE_SCANNER",
"scan_batch_id": "63c97ddc-5f6b-4d7c-a133-8a3f26e48a32-1677354530988238402",
"scan_request_props": {"data_format_version": "1.0",
"environment": {"docker_version": {"error_message": "",
"version": {"Client": {"ApiVersion": "1.41",
"Arch": "amd64",
"BuildTime": "Thu Mar 24 01:48:21 2022",
"Context": "default",
"DefaultAPIVersion": "1.41",
"Experimental": true,
"GitCommit": "a224086",
"GoVersion": "go1.16.15",
"Os": "linux",
"Platform": {"Name": "Docker Engine - Community"
},
"Version": "20.10.14"
},
"Server": {"ApiVersion": "1.41",
"Arch": "amd64",
"BuildTime": "2022-05-12T09:15:28.000000000+00:00",
"Components": [{"Details": {"ApiVersion": "1.41",
"Arch": "amd64",
"BuildTime": "Thu May 12 09:15:28 2022",
"Experimental": "false",
"GitCommit": "f756502",
"GoVersion": "go1.17.10",
"KernelVersion": "5.13.0-1025-aws",
"MinAPIVersion": "1.12",
"Os": "linux"
},
"Name": "Engine",
"Version": "20.10.16"
},
{"Details": {"GitCommit": "212e8b6fa2f44b9c21b2798135fc6fb7c53efc16"
},
"Name": "containerd",
"Version": "1.6.4"
},
{"Details": {"GitCommit": "v1.1.1-0-g52de29d"
},
"Name": "runc",
"Version": "1.1.1"
},
{"Details": {"GitCommit": "de40ad0"
},
"Name": "docker-init",
"Version": "0.19.0"
}
],
"GitCommit": "f756502",
"GoVersion": "go1.17.10",
"KernelVersion": "5.13.0-1025-aws",
"MinAPIVersion": "1.12",
"Os": "linux",
"Platform": {"Name": "Docker Engine - Community"
},
"Version": "20.10.16"
}
}
},
"tags": {"build_id": "dev_build",
"build_plan": "dev_machine",
"ci_build": "false",
"hostname": "7e43af97c865",
"source": "local_image",
"user": "root"
}
},
"props": {"data_format_version": "1.0",
"scanner_version": "0.2.14"
},
"scan_start_time": 1677354474,
"scanner_version": "0.2.14"
},
"vuln_batch_id": "97D1C8F55B9F4CFF94D26D5D0FE6AFB8",
"vuln_created_time": "2024-01-25 17:16:03.206000000"
},
"evalGuid": "8692019f5885b6f400d09e5b2f314779",
"featureKey": {"name": "zlib",
"namespace": "debian:11",
"version": "1:1.2.11.dfsg-2+deb11u1"
},
"featureProps": {"feed": "lacework",
"introduced_in": "ADD file:0eae0dca665c7044bf242cb1fc92cb8ea744f5af2dd376a558c90bc47349aefe in /",
"layer": "sha256:92b250c0387d3b0ffc7ebb94ab2e5f87450799c8e612551185ae2b2cc941e39f",
"src": "var/lib/dpkg/status",
"version_format": "dpkg"
},
"packageStatus": "NO_AGENT_AVAILABLE",
"fixInfo": {"fix_available": 1,
"fixed_version": "1:1.2.11.dfsg-2+deb11u2"
},
"imageId": "sha256:e09e90144645e02137d087f0dc059f4d2e3c6356ef8f9e40eeb15d1c901dbc73",
"riskInfo": {"factors": ["cve",
"reachability",
"activeExploits",
"knownExploits"
],
"factors_breakdown": {"active_containers": 1,
"cve_counts": {"Critical": 9,
"High": 37,
"Medium": 34,
"Other": 53
},
"exploit_summary": {"disclosure_in_wild": "No",
"exploit_public": "Yes",
"exploit_virus_malware": "No",
"exploit_wormified": "No"
},
"internet_reachability": "Direct"
}
},
"riskScore": 10,
"cveRiskScore": 9.8,
"cveRiskInfo": {"cve": {"HOST_COUNT": 83,
"IMAGE_COUNT": 2923,
"PKG_COUNT": 3,
"SEVERITY_LEVEL": 4.9,
"score": 0.8628278617091608
}
},
"imageRiskInfo": {"factors": ["cve",
"reachability",
"activeExploits",
"knownExploits"
],
"factors_breakdown": {"active_containers": 1,
"cve_counts": {"Critical": 9,
"High": 37,
"Medium": 34,
"Other": 53
},
"exploit_summary": {"disclosure_in_wild": "No",
"exploit_public": "Yes",
"exploit_virus_malware": "No",
"exploit_wormified": "No"
},
"internet_reachability": "Direct"
}
},
"imageRiskScore": 10,
"severity": "Critical",
"startTime": "2024-01-25T18:21:38.458Z",
"status": "VULNERABLE",
"vulnId": "CVE-2022-37434"
}
]
}

Scan Container Vulnerabilities

Request that Lacework scans (evaluates) for vulnerabilities in the specified container image. Specify the container image by passing in a tag, repository, and registry in the body parameter. You must specify a container image and repository located in a registry domain that has already been integrated with Lacework.

For registries that are integrated using the Lacework generic Docker V2 Registry type, vulnerability scans can be started only by calling this API operation.

For registries that are integrated using any Lacework registry type except "Docker V2 Registry", vulnerability scans start when the container registry is initially integrated, when specified by the default scan schedule, or when this operation is called.

For more information, see https://docs.lacework.com/container-vulnerability-assessment-overview.

For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

Usage Example:

curl -X POST -H 'Content-Type: application/json' -d '{ "registry": "index.docker.io", "repository": "yourDockerOrg/yourRepository", "tag": "yourTag" }' "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan" -H "Authorization: Bearer YourAPIToken"

In the JSON body, do not prefix the registry or the repository with the http:// string.

This operation returns a unique requestId in the response that you can use to track the status of this scan/assessment.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

registry required	string The container registry to be assessed.
repository required	string The repository within the container registry to be assessed.
tag required	string The identifier tag as `key:value` pairs.

Responses

Request samples

Payload

Content type

application/json

{"registry": "index.docker.io",
"repository": "yourDockerOrg/yourRepository",
"tag": "yourTag"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"requestId": "abcdef124...",
"status": "scanning"
}
}

Track Container Scan Status

Track the progress and return data about an on-demand vulnerability scan that was started by calling the POST /api/v2/Vulnerabilities/Containers/scan operation. You must pass in the unique request id returned in the response of the POST Vulnerabilities/Containers/scan operation. For example,

GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan/abcdefgh-123...

When completed, the scan operation returns an evalGuid, which you can use to get the results of the scan by passing it to the "Search Container Vulnerabilities" endpoint:

POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search

Pass the evalGuid in the request body, for example:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }

path Parameters

requestId

required

string

Assessment Request ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

Example

Completed

{"data": {"status": "completed",
"evalGuid": "1234567a89012b34567890123cd56e78"
}
}

Search Host Vulnerabilities

Search the scan (assessment), including the risk score and scan status, vulnerabilities found in the scan, and statistics about those vulnerabilities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

Optionally filter the returned vulnerabilities by severity, vulnerability ID, machine ID, and more. For more information, see HOST_VULN_DETAILS_V View.

The rlike and not_rlike operators are useful for filtering results. For example, the following expression limits results to those that have python in their featureKey name field:

"filters": [ { "expression": "rlike", "field": "featureKey.name", "value": ".*python.*" } ]

Here are some additional example body payloads:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "vulnId", "expression": "eq", "value": "CVE-2018-7169" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }
{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "machineTags.AmiId", "expression": "eq", "value": "ami-0d9ef0d809e365a36" }, { "field": "severity", "expression": "eq", "value": "Medium" } ],
"returns": [ "mid", "props", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey", "machineTags" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—mus be enclosed in escaped double quotes. For example, the field name aws:ec2launchtemplate:version nested under the machineTags field would be rendered as follows:

"machineTags.\"aws:ec2launchtemplate:version\""

In a filter, the example would appear as follows:

{ "field": "machineTags.\"aws:ec2launchtemplate:version\"", "expression": "eq", "value": "3" }

In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:

"machineTags.\"kubernetes.io\/cluster\/prod1\""

To search for host vulnerabilities of only online machines, first use the "Search Machines" endpoint to get a list of online machines. Then call "Search Host Vulnerabilities", passing the machine IDs from the "Search Machines" results as a filter with the in filter type.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	object The date/time range during which actions occurred.
	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"timeFilter": {"startTime": "string",
"endTime": "string"
},
"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"paging": {"rows": 5000,
"totalRows": 209082,
"urls": {"nextPage": "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/AbcdEfgh123..."
}
},
"data": [{"cveProps": {"description": "In all versions of AppArmor mount rules are accidentally widened when compiled.",
"link": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585",
"metadata": {"NVD": {"CVSSv2": {"PublishedDateTime": "2019-04-22 16:29:01.303 +0000 UTC",
"Score": 7.5,
"Vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"CVSSv3": {"ExploitabilityScore": 3.9,
"ImpactScore": 5.9,
"Score": 9.8,
"Vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
},
"RBS": {"CVSSv2": {"PublishedDateTime": "2017-11-10T14:07:52Z",
"Score": 2.1,
"Vectors": "AV:L/AC:L/Au:N/C:N/I:P/A:N"
},
"CVSSv3": {"ExploitabilityScore": 0,
"ImpactScore": 0,
"Score": 0,
"Vectors": ""
},
"classifications": [{"id": 51,
"name": "vuln_security_software"
},
{"id": 4,
"name": "location_local"
},
{"id": 47,
"name": "vuln_authentication_required"
},
{"id": 15,
"name": "attack_type_other"
},
{"id": 18,
"name": "impact_integrity"
},
{"id": 45,
"name": "solution_unknown"
},
{"id": 21,
"name": "exploit_public"
},
{"id": 65,
"name": "disclosure_no_vendor_action"
}
],
"cwe_id": {"CVE-2016-1585": "CWE-254"
},
"disclosure_date": "2016-06-28T00:00:00Z",
"exploit_publish_date": "2016-08-25T00:00:00Z"
}
}
},
"endTime": "2024-01-25T23:00:00.000Z",
"evalCtx": {"collector_type": "Agentless",
"exception_props": [ ],
"hostname": "my-server-hostname"
},
"evalGuid": "309b8aadab8e604149a8dc9d64e3570d",
"featureKey": {"name": "apparmor",
"namespace": "ubuntu:20.04",
"package_active": -2,
"package_path": "var/lib/dpkg/status",
"version_installed": "2.13.3-7ubuntu5.3"
},
"packageStatus": "NO_AGENT_AVAILABLE",
"fixInfo": {"fix_available": "0",
"fixed_version": ""
},
"machineTags": {"Account": "991966387703",
"AmiId": "ami-0fa9f275b96db659b",
"ExternalIp": "0.0.0.0",
"Hostname": "my-server-hostname",
"InstanceId": "i-0e98011aba11a1234",
"InternalIp": "10.0.0.10",
"LaunchTime": "2024-01-24T20:47:45Z",
"MachineGuid": "4C57018B-EA72-5898-B0AA-3B1DEC19BBFD",
"Name": "cloud-activity",
"State": "running",
"VmInstanceType": "t2.medium",
"VmProvider": "AWS",
"VpcId": "vpc-01abc1111fb8f08ef",
"Zone": "us-east-2a",
"lw_InternetExposure": "Yes",
"lw_InternetExposureLastUpdated": "1706162400000"
},
"mid": 7112040530067849000,
"props": {"caa_enabled": 0,
"first_time_seen": "2024-01-24T22:00:00.000Z",
"isDailyJob": 1,
"kernel_status": "n/a",
"last_updated_time": "2024-01-25T22:00:00.000Z",
"os_out_of_date": false,
"os_type": "Linux",
"package_status": "N/A",
"reboot_required": false,
"updates_disabled": false
},
"region": "us-east-2",
"riskInfo": {"factors": ["cve",
"reachability",
"activeExploits",
"knownExploits",
"packageStatus"
],
"factors_breakdown": {"cve_counts_by_package_status": {"Active": {"Critical": 0,
"High": 0,
"Medium": 0,
"Other": 0
},
"Inactive": {"Critical": 0,
"High": 0,
"Medium": 0,
"Other": 0
},
"Other": {"Critical": 0,
"High": 7,
"Medium": 80,
"Other": 66
},
"Overall": {"Critical": 0,
"High": 7,
"Info": 13,
"Low": 53,
"Medium": 80
}
},
"exploit_summary": {"disclosure_in_wild": "No",
"exploit_public": "Yes",
"exploit_virus_malware": "No",
"exploit_wormified": "No"
},
"internet_reachability": "Direct"
}
},
"riskScore": 9.74,
"cveRiskScore": 9.8,
"cveRiskInfo": {"cve": {"HOST_COUNT": 1536,
"IMAGE_COUNT": 2032,
"PKG_COUNT": 1,
"SEVERITY_LEVEL": 4.9,
"score": 0.8330736355062025
}
},
"hostRiskInfo": {"factors": ["cve",
"reachability",
"activeExploits",
"knownExploits",
"packageStatus"
],
"factors_breakdown": {"cve_counts_by_package_status": {"Active": {"Critical": 0,
"High": 0,
"Medium": 0,
"Other": 0
},
"Inactive": {"Critical": 0,
"High": 0,
"Medium": 0,
"Other": 0
},
"Other": {"Critical": 0,
"High": 7,
"Medium": 80,
"Other": 66
},
"Overall": {"Critical": 0,
"High": 7,
"Info": 13,
"Low": 53,
"Medium": 80
}
},
"exploit_summary": {"disclosure_in_wild": "No",
"exploit_public": "Yes",
"exploit_virus_malware": "No",
"exploit_wormified": "No"
},
"internet_reachability": "Direct"
}
},
"hostRiskScore": 9.74,
"severity": "Medium",
"startTime": "2024-01-25T22:00:00.000Z",
"status": "Active",
"vulnId": "CVE-2016-1585"
}
]
}

Scan Software Packages

Request an on-demand vulnerability assessment of your software packages to determine if the packages contain any common vulnerabilities and exposures. The response for detected CVEs includes CVE details. Only packages managed by a package manager for supported operating systems are reported.

Use the body parameter to specify the list of packages to scan for. In the package list, separate each package entry with a comma. Here is the list of supported OS types with some osVer examples:

{ "os": "alpine", "osVer": "v3.1" ... }
{ "os": "amzn", "osVer": "2" ... }
{ "os": "amzn", "osVer": "2018.03" ... }
{ "os": "centos", "osVer": "5" ... }
{ "os": "debian", "osVer": "unstable" ... }
{ "os": "debian", "osVer": "11" ... }
{ "os": "oracle", "osVer": "8" ... }
{ "os": "rhel", "osVer": "8" ... }
{ "os": "ubuntu", "osVer": "19.10" ... }

For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

Usage Example:

curl -X POST -H 'Content-Type: application/json' -d '{ "osPkgInfoList": [ { "os":"Ubuntu", "osVer":"18.04", "pkg": "openssl","pkgVer": "1.1.1-1ubuntu2.1~18.04.5" } ] }' "https://YourLacework.lacework.net/api/v2/Vulnerabilities/SoftwarePackages/scan" -H "Authorization: Bearer YourAPIToken"

Note: Calls to this operation are rate limited to 10 calls per hour, per access key. If this rate limit is exceeded, an exception is thrown. Also, note that this operation is limited to 1k of packages per payload. If you require a payload larger than 1k, you must make multiple requests. For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

required

Array of objects non-empty [ items ]

A list of supported OS types.

Array (non-empty)

os	string The OS type.
osVer	string The OS version.
pkg	string The package name.
pkgVer	string The version of the package.

Responses

Request samples

Payload

Content type

application/json

{"osPkgInfoList": [{"os": "Ubuntu",
"osVer": "18.04",
"pkg": "openssl",
"pkgVer": "1.1.1-1ubuntu2.1~18.04.5"
}
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"osPkgInfo": {"namespace": "ubuntu:18.04",
"os": "Ubuntu",
"osVer": "18.04",
"pkg": "openssl",
"pkgVer": "1.1.1-1ubuntu2.1~18.04.5",
"versionFormat": "dpkg"
},
"vulnId": "CVE-2017-3731",
"severity": "Medium",
"featureKey": {"name": "openssl",
"namespace": "ubuntu:18.04"
},
"cveProps": {"cveBatchId": "087956A88D8B89A79D0DC1F2E5E8269C",
"description": "If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.",
"link": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-3731",
"metadata": {"nvd": {"cvssv2": {"publisheddatetime": "2017-05-04T19:29Z",
"score": 5,
"vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
},
"cvssv3": {"exploitabilityscore": 3.9,
"impactscore": 3.6,
"score": 7.5,
"vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
}
}
},
"fixInfo": {"fixAvailable": "1",
"fixedVersion": "0:1.0.2g-1ubuntu11"
},
"summary": {"evalCreatedTime": "2021-09-16 18:41:04.161 -0700",
"evalStatus": "MATCH_VULN",
"numFixableVuln": 10,
"numFixableVulnBySeverity": {"1": 0,
"2": 3,
"3": 5,
"4": 2,
"5": 0
},
"numTotal": 70,
"numVuln": 10,
"numVulnBySeverity": {"1": 0,
"2": 3,
"3": 5,
"4": 2,
"5": 0
}
},
"props": {"evalAlgo": "1001"
}
}
]
}

Vulnerability Exceptions

Lacework provides the ability to create exceptions for certain vulnerable resources and criteria. For example, a certain CVE for a certain package or all packages can be excepted until a set expiry time.

Create Vulnerability Exceptions

Create a vulnerability exception by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

exceptionName required	string non-empty (?!^ +$)^.+$ Name of the exception.
exceptionReason required	string Enum: "False Positive" "Accepted Risk" "Compensating Controls" "Fix Pending" "Other" Reason for creating an exception
	object The set of resources this exception can apply to. The data varies based on the value of the `exceptionType` attribute.
required	object When sending a request, use this object to define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected.
expiryTime	string The exception's expiration date and time.
state	number Value: 1 State
required	object The vulnerability exception's properties.
exceptionType required	string Exception Type Container

Responses

Request samples

Payload

Content type

application/json

Example

Container

{"exceptionName": "string",
"exceptionReason": "False Positive",
"resourceScope": {"imageId": ["string"
],
"imageTag": ["string"
],
"registry": ["string"
],
"repository": ["string"
],
"namespace": ["string"
]
},
"vulnerabilityCriteria": {"cve": ["string"
],
"package": [{ }
],
"severity": ["Info"
],
"fixable": [0
]
},
"expiryTime": "string",
"state": 1,
"props": {"description": "string",
"createdBy": "string",
"updatedBy": "string"
},
"exceptionType": "Container"
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWABC",
"exceptionName": "Container Vulnerability Exception",
"exceptionReason": "Accepted Risk",
"exceptionType": "Container",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Container Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"registry": ["registry1",
"registry2"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["Low"
]
}
}
}

List All Vulnerability Exceptions

Get a list of all vulnerability exceptions for the account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWABC",
"exceptionName": "Container Vulnerability Exception",
"exceptionReason": "Accepted Risk",
"exceptionType": "Container",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Container Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"registry": ["registry1",
"registry2"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["Low"
]
}
},
{"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWDEF",
"exceptionName": "Host Vulnerability Exception",
"exceptionReason": "Other",
"exceptionType": "Host",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Host Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"hostname": ["hostname"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["High",
"Medium"
]
}
}
]
}

Search Vulnerability Exceptions

Search vulnerability exceptions by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array. Here are some example body payloads:

{ "filters": [ { "field": "exceptionType", "expression": "eq", "value": "Host" } ] }
{ "filters": [ { "field": "exceptionType", "expression": "eq", "value": "Container" },
{ "field": "expiryTime", "expression": "gt", "value": "2021-01-01" } ],
"returns": [ "name", "exceptionType", "expiryTime" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWABC",
"exceptionName": "Container Vulnerability Exception",
"exceptionReason": "Accepted Risk",
"exceptionType": "Container",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Container Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"registry": ["registry1",
"registry2"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["Low"
]
}
},
{"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWDEF",
"exceptionName": "Host Vulnerability Exception",
"exceptionReason": "Other",
"exceptionType": "Host",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Host Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"hostname": ["hostname"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["High",
"Medium"
]
}
}
]
}

Vulnerability Exception Details

Get details about a vulnerability exception by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}

path Parameters

exceptionGuid

required

string

Vulnerability Exception ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWABC",
"exceptionName": "Container Vulnerability Exception",
"exceptionReason": "Accepted Risk",
"exceptionType": "Container",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Container Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"registry": ["registry1",
"registry2"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["Low"
]
}
}
}

Update Vulnerability Exceptions

Update a vulnerability exception by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}

In the request body, only specify the parameters that you want to update, for example, { "exceptionReason" : "Other" }.

path Parameters

exceptionGuid

required

string

Vulnerability Exception ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

exceptionName	string non-empty (?!^ +$)^.+$ Name of the exception.
exceptionReason	string Enum: "False Positive" "Accepted Risk" "Compensating Controls" "Fix Pending" "Other" Reason for creating an exception
	object The set of resources this exception can apply to. The data varies based on the value of the `exceptionType` attribute.
	object When sending a request, use this object to define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected.
expiryTime	string The exception's expiration date and time.
state	number Value: 1 State
	object The vulnerability exception's properties.

Responses

Request samples

Payload

Content type

application/json

Example

Container

{"exceptionName": "string",
"exceptionReason": "False Positive",
"resourceScope": {"imageId": ["string"
],
"imageTag": ["string"
],
"registry": ["string"
],
"repository": ["string"
],
"namespace": ["string"
]
},
"vulnerabilityCriteria": {"cve": ["string"
],
"package": [{ }
],
"severity": ["Info"
],
"fixable": [0
]
},
"expiryTime": "string",
"state": 1,
"props": {"description": "string",
"createdBy": "string",
"updatedBy": "string"
},
"exceptionType": "Container"
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"createdTime": "2021-12-18T08:30:00Z",
"exceptionGuid": "LWABC",
"exceptionName": "Container Vulnerability Exception",
"exceptionReason": "Accepted Risk",
"exceptionType": "Container",
"expiryTime": "2021-12-28T08:30:00Z",
"props": {"description": "This is a Container Vulnerability Exception",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"resourceScope": {"registry": ["registry1",
"registry2"
]
},
"state": 1,
"updatedTime": "2021-12-18T08:30:00Z",
"vulnerabilityCriteria": {"severity": ["Low"
]
}
}
}

Delete Vulnerability Exceptions

Delete a vulnerability exception by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}

path Parameters

exceptionGuid

required

string

Vulnerability Exception ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Vulnerability Policies

Lacework provides the ability to create container vulnerability policies to assess your container images at build and/or runtime based on your own unique requirements. For example, a policy can be created for any critical vulnerability with a fix available or a policy to target a specific CVE.

Create Vulnerability Policies

Create a vulnerability policy by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

policyType required	string The policy type such as `DockerFile`, `DockerConfig`, or `Image`. DockerFile
policyName required	string non-empty (?!^ +$)^.+$ Name of the policy.
policyEvalType	string Default: "local" Value: "local" The evaluation type to use for the policy. The default value is `local`.
severity required	string Enum: "Critical" "High" "Medium" "Low" "Info" The severity level of the policy; Info, Low, Medium, High, or Critical.
failOnViolation	number Default: 0 Enum: 0 1 When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permit container image deployment to continue even when the policy fails. Set to `0` to block container image deployment when the policy fails.
alertOnViolation	number Default: 0 Enum: 0 1 When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected.
state required	number Enum: 0 1 When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy.
required	object (VulnerabilityPolicies_DockerFile)
required	object The vulnerability policy's properties.

Responses

Request samples

Payload

Content type

application/json

Example

DockerFile

{"policyType": "DockerFile",
"policyName": "string",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"state": 0,
"filter": {"rule": {"operator": "include",
"values": ["string"
]
},
"exception": {"operator": "include",
"values": ["string"
]
}
},
"props": {"description": "string",
"createdBy": "string",
"updatedBy": "string"
}
}

Response samples

201
4XX
5XX

Content type

application/json

{"data": {"policyGuid": "LWABC",
"policyName": "DockerFile Vulnerability Policy",
"policyType": "DockerFile",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"rule": {"operator": "include",
"values": ["setgid",
"setuid"
]
}
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a DockerFile Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
}
}

List All Vulnerability Policies

Get a list of all vulnerability policies for the account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"policyGuid": "LWABC",
"policyName": "DockerFile Vulnerability Policy",
"policyType": "DockerFile",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"rule": {"operator": "include",
"values": ["setgid",
"setuid"
]
}
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a DockerFile Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
},
{"policyGuid": "LWABC",
"policyName": "CVE Vulnerability Policy",
"policyType": "CVE",
"policyEvalType": "local",
"severity": "High",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"cveIds": ["CVE-140"
]
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a CVE Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
}
]
}

Search Vulnerability Policies

Search vulnerability policies by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array. Here are some example body payloads:

{ "filters": [ { "field": "policyType", "expression": "eq", "value": "DockerFile" } ] }
{ "filters": [ { "field": "PolicyType", "expression": "eq", "value": "CVE" },
{ "field": "createdTime", "expression": "gt", "value": "2021-01-01" } ],
"returns": [ "name", "policyType", "createdTime" ] }

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

	Array of objects[ items ] One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.
returns	Array of strings Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Payload

Content type

application/json

{"filters": [{"expression": "eq",
"field": "string",
"value": "string",
"values": ["string"
]
}
],
"returns": ["string"
]
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": [{"policyGuid": "LWABC",
"policyName": "DockerFile Vulnerability Policy",
"policyType": "DockerFile",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"rule": {"operator": "include",
"values": ["setgid",
"setuid"
]
}
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a DockerFile Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
},
{"policyGuid": "LWABC",
"policyName": "CVE Vulnerability Policy",
"policyType": "CVE",
"policyEvalType": "local",
"severity": "High",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"cveIds": ["CVE-140"
]
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a CVE Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
}
]
}

Vulnerability Policy Details

Get details about a vulnerability policy by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}

path Parameters

policyGuid

required

string

Vulnerability Policies ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"policyGuid": "LWABC",
"policyName": "DockerFile Vulnerability Policy",
"policyType": "DockerFile",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"rule": {"operator": "include",
"values": ["setgid",
"setuid"
]
}
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a DockerFile Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
}
}

Update Vulnerability Policies

Update a vulnerability policy by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}

In the request body, only specify the parameters that you want to update, for example, { "severity" : "High" }.

path Parameters

policyGuid

required

string

Vulnerability Policies ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Request Body schema: application/json

policyType	string The policy type such as `DockerFile`, `DockerConfig`, or `Image`. DockerFile
policyName	string non-empty (?!^ +$)^.+$ Name of the policy.
policyEvalType	string Default: "local" Value: "local" The evaluation type to use for the policy. The default value is `local`.
severity	string Enum: "Critical" "High" "Medium" "Low" "Info" The severity level of the policy; Info, Low, Medium, High, or Critical.
failOnViolation	number Default: 0 Enum: 0 1 When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permit container image deployment to continue even when the policy fails. Set to `0` to block container image deployment when the policy fails.
alertOnViolation	number Default: 0 Enum: 0 1 When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected.
state	number Enum: 0 1 When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy.
	object (VulnerabilityPolicies_DockerFile)
	object The vulnerability policy's properties.

Responses

Request samples

Payload

Content type

application/json

Example

DockerFile

{"policyType": "DockerFile",
"policyName": "string",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"state": 0,
"filter": {"rule": {"operator": "include",
"values": ["string"
]
},
"exception": {"operator": "include",
"values": ["string"
]
}
},
"props": {"description": "string",
"createdBy": "string",
"updatedBy": "string"
}
}

Response samples

200
4XX
5XX

Content type

application/json

{"data": {"policyGuid": "LWABC",
"policyName": "DockerFile Vulnerability Policy",
"policyType": "DockerFile",
"policyEvalType": "local",
"severity": "Critical",
"failOnViolation": 0,
"alertOnViolation": 0,
"filter": {"rule": {"operator": "include",
"values": ["setgid",
"setuid"
]
}
},
"state": 1,
"isDefault": 0,
"props": {"description": "This is a DockerFile Vulnerability Policy",
"createdBy": "abc@xyz.com",
"updatedBy": "abc@xyz.com"
},
"createdTime": "2022-03-04T22:32:14.685Z",
"updatedTime": "2022-03-04T22:32:14.685Z"
}
}

Delete Vulnerability Policies

Delete a vulnerability policy by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}

path Parameters

policyGuid

required

string

Vulnerability Policies ID

header Parameters

Authorization required	string Bearer Access Token. For example, "Bearer {YourAPIToken}"
Content-Type required	string application/json

Responses

Response samples

4XX
5XX

Content type

application/json

{"message": "Invalid ..."
}

Webhooks

Send notifications from your integration using a server token or signature.

Webhooks by Server Tokens

Send notifications from your integration using a server token.

You must specify the integration's server token that was generated by the Lacework Console when you created the integration that subscribes to notifications.

For more information, see https://docs.lacework.com/integrate-a-docker-v2-registry.

For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

Usage Example:

curl -H 'Content-Type: {content-type}' -X POST -d '{notification-body}' "https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/DockerV2" -H "Authorization: Bearer YourServerToken"

Note: If a container registry integration is unsubscribed from notifications and then subscribed again, the same server token is used.

path Parameters

type

required

string

Enum: "AzureCR" "DockerV2" "JFrog"

The integration type such as AzureCR, DockerV2, JFrog.

header Parameters

Authorization required	string Bearer Server Token. For example, "Bearer {YourServerToken}"
Content-Type required	string application/json

Request Body schema: application/json

Integration specific notification body

object

Responses

Request samples

Payload

Content type

application/json

{ }

Response samples

200
4XX
5XX

Content type

application/json

{ }

Webhooks by Signature

Send notifications from your integration using a signature.

You must specify the integration's server token that was generated by the Lacework Console when you created the integration that subscribes to notifications. For more information, see https://docs.lacework.com/integrate-github-container-registry.

Usage Example:

curl -H 'Content-Type: {content-type}' -X POST "https://YourLacework.lacework.net/api/v2/Webhooks/Signatures/GithubCR" -H "x-hub-signature-256: sha256=sha256 payload hash with YourServerToken as secret"

Note: For a container registry integration, use the same server token if you want to re-subscribe to notifications after unsubscribing.

path Parameters

type

required

string

Value: "GithubCR"

The integration type such as GithubCR.

header Parameters

x-hub-signature-256 required	string Example: x-hub-signature-256: sha256=123... When your secret token is set, Lacework uses it to create a hash signature with each payload. This hash signature is included with the headers of each request as `X-Hub-Signature-256`.
Content-Type required	string application/json

Responses

Response samples

200
4XX
5XX

Content type

application/json

{ }