Skip to main content

Lacework API 2.0 Documentation (2.0)

Download OpenAPI specification:Download

The Lacework API documentation is available directly from your Lacework application at the following URI: https://YourLacework.lacework.net/api/v2/docs, where YourLacework is your Lacework application.

No login to the Lacework Console is required. However, there is a link to the Lacework API 2.0 documentation from the Lacework Console. From the Help drop-down, select API Documentation and then API 2.0 Documentation.

All the Lacework API operations listed below require an API Access Token to allow access to the Lacework API. For more information about getting a temporary API Access Token to pass into these operations as a header, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

You can run the Lacework APIs using your favorite REST API tools, such as curl or Postman. You can also run the Lacework API from the Lacework CLI. For more information, see Get Started with the Lacework CLI.

Overview

Conventions

  1. Parameters: Parameters follow the JSON conventions, i.e., camelcase or lowerCamelcase notation, for all parameter names in the query, request and response bodies, for example, startTime, endTime.

  2. Data Types: For the constant types of data sets, integrations, assets, and other resources, the convention is to use UpperCamelcase notation, for example, AlertChannels, AuditLogs, CloudActivities.

  3. Response Schema: A successful response returns either the HTTP 200 or 201 Status Code and a top-level property called data, which contains the result in the JSON format. A response returning the HTTP 4xx or 5xx Status Code returns the top-level property called message, which contains an error message.

  4. additionalProperties Keyword: For all response schemas, the additionalProperties keyword is set to true. This means additional fields or properties can be added to responses in the future. For information about the additionalProperties keyword, see the JSON Schema online documentation.

Simple & Advanced Search

The Lacework API provides simple and advanced searches for retrieving information.

For simple searches, specify a HTTP GET method with simple query parameters, for example, startTime, endTime.

For advanced searches, specify a HTTP POST method with filters in the request body. The filters in requests that have multiple filters are AND'd, that is, all filters conditions must be met to satisfy a match.

There are 16 filter types consisting of seven pairs and two unique operators, which are similar to the SQL comparison operators for database queries. The pairs are:

  • The eq operator allows you to specify a value that the field values of the result must be equal to. The ne operator means not equal to. Note the value field of the filters must be used; the values field of the filters cannot be used for eq and ne.

  • The in operator allows you to specify multiple values in the values field of the filters. The field values of the result must match one of the values. The not_in operator is the opposite of in. Note the value field of the filters cannot be used for in and not_in.

  • The like operator allows you to specify a pattern that the field values of the result must match. The not_like operator is the opposite of like. Note the values field of the filters cannot be used for like and not_like.

  • The ilike operator works similar to like but it makes the match case insensitive. The not_ilike operator is the opposite of ilike. Note the values field of the filters cannot be used for ilike and not_ilike.

  • The rlike operator matches the specified pattern represented by regular expressions (more info on RLIKE — Snowflake Documentation). The not_rlike operator is the opposite of rlike. Note the values field of the filters cannot be used for rlike and not_rlike.

  • The gt operator allows you to specify a value that the field values of the result must be greater than. The lt (less-than) operator is the opposite of gt. Note the values field of the filters cannot be used for gt and lt.

  • The ge operator allows you to specify a value that the field values of the result must be greater than or equal to. The le (less-than-or-equal-to) operator is the opposite of ge. Note the values field of the filters cannot be used for ge and le.

The unique operators are:

  • The between operator allows you to specify a range that the field values of the result must be within. The specified upper boundary must be larger/greater than the lower boundary. The two values of upper and lower boundaries must be set in the values field of the filters. Note the value field of the filters cannot be used for between.

  • The expr operator is reserved for future use.

Date & Time Formats

For date and time parameters, the time zone is always UTC and the following formats are supported:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

Organization Level Access

An organization may have a primary account and multiple sub-accounts. If an access token is generated for the primary account and used as the authorization token, it can also be used for one of the sub-accounts with the additional header called Account-Name (case insensitive).

For example, if the primary account is xyz and the sub-account is xyz-sub1, set the Account-Name header to xyz-sub1.

For accessing the organization level data sets, a separate header called Org-Access (case insensitive) can be used. If this header is set to true (case insensitive) and the authorization token has the proper permissions (org admin), if specified, the Account-Name header is ignored, If the Org-Access header is not set to true, the Account-Name header is used, if specified.

For more information about creating and using access (bearer) tokens for accounts in an Organization, see Role-Based API Authentication for Organizations.

Pagination

Making calls to Lacework APIs could return a lot of results. Pagination of the results helps manage overall performance and makes the responses easier for you to handle by dividing the results into separate pages, each with a subset of the results.

The following row limits apply:

  • Row limit per page: 5,000 rows

  • Row limit of all pages of one result set: 500,000 rows

Pagination is available for some datasets, such as those that are searched with the /api/v2/Vulnerabilities/Containers/search or /api/v2/Entities/Machines/search endpoints.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours. No pagination is available for an API if the paging field is missing from a response.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...

See the right panel for response examples.

Rate Limiting

The current rate limit is 480 API requests per hour per user. When the total number of API requests on a one-hour rolling window exceeds the rate limit, the HTTP 429 Too Many Requests response status code is returned.

Lacework uses the token bucket algorithm to apply request rate limiting. Each API v2 functionality has its own bucket with 480 tokens and each request that you make removes one token from the bucket. For example, performing a GET /api/v2/AgentAccessTokens or a GET /api/v2/AgentAccessTokens/{ID} are both part of one functionality, which gets an agent access token, so each request removes one token from the same bucket. Similarly, updating an agent access token (PATCH /api/v2/AgentAccessTokens/{ID}) is a different functionality and disregards the ID to use the same bucket, so a token is removed from a different bucket.

Each request sends back three response headers following standard HTTP naming conventions for rate limiting. RateLimit-Limit is the total number of requests you can make in an hour, RateLimit-Remaining is the number of remaining requests, and RateLimit-Reset is how much time it will take (in seconds) before you can make another request once the limit is reached. For more information about RateLimit header fields, see IETF Draft 05.

POST Body Size Limit

Many Lacework API endpoints accept data as POST body content. POST body content is limited to 1 MB. Requests that exceed the 1 MB limit result in a 400 Bad Request error.

Response Status Codes

The Lacework API endpoints return the following HTTP response status codes.

Status CodeDefinitionDescription
200 OK The request has succeeded.
201 Created The request has been fulfilled and resulted in a new resource being created.
204 No Content The server has fulfilled the request but does not need to return an entity-body.
400 Bad Request The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
401 Unauthorized The request requires user authentication. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403 Forbidden The server understood the request, but is refusing to fulfill it. Authorization will not fix the issue and the request SHOULD NOT be repeated.
404 Not Found The server has not found anything matching the Request-URI.
405 Method Not Allowed The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
409 Conflict The request could not be completed due to a conflict with the current state of the resource.
429 Too Many Requests Too many requests occurred during the allotted time period and rate limiting was applied.
500 Internal Server Error The request did not complete due to an internal error on the server side. The server encountered an unexpected condition which prevented it from fulfilling the request.
503 Service Unavailable The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

Access Tokens

Generate access tokens for API requests.

Generate Access Tokens

Get access tokens for the API requests by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/access/tokens

After creating a secret key, administrators can generate Temporary API access (bearer) tokens that clients and client applications use to access the Lacework API. Create temporary API access (bearer) tokens by invoking the POST https://YourLacework.lacework.net/api/v2/access/tokens endpoint.

header Parameters
X-LW-UAKS
required
string

YourSecretKey

Content-Type
required
string

application/json

Request Body schema: application/json
keyId
required
string

YourAccessKeyID

expiryTime
required
integer

The access token's expiration (in seconds) that you want to set. Maximum value: 86400 (24 hours).

Responses

Request samples

Content type
application/json
{
  • "keyId": "YourSecretKey",
  • "expiryTime": 3600
}

Response samples

Content type
application/json
{
  • "expiresAt": "2021-08-18T08:00:00.000Z",
  • "token": "string"
}

Schemas

Get details about the available Lacework schemas.

Schema Details

Get a list of available Lacework schema types by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas

Get details about a Lacework schema by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs

path Parameters
type
required
string
Example: AuditLogs

When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Schema Details of Subtype

Get details about a Lacework schema by specifying a schema type and subtype when invoking the endpoint.

GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel

path Parameters
type
required
string
Example: AlertChannels

When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.

subtype
required
string
Example: SlackChannel

The schema's subtype. If a type is subordinate to another type, it is called a subtype.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Activities

Get information about network activities detected through the agent.

Search Changed Files

Search for changed files in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned changed files by start time, end time, machine ID, file path, and more. For more information, see CHANGE_FILES_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "filePath", "expression": "eq", "value": "/usr/bin/curl" } ],
    "returns": [ "filePath", "filedataHash", "mid" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Connections

Search for connections in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned connections by start time, end time, created time, machine ID, and more. For more information, see CONNECTIONS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "dstEntityId.mid", "expression": "eq", "value": "116018" } ] }
  • { "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "srcEntityId.mid", "expression": "eq", "value": "123456" }, { "field": "dstInBytes", "expression": "le", "value": "300000" } ],
    "returns": [ "dstEntityId", "dstEntityType", "srcEntityId", "srcEntityType" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search DNS Summaries

Search for DNS summaries in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned DNS summaries by start time, end time, created time, machine ID, and more. For more information, see DNS_QUERY_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "fqdn", "expression": "eq", "value": "sqs.us-west-2.amazonaws.com" } ],
    "returns": [ "fqdn", "hostIpAddr", "mid" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search User Logins

Search for user logins in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the returned login activities by start time, end time, created time, machine ID, and more. For more information, see USER_LOGIN_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "username", "expression": "eq", "value": "ec2-user" } ],
    "returns": [ "username", "activityType", "activityTime" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Agent Access Tokens

To connect to the Lacework instance, Lacework agents require an agent access token.

Create Agent Access Token

Create a new agent access token that an agent can use to connect and send data to your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens

Here is an example body payload:

{ "tokenAlias": "prod", "tokenEnabled": "1" }

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The access token's properties, including createdTime and description.

tokenEnabled
required
string non-empty

The tokenEnabled property determines if an edit control is a "Text token" edit control. When the tokenEnabled property is set to 1, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.

tokenAlias
required
string non-empty

The token's alias such as Ops Agent. Aliases help communicate the intended purpose of a token and are effective when a value with a single intent appears in multiple places.

Responses

Request samples

Content type
application/json
{
  • "props": {
    },
  • "tokenEnabled": "string",
  • "tokenAlias": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Agent Access Tokens

Get a list of currently enabled agent access tokens in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Agent Access Tokens

Search all enabled agent access tokens in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

You can filter on the following fields:

  • accessToken

  • createdTime

  • tokenAlias

  • tokenEnabled

  • version

Here is an example body payload:

{ "filters" : [ { "expression": "eq", "field": "tokenAlias", "value": "Eng" } ] }

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Agent Access Token Details

Get details about an agent access token by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

You can get the {id} by invoking the GET /api/v2/AgentAccessTokens endpoint. Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

path Parameters
id
required
string

Agent Access Token {id}

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Agent Access Token

Optionally update the tokenEnabled settings of the passed in agent access token. Update these settings by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

Get the agent access token id by calling the GET /api/v2/AgentAccessTokens endpoint.

Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

Here is an example body payload:

{ "tokenEnabled": "1" }

path Parameters
id
required
string

AgentAccessTokens {id}

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The access token's properties, including createdTime and description.

tokenEnabled
string non-empty

The tokenEnabled property determines if an edit control is a "Text token" edit control. When the tokenEnabled property is set to 1, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.

Responses

Request samples

Content type
application/json
{
  • "props": {
    },
  • "tokenEnabled": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Agent Information

View and verify information about all agents, including:

  • The hostname
  • The number of active and inactive agents
  • Machine tags information associated with the agents
  • The agent version

Search Agent Information

The Agent Information API enables you to retrieve information about all agents by invoking the following endpoint:

POST /api/v2/AgentInfo/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

You can optionally filter the information returned by agent status, agent version, IP address, and more. For details about what agent information is available, see AGENT_MANAGEMENT_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime" : "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"},
  • { "timeFilter": { "startTime": " 2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"}, "filters" : [ { "field": "status", "expression": "eq", "value": "ACTIVE" }, { "field": "tags.VmProvider", "expression": "eq", "value" : "AWS" } ],
    "returns": [ "hostname", "ipAddr", "os" , "agentVersion", "status" ] }

Within request bodies, nested field names that contain one or more special characters—e.g., dot ("."), colon (":"), or slash ("/")—must be enclosed in escaped double quotes. For example, the field name aws:ec2launchtemplate:version nested under the tags field would be rendered as follows:

"tags.\"aws:ec2launchtemplate:version\""

In a filter, the example would appear as follows:

{ "field": "tags.\"aws:ec2launchtemplate:version\"", "expression": "eq", "value": "3" }

In addition, forward slash characters within field names must be escaped with a backslash, as in the following example:

"tags.\"kubernetes.io\/cluster\/prod1\""

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Alert Channels

Lacework combines alert channels with alert rules or report rules to provide a flexible method for routing alerts and reports.

  • For alert channels, you define where to send alerts or reports, such as to Jira, Slack, or email.
  • For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.
  • For report rules, you define information about which reports to send.

Create Alert Channels

Create an alert channel by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsS3",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

List All Alert Channels

Get a list of alert channels for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

List Alert Channels by Type

Get a list of alert channels of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel

path Parameters
type
required
string
Enum: "AwsS3" "CiscoSparkWebhook" "CloudwatchEb" "Datadog" "EmailUser" "GcpPubsub" "IbmQradar" "Jira" "MicrosoftTeams" "NewRelicInsights" "PagerDutyApi" "ServiceNowRest" "SlackChannel" "SplunkHec" "VictorOps" "Webhook"

Alert Channel Type

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Search Alert Channels

Search alert channels by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Test Alert Channels

Test the integration of an alert channel by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alert Channel Details

Get details about an alert channel by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Alert Channels

Update an alert channel by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

name
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsS3",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Alert Channels

Update an alert channel by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsS3", "enabled": 1, "data": {"s3CrossAccountCredentials": {"externalId": "string", "roleArn": "string", "bucketArn":"string"}} }.

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsS3",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Delete Alert Channels

Delete an alert channel by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alert Profiles

An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts.

Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles and operations for defining and editing your own are exposed via Lacework API calls.

Create Alert Profiles

Create an alert profile that extends off of a current alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
required
Array of objects[ items ]

An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.

alertProfileId
required
string

Unique id within customer account for Alert Profile

extends
required
string

Base Lacework defined Alert Profile to inherit properties

Responses

Request samples

Content type
application/json
{
  • "alerts": [
    ],
  • "alertProfileId": "string",
  • "extends": "string"
}

Response samples

Content type
application/json
[
  • {
    }
]

List All Alert Profiles

Get all the alert profiles for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Alert Profiles Details

Get the details to the specified alert profile by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update Alert Profiles

Update the alert templates of the specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.

Array
name
string

A name that policies can use to refer to this definition when generating alerts

eventName
string

The name of the resulting alert

description
string

Summary of the resulting alert

subject
string

A high-level observation of the resulting alert

Responses

Request samples

Content type
application/json
{
  • "alerts": [
    ]
}

Response samples

Content type
application/json
[
  • {
    }
]

Delete Alert Profiles

Delete the specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Create Alert Templates

Create a new alert template for a specified alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
name
required
string

A name that policies can use to refer to this definition when generating alerts

eventName
required
string

The name of the resulting alert

description
required
string

Summary of the resulting alert

subject
required
string

A high-level observation of the resulting alert

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "eventName": "string",
  • "description": "string",
  • "subject": "string"
}

Response samples

Content type
application/json
[
  • {
    }
]

Update Alert Templates

Update an alert template for a specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters
id
required
string

Alert Profile id

alertTemplateName
required
string

Alert Template Name

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
eventName
string

The name of the resulting alert

description
string

Summary of the resulting alert

subject
string

A high-level observation of the resulting alert

Responses

Request samples

Content type
application/json
{
  • "eventName": "string",
  • "description": "string",
  • "subject": "string"
}

Response samples

Content type
application/json
[
  • {
    }
]

Delete Alert Templates

Delete an alert template for a specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters
id
required
string

Alert Profile id

alertTemplateName
required
string

Alert Template Name

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alert Rules

Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.

Create Alert Rules

Create an alert rule by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
required
object

When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.

intgGuidList
required
Array of strings non-empty unique

The alert channels for the rule to access.

type
required
string
Value: "Event"

The alert type.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ],
  • "type": "Event"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Alert Rules

List all alert rules in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Alert Rules

Search alert rules by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

Here are some example body payloads:

  • { "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }

  • { "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }

  • { "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }

  • { "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }

  • { "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }

  • { "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Alert Rule Details

Get details about an alert rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters
mcGuid
required
string

Alert Rule mcGuid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Alert Rules

Update an alert rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked. In the request body, only specify the parameters that you want to update.

path Parameters
mcGuid
required
string

Alert Rules mcGuid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
object

When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.

intgGuidList
Array of strings non-empty unique

The alert channels for the rule to access.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Alert Rules

Delete an alert rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters
mcGuid
required
string

Alert Rules mcGuid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alerts

Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.

You can also post a comment to an alert's timeline; or change an alert status from Open to Closed.

List Alerts

Get a list of alerts during the specified date range by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}

Use the following formats to specify the startTime and endTime:

  • yyyy-MM-dd for example, 2022-06-28

  • yyyy-MM-ddTHH for example, 2022-06-28T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2022-06-28T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-06-28T08:00:00.000Z

Here is an example invocation:

GET https://YourLacework.lacework .net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

query Parameters
startTime
string

Returns only recorded actions that occurred after this timestamp.

endTime
string

Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Alerts

Search alerts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

  • yyyy-MM-dd for example, 2022-07-08

  • yyyy-MM-ddTHH for example, 2022-07-08T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2022-07-08T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-07-08T08:00:00.000Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To use the current time as the end time, exclude the endTime field.

To limit the returned result, optionally specify one or more filters in the request body. These fields can be set in the filters: alertId, alertType, severity, status, subCategory, category, and source.

You can optionally filter the returned alerts by one or more of the top-level fields. See Filter Alerts for the filter values.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "alertType", "expression": "eq", "value": "SuspiciousUserFailedLogin" } ] }
  • { "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "severity", "expression": "eq", "value": "Critical" }, { "field": "status", "expression": "eq", "value": "Open" } ],
    "returns": [ "alertId", "alertName", "alertType", "alertInfo" ] }

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Alert Details

Get details about an alert by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}

You must specify a scope, as one of these options: Details, Investigation, Events, RelatedAlerts, Integrations, or Timeline.

path Parameters
alertId
required
string

Alert id

query Parameters
scope
required
string
Enum: "Details" "Investigation" "Events" "RelatedAlerts" "Integrations" "Timeline"

You must specify a scope, as one of these options.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Post Comments

Post a user comment on an alert’s timeline by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment

For details about alert timelines, see Timeline.

path Parameters
alertId
required
string

Alert id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
comment
required
string

Responses

Request samples

Content type
application/json
{
  • "comment": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Close Alerts

Change the status of an alert to closed by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close

The body of the request should contain the reason for closing, from these options:

  • Other
  • False positive
  • Not enough information
  • Malicious and have resolution in place
  • Expected because of routine testing.

If you choose Other, the message field is required and should contain a brief explanation of why the alert is closed.

Note that a closed alert cannot be reopened.

For details about alert statuses, see Status.

path Parameters
alertId
required
string

Alert id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
reason
required
number
Enum: 0 1 2 3 4

0 - Other

1 - False positive

2 - Not enough information

3 - Malicious and have resolution in place

4 - Expected because of routine testing

comment
string

If you choose 0 (Other), the comment field is required and should contain a brief explanation of why the alert is closed.

Responses

Request samples

Content type
application/json
{
  • "reason": 0,
  • "comment": "string"
}

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Audit Logs

Audit logs let you view the history of all actions performed within a Lacework account so you know who made changes to the system and when. For example, you can see who suppressed certain alerts, what time an authentication setting was modified, etc. For more information, see Audit Logs.

Audit Logs

Get audit logs by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AuditLogs

Optionally specify the startTime and endTime time range filters using the following formats:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime parameter.

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

query Parameters
startTime
string

Returns only recorded actions that occurred after this timestamp.

endTime
string

Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Audit Logs

Search the audit logs by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AuditLogs/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime field.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Filters in the request body

object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Cloud Accounts

Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Create Cloud Accounts

Create a cloud account by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

List All Cloud Accounts

Get a list of cloud accounts for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

List Cloud Accounts by Type

Get a list of cloud accounts of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg

path Parameters
type
required
string
Enum: "AwsCfg" "AwsCtSqs" "AwsEksAudit" "AwsUsGovCfg" "AwsUsGovCtSqs" "AzureAlSeq" "AzureCfg" "GcpAtSes" "GcpCfg"

Cloud Accounts Type

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Search Cloud Accounts

Search cloud accounts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Cloud Accounts Details

Get details about a cloud account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Cloud Accounts

Update a cloud account by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Cloud Accounts

Update a cloud account by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsCfg", "enabled": 1, "data": { "awsAccountId": "string", "crossAccountCredentials": {"externalId": "string", "roleArn": "string"}} }.

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Delete Cloud Accounts

Delete a cloud account by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Cloud Activities

Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance.

Cloud Activities

Get cloud activity details by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudActivities

Optionally filter by specifying the startTime and endTime of a time range using the following formats:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

To use the current time as the end time, exclude the endTime parameter.

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

To use the current time as the end time, exclude the endTime parameter.

query Parameters
startTime
string

Returns only recorded actions that occurred after this timestamp.

endTime
string

Returns only recorded actions that occurred before this timestamp. If empty or missing, the current time is used.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Cloud Activities

Search cloud activities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudActivities/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

  • yyyy-MM-dd for example, 2021-12-18

  • yyyy-MM-ddTHH for example, 2021-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2021-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2021-12-18T08:00:00.000Z

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" } ] }
  • { "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" },
    { "field": "eventModel", "expression": "eq", "value": "AwsApiTracker" } ],
    "returns":[ "startTime", "endTime", "eventType", "eventActor", "eventModel" ] }

To use the current time as the end time, exclude the endTime field.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. If there are multiple conditions, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {