August 2023 Platform Releases

Generally Available

• Agentless Workload Scanning now supports scanning of container images managed by Containerd runtime - See Supported Container Image Formats for Agentless Workload Scanning for a list of supported container formats.
• Agentless Workload Scanning can now be integrated with Google Cloud - See Before you Start - Agentless Workload Scanning to see all supported integration options.
  • This feature was previously in public preview.
• Scanning of multiple/secondary volumes on hosts is now supported through Agentless Workload Scanning - Previously, only the root volume of a host could be scanned. See FAQs for details on volume mount compatibility and enablement with Agentless Workload Scanning.
• Scanning of stopped instances is now supported through Agentless Workload Scanning - By default, stopped instances are scanned with agentless integrations. See FAQs for details on enablement.
• RedHat Enterprise Linux 9 is now supported for vulnerability scanning (hosts and containers) - See Container Image Support and Host Image Support for a full list of supported operating systems.

Public Preview

• Pub/Sub-based Google Cloud audit log integration - You can set up a Pub/Sub-based Google Cloud audit log integration to route specific audit logs to a Pub/Sub topic in Google Cloud and enable the Lacework platform to ingest the logs from the Pub/Sub topic to report alerts for anomalous behavior.

  The Pub/Sub-based audit log integration method provides the following benefits:

  • The logs routed to the Pub/Sub topic are available for ingestion in a few minutes. This enables the Lacework platform to provide alerts for anomalous behavior faster than the Storage-based audit log integration method.
  • You can use the LW_ACT_GCP_ACTIVITY Lacework Query Language (LQL) datasource to create custom LQL policies to trigger alerts when policy-based violations are found in the audit logs. For more information, see Create Custom Policies.
  note

  The Pub/Sub-based audit log integration does not support the default Google Cloud audit log policies. You must use the LW_ACT_GCP_ACTIVITY LQL datasource to create custom LQL policies.

  For instructions on setting up a Pub/Sub-based audit log integration, see the following topics:

  • Google Cloud Integration - Guided Configuration
  • Pub/Sub-Based Google Cloud Integration - Terraform from Any Supported Host
  • Pub/Sub-Based Google Cloud Integration - Terraform from Google Cloud Shell
  • Pub/Sub-Based Google Cloud Audit Log Integration - Manual Configuration

  For instructions on migrating an existing Storage-based audit log integration to a Pub/Sub-based audit log integration, see the following topics:

  • Migrate From Storage-Based to Pub/Sub-Based Google Cloud Audit Log Integration Using Terraform
  • Migrate From Storage-Based to Pub/Sub-Based Google Cloud Audit Log Integration - Manual Configuration

• Attack path analysis adds support for the Google Cloud environment - Attack paths are now supported for the following Google Cloud assets:

  • Google Cloud SQL
  • Google Cloud Compute instances
  • GKE (Kubernetes NodePort and LoadBalancer services)
  • Container images container images exposed to the internet with a critical vulnerability

  The Lacework Console has the following updates:

  • The Top work items page Top risky hosts and Top risky data assets tables include attack paths to Compute instances and Cloud SQL. The page has a new cloud provider filter and revised table columns.
  • The Path investigation page includes new Exposure Polygraph nodes to support Google Cloud assets. The page has new Google Cloud-related sections for detailed information: Cloud SQL, Compute instances, firewall rules, and load balancers. The page has a new cloud provider filter and revised table columns.
  • The Alerts page supports Exposure Polygraphs for Google Cloud.
  • The Vulnerabilities page supports the internet exposure filter for Google Cloud.
  • The single machine dashboard includes Exposure Polygraphs for Google Cloud.

• Introduce Lacework Near Real-Time Alerting Solution, starting with Threat Intel Alerts - This new solution further reduces the time between detection and alert generation for high-confidence threats, allowing security teams to respond more quickly and minimizing potential impact on the organization.
  Near real-time threat intel alerts are dynamic and evolve as new events are detected, keeping alert volumes manageable. For more information, see Introduction to Threat Intel Alerts.

• The Host Vulnerability page now provides increased visibility into hosts with Code Aware Agent (CAA) functionality enabled. - The following additions have also been added:

  • Monitored by CAA filter to display hosts with codeaware enabled.
  • Statistics for Hosts monitored by Code Aware Agent (replaces 24-Hour Coverage).
  • When a vulnerability is found in more than one package, there is an expandable row to display each package affected in the Host Assessment Drawer - CVE tab.
  • When a package has more than one vulnerability, there is an expandable row to display each vulnerability in the Host Assessment Drawer - Packages tab.