Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Lacework AWS CloudTrail | ✅ | ✅ | lacework_aws_cloudtrail | NDJSON | S3
Lacework GCP Audit | ✅ | ✅ | lacework_gcp_audit | NDJSON | S3
Lacework Azure Activity Logs | ✅ | ✅ | lacework_azure_activity_log | NDJSON | S3
Lacework Agent | ✅ | ✅ | lacework_agent | NDJSON | S3
Overview
Lacework is a data-driven cloud security platform that collects and analyzes logs and telemetry from the major cloud vendors (AWS, Azure, GCP, etc.).
Hunters supports ingesting Lacework data into the data lake, presenting Lacework alerts in the Hunters portal, and correlating them with related signals.
Supported data types
Lacework AWS CloudTrail
Table name: lacework_aws_cloudtrail
Lacework integrates with AWS CloudTrail to enhance its security monitoring and threat detection capabilities. By analyzing CloudTrail logs, Lacework can identify unusual and potentially malicious activity within an AWS environment.
Learn more here.
Lacework GCP Audit
Table name: lacework_gcp_audit
Lacework utilizes GCP Audit Logs to enhance security monitoring and threat detection across GCP environments. By analyzing these logs, Lacework can identify unusual activities, potential security risks, misconfigurations, and compliance violations within GCP projects.
Learn more here.
Lacework Azure Activity Logs
Table name: lacework_azure_activity_log
Lacework analyzes Azure Activity Logs for signs of suspicious activities and potential security threats, such as unauthorized access attempts, unusual API calls, or changes to network security groups. This continuous monitoring helps detect and mitigate threats early.
For the native schema by Lacework, see here.
Lacework Agent
Table name: lacework_agent
Lacework Agent is a continuous monitoring system that collects metadata about every process associated with network activity. Hunters supports all sub-datatypes the Lacework Agent produces. For the native schemas of these sub-datatypes, see the Agent dataset section here.
Send data to Hunters
Hunters supports the ingestion of Lacework logs via an intermediary AWS S3 bucket.
Follow this guide by Lacework for exporting events to an S3 bucket.
💡Tip
To ensure proper ingestion into Hunters, make sure the resulting structure in your S3 bucket matches the structure described in the linked Lacework docs. To examine the resulting structure in S3, see here.
Once the export is complete and the logs are collected in S3, follow the steps in this section.
📘Note
When onboarding Lacework using your own S3 bucket, follow Lacework's integration prerequisites and add the External ID to your bucket's policy.
When onboarding Lacework using a Hunters-hosted bucket, provide Hunters Support with the External ID so it can be added to the bucket policy on the Hunters side.
Expected format
Logs are expected in JSON format, one JSON object per line (NDJSON), as in the examples below.
Example - Lacework AWS CloudTrail
{"END_TIME":"Sun, 26 Sep 2021 00:00:00 -0700","ENTITY_MAP":{"CT_User":[{"KEY":{"account":"1234567890","mfa":0,"principalId":"11111111111","username":"AWSAccount/11111111111"},"PROPS":{"api_list":["GetBucketAcl"],"region_list":["us-east-1"]}}],"Region":[{"KEY":{"region":"us-east-1"},"PROPS":{"account_list":["1234567890"]}}]},"EVENT_ACTOR":"Aws","EVENT_ID":123456,"EVENT_MODEL":"AwsApiTracker","EVENT_TYPE":"NewAccount","START_TIME":"Sat, 25 Sep 2021 23:00:00 -0700"}
Example - Lacework GCP Audit
{"END_TIME":"Wed, 04 Jan 2023 05:00:00 -0800","ENTITY_MAP":{"CallerIpAddress":[{"KEY":{"ip_addr":"1.1.1.1"},"PROPS":{"location":{"city_name":"aaa","country_code":"AA","country_name":"III","region_name":"TTT"}}}],"GcpIdentity":[{"KEY":{"principal_email":"person@org.com"},"PROPS":{"project_list":[{"method_name":"v1.compute.regionBackendServices.patch","service_name":"compute.googleapis.com"},{"method_name":"v1.compute.regionTargetHttpsProxies.setSslCertificates","service_name":"compute.googleapis.com"}]}}],"GcpRegion":[{"KEY":{"region":"us-central2"},"PROPS":{}}],"Method":[{"KEY":{"method_name":"v1.compute.regionBackendServices.patch","service_name":"compute.googleapis.com222","severity":"NOTICE"},"PROPS":{"last_seen_time":"1672838144000","service_list":[{"organization_id":"","project_id":"1111","service":"compute.googleapis.com"}]}},{"KEY":{"method_name":"v1.compute.regionTargetHttpsProxies.setSslCertificates","service_name":"compute.googleapis.com","severity":"NOTICE"},"PROPS":{"last_seen_time":"1672838144000","service_list":[{"organization_id":"","project_id":"1111","service":"compute.googleapis.com"}]}}],"Project":[{"KEY":{"organization_id":"","project_id":"1111"},"PROPS":{}}]},"EVENT_ACTOR":"GcpAuditTrail","EVENT_ID":33333,"EVENT_MODEL":"GcpApiTracker","EVENT_TYPE":"GcpServiceAccessedInRegion","START_TIME":"Wed, 04 Jan 2023 04:00:00 -0800"}
Example - Lacework Azure Activity
{"END_TIME":"Thu, 06 Oct 2022 12:00:00 -0700","ENTITY_MAP":{"AzureApiCallerIpAddress":[{"KEY":{"entity_kind":"caller_ip_address","entity_value":"1.1.1.1"},"PROPS":{"ctype":"ghjk3456ghjk3456","entity":"lkjh567lkjh567","eventCategory":"Administrative","operationName":"WRITE","principalId":"aaaa66666","providerName":"MICROSOFT.INSIGHTS","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ffee"}},{"KEY":{"entity_kind":"caller_ip_address","entity_value":"1.1.1.1"},"PROPS":{"ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","operationName":"WRITE","principalId":"aaaa66666","providerName":"insights","resourceId":"\/SUBSCRIPTIONS\/AA11-SS22-DD33-FF44\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"ggg555-fff444-ddd333-ss234"}}],"AzureApiOperationName":[{"KEY":{"entity_kind":"operation_name","entity_value":"WRITE"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","principalId":"lkjh0987lkjh0987","providerName":"insights","resourceId":"\/SUBSCRIPTIONS\/HHH666-GGG555-FFF444-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"SDFG-09SDFG-09DFG-09"}},{"KEY":{"entity_kind":"operation_name","entity_value":"WRITE"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"hjk2l345hjkl345","entity":"asd5678asd5678asd","eventCategory":"Administrative","principalId":"098a7sdf0987sdf","providerName":"MICROSOFT.INSIGHTS","resourceId":"\/SUBSCRIPTIONS\/AA11-SS22-DD33-FF44\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"hjkl4567hjkl4567"}}],"AzureApiPrincipalId":[{"KEY":{"entity_kind":"principal_id","entity_value":"asdf7890asdf7890asdf7890"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"asdf7890asdf7890asdf7890","entity":"asdf7890asdf7890asdf7890","eventCategory":"Administrative","operationName":"WRITE","providerName":"MICROSOFT.INSIGHTS","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}},{"KEY":{"entity_kind":"principal_id","entity_value":"asdf7890asdf7890asdf7890"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","operationName":"WRITE","providerName":"insights","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}}],"AzureApiResourceId":[{"KEY":{"entity_kind":"resource_id","entity_value":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"insights","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}},{"KEY":{"entity_kind":"resource_id","entity_value":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"asdf7890asdf7890asdf7890","entity":"asdf7890asdf7890asdf7890","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"MICROSOFT.INSIGHTS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}}],"AzureApiResourceType":[{"KEY":{"entity_kind":"resource_type","entity_value":"EXTENDEDDIAGNOSTICSETTINGS"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"insights","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}},{"KEY":{"entity_kind":"resource_type","entity_value":"EXTENDEDDIAGNOSTICSETTINGS"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"asdf7890asdf7890asdf7890","entity":"asdf7890asdf7890asdf7890","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"MICROSOFT.INSIGHTS","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}}],"AzureApiResultType":[{"KEY":{"entity_kind":"result_type","entity_value":"Success"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"asdf7890asdf7890asdf7890","entity":"asdf7890asdf7890asdf7890","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"MICROSOFT.INSIGHTS","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}},{"KEY":{"entity_kind":"result_type","entity_value":"Success"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"insights","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","severity":0,"subscriptionName":"mabad-mabad","tenantName":"aa11-ss22-dd33-ff44"}}],"AzureApiTenantName":[{"KEY":{"entity_kind":"tenant_name","entity_value":"aa11-ss22-dd33-ff44"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"asdf7890asdf7890asdf7890","entity":"asdf7890asdf7890asdf7890","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"MICROSOFT.INSIGHTS","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad"}},{"KEY":{"entity_kind":"tenant_name","entity_value":"aa11-ss22-dd33-ff44"},"PROPS":{"callerIpAddress":"1.1.1.1","ctype":"insights","entity":"MICROSOFT.INSIGHTS","eventCategory":"Administrative","operationName":"WRITE","principalId":"asdf7890asdf7890asdf7890","providerName":"insights","resourceId":"\/SUBSCRIPTIONS\/AAA111-SSS222-DDD333-FFF444\/RESOURCEGROUPS\/PROD-mabad-mabad\/PROVIDERS\/MICROSOFT.NETWORK\/NETWORKSECURITYGROUPS\/PROD-COSIGNER-SECURITY-GROUP\/PROVIDERS\/MICROSOFT.INSIGHTS\/EXTENDEDDIAGNOSTICSETTINGS\/FLOWLOGS","resourceType":"EXTENDEDDIAGNOSTICSETTINGS","resultType":"Success","severity":0,"subscriptionName":"mabad-mabad"}}]},"EVENT_ACTOR":"AzureActivityLog","EVENT_ID":76501,"EVENT_MODEL":"AzureApiTracker","EVENT_TYPE":"NewAzureService","START_TIME":"Thu, 06 Oct 2022 11:00:00 -0700"}
Example - Lacework Agent (sub-datatype: users_login)
{"ACTIVITY_TIME":"Mon, 15 Mar 2021 17:42:23 -0700","ACTIVITY_TYPE":"LOGIN","CREATED_TIME":"Tue, 05 Jul 2022 19:38:52 -0700","MID":540,"SOURCE_IP_ADDR":"0.0.0.0","UID":1234567,"USERNAME":"user1"}
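The Tip above asks you to confirm the exported structure before ingestion. The following added example (not Hunters' or Lacework's own code) is a pre-flight check for one NDJSON export file: it verifies that every line is a JSON object with the top-level keys the samples on this page show for each table, that the RFC 2822-style timestamps parse, and it counts the ENTITY_MAP rows the event would expand into. The required-key sets are assumptions derived from this page's samples; the sample input is constructed here (the first line is the page's CloudTrail example, the others are deliberately broken).

```python
"""Pre-ingestion sanity check for Lacework NDJSON exports (added example)."""
import json
from email.utils import parsedate_to_datetime

# Required top-level keys per Hunters table. Assumed from this page's samples:
# cloud-audit events share one shape, the agent users_login record another.
_AUDIT_KEYS = {"START_TIME", "END_TIME", "EVENT_TYPE", "EVENT_MODEL",
               "EVENT_ACTOR", "ENTITY_MAP"}
REQUIRED = {
    "lacework_aws_cloudtrail": _AUDIT_KEYS,
    "lacework_gcp_audit": _AUDIT_KEYS,
    "lacework_azure_activity_log": _AUDIT_KEYS,
    "lacework_agent": {"ACTIVITY_TIME", "ACTIVITY_TYPE", "MID"},
}


def parse_time(value):
    """Lacework writes timestamps like 'Sun, 26 Sep 2021 00:00:00 -0700'."""
    return parsedate_to_datetime(value)


def validate_line(table, line):
    """Return (record, error); error is None when the line is acceptable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, f"not JSON: {exc.msg}"
    if not isinstance(rec, dict):
        return None, "not a JSON object"
    missing = REQUIRED[table] - rec.keys()
    if missing:
        return None, "missing keys: " + ", ".join(sorted(missing))
    time_keys = ("START_TIME", "END_TIME") if "END_TIME" in rec else ("ACTIVITY_TIME",)
    for key in time_keys:
        try:
            parse_time(rec[key])
        except (TypeError, ValueError):  # older Pythons raise TypeError here
            return None, f"bad timestamp in {key}"
    if "END_TIME" in rec and parse_time(rec["END_TIME"]) < parse_time(rec["START_TIME"]):
        return None, "END_TIME before START_TIME"
    return rec, None


def flatten_entities(rec):
    """One row per ENTITY_MAP entry: (entity_type, KEY dict, PROPS dict)."""
    rows = []
    for entity_type, entries in rec.get("ENTITY_MAP", {}).items():
        for entry in entries:
            rows.append((entity_type, entry.get("KEY", {}), entry.get("PROPS", {})))
    return rows


def check_export(table, ndjson_text):
    """Validate every non-empty line of one export file and summarise."""
    valid, errors, entity_rows = 0, [], 0
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        rec, err = validate_line(table, line)
        if err:
            errors.append((lineno, err))
            continue
        valid += 1
        entity_rows += len(flatten_entities(rec))
    return {"valid": valid, "errors": errors, "entity_rows": entity_rows}


# Constructed sample file: line 1 is this page's CloudTrail example,
# line 2 is truncated JSON, line 3 lacks EVENT_TYPE/EVENT_MODEL.
SAMPLE_NDJSON = "\n".join([
    '{"END_TIME":"Sun, 26 Sep 2021 00:00:00 -0700","ENTITY_MAP":{"CT_User":[{"KEY":'
    '{"account":"1234567890","mfa":0,"principalId":"11111111111","username":'
    '"AWSAccount/11111111111"},"PROPS":{"api_list":["GetBucketAcl"],"region_list":'
    '["us-east-1"]}}],"Region":[{"KEY":{"region":"us-east-1"},"PROPS":{"account_list":'
    '["1234567890"]}}]},"EVENT_ACTOR":"Aws","EVENT_ID":123456,"EVENT_MODEL":'
    '"AwsApiTracker","EVENT_TYPE":"NewAccount","START_TIME":"Sat, 25 Sep 2021 23:00:00 -0700"}',
    '{"END_TIME":"Sun, 26 Sep 2021 00:00:00 -0700"',
    '{"END_TIME":"Sun, 26 Sep 2021 00:00:00 -0700","START_TIME":"Sat, 25 Sep 2021 '
    '23:00:00 -0700","EVENT_ACTOR":"Aws","ENTITY_MAP":{}}',
])
AGENT_LINE = ('{"ACTIVITY_TIME":"Mon, 15 Mar 2021 17:42:23 -0700","ACTIVITY_TYPE":"LOGIN",'
              '"CREATED_TIME":"Tue, 05 Jul 2022 19:38:52 -0700","MID":540,'
              '"SOURCE_IP_ADDR":"0.0.0.0","UID":1234567,"USERNAME":"user1"}')

if __name__ == "__main__":
    print(check_export("lacework_aws_cloudtrail", SAMPLE_NDJSON))
    print(validate_line("lacework_agent", AGENT_LINE)[1])
```

Run it against a file pulled from the export bucket before the Hunters connection is created; any line listed under errors would not land in the expected table.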