Overview

Lacework is a data-driven security platform for the cloud that collects and analyzes logs and telemetry from the major cloud providers (AWS, Azure, GCP, etc.).

Hunters supports ingesting Lacework data into the data lake, presenting Lacework alerts in the Hunters portal, and correlating them with related signals.

Supported Data Types

  • Lacework AWS Cloudtrail - alerts raised by Lacework over AWS CloudTrail logs. For Lacework's native schema, see here.

Sending Data to Hunters

To send Lacework data to Hunters, follow Lacework's guide for exporting events to an S3 bucket; the resulting structure in S3 is described here.

After following the guide, grant Hunters access to the resulting bucket and share the relevant access keys with the Hunters team.

An example of the expected file format as exported by Lacework:

Lacework AWS Cloudtrail example file

{
  "END_TIME": "Sun, 26 Sep 2021 00:00:00 -0700",
  "ENTITY_MAP": {
    "CT_User": [
      {
        "KEY": {
          "account": "1234567890",
          "mfa": 0,
          "principalId": "11111111111",
          "username": "AWSAccount/11111111111"
        },
        "PROPS": {
          "api_list": ["GetBucketAcl"],
          "region_list": ["us-east-1"]
        }
      }
    ],
    "Region": [
      {
        "KEY": { "region": "us-east-1" },
        "PROPS": { "account_list": ["1234567890"] }
      }
    ]
  },
  "EVENT_ACTOR": "Aws",
  "EVENT_ID": 123456,
  "EVENT_MODEL": "AwsApiTracker",
  "EVENT_TYPE": "NewAccount",
  "START_TIME": "Sat, 25 Sep 2021 23:00:00 -0700"
}
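To show how a record in this format is consumed on the receiving side, here is an added Python example (not Hunters' or Lacework's own code) that parses the sample event above, normalizes the RFC 2822-style START_TIME/END_TIME values to UTC so they can be lined up with CloudTrail's eventTime, flattens ENTITY_MAP into one row per entity, and picks out CT_User entities that acted without MFA. The sample record is the one from the page with its placeholder IDs; the assumption that an export file holds one JSON object per line is the author's and is marked in the code.

```python
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Sample record copied from the example file above (placeholder IDs as on the page).
SAMPLE_EVENT = (
    '{"END_TIME":"Sun, 26 Sep 2021 00:00:00 -0700","ENTITY_MAP":{"CT_User":[{"KEY":'
    '{"account":"1234567890","mfa":0,"principalId":"11111111111","username":'
    '"AWSAccount/11111111111"},"PROPS":{"api_list":["GetBucketAcl"],"region_list":'
    '["us-east-1"]}}],"Region":[{"KEY":{"region":"us-east-1"},"PROPS":{"account_list":'
    '["1234567890"]}}]},"EVENT_ACTOR":"Aws","EVENT_ID":123456,"EVENT_MODEL":'
    '"AwsApiTracker","EVENT_TYPE":"NewAccount","START_TIME":"Sat, 25 Sep 2021 23:00:00 -0700"}'
)


def parse_lacework_time(value: str) -> datetime:
    """START_TIME/END_TIME use an RFC 2822-style date with a numeric offset.
    Parse it and convert to UTC so it compares cleanly with CloudTrail eventTime."""
    return parsedate_to_datetime(value).astimezone(timezone.utc)


def flatten_entities(event: dict) -> list:
    """Turn ENTITY_MAP (entity type -> list of {KEY, PROPS}) into flat rows,
    prefixing KEY and PROPS fields so they never collide."""
    rows = []
    for entity_type, entries in event.get("ENTITY_MAP", {}).items():
        for entry in entries:
            row = {"event_id": event["EVENT_ID"], "entity_type": entity_type}
            row.update({f"key.{k}": v for k, v in entry.get("KEY", {}).items()})
            row.update({f"props.{k}": v for k, v in entry.get("PROPS", {}).items()})
            rows.append(row)
    return rows


def users_without_mfa(event: dict) -> list:
    """Usernames of CT_User entities whose KEY.mfa is 0 (no MFA on the session)."""
    return [
        u["KEY"]["username"]
        for u in event.get("ENTITY_MAP", {}).get("CT_User", [])
        if u.get("KEY", {}).get("mfa") == 0
    ]


def normalise_event(raw: str) -> dict:
    """Parse one exported Lacework event into a normalized dict."""
    event = json.loads(raw)
    start = parse_lacework_time(event["START_TIME"])
    end = parse_lacework_time(event["END_TIME"])
    return {
        "event_id": event["EVENT_ID"],
        "event_type": event["EVENT_TYPE"],
        "event_model": event["EVENT_MODEL"],
        "actor": event["EVENT_ACTOR"],
        "start_utc": start.isoformat(),
        "end_utc": end.isoformat(),
        "window_seconds": int((end - start).total_seconds()),
        "entities": flatten_entities(event),
        "no_mfa_users": users_without_mfa(event),
    }


def load_export(text: str) -> list:
    """ASSUMPTION (not stated on the page): an export file holds one JSON
    object per line. Blank lines are skipped."""
    return [normalise_event(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for ev in load_export(SAMPLE_EVENT + "\n"):
        print(json.dumps(ev, indent=2))
```

The flattened rows are what you would load into a table keyed on EVENT_ID, and the `no_mfa_users` list is the kind of derived field worth carrying into correlation, since the example event shows an account-level principal calling GetBucketAcl with `mfa: 0`.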