Overview

Lacework is a data-driven security platform for the cloud that collects and analyzes logs and telemetry for the main cloud vendors (AWS, Azure, GCP, etc.).

Hunters supports ingesting Lacework data into the data lake, presenting Lacework alerts in the Hunters portal, and correlating them with related signals.

Supported Data Types

  • Lacework AWS Cloudtrail - alerts generated by Lacework over AWS CloudTrail logs. For Lacework's native schema, see here.

  • Lacework Agent - a continuous monitoring system that collects and monitors metadata of all processes associated with network activity. We support all of the Lacework Agent sub-datatypes. For the native schemas of all the sub-datatypes, see the Agent dataset section here.

Sending Data to Hunters

To send Lacework data to Hunters, follow the Lacework guide for exporting events to an S3 bucket; to see the resulting structure in S3, see here. To ensure proper ingestion into Hunters, make sure that the structure in your S3 bucket matches the structure shown in the linked Lacework docs.

After following the guide, please share access to the resulting bucket with Hunters and share the relevant access keys with the Hunters team.

An example of the expected file format as exported by Lacework for the Lacework AWS Cloudtrail datatype:

Lacework AWS Cloudtrail example file

{"END_TIME":"Sun, 26 Sep 2021 00:00:00 -0700","ENTITY_MAP":{"CT_User":[{"KEY":{"account":"1234567890","mfa":0,"principalId":"11111111111","username":"AWSAccount/11111111111"},"PROPS":{"api_list":["GetBucketAcl"],"region_list":["us-east-1"]}}],"Region":[{"KEY":{"region":"us-east-1"},"PROPS":{"account_list":["1234567890"]}}]},"EVENT_ACTOR":"Aws","EVENT_ID":123456,"EVENT_MODEL":"AwsApiTracker","EVENT_TYPE":"NewAccount","START_TIME":"Sat, 25 Sep 2021 23:00:00 -0700"}

An example of the expected file format as exported by Lacework for the Lacework Agent datatype (sub-datatype users_login in this case):

Lacework agent users_login example file

{"ACTIVITY_TIME":"Mon, 15 Mar 2021 17:42:23 -0700","ACTIVITY_TYPE":"LOGIN","CREATED_TIME":"Tue, 05 Jul 2022 19:38:52 -0700","MID":540,"SOURCE_IP_ADDR":"0.0.0.0","UID":1234567,"USERNAME":"user1"}