Welcome to our community

Grant Martin, Community Manager
New continuous visibility capabilities and codsec updates from Lacework

New updates to Lacework’s platform this week help create better continuous visibility for customers:

Continuous Threat Exposure Management (CTEM)

The Lacework platform’s CTEM functionality offers continuous visibility into cloud resources, delivering event-driven architecture. This cutting-edge technology allows security teams to detect and manage risks in real time, reducing the mean time to remediate and enhancing overall security posture.

Lacework’s code security features have also been improved:

  • Smart Fix: Integrated with the Software Composition Analysis (SCA) tools from Lacework, Smart Fix for third-party software streamlines remediation by automatically determining the optimal upgrade path for vulnerable dependencies at the package level. This dramatically reduces the workload for developers and enhances the security of cloud applications.
  • Secrets detection + static application security testing (SAST): Beyond SCA, new tools from Lacework now offer powerful detection capabilities th

810
Grant Martin
2 months ago
Grant Martin, Community Manager
Lacework News and Notes
Lacework joins forces with Fortinet

We’ve got some exciting news for the Lacework Community

We’re thrilled to announce that Lacework has entered into a definitive agreement to be acquired by Fortinet. This marks a significant milestone in our journey to revolutionize cloud security.

Check out our blog to read the full story.

What’s this mean for you?

  • Enhanced security solutions: By combining our AI-powered cloud security innovations with Fortinet’s comprehensive solutions, we’ll bring even more robust protection for your cloud environments
  • Global reach: Fortinet’s extensive resources and global scale will help us serve you better and bring our solutions to a broader audience
  • Continued innovation: We’ll continue to focus on pioneering technologies like machine learning and AI while enhancing the product you’ve come to know and love

A big thank you to our customers and community. Your trust and feedback along the way have been invaluable in helping us shape our company and our product. This acquisition is a celebration of our p

0
Grant Martin
2 months ago
jbonner, Lacer
Practitioner Tools (API/CLI /LQL)
Is there a visual representation / map of all available table joins for LQL/LPP data sources?

For us visual learners 😎

Agent: N/A; Platform: Current; Cloud: N/A

1
A
Lacer
2 months ago
abenesh, Lacer
Practitioner Tools (API/CLI /LQL)
Visualising LQL Datasources

LQL has a ton of Datasources that can be queried in a plethora of ways. Some of these Datasources are even related to each other.

When faced with the challenge of building a custom LQL Query, I’ve built a little tool that helps you find these Datasources and their relationships in a visual way.

You can also search for keywords and highlight the Datasource Neighbors:

Hovering over one of the Sources and clicking the link takes you to the respective Datasource documentation.

Since each tenant might have a different set of Datasources available, there is no public Datasource Map available, which is why you’ll need to run a quick Python script to create your individual graph.

Usage is very simple:

    pip install laceworksdk pyvis
    python datasource_visualizer.py --profile your-lacework-cli-profile

Your browser will open up the Map after a few seconds. It’ll be an HTML file you can reference whenever you need to look something up.

No need to run the script every time. This is just needed when dataso

0
A
Lacer
2 months ago
Grant Martin, Community Manager
Lacework News and Notes
Join us at a Lacework NYSE CISO event: June 13, 2024

Security peers:

On June 13, 2024, Lacework is hosting a CISO networking event at the New York Stock Exchange in New York, New York.

The free event is focused on elevating cybersecurity expertise in the boardroom; attendees will have the opportunity to:

  • Hear from a panel of seasoned board members who understand the critical role of cybersecurity representation
  • Learn how to enhance your personal brand and position yourself as a board-ready candidate
  • Discover strategies to overcome common challenges in securing a board position
  • Acquire practical tips and advice for conducting a successful board role search
  • Connect with fellow CISOs during our networking mixer

We’d love to have you. Please register for the event here.

0
Grant Martin
2 months ago
Grant Martin, Community Manager
Introducing Lacework Edge

Lacework Edge, an innovative solution for data-driven security service edge (SSE), launches this week to provide secure, optimal connectivity from any user or device to the internet at large. Edge users will benefit from:

  • Secure access to private applications: Zero-trust access to all internal and SaaS applications, replacing VPNs for legacy apps and optimizing for the cloud to offer improved performance, cost savings, and streamlined management.
  • Web security: Secure web gateway capabilities with DNS reputation and malware detection, reducing cyber-attack risks and increasing productivity by enforcing web filtering policies.
  • Data security: Monitors documents within ecosystems like Microsoft Office365, Google Workspace, and Dropbox, ensuring the protection of sensitive information, regulatory compliance, and efficient workflows.

More on this new capability from Lacework is available in the Lacework newsroom or on the Lacework blog. Reach out to your account team for a demo.

910
Grant Martin
2 months ago
steven.soranno, Lacer
General Platform Administration and Configuration
How to set up Okta SAML JIT for a single account in Lacework?

General Instructions for setup:

Complete the steps in the following documentation in order to set up an App Integration in Okta with all the Lacework Service Provider information.

Note: In following the above instructions make sure to add the following required attribute statements to the App Integration for JIT access:

If you are using a Lacework Organization with multiple accounts, additional attribute statements must also be added for Organization level roles.

  • Lacework Organization Admin Role
  • Lacework Organization User Role

For more information about attribute statements, reference the following documentation: https://docs.lacework.net/onboarding/configure-saml-jit-with-okta

Once the App integration is created in Okta with all the correct attribute statements, select the "View SAML setup instructions" option to view the SAML app details.

Log back into Lacework and add these IDP metadata details to the Lacework Authentication page. Navigate back to

0
S
Lacer
2 months ago
Grant Martin, Community Manager
New context panels and Composite Alerts for Kubernetes and potential penetration tests

Incident responders are constantly sifting through alerts from multiple security tools to determine the priority and authenticity of potential threats. Recognizing this challenge, Lacework has introduced several enhancements aimed at saving time for security teams.

Lacework's recent automation of Composite Alerts for Kubernetes (K8s) is designed to detect early signs of user and service account credential compromises — common vulnerabilities in the widely exposed K8s clusters. Moreover, the addition of Context Panels simplifies the alert review process by providing crucial details in a single, consolidated view, streamlining investigations and decision-making.

Beyond the typical response to security vulnerabilities, Lacework is taking proactive measures to address risks before they escalate. Their approach focuses on anomaly detection, which plays a crucial role during the critical window before vulnerabilities like xz-utils are publicly known. This preemptive strategy ensures that

970
Grant Martin
3 months ago
Grant Martin, Community Manager
Lacework Smart Fix: The smart way to remediate cloud risks

Smart Fix, a new feature from Lacework, allows developers to focus on what they do best: building and innovating. Smart Fix combines the unparalleled speed and accuracy of Lacework code security with automatic remediation for third-party code vulnerabilities, making it easier than ever to deliver secure code fast. Check out the Smart Fix blog post and press release to learn more.

1140
Grant Martin
3 months ago
therockvalley, Participant
Cloud Workload Security
Has anyone figured out a way to create resource groups based on pod labels?

I’m trying to create container resource groups based on pod labels, but these do not seem to be available.

In specific I want to be able to create resource groups and queries based on the output of:

    kubectl get pod my_pod -n my_namespace -o=jsonpath='{.metadata.labels}'

Below is an example of what I would like to do in query terms:

    filter { containers.PROPS_LABELS["my_pod_label_key"] = "my_pod_label_value" }

(this won’t actually work afaik, just an illustration of what I’m after)

Seems like a rather obvious thing to be able to do. Wondering if there is an apparent trick I’m missing.

Agent: N/A; Platform: Tuning Lacework/Customization; Cloud: N/A

4
scott.russell
3 months ago
steven.soranno, Lacer
Practitioner Tools (API/CLI /LQL)
How can I identify and list all security groups associated with ECS fargate tasks?

In AWS all ECS fargate tasks run in the “awsvpc” networking mode which means that each task gets its own Elastic Network Interface (ENI). Since each task gets an ENI, this means that a security group must also be attached to the task and we can search for this security group id using LQL. The query below will filter for any network interface that is associated to an ECS task and will return the security group associated to that ENI.

    queryId: LWCustomCompliance_ECS_fargate_security_groups
    queryText: |-
      {
        source {
          LW_CFG_AWS_EC2_NETWORK_INTERFACES as interface,
          array_to_rows(interface.RESOURCE_CONFIG:Groups) as groups
        }
        filter {
          RESOURCE_ID::String in {
            source {
              LW_CFG_AWS_ECS_DESCRIBE_TASKS as task,
              array_to_rows(task.RESOURCE_CONFIG:attachments) as attachments,
              array_to_rows(attachments:details) as details
            }
            filter {
              details:value::String like any("eni-%")
            }
            return {

0
S
Lacer
3 months ago
scott.russell, Community Manager
General Platform Administration and Configuration
What does "Close as False Positive" button actually do?

A lot of you may have noticed a button appearing on your alerts that says "Close as False Positive." But what does it actually do? Well, let me tell ya! For our reference, this is the button I'm referring to: So what does it do? Well, I'm sure you've probably clicked it thinking that it would prevent that type of alert from showing up again (believe me, I did the same thing). But that's not exactly what it does. When you click "Close as False Positive," you're essentially closing the alert in the same way you would if you clicked the "Close" button. The only difference is that when you click "Close as False Positive," you're actually providing Lacework with some extra feedback. This feedback is then sent to our ML/data team for further analysis. At which point they can make adjustments to the detection engine based on that feedback. That's all good and dandy, but what if I want to prevent that type of alert from showing up again? Well, in that case, you'll want to create exceptions for

0
scott.russell
4 months ago
steven.soranno, Lacer
Vulnerability Management
How to set up the Lacework Proxy Scanner to integrate with a Sonatype Nexus Registry with multiple repositories?

Instructions for how to create a proxy scanner integration can be found in the following documentation. However, it is important to note that the example config.yml provided in the "Configure the Proxy Scanner" section is intended for a connection to a single Nexus repository with one domain/port. If there is a need to have the proxy scanner scan multiple repositories, the config.yml file for the proxy scanner needs to have multiple registry domains, one for each repository, since in Nexus, repositories are configured and run on separate ports. An example of a proxy scanner config.yaml file for multiple repositories can be found below.

    scan_public_registries: false
    static_cache_location: /opt/lacework/cache
    default_registry:
    lacework:
      account_name: lacework-account
      integration_access_token: ****
    registries:
      - domain: NEXUS-FQDN:<port>
        name: NEXUS1
        ssl: true
        is_public: false
        credentials:
          user_name: "userinregistry"
          password: "*****"
        notification_type:

0
S
Lacer
4 months ago
CSA Team, Community Manager
Cloud Management Security (CSPM, IaC Security, UEBA)
What are the differences between Lacework and GCP's Cloud Asset Inventory?

If this is you:

I’ve recently come across one of Google Cloud’s offerings, Cloud Asset Inventory, and I’m curious what the difference is between that and what Lacework has to offer?

Then check out the answer below!

Agent: N/A; Platform: Using Lacework/Operationalizing; Cloud: GCP

1
C
4 months ago
steven.soranno, Lacer
Practitioner Tools (API/CLI /LQL)
How can I pull Kubernetes Compliance report data via the Lacework API?

The following Lacework API endpoint, “/api/v2/Configs/ComplianceEvaluations/search”, will enable you to export Kubernetes Compliance report data in json format. Below is an example using this endpoint to pull all Kubernetes Compliance data for a set timeframe. When using this endpoint, ensure that the payload has dataset set to “K8sCompliance” to filter out any CSP compliance data.

    lacework api post "/api/v2/Configs/ComplianceEvaluations/search" -d '{
      "timeFilter": {
        "startTime": "2024-03-12T20:30:00Z",
        "endTime": "2024-03-13T22:30:00Z"
      },
      "dataset": "K8sCompliance"
    }'

The output of this command will be a json array of objects detailing all the Kubernetes Compliance Violations with each object looking similar to the example below:

    {
      "account": {
        "AccountId": "XXXXXXXXXXXX",
        "accountId": "XXXXXXXXXXXX"
      },
      "evalType": "LW_K8S_SA",
      "id": "lacework-global-315",
      "reason": "EKS cluster does not have all logging categories enabled",
      "recommendation":

0
S
Lacer
4 months ago
steven.soranno, Lacer
Cloud Management Security (CSPM, IaC Security, UEBA)
When investigating an identity in the identities dossier, how can I determine what AWS IAM policy a specific permission is a part of in AWS?

When reviewing an identity in the identity explorer, it is possible to export all entitlements tied to the identity being reviewed. From this export additional fields can be seen, one of which is the policy that each action is a part of along with the role/user it is attached to. To export an entitlements list as a CSV follow the below steps:

  • Navigate to Identities > Explore: Identities, select the identity that you want to investigate.
  • Select the Entitlements tab to display all the entitlements that identity has and select the service you want to export.
  • Once the service is selected, click the download icon to download the csv export which includes the policy name in column F.

Example CSV Output:

Principal ID Account ID Account Alias Service name Resource Policy name Updated time Actions Used Last Used Revoked Condition arn:aws:iam::XXXXXXXXXXXX:root XXXXXXXXXXXX

0
S
Lacer
5 months ago
craigbeyerjr, Lacer
General Platform Administration and Configuration
Can I customize Jira tickets created by Lacework alerts?

Yes, absolutely! If your organization configured Jira as a Lacework Alert Channel, you can easily apply a custom template. In this post, we will develop a custom Jira template that will accomplish the following:

  • Map the severity of Lacework Alerts to Jira's severity field
  • Customize the default Summary field naming convention

Several of our customers take advantage of custom templates to override a variety of other default Jira settings. You can learn more about custom Jira templates here.

To develop a custom Jira template, start by creating a .json file and copy/paste the following json content.

    {
      "fields": {
        "summary": "Lacework - $event_severity_str - $event_type"
      },
      "severity": {
        "Critical": { "id": "1" },
        "High": { "id": "2" },
        "Medium": { "id": "3" },
        "Low": { "id": "4" },
        "Info": { "id": "5" }
      }
    }

In the above template, we are renaming the J

0
C
Lacer
5 months ago

Getting Started

All of the basics to get started in the Lacework Community

Community Welcome and Guidelines

  • 4 topics
  • 21 Replies

General Platform Administration and Configuration

  • 22 topics
  • 19 Replies

Lacework News and Notes

  • 14 topics
  • 1 Reply

General Security Discussion

Discussion and thought leadership on the cloud security industry

What's Next in Security

  • 1 topic
  • 1 Reply

Cloud Security In Practice

  • 5 topics
  • 9 Replies

Hack'd Resources

  • 1 topic
  • 1 Reply

Lacework Platform Q&A

Specific questions and discussions related to Lacework and cloud security environments

Vulnerability Management

  • 8 topics
  • 10 Replies

Cloud Workload Security

  • 8 topics
  • 10 Replies

Cloud Management Security (CSPM, IaC Security, UEBA)

  • 9 topics
  • 5 Replies

Practitioner Tools (API/CLI /LQL)

  • 10 topics
  • 6 Replies

Alert Investigation

  • 2 topics
  • 1 Reply

Recently awarded badges

  • scott.russell has earned the badge Customer Success Architect
  • craigbeyerjr has earned the badge Customer Success Architect
  • steven.soranno has earned the badge Customer Success Architect
  • Ahmed Abugharbia has earned the badge Customer Success Architect
  • arrlace has earned the badge Customer Success Architect

Cloud Detection and Response: Market Growth as an Enterprise Requirement

Read the new report from the Enterprise Strategy Group (ESG) that surveys nearly 400 cybersecurity and IT professionals and puts cloud detection and response (CDR) under the microscope.
