openapi: 3.0.3 info: title: Lacework API 2.0 Documentation description: >- The Lacework API documentation is available directly from your Lacework application at the following URI: `https://YourLacework.lacework.net/api/v2/docs`, where `YourLacework` is your Lacework application. No login to the Lacework Console is required. However, there is a link to the Lacework API 2.0 documentation from the Lacework Console. From the **Help** drop-down, select **API 2.0 Documentation**. All the Lacework API operations listed below require an API Access Token to allow access to the Lacework API. For more information about getting a temporary API Access Token to pass into these operations as a header, see https://www.laceworkplatform.com/generate-api-access-keys-and-tokens. You can run the Lacework APIs using your favorite REST API tools such as curl or Postman. Example curl commands are listed in the API 2.0 documentation provided by the **Help** > **API** 2.0 Documentation menu option in the Lacework Console. You can also run the Lacework API from the **Lacework CLI**. For more information, see [Get Started with the Lacework CLI](https://www.laceworkplatform.com/cli). termsOfService: https://www.laceworkplatform.com/terms-of-use/ contact: name: Lacework, Inc. url: https://www.laceworkplatform.com/contact email: info@lacework.net license: name: Lacework Use License url: https://www.laceworkplatform.com/terms-of-use/ version: '2.0' tags: - name: OVERVIEW x-displayName: Overview description: |-

Conventions

1. **Parameters:** Parameters follow the JSON conventions, i.e., camelcase or lowerCamelcase notation, for all parameter names in the query, request and response bodies, for example, `startTime`, `endTime`. 2. **Data Types:** For the constant types of data sets, integrations, assets, and other resources, the convention is to use UpperCamelcase notation, for example, `AlertChannels`, `AuditLogs`, `CloudActivities`. 3. **Response Schema:** A successful response returns either the HTTP 200 or 201 Status Code and a top-level property called `data`, which contains the result in the JSON format. A response returning the HTTP 4xx or 5xx Status Code returns the top-level property called `message`, which contains an error message. 4. `additionalProperties` **Keyword**: For all response schemas, the `additionalProperties` keyword is set to `true`. This means additional fields or properties can be added to responses in the future. For information about the `additionalProperties` keyword, see the [JSON Schema online documentation](http://json-schema.org/understanding-json-schema/reference/object.html#additional-properties).

Simple & Advanced Search

The Lacework API provides simple and advanced searches for retrieving information. For simple searches, specify a HTTP GET method with simple query parameters, for example, `startTime`, `endTime`. For advanced searches, specify a HTTP POST method with filters in the request body. There are 16 filter types consisting of 7 pairs and 2 unique operators that are similar to the SQL comparison operators for database queries. The 7 pairs are: * The `eq` operator allows you to specify a value that the field values of the result must be equal to. The `ne` operator means not equal to. Note the `value` field of the `filters` must be used; the `values` field of the `filters` cannot be used for `eq` and `ne`. * The `in` operator allows you to specify multiple values in the `values` field of the `filters`. The field values of the result must match one of the values. The `not_in` operator is the opposite of `in`. Note the `value` field of the `filters` cannot be used for `in` and `not_in`. * The `like` operator allows you to specify a pattern that the field values of the result must match. The `not_like` operator is the opposite of `like`. Note the `values` field of the `filters` cannot be used for `like` and `not_like`. * The `ilike` operator works similar to `like` but it makes the match case insensitive. The `not_ilike` operator is the opposite of `ilike`. Note the `values` field of the `filters` cannot be used for `ilike` and `not_ilike`. * The `rlike` operator matches the specified pattern represented by regular expressions (more info on [RLIKE — Snowflake Documentation](https://docs.snowflake.com/en/sql-reference/functions/rlike.html)). The `not_rlike` operator is the opposite of `rlike`. Note the `values` field of the `filters` cannot be used for `rlike` and `not_rlike`. * The `gt` operator allows you to specify a value that the field values of the result must be `greater than`. The `lt` (less-than) operator is the opposite of `gt`. Note the `values` field of the `filters` cannot be used for `gt` and `lt`. * The `ge` operator allows you to specify a value that the field values of the result must be `greater than or equal to`. The `le` (less-than-or-equal-to) operator is the opposite of `ge`. Note the `values` field of the `filters` cannot be used for `ge` and `le`. The 2 unique operators are: * The `between` operator allows you to specify a range that the field values of the result must be within. The specified upper boundary must be larger/greater than the lower boundary. The two values of upper and lower boundaries must be set in the `values` field of the `filters`. Note the `value` field of the `filters` cannot be used for `between`. * The `expr` operator is reserved for future use.

Date & Time Formats

For date and time parameters, the time zone is always UTC and the following formats are supported: * `yyyy-MM-dd` for example, `2020-12-18` * `yyyy-MM-ddTHH` for example, `2020-12-18T08` * `yyyy-MM-ddTHH:mm:ssZ` for example `2020-12-18T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2020-12-18T08:00:00.000Z`

Organization Level Access

An organization may have a primary account and multiple sub-accounts. If an access token is generated for the primary account and used as the authorization token, it can also be used for one of the sub-accounts with the additional header called `Account-Name` (case insensitive). For example, if the primary account is `xyz` and the sub-account is `xyz-sub1`, set the `Account-Name` header to `xyz-sub1`. For accessing the organization level data sets, a separate header called `Org-Access` (case insensitive) can be used. If this header is set to `true` (case insensitive) and the authorization token has the proper permissions (org admin), if specified, the `Account-Name` header is ignored, If the `Org-Access` header is not set to `true`, the `Account-Name` header is used, if specified. For more information about creating and using access (bearer) tokens for accounts in an Organization, see Role-Based API Authentication for Organizations.

Pagination

Making calls to Lacework APIs could return a lot of results. Pagination of the results helps manage overall performance and makes the responses easier for you to handle by dividing the results into separate pages, each with a subset of the results. The following row limits apply: * Row limit per page: 5,000 rows * Row limit of all pages of one result set: 500,000 rows Pagination is available for some datasets, such as those that are searched with the `/api/v2/Vulnerabilities/Containers/search` or `/api/v2/Entities/Machines/search` endpoints. Pagination metadata is located within the response's `paging` field, which contains information for `rows`, `totalRows`, and `urls`. The `urls` field contains the `nextPage` field with the Next Page URL. The Next Page URLs stay valid for 24 hours. No pagination is available for an API if the `paging` field is missing from a response. To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json". Example: > `GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...` See the right panel for response examples.

Rate Limiting

The current rate limit is 480 API requests per hour per user. When the total number of API requests on a one-hour rolling window exceeds the rate limit, the HTTP 429 Too Many Requests response status code is returned. Lacework uses the token bucket algorithm to apply request rate limiting. Each API v2 functionality has its own bucket with 480 tokens and each request that you make removes one token from the bucket. For example, performing a `GET /api/v2/AgentAccessTokens` or a `GET /api/v2/AgentAccessTokens/{ID}` are both part of one functionality, which gets an agent access token, so each request removes one token from the same bucket. Similarly, updating an agent access token (`PATCH /api/v2/AgentAccessTokens/{ID}`) is a different functionality and disregards the ID to use the same bucket, so a token is removed from a different bucket. Each request sends back three response headers following standard HTTP naming conventions for rate limiting. `RateLimit-Limit` is the total number of requests you can make in an hour, `RateLimit-Remaining` is the number of remaining requests, and `RateLimit-Reset` is how much time it will take (in seconds) before you can make another request once the limit is reached. For more information about RateLimit header fields, see [IETF Draft 05](https://tools.ietf.org/id/draft-polli-ratelimit-headers-05.html)

Response Status Codes

The Lacework API endpoints return the following HTTP response status codes.
Status CodeDefinitionDescription
200 OK The request has succeeded.
201 Created The request has been fulfilled and resulted in a new resource being created.
204 No Content The server has fulfilled the request but does not need to return an entity-body.
400 Bad Request The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
401 Unauthorized The request requires user authentication. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403 Forbidden The server understood the request, but is refusing to fulfill it. Authorization will not fix the issue and the request SHOULD NOT be repeated.
404 Not Found The server has not found anything matching the Request-URI.
405 Method Not Allowed The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
409 Conflict The request could not be completed due to a conflict with the current state of the resource.
429 Too Many Requests Too many requests occurred during the allotted time period and rate limiting was applied.
500 Internal Server Error The request did not complete due to an internal error on the server side. The server encountered an unexpected condition which prevented it from fulfilling the request.
503 Service Unavailable The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
- name: ACCESS_TOKENS x-displayName: Access Tokens description: >- [Generate access tokens](https://www.laceworkplatform.com/generate-api-access-keys-and-tokens) for API requests. - name: SCHEMAS x-displayName: Schemas description: Get details about the available Lacework schemas. - name: Activities x-displayName: Activities description: Get information about network activities detected through the agent. - name: AgentAccessTokens x-displayName: Agent Access Tokens description: >- To connect to the Lacework instance, Lacework agents require an [agent access token](https://www.laceworkplatform.com/agent-access-tokens). - name: AgentInfo x-displayName: Agent Information description: |- View and verify information about all agents, including: * The hostname * The number of active and inactive agents * Machine tags information associated with the agents * The agent version - name: AlertChannels x-displayName: Alert Channels description: >- Lacework combines [alert channels](https://www.laceworkplatform.com/about-alert-channels) with [alert rules](https://www.laceworkplatform.com/alert-rules) or [report rules](https://www.laceworkplatform.com/report-rules) to provide a flexible method for routing alerts and reports. - name: AlertProfiles x-displayName: Alert Profiles description: >- An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts. Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles and operations for defining and editing your own are exposed via Lacework API calls. - name: AlertRules x-displayName: Alert Rules description: >- Lacework combines [alert channels](https://www.laceworkplatform.com/about-alert-channels) and [alert rules](https://www.laceworkplatform.com/alert-rules) to provide a flexible method for routing alerts. For [alert channels](https://www.laceworkplatform.com/about-alert-channels), you define information about where to send alerts, such as to Jira, Slack, or email. For [alert rules](https://www.laceworkplatform.com/alert-rules), you define information about which alert types to send, such as critical and high severity compliance alerts. - name: Alerts x-displayName: Alerts description: >- Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags. You can also post a comment to an [alert's timeline](https://www.laceworkplatform.com/view-alerts#timeline); or change an [alert status](https://www.laceworkplatform.com/view-alerts#status) from Open to Closed. - name: AuditLogs x-displayName: Audit Logs description: >- Audit logs let you view the history of all actions performed within a Lacework account so you know who made changes to the system and when. For example, you can see who suppressed certain alerts, what time an authentication setting was modified, etc. For more information, see [Audit Logs](https://www.laceworkplatform.com/audit-logs). - name: CloudAccounts x-displayName: Cloud Accounts description: >- Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. - name: CloudActivities x-displayName: Cloud Activities description: >- Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance. - name: Configs x-displayName: Configurations description: Get information about compliance configurations. - name: ContainerRegistries x-displayName: Container Registries description: >- Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image. After integrating a container registry in Lacework, Lacework finds all container images in the registry repositories, assesses those container images for software packages with known vulnerabilities, and reports them. - name: ContractInfo x-displayName: Contract Info description: Get Lacework contract information. - name: DataExportRules x-displayName: Data Export Rules description: >- S3 data export allows you to export data collected from your Lacework account and send it to an S3 bucket of your choice. You can extend Lacework processed/normalized data to report/visualize alone or combine with other business/security data to get insights and make meaningful business decisions. - name: Datasources x-displayName: Datasources description: Get schema details for all datasources that you can query using LQL. - name: Entities x-displayName: Entities description: >- Lacework continuously monitors machines in your environment and maintains data on both running and non-running virtual machines. - name: Events x-displayName: Events description: View and verify the evidence or observation details of individual events. - name: Exceptions x-displayName: Policy Exceptions description: >- Policy exceptions are a mechanism used to maintain the policies but allow you to circumvent one or more restrictions. - name: Inventory x-displayName: Inventory description: >- View and monitor in-use cloud resources' risk, compliance, and configuration changes. For more details about snapshots of resources, see [Resource Inventory](https://www.laceworkplatform.com/category/resource-inventory). - name: OrganizationInfo x-displayName: Organization Info description: >- Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/OrganizationInfo` - name: Policies x-displayName: Policies description: >- Policies are a mechanism used to add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. You can fully customize policies. - name: Queries x-displayName: Queries description: >- Queries are the mechanism used to interactively request information from a specific curated datasource. Queries have a defined structure for authoring detections. - name: ReportRules x-displayName: Report Rules description: >- Lacework combines [alert channels](https://www.laceworkplatform.com/about-alert-channels) and [report rules](https://www.laceworkplatform.com/report-rules) to provide a flexible method for routing reports. For [report rules](https://www.laceworkplatform.com/report-rules), you define information about which reports to send. For [alert channels](https://www.laceworkplatform.com/about-alert-channels), you define where to send reports such as to Jira, Slack, or email. - name: Reports x-displayName: Reports description: >- Lacework combines details about non-compliant resources that are in violation into reports. You must configure at least one cloud integration with AWS, Azure, or GCP to receive these reports. - name: ResourceGroups x-displayName: Resource Groups description: Resource groups provide a way to categorize Lacework-identifiable assets. - name: TeamMembers x-displayName: Team Members description: >- Team members can be granted access to multiple Lacework accounts and have different roles for each account. Team members can also be granted organization-level roles. For more information, see [Team Members](https://www.laceworkplatform.com/team-members). **Note**: The TeamMembers API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. - name: TemplateFiles x-displayName: Template Files description: |- Template Files are equivalent to CloudFormation template files. **AWS Config** For the file parameter, specify AwsConfig to download an AWS Config CloudFormation template for configuring an AWS Config integration to analyze AWS configuration compliance. **AWS Cloud Trail** For the file parameter, specify AwsCloudTrail to download an AWS CloudTrail CloudFormation template for configuring an AWS CloudTrail integration to monitor cloud account security. **AWS EKS Audit Logs** For the file parameter, specify AwsEksAudit to download an AWS EKS Audit Log template for configuring resources to allow monitoring of Kubernetes runtime security using audit logs on EKS [(Step 1)](https://www.laceworkplatform.com/eks-audit-log-integration-overview#what-happens-during-step-1). For the file parameter, specify AwsEksAuditSubscriptionFilter to download an AWS EKS Audit Log template for configuring an EKS cluster log group to monitor EKS runtime security. Optionally pass in `intgGuid` as a query parameter. This allows the intgGuid to get the SNS ARN, create the firehose ARN, and insert that into the template before returning it. This means you don't have to find the firehoseARN and insert it manually. Obtain the integration's intgGuid by using the `GET https://YourLacework.lacework.net/api/v2/CloudAccounts` endpoint [(Step 2)](https://www.laceworkplatform.com/eks-audit-log-integration-overview#what-happens-during-step-2). After downloading the template, you must upload and run the template file in the AWS Console. For information about setting up AWS CloudTrail and AWS Config integrations, see https://www.laceworkplatform.com/initial-setup-of-aws-cloudtrail-and-config-integration. For information about setting up AWS EKS integrations, see https://www.laceworkplatform.com/category/eks-audit-log-integrations. You must also create the integration in the Lacework Console. - name: UserProfile x-displayName: User Profiles description: >- An organization can contain multiple accounts so you can also manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. For more information, see [Organization Overview](https://www.laceworkplatform.com/organization-overview). - name: Vulnerabilities x-displayName: Vulnerabilities description: >- Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image before the container image is deployed. Lacework also supports scanning of non-OS packages for programming languages (Java, Ruby, PHP, GO, NPM, .NET, Python). - name: VulnerabilityExceptions x-displayName: Vulnerability Exceptions description: >- Lacework provides the ability to create exceptions for certain vulnerable resources and criteria. For example, a certain CVE for a certain package or all packages can be excepted until a set expiry time. - name: VulnerabilityPolicies x-displayName: Vulnerability Policies description: >- Lacework provides the ability to create container vulnerability policies to assess your container images at build and/or runtime based on your own unique requirements. For example, a policy can be created for any critical vulnerability with a fix available or a policy to target a specific CVE. - name: Webhooks x-displayName: Webhooks description: >- Send notifications from your integration using a server token or signature. paths: /api/v2/access/tokens: post: tags: - ACCESS_TOKENS summary: Generate Access Tokens description: >- Get access tokens for the API requests by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/access/tokens` After creating a secret key, administrators can generate Temporary API access (bearer) tokens that clients and client applications use to access the Lacework API. Create temporary API access (bearer) tokens by invoking the `POST https://YourLacework.lacework.net/api/v2/access/tokens` endpoint. parameters: - in: header name: X-LW-UAKS description: YourSecretKey required: true schema: type: string - in: header name: Content-Type description: application/json required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ApiV2AccessTokens' responses: '201': description: A temporary access (bearer) token is returned. content: application/json: schema: $ref: '#/components/schemas/ResponseApiV2AccessTokens' 4XX: description: Client Error content: application/json: schema: $ref: '#/components/schemas/Response4xxApiV2AccessTokens' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/schemas/{type}: get: tags: - SCHEMAS summary: Schema Details description: >- Get a list of available Lacework schema types by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/schemas` Get details about a Lacework schema by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/schemas/{type}` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: type in: path description: >- When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema. required: true schema: type: string example: AuditLogs responses: '200': description: 'No Error (see example: schema of AuditLogs)' content: application/json: schema: $ref: '#/components/schemas/ResponseApiV2SchemasType' 4XX: description: Client Error content: application/json: schema: $ref: '#/components/schemas/ResponseInvalidApiV2SchemasType' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/schemas/{type}/{subtype}: get: tags: - SCHEMAS summary: Schema Details of Subtype description: >- Get details about a Lacework schema by specifying a schema type and subtype when invoking the endpoint. > `GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - in: path name: type description: >- When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema. required: true schema: type: string example: AlertChannels - in: path name: subtype description: >- The schema's subtype. If a type is subordinate to another type, it is called a subtype. required: true schema: type: string example: SlackChannel responses: '200': description: 'No Error (see example: schema of /api/v2/AlertChannels/SlackChannel)' content: application/json: schema: $ref: '#/components/schemas/ResponseApiV2SchemasTypeSubtype' 4XX: description: Client Error content: application/json: schema: $ref: '#/components/schemas/ResponseInvalidApiV2SchemasTypeSubtype' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Activities/ChangedFiles/search: post: tags: - Activities summary: Search Changed Files description: >- Search for changed files in your environment by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned changed files by start time, end time, machine id, file path and/or other fields. For more information, see https://www.laceworkplatform.com/changefilesv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "filePath", "expression": "eq", "value": "/usr/bin/curl" } ],` `"returns": [ "filePath", "filedataHash", "mid" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseActivities_ChangedFilesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Activities/Connections/search: post: tags: - Activities summary: Search Connections description: >- Search for connections in your environment by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned connections by start time, end time, created time, machine id, and/or other fields. For more information, see https://www.laceworkplatform.com/connectionsv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"},` `"filters": [ { "field": "dstEntityId.mid", "expression": "eq", "value": "116018" } ] }` * `{ "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"},` `"filters": [ { "field": "srcEntityId.mid", "expression": "eq", "value": "123456" }, { "field": "dstInBytes", "expression": "le", "value": "300000" } ],` `"returns": [ "dstEntityId", "dstEntityType", "srcEntityId", "srcEntityType" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseActivities_ConnectionsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Activities/DNSs/search: post: tags: - Activities summary: Search DNS Summaries description: >- Search for DNS summaries in your environment by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned DNS summaries by start time, end time, created time, machine id, and/or other fields. For more information, see https://www.laceworkplatform.com/dnsqueryv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "fqdn", "expression": "eq", "value": "sqs.us-west-2.amazonaws.com" } ],` `"returns": [ "fqdn", "hostIpAddr", "mid" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseActivities_DNSsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Activities/UserLogins/search: post: tags: - Activities summary: Search User Logins description: >- Search for user logins in your environment by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned login activities by start time, end time, created time, machine id, and/or other fields. For more information, see https://www.laceworkplatform.com/userloginv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "username", "expression": "eq", "value": "ec2-user" } ],` `"returns": [ "username", "activityType", "activityTime" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseActivities_UserLoginsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AgentAccessTokens: post: tags: - AgentAccessTokens summary: Create Agent Access Token description: > Create a new agent access token that an agent can use to connect and send data to your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens` Here is an example `body` payload: > `{ "tokenAlias": "prod", "tokenEnabled": "1" }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AgentAccessTokens_Create_Schema' responses: '201': $ref: '#/components/responses/responseAgentAccessTokens_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - AgentAccessTokens summary: List All Agent Access Tokens description: >- Get a list of currently enabled agent access tokens in your Lacework instance by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responseAgentAccessTokensList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AgentAccessTokens/search: post: tags: - AgentAccessTokens summary: Search Agent Access Tokens description: >+ Search all enabled agent access tokens in your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). You can filter on the following fields: * `accessToken` * `createdTime` * `tokenAlias` * `tokenEnabled` * `version` Here is an example `body` payload: > `{ "filters" : [ { "expression": "eq", "field": "tokenAlias", "value": "Eng" } ] } ` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseAgentAccessTokensList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AgentAccessTokens/{id}: get: tags: - AgentAccessTokens summary: Agent Access Token Details description: >- Get details about an agent access token by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}` You can get the `{id}` by invoking the `GET /api/v2/AgentAccessTokens` endpoint. Replace `{id}` with the long hexadecimal access token identifier returned in the `accessToken` field of the `GET /api/v2/AgentAccessTokens` endpoint response. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Agent Access Token {id} required: true schema: type: string responses: '200': $ref: '#/components/responses/responseAgentAccessTokens_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - AgentAccessTokens summary: Update Agent Access Token description: >+ Optionally update the `tokenEnabled` settings of the passed in agent access token. Update these settings by invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}` Get the agent access token id by calling the `GET /api/v2/AgentAccessTokens` endpoint. Replace `{id}` with the long hexadecimal access token identifier returned in the `accessToken` field of the `GET /api/v2/AgentAccessTokens` endpoint response. Here is an example `body` payload: > `{ "tokenEnabled": "1" }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: AgentAccessTokens {id} required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AgentAccessTokens_Update_Schema' responses: '200': $ref: '#/components/responses/responseAgentAccessTokens_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AgentInfo/search: post: tags: - AgentInfo summary: Search Agent Information description: >- The Agent Information API enables you to retrieve information about all agents by invoking the following endpoint: > `POST /api/v2/AgentInfo/search` For details about what agent information is available, see [AGENT_MANAGEMENT_V View](https://www.laceworkplatform.com/console/agentmanagementv-view). Here are some example `body` payloads: * `{ "timeFilter": { "startTime" : "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"},` * `{ "timeFilter": { "startTime": " 2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"},` `"filters" : [ { "field": "status", "expression": "eq", "value": "ACTIVE" }, { "field": "tags.VmProvider", "expression": "eq", "value" : "AWS" } ],` `"returns": [ "hostname", "ipAddr", "os" , "agentVersion", "status" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseAgentInfoList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertChannels: post: tags: - AlertChannels summary: Create Alert Channels description: >- Create an alert channel by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertChannels` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertChannels_Create_Schema' responses: '201': $ref: '#/components/responses/responseAlertChannels_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - AlertChannels summary: List All Alert Channels description: >- Get a list of alert channels for the current user by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertChannels` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseAlertChannelsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertChannels/{type}: get: tags: - AlertChannels summary: List Alert Channels by Type description: >- Get a list of alert channels of the specified type by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: type in: path description: Alert Channel Type required: true schema: type: string enum: - AwsS3 - CiscoSparkWebhook - CloudwatchEb - Datadog - EmailUser - GcpPubsub - IbmQradar - Jira - MicrosoftTeams - NewRelicInsights - PagerDutyApi - ServiceNowRest - SlackChannel - SplunkHec - VictorOps - Webhook responses: '200': $ref: '#/components/responses/responseAlertChannelsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertChannels/search: post: tags: - AlertChannels summary: Search Alert Channels description: |- Search alert channels by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertChannels/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array, for example, `"returns":[ "name", "type", "enabled" ]`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseAlertChannelsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertChannels/{intgGuid}/test: post: tags: - AlertChannels summary: Test Alert Channels description: >- Test the integration of an alert channel by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Alert Channel ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertChannels/{intgGuid}: get: tags: - AlertChannels summary: Alert Channel Details description: |- Get details about an alert channel by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Alert Channel ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseAlertChannels_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - AlertChannels summary: Update Alert Channels description: >- Update an alert channel by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}` In the request body, only specify the parameter(s) that you want to update, for example, `{ "enabled" : 0 }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Alert Channel ID required: true schema: type: string requestBody: required: true description: >- Only specify the parameter(s) that you want to update, for example, `{ "enabled" : 0 }`. content: application/json: schema: $ref: '#/components/schemas/AlertChannels_Update_Schema' responses: '200': $ref: '#/components/responses/responseAlertChannels_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' put: tags: - AlertChannels summary: Update Alert Channels description: >- Update an alert channel by specifying the entire object in the request body when invoking the following endpoint: > `PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}` In the request body, specify the entire object that you want to update, for example, > `{"name": "string","type": "AwsS3", "enabled": 1, > "data": {"s3CrossAccountCredentials": {"externalId": "string", "roleArn": "string", "bucketArn":"string"}} }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Alert Channel ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertChannels_Create_Schema' responses: '200': $ref: '#/components/responses/responseAlertChannels_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - AlertChannels summary: Delete Alert Channels description: |- Delete an alert channel by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Alert Channel ID required: true schema: type: string responses: '204': description: >- No response content is returned and the request was successfully completed with no errors. 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertProfiles: post: tags: - AlertProfiles summary: Create Alert Profiles description: >- Create an alert profile that extends off of a current alert profile by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertProfiles` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertProfiles_Create_Schema' responses: '201': $ref: '#/components/responses/responseAlertProfiles_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - AlertProfiles summary: List All Alert Profiles description: >- Get all the alert profiles for the current user by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertProfiles` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responseAlertProfilesList_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertProfiles/{id}: get: tags: - AlertProfiles summary: Alert Profiles Details description: >- Get the details to the specified alert profile by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Alert Profile id required: true schema: type: string responses: '200': $ref: '#/components/responses/responseAlertProfiles_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - AlertProfiles summary: Update Alert Profiles description: >- Update the alert templates of the specified alert profile by invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Alert Profile id required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertProfiles_Update_Schema' responses: '200': $ref: '#/components/responses/responseAlertProfiles_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - AlertProfiles summary: Delete Alert Profiles description: |- Delete the specified alert profile by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Alert Profile id required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertProfiles/{id}/AlertTemplates: post: tags: - AlertProfiles summary: Create Alert Templates description: >- Create a new alert template for a specified alert profile by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Alert Profile id required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertProfiles_AlertTemplates_Create_Schema' responses: '200': $ref: '#/components/responses/responseAlertProfiles_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertProfiles/{id}/AlertTemplates/{alertTemplateName}: patch: tags: - AlertProfiles summary: Update Alert Templates description: >- Update an alert template for a specified alert profile by invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Alert Profile id required: true schema: type: string - name: alertTemplateName in: path description: Alert Template Name required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertProfiles_AlertTemplates_Update_Schema' responses: '200': $ref: '#/components/responses/responseAlertProfiles_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - AlertProfiles summary: Delete Alert Templates description: >- Delete an alert template for a specified alert profile by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: id in: path description: Alert Profile id required: true schema: type: string - name: alertTemplateName in: path description: Alert Template Name required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertRules: post: tags: - AlertRules summary: Create Alert Rules description: >- Create an alert rule by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertRules` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertRules_Create_Schema' responses: '201': $ref: '#/components/responses/responseAlertRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - AlertRules summary: List All Alert Rules description: >- List all alert rules in your Lacework instance by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertRules` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseAlertRulesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertRules/search: post: tags: - AlertRules summary: Search Alert Rules description: |- Search alert rules by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AlertRules/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). Here are some example `body` payloads: * `{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] } ` * `{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }` * `{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] } ` * `{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] } ` * `{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] } ` * `{ "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] } ` * `{ "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] } ` * `{ "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] } ` * `{ "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] } ` In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseAlertRulesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AlertRules/{mcGuid}: get: tags: - AlertRules summary: Alert Rule Details description: |- Get details about an alert rule by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for an alert rule in the response when the `GET /api/v2/AlertRules` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Alert Rule mcGuid required: true schema: type: string responses: '200': $ref: '#/components/responses/responseAlertRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - AlertRules summary: Update Alert Rules description: >- Update an alert rule by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for an alert rule in the response when the `GET /api/v2/AlertRules` endpoint is invoked. In the request body, only specify the parameters that you want to update. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Alert Rules mcGuid required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AlertRules_Update_Schema' responses: '200': $ref: '#/components/responses/responseAlertRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - AlertRules summary: Delete Alert Rules description: |- Delete an alert rule by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for an alert rule in the response when the `GET /api/v2/AlertRules` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Alert Rules mcGuid required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Alerts: get: tags: - Alerts summary: List Alerts description: >- Get a list of alerts during the specified date range by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}` Use the following formats to specify the `startTime` and `endTime`: * `yyyy-MM-dd` for example, `2022-06-28` * `yyyy-MM-ddTHH` for example, `2022-06-28T08` * `yyyy-MM-ddTHH:mm:ssZ` for example, `2022-06-28T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2022-06-28T08:00:00.000Z` Here is an example invocation: > `GET https://YourLacework.lacework .net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. Pagination metadata is located within the response's `paging` field, which contains information for `rows`, `totalRows`, and `urls`. The `urls` field contains the `nextPage` field with the Next Page URL. The Next Page URLs stay valid for 24 hours. To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json". Example: > `GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramStartTime' - $ref: '#/components/parameters/paramEndTime' responses: '200': $ref: '#/components/responses/responseAlertsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Alerts/search: post: tags: - Alerts summary: Search Alerts description: |- Search alerts by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Alerts/search` Optionally specify filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). For the `timeFilter` filter, these are the supported time formats: * `yyyy-MM-dd` for example, `2022-07-08` * `yyyy-MM-ddTHH` for example, `2022-07-08T08` * `yyyy-MM-ddTHH:mm:ssZ` for example, `2022-07-08T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2022-07-08T08:00:00.000Z` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. To limit the returned result, optionally specify one or more filters in the request body. These fields can be set in the filters: `alertId`, `alertType`, `severity`, and `status`. You can optionally filter the returned alerts by one or more of the top-level fields. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}}` `"filters": [ { "field": "alertType", "expression": "eq", "value": "SuspiciousUserFailedLogin" } ] }` * `{ "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"},` `"filters": [ { "field": "severity", "expression": "eq", "value": "Critical" }, { "field": "status", "expression": "eq", "value": "Open" } ],` `"returns": [ "alertId", "alertName", "alertType", "alertInfo" ] }` Pagination metadata is located within the response's `paging` field, which contains information for `rows`, `totalRows`, and `urls`. The `urls` field contains the `nextPage` field with the Next Page URL. The Next Page URLs stay valid for 24 hours. To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json". Example: > `GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: >- #/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS_FOR_ALERTS responses: '200': $ref: '#/components/responses/responseAlertsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Alerts/{alertId}: get: tags: - Alerts summary: Alert Details description: |- Get details about an alert by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}` You must specify a scope, as one of these options: `Details`, `Investigation`, `Events`, `RelatedAlerts`, `Integrations`, or `Timeline`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: alertId in: path description: Alert id required: true schema: type: string - name: scope in: query description: You must specify a scope, as one of these options. required: true schema: type: string enum: - Details - Investigation - Events - RelatedAlerts - Integrations - Timeline responses: '200': $ref: '#/components/responses/responseAlerts_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Alerts/{alertId}/comment: post: tags: - Alerts summary: Post Comments description: >- Post a user comment on an alert’s timeline by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment` For details about alert timelines, see [Timeline](https://lacework-alerts.netlify.app/view-alerts#timeline). parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: alertId in: path description: Alert id required: true schema: type: string requestBody: required: true content: application/json: schema: required: - comment properties: comment: type: string responses: '200': $ref: '#/components/responses/responseAlerts_Comment_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Alerts/{alertId}/close: post: tags: - Alerts summary: Close Alerts description: >- Change the status of an alert to closed by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close` The body of the request should contain the reason for closing, from these options: * Other * False positive * Not enough information * Malicious and have resolution in place * Expected because of routine testing. If you choose `Other`, the message field is required and should contain a brief explanation of why the alert is closed. Note that a closed alert cannot be reopened. For details about alert statuses, see [Status](https://lacework-alerts.netlify.app/view-alerts#status). parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: alertId in: path description: Alert id required: true schema: type: string requestBody: required: true content: application/json: schema: required: - reason properties: reason: type: number description: |- 0 - Other 1 - False positive 2 - Not enough information 3 - Malicious and have resolution in place 4 - Expected because of routine testing enum: - 0 - 1 - 2 - 3 - 4 comment: type: string description: >- If you choose `0` (`Other`), the comment field is required and should contain a brief explanation of why the alert is closed. responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AuditLogs: get: tags: - AuditLogs summary: Audit Logs description: |- Get audit logs by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/AuditLogs` Optionally specify the `startTime` and `endTime` time range filters using the following formats: * `yyyy-MM-dd` for example, `2020-12-18` * `yyyy-MM-ddTHH` for example, `2020-12-18T08` * `yyyy-MM-ddTHH:mm:ssZ` for example, `2020-12-18T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2020-12-18T08:00:00.000Z` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - $ref: '#/components/parameters/paramStartTime' - $ref: '#/components/parameters/paramEndTime' responses: '200': $ref: '#/components/responses/responseAuditLogsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/AuditLogs/search: post: tags: - AuditLogs summary: Search Audit Logs description: |- Search the audit logs by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/AuditLogs/search` Optionally specify filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). For the `timeFilter` filter, these are the supported time formats: * `yyyy-MM-dd` for example, `2020-12-18` * `yyyy-MM-ddTHH` for example, `2020-12-18T08` * `yyyy-MM-ddTHH:mm:ssZ` for example, `2020-12-18T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ`, for example, `2020-12-18T08:00:00.000Z` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true description: Filters in the request body content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseAuditLogsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/CloudAccounts: post: tags: - CloudAccounts summary: Create Cloud Accounts description: >- Create a cloud account by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/CloudAccounts` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CloudAccounts_Create_Schema' responses: '201': $ref: '#/components/responses/responseCloudAccounts_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - CloudAccounts summary: List All Cloud Accounts description: >- Get a list of cloud accounts for the current user by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseCloudAccountsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/CloudAccounts/{type}: get: tags: - CloudAccounts summary: List Cloud Accounts by Type description: >- Get a list of cloud accounts of the specified type by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: type in: path description: Cloud Accounts Type required: true schema: type: string enum: - AwsCfg - AwsCtSqs - AwsEksAudit - AwsUsGovCfg - AwsUsGovCtSqs - AzureAlSeq - AzureCfg - GcpAtSes - GcpCfg responses: '200': $ref: '#/components/responses/responseCloudAccountsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/CloudAccounts/search: post: tags: - CloudAccounts summary: Search Cloud Accounts description: |- Search cloud accounts by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array, for example, `"returns":[ "name", "type", "enabled" ]`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseCloudAccountsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/CloudAccounts/{intgGuid}: get: tags: - CloudAccounts summary: Cloud Accounts Details description: |- Get details about a cloud account by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Cloud Account ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseCloudAccounts_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - CloudAccounts summary: Update Cloud Accounts description: >- Update a cloud account by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}` In the request body, only specify the parameters that you want to update, for example, `{ "enabled" : 0 }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Cloud Account ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CloudAccounts_Update_Schema' responses: '200': $ref: '#/components/responses/responseCloudAccounts_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' put: tags: - CloudAccounts summary: Update Cloud Accounts description: >- Update a cloud account by specifying the entire object in the request body when invoking the following endpoint: > `PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}` In the request body, specify the entire object that you want to update, for example, > `{"name": "string","type": "AwsCfg", "enabled": 1, > "data": { "awsAccountId": "string", "crossAccountCredentials": {"externalId": "string", "roleArn": "string"}} }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Cloud Account ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CloudAccounts_Create_Schema' responses: '200': $ref: '#/components/responses/responseCloudAccounts_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - CloudAccounts summary: Delete Cloud Accounts description: |- Delete a cloud account by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: Cloud Account ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/CloudActivities: get: tags: - CloudActivities summary: Cloud Activities description: |- Get cloud activity details by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/CloudActivities` Optionally filter by specifying the `startTime` and `endTime` of a time range using the following formats: * `yyyy-MM-dd` for example, `2020-12-18` * `yyyy-MM-ddTHH` for example, `2020-12-18T08` * `yyyy-MM-ddTHH:mm:ssZ` for example, `2020-12-18T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2020-12-18T08:00:00.000Z` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramStartTime' - $ref: '#/components/parameters/paramEndTime' responses: '200': $ref: '#/components/responses/responseCloudActivitiesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/CloudActivities/search: post: tags: - CloudActivities summary: Search Cloud Activities description: |- Search cloud activities by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/CloudActivities/search` Optionally specify filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). For the `timeFilter` filter, these are the supported time formats: * `yyyy-MM-dd` for example, `2021-12-18` * `yyyy-MM-ddTHH` for example, `2021-12-18T08` * `yyyy-MM-ddTHH:mm:ssZ` for example, `2021-12-18T08:00:00Z` * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2021-12-18T08:00:00.000Z` Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"},` `"filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" } ] }` * `{ "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"},` `"filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" },` `{ "field": "eventModel", "expression": "eq", "value": "AwsApiTracker" } ],` `"returns":[ "startTime", "endTime", "eventType", "eventActor", "eventModel" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseCloudActivitiesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Configs/ComplianceEvaluations/search: post: tags: - Configs summary: Search Compliance Evaluations description: >- Search for compliance evaluations (with details such as compliance status, violated resources, reason, recommendation, account info, etc.) for a specified cloud provider within the last 90 days by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/search` This view reports details about compliance violations identified by cloud assessments for all supported and configured cloud provider types: AWS, Azure, and GCP. Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You must specify a dataset. The possible datasets are `AwsCompliance`, `AzureCompliance`, and `GcpCompliance`. You can optionally filter the returned compliance evaluations by report time, account, section, id, and/or other fields. For more information, see [CLOUD_COMPLIANCE_V View](https://www.laceworkplatform.com/cloudcompliancev-view). Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"dataset": "AwsCompliance" }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "status", "expression": "eq", "value": "NonCompliant" }, { "field": "account.AccountId", "expression": "eq", "value": "812212113623" } ],` `"returns": [ "account", "id", "recommendation", "severity", "status" ],` `"dataset": "AzureCompliance" }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Dataset_Request_Body_Schema' responses: '200': $ref: >- #/components/responses/responseConfigs_ComplianceEvaluationsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ContainerRegistries: post: tags: - ContainerRegistries summary: Create Container Registries description: >- Create a container registry by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/ContainerRegistries` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ContainerRegistries_Create_Schema' responses: '201': $ref: '#/components/responses/responseContainerRegistries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - ContainerRegistries summary: List All Container Registries description: >- Get a list of container registries for the current user by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: >- #/components/responses/responseContainerRegistriesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ContainerRegistries/{type}/{subtype}: get: tags: - ContainerRegistries summary: List Container Registries by Type description: >- Get a list of container registries of the specified type by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{type}/{subtype}` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/ContVulnCfg/AWS_ECR` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: type in: path description: Container Registry Type required: true schema: type: string enum: - ContVulnCfg - name: subtype in: path description: Container Registry Subtype required: true schema: type: string $ref: '#/components/schemas/ContainerRegistriesSubtype' responses: '200': $ref: >- #/components/responses/responseContainerRegistriesList_Response_Schema 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ContainerRegistries/search: post: tags: - ContainerRegistries summary: Search Container Registries description: |- Search container registries by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array, for example, `"returns":[ "name", "type", "enabled" ]`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: >- #/components/responses/responseContainerRegistriesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ContainerRegistries/{intgGuid}/mapPolicies: post: tags: - ContainerRegistries summary: Map policies to Container Registries description: >- Map specific policies to a container registry by invoking the following endpoint: `POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}/mapPolicies` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: The container registry's ID. required: true schema: type: string requestBody: required: true content: application/json: schema: properties: evaluate: type: boolean description: >- Set to `True` if you want to evaluate all policies for this integration. Otherwise, set to `False`. policyGuids: type: array description: A list of all policy IDs to map to this integration. items: type: string responses: '200': $ref: '#/components/responses/responseContainerRegistries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ContainerRegistries/{intgGuid}: get: tags: - ContainerRegistries summary: Container Registry Details description: >- Get details about a container registry by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: The container registry's ID. required: true schema: type: string responses: '200': $ref: '#/components/responses/responseContainerRegistries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - ContainerRegistries summary: Update Container Registries description: >- Update a container registry by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}` In the request body, only specify the parameters that you want to update, for example, `{ "enabled" : 0 }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: The container registry's ID. required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ContainerRegistries_Update_Schema' responses: '200': $ref: '#/components/responses/responseContainerRegistries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - ContainerRegistries summary: Delete Container Registries description: |- Delete a container registry by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: intgGuid in: path description: The container registry's ID. required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ContractInfo: get: tags: - ContractInfo summary: Contract Info description: >- Return contract details about the Lacework licenses found in the Lacework instance by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ContractInfo` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseContractInfoList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/DataExportRules: post: tags: - DataExportRules summary: Create Data Export Rules description: >- Create a data export rule by specifying parameters in the request body when invoking the following endpoint: `POST https://YourLacework.lacework.net/api/v2/DataExportRules` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DataExportRules_Create_Schema' responses: '201': $ref: '#/components/responses/responseDataExportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - DataExportRules summary: List All Data Export Rules description: >- List all data export rules in your Lacework Application by invoking the following endpoint: `GET https://YourLacework.lacework.net/api/v2/DataExportRules` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseDataExportRulesList_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/DataExportRules/search: post: tags: - DataExportRules summary: Search Data Export Rules description: |- Search data export rules by invoking the following endpoint: `POST https://YourLacework.lacework.net/api/v2/DataExportRules/search` To limit the returned result, optionally specify one or more filters in the request body. Here are some example `body` payloads: * `{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] } ` * `{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }` * `{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] } ` * `{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] } ` * `{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] } ` * `{ "filters": [ { "field": "filters.profileVersions", "expression": "eq", "value": "V1" } ] } ` In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseDataExportRulesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/DataExportRules/{mcGuid}: get: tags: - DataExportRules summary: Data Export Rule Details description: |- Get details about a data export rule by invoking the following endpoint: `GET https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for a data export rule in the response when the `GET /api/v2/DataExportRules` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Data Export Rule ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseDataExportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - DataExportRules summary: Update Data Export Rules description: >- Update a data export rule by specifying parameters in the request body when invoking the following endpoint: `PATCH https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for a data export rule in the response when the `GET /api/v2/DataExportRules` endpoint is invoked. In the request body, only specify the parameters that you want to update, for example, `{ "enabled" : 0 }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Data Export Rule ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DataExportRules_Update_Schema' responses: '200': $ref: '#/components/responses/responseDataExportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' put: tags: - DataExportRules summary: Update Data Export Rules description: >- Update a data export rule by specifying the entire object in the request body when invoking the following endpoint: `PUT https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}` In the request body, specify the entire object that you want to update, for example, > `{"mcGuid": "string", "filters": {"name": "string", "description": "string", "enabled": 1, "profileVersions": ["V1"]}, "intgGuidList": ["string"], "type": "Dataexport"}`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Data Export Rule ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DataExportRules_Create_Schema' responses: '200': $ref: '#/components/responses/responseDataExportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - DataExportRules summary: Delete DataExportRules description: |- Delete a data export rule by invoking the following endpoint: `DELETE https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: mcGuid in: path description: Data Export Rule ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Datasources: get: tags: - Datasources summary: List All Datasources description: >- List all available datasources in your Lacework instance by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Datasources` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responseDatasourcesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Datasources/{datasource}: get: tags: - Datasources summary: Datasource Details description: >- Get details about a single datasource by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Datasources/{datasource}` Replace `{datasource}` with the `name` value returned for a datasource in the response when invoking the following endpoint: `GET /api/v2/Datasources`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: datasource in: path description: The datasource's name. required: true schema: type: string responses: '200': $ref: '#/components/responses/responseDatasources_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Applications/search: post: tags: - Entities summary: Search Applications description: >- Search for applications running on the machine with an agent within the last 90 days. Get details such as the application name, username, machine, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Applications/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned applications by application name, username, machine, and/or other fields. For more information, see https://www.laceworkplatform.com/applicationsv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "containerInfo.pod_type", "expression": "eq", "value": "lacework-agent" } ],` `"returns": [ "appName", "exePath", "containerInfo", "mid", "username" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_ApplicationsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/CommandLines/search: post: tags: - Entities summary: Search Active Command Lines description: >- Search for active command line invocations in your environment across machines. Get details such as the created time, command line hash, and name of the command line executable by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/CommandLines/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned command line invocations by the created time, command line hash, and name of the command line executable. For more information, see https://www.laceworkplatform.com/cmdlinev-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "cmdlineHash", "expression": "eq", "value": "12345sdlfkhk54l5..." } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "cmdlineHash", "expression": "eq", "value": "12345sdlfkhk54l5..." }, { "field": "cmdline", "expression": "eq", "value": "some command" } ],` `"returns": [ "cmdline", "cmdlineHash" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_CommandLinesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Containers/search: post: tags: - Entities summary: Search Active Containers description: >- Search for active containers in your environment. Get details such as the container name, pod name, tags, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Containers/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned containers by the container name, pod name, tags and/or other fields. For more information, see https://www.laceworkplatform.com/containersummaryv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "propsContainer.IMAGE_TAG", "expression": "eq", "value": "v1.7.0-eksbuild.1" } ],` `"returns": [ "containerName", "imageId", "podName", "propsContainer", "tags" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_ContainersList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Files/search: post: tags: - Entities summary: Search Active Files description: >- Search for active files in your environment. Get details such as the path to the file, file size, date of file modification, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Files/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned files by the path to the file, file size, date of file modification and/or other fields. For more information, see https://www.laceworkplatform.com/allfilesv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "filePath", "expression": "eq", "value": "somePath" } ],` `"returns": [ "filePath", "filedataHash", "mid", "size" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEntities_FilesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Images/search: post: tags: - Entities summary: Search Images description: >- Search for container images in your environment. Get details such as the image id, image size, repository name, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Images/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned images by image id, image size, repository name, and/or other fields. For more information, see https://www.laceworkplatform.com/imagev-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "size", "expression": "eq", "value": "434" } ],` `"returns": [ "imageId", "mid", "repo", "size" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEntities_ImagesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/InternalIPAddresses/search: post: tags: - Entities summary: Search Internal IP Addresses description: >- Search for internal IP addresses in your environment. Get details such as the start time, IP address, machine id, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned addresses by the start time, IP address, machine id and/or other fields. For more information, see https://www.laceworkplatform.com/internalipav-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "ipAddr", "expression": "eq", "value": "10.123.456.1" } ],` `"returns": [ "ipAddr" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_InternalIPAddressesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/K8sPods/search: post: tags: - Entities summary: Search K8s Pods description: >- Search for Kubernetes pods in your environment. Get details such as the pod name, IP address assigned to the pod, and other pod statistics by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/K8sPods/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned pods by machine id, pod name, primary IP address, and/or other fields. For more information, see https://www.laceworkplatform.com/podsummaryv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "propsContainer.IMAGE_ID", "expression": "eq", "value": "sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39" } ],` `"returns": [ "mid", "podName", "propsContainer" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEntities_K8sPodsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Machines/search: post: tags: - Entities summary: Search Machines description: >- Search for machines in your environment. Get details such as the machine id, host name of the machine, and other machine statistics by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Machines/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned machines by machine id, host name, primary ip address, and/or other fields. For more information, see https://www.laceworkplatform.com/machinesummaryv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "machineTags.ExternalIp", "expression": "eq", "value": "35.163.78.148" } ],` `"returns": [ "hostname", "machineTags", "mid", "primaryIpAddr" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEntities_MachinesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/MachineDetails/search: post: tags: - Entities summary: Search Machine Details description: >- Search for machine details in your environment. Get details such as the machine id, host name of the machine, domain associated with the machine, kernel type of the machine, and other machine statistics by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned machines by machine id, host name, domain, os, os version, and/or other fields. For more information, see https://www.laceworkplatform.com/machinedetailsv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "tags.AmiId", "expression": "eq", "value": "ami-0b83c6233cdbe5c3e" } ],` `"returns": [ "hostname", "mid", "awsInstanceId", "awsZone", "tags" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_MachineDetailsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/NetworkInterfaces/search: post: tags: - Entities summary: Search Network Interfaces description: >- Search for network interfaces in your environment. Get details such as the interface name, machine id, hardware address associated with the interface, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned interfaces by the interface name, machine id, the hardware address associated with the interface, and/or other fields. For more information, see https://www.laceworkplatform.com/interfacesv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "name", "expression": "eq", "value": "someName" } ],` `"returns": [ "name", "mid", "hwAddr", "ipAddr" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_NetworkInterfacesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/NewFileHashes/search: post: tags: - Entities summary: Search New File Hashes description: >- Search for new file hashes in your environment. Get details such as the file hash, start time, and end time by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned file hashes by the file hash, start time, or end time. For more information, see https://www.laceworkplatform.com/newhashesv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "filedataHash", "expression": "eq", "value": "2394832980909eoifjof3209032840i39r02390" } ],` `"returns": [ "filedataHash" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_NewFileHashesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Packages/search: post: tags: - Entities summary: Search Packages description: >- Search for package in your environment. Get details such as the machine id that contains the package, package name, package version, and other package statistics by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Packages/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned packages by machine id, version, package architecture type, and/or other fields. For more information, see https://www.laceworkplatform.com/packagev-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "packageName", "expression": "eq", "value": "package-1" } ],` `"returns": [ "packageName", "mid", "version" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEntities_PackagesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Processes/search: post: tags: - Entities summary: Search Active Processes description: >- Search for active processes in your environment. Get details such as the process id, username that started the process, path to the file, parent process id, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Processes/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned processes by the process id, username that started the process, path to the file, parent process id and/or other fields. For more information, see https://www.laceworkplatform.com/processsummaryv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "ppid", "expression": "eq", "value": "0044" } ],` `"returns": [ "pid", "ppid", "cmdlineHash", "mid", "uid", "username" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseEntities_ProcessesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Entities/Users/search: post: tags: - Entities summary: Search Users description: >- Search for users in your environment. Get details such as the username, machine id, user id, etc. by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Entities/Users/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned users by username, machine id, user id, and/or other fields. For more information, see https://www.laceworkplatform.com/userdetailsv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "username", "expression": "eq", "value": "someUser" } ],` `"returns": [ "username", "uid", "mid" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEntities_UsersList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Events/search: post: tags: - Events summary: Search Events description: >- The Events API enables you to retrieve the evidence or observation details by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Events/search` Lacework highly recommends specifying a time range in the request to narrow the search. If no time range is specified, the request uses the default time range of 24 hours before the current time. The maximum time range per API request is seven days. You can optionally filter the returned users by `eventType`, `srcType`, and/or other fields. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}}` * `{ "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"},` `"filters": [ { "field": "eventType", "expression": "eq", "value": "CloudTrailDefaultAlert" } ] }` * `{ "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"},` `"filters": [ { "field": "srcType", "expression": "eq", "value": "AwsResource" }, { "field": "srcEvent.awsRegion", "expression": "eq", "value": "us-west-2" } ],` `"returns": [ "id", "srcEvent", "srcType" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: '#/components/responses/responseEventsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Exceptions: post: tags: - Exceptions summary: Create Policy Exceptions description: >- Create exceptions for a specific policy by specifying the exception metadata when invoking the following endpoint: > `POST /api/v2/Exceptions?policyId={policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Policies` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramPolicyId' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Exceptions_Create_Schema' responses: '201': $ref: '#/components/responses/responseExceptions_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - Exceptions summary: List All Policy Exceptions description: >- Get all existing exceptions of a specific policy by invoking the following endpoint: > `GET /api/v2/Exceptions?policyId={policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Policies` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramPolicyId' responses: '200': $ref: '#/components/responses/responseExceptionsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Exceptions/{exceptionId}: get: tags: - Exceptions summary: Policy Exception Details description: >- Get details about an existing exception applied to a specific policy by invoking the following endpoint: > `GET /api/v2/Exceptions/{exceptionId}?policyId={policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when when invoking the following endpoint: > `GET /api/v2/Policies` Replace `{exceptionId}` with the `exceptionId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Exceptions?policyId={policyId}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: exceptionId in: path description: Exception ID required: true schema: type: string - $ref: '#/components/parameters/paramPolicyId' responses: '200': $ref: '#/components/responses/responseExceptions_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - Exceptions summary: Update Policy Exceptions description: >- Update an existing exception applied to a specific policy by invoking the following endpoint: > `PATCH /api/v2/Exceptions/{exceptionId}?policyId={policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Policies` Replace `{exceptionId}` with the `exceptionId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Exceptions?policyId={policyId}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: exceptionId in: path description: Exception ID required: true schema: type: string - $ref: '#/components/parameters/paramPolicyId' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Exceptions_Update_Schema' responses: '200': $ref: '#/components/responses/responseExceptions_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - Exceptions summary: Delete Policy Exceptions description: >- Delete an existing exception applied to a specific policy by invoking the following endpoint: > `DELETE /api/v2/Exceptions/{exceptionId}?policyId={policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Policies` Replace `{exceptionId}` with the `exceptionId` value returned for an LQL policy in the response when invoking the following endpoint: > `GET /api/v2/Exceptions?policyId={policyId}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: exceptionId in: path description: Exception ID required: true schema: type: string - $ref: '#/components/parameters/paramPolicyId' responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Inventory/search: post: tags: - Inventory summary: Search Inventory description: >- The Inventory API enables you to retrieve information about resources in your cloud integrations, such as virtual machines, S3 buckets, security groups, and more, using the following endpoint: > `POST /api/v2/Inventory/search` By default, Lacework collects resource information once a day. You can view and modify when resource collection starts using the Compliance Report Schedule [setting](https://www.laceworkplatform.com/console/general-settings#resource-management-collection-schedule). The time filter allows you to see your resource inventory at a specific point of time. When using the Inventory API, keep in mind that the information returned reflects the inventory when the resource collector last ran within the specified time range. If you use a recent time range that does not encompass the last time inventory collection occurred, the query returns an empty array. In this case, expand the time span to include the last collection time. For details about what cloud resource information is available, see [CLOUD_CONFIGURATION_V View](https://www.laceworkplatform.com/console/cloudconfigurationv-view). Here are some example `body` payloads: * `{ "timeFilter": { "startTime" : "2022-06-08T00:00:00Z", "endTime": "2022-06-10T12:00:00Z"},` `"csp": "AWS" }` * `{ "timeFilter": { "startTime": "2022-06-08T00:00:00Z", "endTime": "2022-06-10T12:00:00Z"},` `"filters" : [ { "field": "resourceConfig.Architecture", "expression": "eq", "value": "x86_64" }, { "field": "resourceRegion", "expression": "eq", "value" : "us-east-2" } ],` `"returns": [ "cloudDetails", "csp", "resourceConfig" , "resourceId", "resourceType" ],` `"csp": "GCP" }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Dataset_2_Request_Body_Schema' responses: '200': $ref: '#/components/responses/responseInventoryList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/OrganizationInfo: get: tags: - OrganizationInfo summary: Organization Info description: >- Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/OrganizationInfo` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseOrganizationInfoList_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Queries: post: tags: - Queries summary: Create Queries description: >- Create a Lacework Query Language (LQL) query by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Queries` This creates the LQL query in your Lacework instance so you can use it in an LQL custom policy and view it in the Lacework Console. You can get the unique identifiers for the LQL queries (`queryIdList`) array by invoking the `GET /api/v2/Queries` endpoint. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Queries_Create_Schema' responses: '201': $ref: '#/components/responses/responseQueries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - Queries summary: List All Queries description: >- List all registered LQL queries in your Lacework instance by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Queries` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responseQueriesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Queries/execute: post: tags: - Queries summary: Execute Queries description: >- Run an LQL query by specifying parameters in the request body by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Queries/execute` The response is the data that the query finds in the datasource for the specified time period. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: required: - query properties: query: required: - queryText properties: queryText: description: The query to execute type: string options: $ref: '#/components/schemas/Query_Execute_Options' arguments: type: array items: description: Argument for a query parameter properties: name: description: The parameter name. type: string value: description: The argument value (type must match LQL type) type: string responses: '200': $ref: '#/components/responses/responseQueriesExecute' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Queries/{queryId}/execute: post: tags: - Queries summary: Execute Queries by ID description: >- Run an existing LQL query registered in your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Queries/{queryId}/execute` Replace `{queryId}` with the `queryId` value returned for an LQL query in the response when the `GET /api/v2/Queries` endpoint is invoked. The response is the data that the query finds in the datasource for the specified time period. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: queryId in: path description: Identifier of the query that executes while running the policy. required: true schema: type: string requestBody: required: false content: application/json: schema: properties: options: $ref: '#/components/schemas/Query_Execute_Options' arguments: type: array items: description: Argument for a query parameter properties: name: description: The parameter name. type: string value: description: The argument value (type must match LQL type) type: string responses: '200': $ref: '#/components/responses/responseQueriesExecute' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Queries/validate: post: tags: - Queries summary: Validate Queries description: >- Validate an LQL query by specifying parameters in the request body by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Queries/validate` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: required: - queryText properties: queryText: description: >- When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data. type: string responses: '200': $ref: '#/components/responses/responseQueriesValidate' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Queries/{queryId}: get: tags: - Queries summary: Query Details description: |- Get details about a single LQL query by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Queries/{queryId}` Replace `{queryId}` with the `queryId` value returned for an LQL query in the response when the `GET /api/v2/Queries` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: queryId in: path description: Identifier of the query that executes while running the policy. required: true schema: type: string responses: '200': $ref: '#/components/responses/responseQueries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - Queries summary: Update Queries description: >- Update an existing LQL query registered in your Lacework instance by invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/Queries/{queryId}` Replace `{queryId}` with the `queryId` value returned for an LQL query in the response when the `GET /api/v2/Queries` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: queryId in: path description: Identifier of the query that executes while running the policy. required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Queries_Update_Schema' responses: '200': $ref: '#/components/responses/responseQueries_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - Queries summary: Delete Queries description: >- Delete a Lacework Query Language (LQL) query registered in your Lacework instance by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/Queries/{queryId}` Replace `{queryId}` with the `queryId` value returned for an LQL query in the response when invoking the following endpoint: `GET /api/v2/Queries`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: queryId in: path description: Identifier of the query that executes while running the policy. required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Policies: post: tags: - Policies summary: Create Policies description: >- Create a Lacework Query Language (LQL) policy by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Policies` This creates the LQL policy in your Lacework instance so you can view it in the Lacework Console. You can get the unique identifiers for the LQL policies (`policyIdList`) array by invoking the `GET /api/v2/Policies` endpoint. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Policies_Create_Schema' responses: '201': $ref: '#/components/responses/responsePolicies_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - Policies summary: List All Policies description: >- List all registered LQL policies in your Lacework instance, by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Policies` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responsePoliciesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Policies/Tags: get: tags: - Policies summary: Policy Tags description: Get a list of policy tags parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responsePolicyTags_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Policies/{policyId}: get: tags: - Policies summary: Policy Details description: >- Get details about a single LQL policy by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Policies/{policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when the `GET /api/v2/Policies` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: policyId in: path description: Policy ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responsePolicies_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - Policies summary: Update Policies description: >- Update an existing LQL policy registered in your Lacework instance by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/Policies/{policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when the `GET /api/v2/Policies` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: policyId in: path description: Policy ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Policies_Update_Schema' responses: '200': $ref: '#/components/responses/responsePolicies_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - Policies summary: Delete Policies description: >- Delete an LQL custom policy registered in your Lacework instance by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/Policies/{policyId}` Replace `{policyId}` with the `policyId` value returned for an LQL policy in the response when the `GET /api/v2/Policies` endpoint is invoked. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: policyId in: path description: Policy ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ReportRules: post: tags: - ReportRules summary: Create Report Rule description: >- Create a report rule in your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/ReportRules` Get the unique identifiers for the alert channels (`intGuidList`) array by invoking the `GET /api/v2/ReportRules` endpoint. In addition, the severity field is required if you create report rules for any of the following report types: `awsCloudtrailEvents`, `awsComplianceEvents`, `azureActivityLogEvents`, `azureComplianceEvents`, `gcpAuditTrailEvents`, `gcpComplianceEvents`, `openShiftComplianceEvents`, `platformEvents`, `agentEvents`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ReportRules_Create_Schema' responses: '201': $ref: '#/components/responses/responseReportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - ReportRules summary: List All Report Rules description: >- List all report rules in your Lacework instance, by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ReportRules` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: '#/components/responses/responseReportRulesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ReportRules/search: post: tags: - ReportRules summary: Search Report Rules description: >- Search all report rules in your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/ReportRules/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). Here are some example `body` payloads: * `{ "filters": [ { "expression": "eq", "field": "name", "value": " Jane" } ] } ` * `{ "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] } ` * `{ "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }` * `{ "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] } ` * `{ "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] } ` * `{ "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] } ` * `{ "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] } ` * `{ "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] } ` * `{ "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] } ` * `{ "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] } ` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseReportRulesList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ReportRules/{mcGuid}: get: tags: - ReportRules summary: Report Rule Details description: |- Get details about a report rule by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for a report rule in the response when invoking the following endpoint: `GET /api/v2/ReportRules`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: mcGuid in: path description: Report Rule ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseReportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - ReportRules summary: Update Report Rules description: >- Update a report rule by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for a report rule in the response, when the `GET /api/v2/ReportRules` endpoint is invoked. In addition, if the severity field doesn't exist for the report rule being updated, the severity field is required if you add any of the following report types: `awsCloudtrailEvents`, `awsComplianceEvents`, `azureActivityLogEvents`, `azureComplianceEvents`, `gcpAuditTrailEvents`, `gcpComplianceEvents`, `openShiftComplianceEvents`, `platformEvents`, `agentEvents`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: mcGuid in: path description: Report Rule ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ReportRules_Update_Schema' responses: '200': $ref: '#/components/responses/responseReportRules_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - ReportRules summary: Delete Report Rules description: |- Delete a report rule by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}` Replace `{mcGuid}` with the `mcGuid` value returned for a report rule in the response when invoking the following endpoint: `GET /api/v2/ReportRules`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: mcGuid in: path description: Report Rule ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Reports: get: tags: - Reports summary: Reports description: |+ Get a specific report by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId={primaryQueryId}&secondaryQueryId={secondaryQueryId}&format={format}&reportType={reportType}` Examples: > `GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId=343523252&format=json&reportType=HIPAA` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: primaryQueryId in: query description: >- The primary ID that is used to fetch the report; for example, AWS Account ID or Azure Tenant ID. **Note:** For GCP, use the `secondaryQueryId` attribute to provide your GCP Project ID. schema: type: string - name: secondaryQueryId in: query description: >- The secondary ID that is used to fetch the report; for example, GCP Project ID or Azure Subscription ID. **Note:** For AWS, this parameter is not required. schema: type: string - name: format in: query description: The report's format. schema: type: string default: pdf enum: - json - pdf - csv - html - name: reportType in: query description: The report's notification type; for example, AZURE_NIST_CSF. required: true schema: type: string enum: - AZURE_CIS - AZURE_CIS_131 - AZURE_SOC - AZURE_SOC_Rev2 - AZURE_PCI - AZURE_PCI_Rev2 - AZURE_ISO_27001 - AZURE_NIST_CSF - AZURE_NIST_800_53_REV5 - AZURE_NIST_800_171_REV2 - AZURE_HIPAA - AWS_CIS_S3 - NIST_800-53_Rev4 - NIST_800-171_Rev2 - ISO_2700 - HIPAA - SOC - AWS_SOC_Rev2 - GCP_HIPAA - PCI - GCP_CIS - GCP_SOC - GCP_CIS12 - GCP_K8S - GCP_PCI_Rev2 - GCP_SOC_Rev2 - GCP_HIPAA_Rev2 - GCP_ISO_27001 - GCP_NIST_CSF - GCP_NIST_800_53_REV4 - GCP_NIST_800_171_REV2 - GCP_PCI - AWS_CIS_14 - GCP_CIS13 - AWS_CMMC_1.02 - AWS_HIPAA - AWS_ISO_27001:2013 - AWS_NIST_CSF - AWS_NIST_800-171_rev2 - AWS_NIST_800-53_rev5 - AWS_PCI_DSS_3.2.1 - AWS_SOC_2 - LW_AWS_SEC_ADD_1_0 - AZURE_ISO_27001:2013_CIS_1_5 - AZURE_SOC_2_CIS_1_5 - AZURE_NIST_CSF_CIS_1_5 - AZURE_CIS_1_5 - AZURE_HIPAA_CIS_1_5 - AZURE_NIST_800-171_rev2_CIS_1_5 - AZURE_PCI_DSS_3_2_1_CIS_1_5 - AZURE_NIST_800-53_rev5_CIS_1_5 responses: '200': $ref: '#/components/responses/responseReportsList_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ResourceGroups: post: tags: - ResourceGroups summary: Create Resource Group description: >- Create a resource group by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/ResourceGroups` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResourceGroups_Create_Schema' responses: '201': $ref: '#/components/responses/responseResourceGroups_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - ResourceGroups summary: List All Resource Groups description: >- Get a list of all resource groups for the account by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ResourceGroups` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseResourceGroupsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ResourceGroups/search: post: tags: - ResourceGroups summary: Search Resource Groups description: |- Search resource groups by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/ResourceGroups/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array, for example, `"returns":[ "name", "type", "enabled" ]`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseResourceGroupsList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/ResourceGroups/{resourceGuid}: get: tags: - ResourceGroups summary: Resource Groups Details description: |- Get details about a resource group by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: resourceGuid in: path description: Resource Group ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseResourceGroups_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - ResourceGroups summary: Update Resource Groups description: >- Update a resource group by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}` In the request body, only specify the parameters that you want to update, for example, `{ "enabled" : 0 }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: resourceGuid in: path description: Resource Group ID required: true schema: type: string requestBody: required: true description: >- Only specify the parameter(s) that you want to update, for example, `{ "enabled" : 0 }`. content: application/json: schema: $ref: '#/components/schemas/ResourceGroups_Update_Schema' responses: '200': $ref: '#/components/responses/responseResourceGroups_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - ResourceGroups summary: Delete Resource Groups description: |- Delete a resource group by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: resourceGuid in: path description: Resource Group ID required: true schema: type: string responses: '204': description: >- No response content is returned and the request was successfully completed with no errors. 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/TeamMembers: post: tags: - TeamMembers summary: Create Team Members deprecated: true description: >- Create a team member in your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/TeamMembers` Here is an example `body` payload: > `{ "userName": "jane.smith@mycompany.com", "userEnabled": 1, "props": { "firstName": "Jane", "lastName": "Smith", "company": "myCompany", "accountAdmin": true } }` **Note**: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/TeamMembers_Create_Schema' responses: '201': $ref: '#/components/responses/responseTeamMembers_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - TeamMembers summary: List All Team Members deprecated: true description: >- Get a list of team members in your Lacework instance by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/TeamMembers` **Note**: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseTeamMembersList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/TeamMembers/search: post: tags: - TeamMembers summary: Search Team Members deprecated: true description: >- Search all team members in your Lacework instance by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/TeamMembers/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). You can filter on the following fields: * `custGuid` * `userGuid` * `userName` * `userEnabled` Here is an example `body` payload: > `{ "filters" : [ { "expression": "eq", "field": "userName", "value": "jane.smith@mycompany.com" } ] } ` **Note**: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: '#/components/responses/responseTeamMembersList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/TeamMembers/{userGuid}: get: tags: - TeamMembers summary: Team Member Details deprecated: true description: |- Get details about a team member by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}` Replace `{userGuid}` with the `userGuid` value returned for a team member in the response when invoking the following endpoint: `GET /api/v2/TeamMembers` **Note**: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: userGuid in: path description: User Guid required: true schema: type: string responses: '200': $ref: '#/components/responses/responseTeamMembers_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - TeamMembers summary: Update Team Member deprecated: true description: >- Optionally update the `userName` and`userEnabled` settings and the `props` sub-settings of the passed in team member. Update these settings by invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}` Replace `{userGuid}` with the `userGuid` value returned for a team member in the response, when invoking the following endpoint: `GET /api/v2/TeamMembers`. Here is an example `body` payload: > `{ "props": {"firstName":"Jane"} }` **Note**: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: userGuid in: path description: User Guid required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/TeamMembers_Update_Schema' responses: '200': $ref: '#/components/responses/responseUpdateTeamMember' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - TeamMembers summary: Delete Team Member deprecated: true description: |- Delete a team member by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}` Replace `{userGuid}` with the `userGuid` value returned for a team member in the response when invoking the following endpoint: `GET /api/v2/TeamMembers` **Note**: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See [Access Control](https://www.laceworkplatform.com/console/access-control-nav) for more information about the new RBAC model. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' - name: userGuid in: path description: User Guid required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/TemplateFiles/{templateFileName}: get: tags: - TemplateFiles summary: Download Template File description: >- Download the CloudFormation template from the Lacework Console for a specific template file name by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/{templateFileName}` Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsConfig` Here is another example invocation: > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsCloudTrail` Optionally pass in `intgGuid` as a query parameter for the `AwsEksAuditSubscriptionFilter` template file name. Here is an example invocation: > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsEksAuditSubscriptionFilter?intgGuid=ROIJ898329....` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeOctet' - name: templateFileName in: path description: The template's filename to download. required: true schema: type: string enum: - AwsCloudTrail - AwsConfig responses: '200': $ref: '#/components/responses/responseTemplateFilesList_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/UserProfile: get: tags: - UserProfile summary: List Sub-accounts description: >- List all sub-accounts that are managed by the `YourLacework` account by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/UserProfile` For example, if you specify the `IT20.MyCompany` organization account in `YourLacework`, this lists all sub-accounts of the `IT20` account. Here is an example invocation: > `GET https://IT20.MyCompany.lacework.net/api/v2/UserProfile` The response reports details about organization accounts and non-organization accounts in addition to authorization and privilege details. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - $ref: '#/components/parameters/paramOrgAccessHeader' - $ref: '#/components/parameters/paramAccountNameHeader' responses: '200': $ref: '#/components/responses/responseUserProfileList_Response_Schema' '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Vulnerabilities/Containers/search: post: tags: - Vulnerabilities summary: Search Container Vulnerabilities description: >- Search the scan (assessment), including the scan status, vulnerabilities found in the scan, and those vulnerabilities' statistics by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. You can optionally filter the returned vulnerabilities by severity, vulnerability id, machine id, and/or other fields. For more information, see https://www.laceworkplatform.com/containervulndetailsv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "vulnId", "expression": "eq", "value": "CVE-2018-7169" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "evalCtx.image_info.digest", "expression": "eq", "value": "sha256:2e05f1f668367c1fc0f1c9c02ee87521ed66541e6ebf0a31905b8cdd78d22611" }, { "field": "severity", "expression": "eq", "value": "Medium" } ],` `"returns": [ "imageId", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseVulnerabilities_ContainersList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Vulnerabilities/Containers/scan: post: tags: - Vulnerabilities summary: Scan Container Vulnerabilities description: >- Request that Lacework scans (evaluates) for vulnerabilities in the specified container image. Specify the container image by passing in a tag, repository, and registry in the body parameter. You must specify a container image and repository located in a registry domain that has already been integrated with Lacework. For registries that are integrated using the Lacework generic `Docker V2 Registry` type, vulnerability scans can be started only by calling this API operation. For registries that are integrated using any Lacework registry type except *"Docker V2 Registry"*, vulnerability scans start when the container registry is initially integrated, when specified by the default scan schedule, or when this operation is called. For more information, see https://www.laceworkplatform.com/container-vulnerability-assessment-overview. For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://www.laceworkplatform.com/generate-api-access-keys-and-tokens. Usage Example: > `curl -X POST -H 'Content-Type: application/json' -d '{ "registry": "index.docker.io", "repository": "yourDockerOrg/yourRepository", "tag": "yourTag" }' "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan" -H "Authorization: Bearer YourAPIToken"` In the JSON body, do not prefix the registry or the repository with the `http://` string. This operation returns a unique requestId in the response that you can use to track the status of this scan/assessment. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: >- #/components/schemas/Vulnerability_Container_Scan_Request_Body_Schema responses: '200': $ref: '#/components/responses/responseAsync_Scan_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Vulnerabilities/Containers/scan/{requestId}: get: tags: - Vulnerabilities summary: Track Container Scan Status description: >- Track the progress and return data about an on-demand vulnerability scan that was started by calling the `POST /api/v2/Vulnerabilities/Containers/scan` operation. You must pass in the unique request id returned in the response of the POST Vulnerabilities/Containers/scan operation. For example, > `GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan/abcdefgh-123...` When completed, the scan operation returns an `evalGuid`, which you can use to get the results of the scan by passing it to the "Search Container Vulnerabilities" endpoint: > `POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search` Pass the `evalGuid` in the request body, for example: > `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: requestId in: path description: Assessment Request ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseAsync_Scan_Status_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Vulnerabilities/Hosts/search: post: tags: - Vulnerabilities summary: Search Host Vulnerabilities description: >- Search the scan (assessment), including the scan status, vulnerabilities found in the scan, and statistics about those vulnerabilities by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/search` Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days. Optionally filter the returned vulnerabilities by severity, vulnerability id, machine id, and/or other fields. For more information, see https://www.laceworkplatform.com/hostvulndetailsv-view. Here are some example `body` payloads: * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "vulnId", "expression": "eq", "value": "CVE-2018-7169" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }` * `{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"},` `"filters": [ { "field": "machineTags.AmiId", "expression": "eq", "value": "ami-0d9ef0d809e365a36" }, { "field": "severity", "expression": "eq", "value": "Medium" } ],` `"returns": [ "mid", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey", "machineTags" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' responses: '200': $ref: >- #/components/responses/responseVulnerabilities_HostsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Vulnerabilities/SoftwarePackages/scan: post: tags: - Vulnerabilities summary: Scan Software Packages description: >- Request an on-demand vulnerability assessment of your software packages to determine if the packages contain any common vulnerabilities and exposures. The response for detected CVEs includes CVE details. Only packages managed by a package manager for supported operating systems are reported. Use the body parameter to specify the list of packages to scan for. In the package list, separate each package entry with a comma. Here is the list of supported OS types with some osVer examples: * `{ "os": "alpine", "osVer": "v3.1" ... }` * `{ "os": "amzn", "osVer": "2" ... }` * `{ "os": "amzn", "osVer": "2018.03" ... }` * `{ "os": "centos", "osVer": "5" ... }` * `{ "os": "debian", "osVer": "unstable" ... }` * `{ "os": "debian", "osVer": "11" ... }` * `{ "os": "oracle", "osVer": "8" ... }` * `{ "os": "rhel", "osVer": "8" ... }` * `{ "os": "ubuntu", "osVer": "19.10" ... }` For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://www.laceworkplatform.com/generate-api-access-keys-and-tokens. Usage Example: > `curl -X POST -H 'Content-Type: application/json' -d '{ "osPkgInfoList": [ { "os":"Ubuntu", "osVer":"18.04", "pkg": "openssl","pkgVer": "1.1.1-1ubuntu2.1~18.04.5" } ] }' "https://YourLacework.lacework.net/api/v2/Vulnerabilities/SoftwarePackages/scan" -H "Authorization: Bearer YourAPIToken"` Note: Calls to this operation are rate limited to 10 calls per hour, per access key. If this rate limit is exceeded, an exception is thrown. Also, note that this operation is limited to 1k of packages per payload. If you require a payload larger than 1k, you must make multiple requests. For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://www.laceworkplatform.com/generate-api-access-keys-and-tokens. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: >- #/components/schemas/Vulnerability_SW_Pkg_Scan_Request_Body_Schema responses: '200': $ref: >- #/components/responses/responseVulnerability_SW_Package_Scan_Response_Schema 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/VulnerabilityExceptions: post: tags: - VulnerabilityExceptions summary: Create Vulnerability Exceptions description: >- Create a vulnerability exception by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VulnerabilityExceptions_Create_Schema' responses: '201': $ref: >- #/components/responses/responseVulnerabilityExceptions_Response_Schema 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - VulnerabilityExceptions summary: List All Vulnerability Exceptions description: >- Get a list of all vulnerability exceptions for the account by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: >- #/components/responses/responseVulnerabilityExceptionsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/VulnerabilityExceptions/search: post: tags: - VulnerabilityExceptions summary: Search Vulnerability Exceptions description: |- Search vulnerability exceptions by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array. Here are some example `body` payloads: * `{ "filters": [ { "field": "exceptionType", "expression": "eq", "value": "Host" } ] }` * `{ "filters": [ { "field": "exceptionType", "expression": "eq", "value": "Container" },` `{ "field": "expiryTime", "expression": "gt", "value": "2021-01-01" } ],` `"returns": [ "name", "exceptionType", "expiryTime" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: >- #/components/responses/responseVulnerabilityExceptionsList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/VulnerabilityExceptions/{exceptionGuid}: get: tags: - VulnerabilityExceptions summary: Vulnerability Exception Details description: >- Get details about a vulnerability exception by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: exceptionGuid in: path description: Vulnerability Exception ID required: true schema: type: string responses: '200': $ref: >- #/components/responses/responseVulnerabilityExceptions_Response_Schema 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - VulnerabilityExceptions summary: Update Vulnerability Exceptions description: >- Update a vulnerability exception by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}` In the request body, only specify the parameters that you want to update, for example, `{ "exceptionReason" : "Other" }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: exceptionGuid in: path description: Vulnerability Exception ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VulnerabilityExceptions_Update_Schema' responses: '200': $ref: >- #/components/responses/responseVulnerabilityExceptions_Response_Schema 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - VulnerabilityExceptions summary: Delete Vulnerability Exceptions description: |- Delete a vulnerability exception by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: exceptionGuid in: path description: Vulnerability Exception ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/VulnerabilityPolicies: post: tags: - VulnerabilityPolicies summary: Create Vulnerability Policies description: >- Create a vulnerability policy by specifying parameters in the request body when invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VulnerabilityPolicies_Create_Schema' responses: '201': $ref: '#/components/responses/responseVulnerabilityPolicies_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' get: tags: - VulnerabilityPolicies summary: List All Vulnerability Policies description: >- Get a list of all vulnerability policies for the account by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' responses: '200': $ref: >- #/components/responses/responseVulnerabilityPoliciesList_Response_Schema 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/VulnerabilityPolicies/search: post: tags: - VulnerabilityPolicies summary: Search Vulnerability Policies description: |- Search vulnerability policies by invoking the following endpoint: > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/search` To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). In the request body, optionally specify the list of fields to return in the response by specifying the list in the `returns` array. Here are some example `body` payloads: * `{ "filters": [ { "field": "policyType", "expression": "eq", "value": "DockerFile" } ] }` * `{ "filters": [ { "field": "PolicyType", "expression": "eq", "value": "CVE" },` `{ "field": "createdTime", "expression": "gt", "value": "2021-01-01" } ],` `"returns": [ "name", "policyType", "createdTime" ] }` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS' responses: '200': $ref: >- #/components/responses/responseVulnerabilityPoliciesList_Response_Schema '204': description: No Data 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/VulnerabilityPolicies/{policyGuid}: get: tags: - VulnerabilityPolicies summary: Vulnerability Policy Details description: >- Get details about a vulnerability policy by invoking the following endpoint: > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: policyGuid in: path description: Vulnerability Policies ID required: true schema: type: string responses: '200': $ref: '#/components/responses/responseVulnerabilityPolicies_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' patch: tags: - VulnerabilityPolicies summary: Update Vulnerability Policies description: >- Update a vulnerability policy by specifying parameters in the request body when invoking the following endpoint: > `PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}` In the request body, only specify the parameters that you want to update, for example, `{ "severity" : "High" }`. parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: policyGuid in: path description: Vulnerability Policies ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VulnerabilityPolicies_Update_Schema' responses: '200': $ref: '#/components/responses/responseVulnerabilityPolicies_Response_Schema' 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' delete: tags: - VulnerabilityPolicies summary: Delete Vulnerability Policies description: |- Delete a vulnerability policy by invoking the following endpoint: > `DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}` parameters: - $ref: '#/components/parameters/paramAuthHeader' - $ref: '#/components/parameters/paramContentTypeHeader' - name: policyGuid in: path description: Vulnerability Policies ID required: true schema: type: string responses: '204': description: Success 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Webhooks/ServerTokens/{type}: post: tags: - Webhooks summary: Webhooks by Server Tokens description: |- Send notifications from your integration using a server token. You must specify the integration's server token that was generated by the Lacework Console when you created the integration that subscribes to notifications. For more information, see https://www.laceworkplatform.com/integrate-a-docker-v2-registry. For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://www.laceworkplatform.com/generate-api-access-keys-and-tokens. Usage Example: > `curl -H 'Content-Type: {content-type}' -X POST -d '{notification-body}' "https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/DockerV2" -H "Authorization: Bearer YourServerToken"` Note: If a container registry integration is unsubscribed from notifications and then subscribed again, the same server token is used. parameters: - $ref: '#/components/parameters/paramAuthHeaderServerToken' - $ref: '#/components/parameters/paramContentTypeHeader' - in: path name: type required: true description: The integration type such as `AzureCR`, `DockerV2`, `JFrog`. schema: type: string enum: - AzureCR - DockerV2 - JFrog requestBody: required: true description: Integration specific notification body content: application/json: schema: type: object responses: '200': description: No Error (integration specific response content) content: application/json: schema: type: object 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' /api/v2/Webhooks/Signatures/{type}: post: tags: - Webhooks summary: Webhooks by Signature description: |- Send notifications from your integration using a signature. You must specify the integration's server token that was generated by the Lacework Console when you created the integration that subscribes to notifications. For more information, see https://www.laceworkplatform.com/integrate-github-container-registry. Usage Example: > `curl -H 'Content-Type: {content-type}' -X POST "https://YourLacework.lacework.net/api/v2/Webhooks/Signatures/GithubCR" -H "x-hub-signature-256: sha256=sha256 payload hash with YourServerToken as secret"` Note: For a container registry integration, use the same server token if you want to re-subscribe to notifications after unsubscribing. parameters: - $ref: '#/components/parameters/paramAuthHeaderSignature' - $ref: '#/components/parameters/paramContentTypeHeader' - in: path name: type required: true description: The integration type such as `GithubCR`. schema: type: string enum: - GithubCR responses: '200': description: No Error (integration specific response content) content: application/json: schema: type: object 4XX: $ref: '#/components/responses/response4XX' 5XX: $ref: '#/components/responses/responseInternalError' components: parameters: paramAuthHeader: name: Authorization in: header description: Bearer Access Token. For example, "Bearer {YourAPIToken}" required: true schema: type: string paramAuthHeaderServerToken: name: Authorization in: header description: Bearer Server Token. For example, "Bearer {YourServerToken}" required: true schema: type: string paramAuthHeaderSignature: name: x-hub-signature-256 in: header description: >- When your secret token is set, Lacework uses it to create a hash signature with each payload. This hash signature is included with the headers of each request as `X-Hub-Signature-256`. required: true schema: type: string example: 'x-hub-signature-256: sha256=123...' paramContentTypeHeader: name: Content-Type in: header description: application/json required: true schema: type: string paramOrgAccessHeader: name: Org-Access in: header description: >- Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the `Account-Name` attribute to specify which account to access. schema: type: boolean paramAccountNameHeader: name: Account-Name in: header description: Use this attribute to specify which sub-account to access. schema: type: string paramContentTypeOctet: name: Content-Type in: header description: application/octet-stream required: true schema: type: string paramStartTime: name: startTime in: query description: Returns only recorded actions that occurred after this timestamp. schema: type: string paramEndTime: name: endTime in: query description: Returns only recorded actions that occurred before this timestamp. schema: type: string paramPolicyId: name: policyId in: query description: Policy ID required: true schema: type: string schemas: Activities_ChangedFiles_Response_Schema: properties: startTime: type: string description: The time and date when the hourly aggregation time period starts. endTime: type: string mid: type: integer filePath: type: string filedataHash: type: string mtime: type: string size: type: integer threatInfo: type: string additionalProperties: true Activities_Connections_Response_Schema: properties: startTime: type: string endTime: type: string srcEntityType: type: string srcEntityId: type: object dstEntityType: type: string dstEntityId: type: object srcInBytes: type: integer srcOutBytes: type: integer dstInBytes: type: integer dstOutBytes: type: integer endpointDetails: type: object numConns: type: integer additionalProperties: true Activities_DNSs_Response_Schema: properties: createdTime: type: string mid: type: integer fqdn: type: string hostIpAddr: type: string ttl: type: integer dnsServerIp: type: string additionalProperties: true Activities_UserLogins_Response_Schema: properties: createdTime: type: string mid: type: integer activityTime: type: string activityType: type: string username: type: string uid: type: integer sourceIpAddr: type: string additionalProperties: true AgentAccessTokens: allOf: - $ref: '#/components/schemas/AgentAccessTokens_Create_Schema' - type: object properties: accessToken: type: string createdTime: type: string props: type: string version: type: string AgentAccessTokens_Create_Schema: allOf: - $ref: '#/components/schemas/AgentAccessTokens_Update_Schema' - type: object required: - tokenAlias - tokenEnabled properties: tokenAlias: type: string minItems: 1 description: >- The token's alias such as Ops Agent. Aliases help communicate the intended purpose of a token and are effective when a value with a single intent appears in multiple places. AgentAccessTokens_Response_Schema: allOf: - $ref: '#/components/schemas/AgentAccessTokens_Create_Schema' - type: object properties: accessToken: type: string description: The new agent access token. createdTime: type: string description: The time and date when the token was issued by Lacework. version: type: string description: The Lacework Agent's version. additionalProperties: true AgentAccessTokens_Update_Schema: type: object properties: props: type: object description: >- The access token's properties, including `createdTime` and `description`. properties: description: type: string description: A brief description of the token creation. os: type: string description: The operating system. tokenEnabled: type: string minItems: 1 description: >- The `tokenEnabled` property determines if an edit control is a "Text token" edit control. When the `tokenEnabled` property is set to `1`, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control. AgentInfo_Response_Schema: properties: agentVersion: type: string createdTime: type: string hostname: type: string ipAddr: type: string lastUpdate: type: string mid: type: integer mode: type: string os: type: string status: type: string tags: type: object additionalProperties: true AlertChannels_AwsS3_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_AwsS3_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: s3CrossAccountCredentials: properties: externalId: title: External ID type: string minLength: 1 roleArn: title: Role ARN type: string pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ bucketArn: title: Bucket ARN type: string pattern: >- ^arn:aws(-[a-zA-Z]+)?:s3:([a-zA-Z0-9-_]+)?:([0-9]{12})?:([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ required: - externalId - roleArn - bucketArn type: object required: - s3CrossAccountCredentials type: object AlertChannels_AwsS3_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_AwsS3_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_AwsS3_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AwsS3 enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: s3CrossAccountCredentials: properties: externalId: title: External ID type: string minLength: 1 roleArn: title: Role ARN type: string pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ bucketArn: title: Bucket ARN type: string pattern: >- ^arn:aws(-[a-zA-Z]+)?:s3:([a-zA-Z0-9-_]+)?:([0-9]{12})?:([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ type: object type: object AlertChannels_CiscoSparkWebhook_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: webhook: title: Webhook type: string description: The URL of your incoming webhook. pattern: >- ^https://(api.ciscospark|webexapis).com/v1/webhooks/incoming([/][a-zA-Z0-9#-_]+)+$ required: - webhook type: object AlertChannels_CiscoSparkWebhook_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_CiscoSparkWebhook_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - CiscoSparkWebhook enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: webhook: title: Webhook type: string description: The URL of your incoming webhook. pattern: >- ^https://(api.ciscospark|webexapis).com/v1/webhooks/incoming([/][a-zA-Z0-9#-_]+)+$ type: object AlertChannels_CloudwatchEb_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_CloudwatchEb_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single event. Choosing `Events` results in a single event being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple events being created, one for each resource. See [Create an Amazon CloudWatch Alert Channel](https://www.laceworkplatform.com/onboarding/amazon-event-bridge#create-an-amazon-cloudwatch-alert-channel). default: Events enum: - Events - Resources eventBusArn: title: Event Bus ARN type: string description: >- The ARN of your Amazon CloudWatch event bus, which uses the following format:
`arn:aws:events:::event-bus/`
Replace `REGION` , `YOUR-ACCOUNT-ID` and `YOUR-EVENT-BUS-NAME` with your values. pattern: >- ^arn:aws(-[a-zA-Z]+)?:events:([a-zA-Z0-9]{1}[a-zA-Z0-9-]+[a-zA-Z0-9]{1}):([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)?$ required: - eventBusArn type: object AlertChannels_CloudwatchEb_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_CloudwatchEb_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_CloudwatchEb_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - CloudwatchEb enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single event. Choosing `Events` results in a single event being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple events being created, one for each resource. See [Create an Amazon CloudWatch Alert Channel](https://www.laceworkplatform.com/onboarding/amazon-event-bridge#create-an-amazon-cloudwatch-alert-channel). default: Events enum: - Events - Resources eventBusArn: title: Event Bus ARN type: string description: >- The ARN of your Amazon CloudWatch event bus, which uses the following format:
`arn:aws:events:::event-bus/`
Replace `REGION` , `YOUR-ACCOUNT-ID` and `YOUR-EVENT-BUS-NAME` with your values. pattern: >- ^arn:aws(-[a-zA-Z]+)?:events:([a-zA-Z0-9]{1}[a-zA-Z0-9-]+[a-zA-Z0-9]{1}):([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)?$ type: object AlertChannels_Create_Schema: oneOf: - $ref: '#/components/schemas/AlertChannels_AwsS3_Create_Schema' - $ref: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Create_Schema' - $ref: '#/components/schemas/AlertChannels_CloudwatchEb_Create_Schema' - $ref: '#/components/schemas/AlertChannels_Datadog_Create_Schema' - $ref: '#/components/schemas/AlertChannels_EmailUser_Create_Schema' - $ref: '#/components/schemas/AlertChannels_GcpPubsub_Create_Schema' - $ref: '#/components/schemas/AlertChannels_IbmQradar_Create_Schema' - $ref: '#/components/schemas/AlertChannels_Jira_Create_Schema' - $ref: '#/components/schemas/AlertChannels_MicrosoftTeams_Create_Schema' - $ref: '#/components/schemas/AlertChannels_NewRelicInsights_Create_Schema' - $ref: '#/components/schemas/AlertChannels_PagerDutyApi_Create_Schema' - $ref: '#/components/schemas/AlertChannels_ServiceNowRest_Create_Schema' - $ref: '#/components/schemas/AlertChannels_SlackChannel_Create_Schema' - $ref: '#/components/schemas/AlertChannels_SplunkHec_Create_Schema' - $ref: '#/components/schemas/AlertChannels_VictorOps_Create_Schema' - $ref: '#/components/schemas/AlertChannels_Webhook_Create_Schema' discriminator: propertyName: type mapping: AwsS3: '#/components/schemas/AlertChannels_AwsS3_Create_Schema' CiscoSparkWebhook: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Create_Schema' CloudwatchEb: '#/components/schemas/AlertChannels_CloudwatchEb_Create_Schema' Datadog: '#/components/schemas/AlertChannels_Datadog_Create_Schema' EmailUser: '#/components/schemas/AlertChannels_EmailUser_Create_Schema' GcpPubsub: '#/components/schemas/AlertChannels_GcpPubsub_Create_Schema' IbmQradar: '#/components/schemas/AlertChannels_IbmQradar_Create_Schema' Jira: '#/components/schemas/AlertChannels_Jira_Create_Schema' MicrosoftTeams: '#/components/schemas/AlertChannels_MicrosoftTeams_Create_Schema' NewRelicInsights: '#/components/schemas/AlertChannels_NewRelicInsights_Create_Schema' PagerDutyApi: '#/components/schemas/AlertChannels_PagerDutyApi_Create_Schema' ServiceNowRest: '#/components/schemas/AlertChannels_ServiceNowRest_Create_Schema' SlackChannel: '#/components/schemas/AlertChannels_SlackChannel_Create_Schema' SplunkHec: '#/components/schemas/AlertChannels_SplunkHec_Create_Schema' VictorOps: '#/components/schemas/AlertChannels_VictorOps_Create_Schema' Webhook: '#/components/schemas/AlertChannels_Webhook_Create_Schema' AlertChannels_Datadog_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_Datadog_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: datadogType: title: Datadog Service type: string description: >- The Datadog service to use in the alert channel such as Logs Detail, Logs Summary, or Events Summary. default: Logs Detail enum: - Logs Detail - Logs Summary - Events Summary datadogSite: title: Datadog Site type: string description: >- The Datadog site you want to store your logs, either the US or Europe. default: com enum: - com - eu - us - us3 - us5 - us1-fed apiKey: title: API Key type: string description: YourApiKey minLength: 1 format: password required: - datadogType - datadogSite - apiKey type: object AlertChannels_Datadog_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_Datadog_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_Datadog_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - Datadog enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: datadogType: title: Datadog Service type: string description: >- The Datadog service to use in the alert channel such as Logs Detail, Logs Summary, or Events Summary. default: Logs Detail enum: - Logs Detail - Logs Summary - Events Summary datadogSite: title: Datadog Site type: string description: >- The Datadog site you want to store your logs, either the US or Europe. default: com enum: - com - eu - us - us3 - us5 - us1-fed apiKey: title: API Key type: string description: YourApiKey minLength: 1 format: password type: object AlertChannels_EmailUser_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_EmailUser_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: channelProps: required: - recipients properties: recipients: type: string minLength: 1 description: The list of email addresses to send alerts to. type: object type: object required: - channelProps AlertChannels_EmailUser_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_EmailUser_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_EmailUser_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - EmailUser enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: channelProps: properties: recipients: type: string minLength: 1 description: The list of email addresses to send alerts to. type: object type: object AlertChannels_GcpPubsub_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_GcpPubsub_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single message. Choosing `Events` results in a single message being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple messages being created, one for each resource. See [Create a GCP Pub/Sub Alert Channel](https://www.laceworkplatform.com/onboarding/google-cloud-pubsub#create-a-gcp-pubsub-alert-channel). default: Events enum: - Events - Resources credentials: properties: clientId: title: Client ID type: string description: Your GCP Pub/Sub's client ID. minLength: 1 privateKeyId: title: Private Key ID type: string description: Your GCP Pub/Sub's private key. minLength: 1 clientEmail: title: Client Email type: string description: >- The Client Email name provided when creating the new service account. pattern: >- ^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: Your GCP Pub/Sub's private key certificate. minLength: 1 type: object description: Your GCP Pub/Sub's credentials. required: - clientId - clientEmail - privateKeyId - privateKey projectId: title: Project ID type: string description: Your GCP Pub/Sub's project ID. minLength: 1 topicId: title: Topic ID type: string description: The topic ID to use in this alert channel. minLength: 1 required: - projectId - topicId - credentials type: object AlertChannels_GcpPubsub_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_GcpPubsub_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_GcpPubsub_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - GcpPubsub enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single message. Choosing `Events` results in a single message being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple messages being created, one for each resource. See [Create a GCP Pub/Sub Alert Channel](https://www.laceworkplatform.com/onboarding/google-cloud-pubsub#create-a-gcp-pubsub-alert-channel). default: Events enum: - Events - Resources credentials: properties: clientId: title: Client ID type: string description: Your GCP Pub/Sub's client ID. minLength: 1 privateKeyId: title: Private Key ID type: string description: Your GCP Pub/Sub's private key. minLength: 1 clientEmail: title: Client Email type: string description: >- The Client Email name provided when creating the new service account. pattern: >- ^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: Your GCP Pub/Sub's private key certificate. minLength: 1 type: object description: Your GCP Pub/Sub's credentials. projectId: title: Project ID type: string description: Your GCP Pub/Sub's project ID. minLength: 1 topicId: title: Topic ID type: string description: The topic ID to use in this alert channel. minLength: 1 type: object AlertChannels_IbmQradar_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_IbmQradar_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: qradarCommType: title: Communication Type type: string description: >- The issue group to use in this alert channel such as Events, Resources. default: HTTPS enum: - HTTPS - HTTPS Self Signed Cert qradarHostUrl: title: QRadar Host Url type: string description: Your domain name or IP address of QRadar. pattern: .+[a-zA-Z0-9]$ minLength: 1 qradarHostPort: title: QRadar Host Port type: number description: Your listen port defined in QRadar. minimum: 0 maximum: 65535 required: - qradarCommType - qradarHostUrl type: object AlertChannels_IbmQradar_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_IbmQradar_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_IbmQradar_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - IbmQradar enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: qradarCommType: title: Communication Type type: string description: >- The issue group to use in this alert channel such as Events, Resources. default: HTTPS enum: - HTTPS - HTTPS Self Signed Cert qradarHostUrl: title: QRadar Host Url type: string description: Your domain name or IP address of QRadar. pattern: .+[a-zA-Z0-9]$ minLength: 1 qradarHostPort: title: QRadar Host Port type: number description: Your listen port defined in QRadar. minimum: 0 maximum: 65535 type: object AlertChannels_Jira_Create_Schema: required: - type - enabled - name - data properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - Jira enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: oneOf: - $ref: >- #/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Create_Schema - $ref: >- #/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Create_Schema discriminator: propertyName: jiraType mapping: JIRA_CLOUD: >- #/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Create_Schema JIRA_SERVER: >- #/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Create_Schema AlertChannels_Jira_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_Jira_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_Jira_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - Jira enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: oneOf: - $ref: >- #/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Update_Schema - $ref: >- #/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Update_Schema discriminator: propertyName: jiraType mapping: JIRA_CLOUD: >- #/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Update_Schema JIRA_SERVER: >- #/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Update_Schema AlertChannels_Jira_data_JIRA_CLOUD_Create_Schema: properties: jiraType: title: Jira Type type: string description: The Jira product you are using such as Jira Cloud or Jira Server. enum: - JIRA_CLOUD default: JIRA_CLOUD bidirectionalConfig: title: Configuration type: string default: Unidirectional enum: - Unidirectional - Bidirectional issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single Jira issue. Choosing `Events` results in a single Jira issue being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple Jira issues being created, one for each resource. See [Create a Jira Alert Channel](https://www.laceworkplatform.com/onboarding/jira#create-a-jira-alert-channel). default: Events enum: - Events - Resources jiraUrl: title: Jira URL type: string description: The URL of your Jira implementation. pattern: '[a-zA-Z0-9]\.(atlassian\.net|jira\.com)$' minLength: 1 projectId: title: Jira Project Key type: string description: >- The Jira project where the new Jira issues should be created. Note that the specified Jira Issue type must exist in the specified Jira project prior to creating the Lacework Jira channel. minLength: 1 issueType: title: Issue Type type: string description: >- The Jira Issue type (such as a Bug) to create when a new Jira issue is created. minLength: 1 username: title: Username type: string description: The Jira user name. Lacework recommends a dedicated Jira user. minLength: 1 apiToken: title: API Token type: string description: Your Jira API Token. format: password minLength: 1 customTemplateFile: title: Custom Template File description: >- The custom template file to populate values from a custom template JSON file. format: data-url type: string required: - jiraUrl - username - apiToken - issueType - projectId title: JIRA_CLOUD type: object AlertChannels_Jira_data_JIRA_CLOUD_Update_Schema: properties: jiraType: title: Jira Type type: string description: The Jira product you are using such as Jira Cloud or Jira Server. enum: - JIRA_CLOUD default: JIRA_CLOUD bidirectionalConfig: title: Configuration type: string default: Unidirectional enum: - Unidirectional - Bidirectional issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single Jira issue. Choosing `Events` results in a single Jira issue being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple Jira issues being created, one for each resource. See [Create a Jira Alert Channel](https://www.laceworkplatform.com/onboarding/jira#create-a-jira-alert-channel). default: Events enum: - Events - Resources jiraUrl: title: Jira URL type: string description: The URL of your Jira implementation. pattern: '[a-zA-Z0-9]\.(atlassian\.net|jira\.com)$' minLength: 1 projectId: title: Jira Project Key type: string description: >- The Jira project where the new Jira issues should be created. Note that the specified Jira Issue type must exist in the specified Jira project prior to creating the Lacework Jira channel. minLength: 1 issueType: title: Issue Type type: string description: >- The Jira Issue type (such as a Bug) to create when a new Jira issue is created. minLength: 1 username: title: Username type: string description: The Jira user name. Lacework recommends a dedicated Jira user. minLength: 1 apiToken: title: API Token type: string description: Your Jira API Token. format: password minLength: 1 customTemplateFile: title: Custom Template File description: >- The custom template file to populate values from a custom template JSON file. format: data-url type: string title: JIRA_CLOUD type: object AlertChannels_Jira_data_JIRA_SERVER_Create_Schema: properties: jiraType: title: Jira Type type: string description: | The Jira product you are using such as Jira Cloud or Jira Server. enum: - JIRA_SERVER default: JIRA_SERVER bidirectionalConfig: title: Configuration type: string default: Unidirectional enum: - Unidirectional - Bidirectional issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single Jira issue. Choosing `Events` results in a single Jira issue being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple Jira issues being created, one for each resource. See [Create a Jira Alert Channel](https://www.laceworkplatform.com/onboarding/jira#create-a-jira-alert-channel). default: Events enum: - Events - Resources jiraUrl: title: Jira URL type: string description: The URL of your Jira implementation. pattern: '[A-Za-z0-9\/\-&?_.=:]+' minLength: 1 projectId: title: Jira Project Key type: string description: >- The Jira project where the new Jira issues should be created. Note that the specified Jira Issue type must exist in the specified Jira project prior to creating the Lacework Jira channel. minLength: 1 issueType: title: Issue Type type: string description: >- The Jira Issue type (such as a Bug) to create when a new Jira issue is created. minLength: 1 username: title: Username type: string description: The Jira user name. Lacework recommends using a dedicated Jira user. minLength: 1 password: title: Password type: string description: The password to the Jira user specified in the `username` attribute. format: password minLength: 1 customTemplateFile: title: Custom Template File description: >- The custom template file to populate values from a custom template JSON file. format: data-url type: string required: - jiraUrl - username - password - issueType - projectId title: JIRA_SERVER type: object AlertChannels_Jira_data_JIRA_SERVER_Update_Schema: properties: jiraType: title: Jira Type type: string description: | The Jira product you are using such as Jira Cloud or Jira Server. enum: - JIRA_SERVER default: JIRA_SERVER bidirectionalConfig: title: Configuration type: string default: Unidirectional enum: - Unidirectional - Bidirectional issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single Jira issue. Choosing `Events` results in a single Jira issue being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple Jira issues being created, one for each resource. See [Create a Jira Alert Channel](https://www.laceworkplatform.com/onboarding/jira#create-a-jira-alert-channel). default: Events enum: - Events - Resources jiraUrl: title: Jira URL type: string description: The URL of your Jira implementation. pattern: '[A-Za-z0-9\/\-&?_.=:]+' minLength: 1 projectId: title: Jira Project Key type: string description: >- The Jira project where the new Jira issues should be created. Note that the specified Jira Issue type must exist in the specified Jira project prior to creating the Lacework Jira channel. minLength: 1 issueType: title: Issue Type type: string description: >- The Jira Issue type (such as a Bug) to create when a new Jira issue is created. minLength: 1 username: title: Username type: string description: The Jira user name. Lacework recommends using a dedicated Jira user. minLength: 1 password: title: Password type: string description: The password to the Jira user specified in the `username` attribute. format: password minLength: 1 customTemplateFile: title: Custom Template File description: >- The custom template file to populate values from a custom template JSON file. format: data-url type: string title: JIRA_SERVER type: object AlertChannels_MicrosoftTeams_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_MicrosoftTeams_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: teamsUrl: title: Webhook URL type: string description: The URL of your Microsoft Teams incoming webhook. pattern: >- ^https://[a-zA-Z0-9-_\.]*(outlook|webhook).office.com/webhook[a-zA-Z0-9#-_]*([/][a-zA-Z0-9#-_]+)+$ required: - teamsUrl type: object AlertChannels_MicrosoftTeams_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_MicrosoftTeams_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_MicrosoftTeams_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - MicrosoftTeams enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: teamsUrl: title: Webhook URL type: string description: The URL of your Microsoft Teams incoming webhook. pattern: >- ^https://[a-zA-Z0-9-_\.]*(outlook|webhook).office.com/webhook[a-zA-Z0-9#-_]*([/][a-zA-Z0-9#-_]+)+$ type: object AlertChannels_NewRelicInsights_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_NewRelicInsights_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: insertKey: title: Insert Key type: string description: >- Your New Relic Insert Key. See [Add an Insert Key](https://www.laceworkplatform.com/new-relic#add-an-insert-key) minLength: 1 accountId: title: Account ID type: number description: Your New Relic account ID. minLength: 1 region: title: Region type: string description: The data center (US or EU) to access. default: US enum: - US - EU required: - insertKey - accountId type: object AlertChannels_NewRelicInsights_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_NewRelicInsights_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_NewRelicInsights_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - NewRelicInsights enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: insertKey: title: Insert Key type: string description: >- Your New Relic Insert Key. See [Add an Insert Key](https://www.laceworkplatform.com/new-relic#add-an-insert-key) minLength: 1 accountId: title: Account ID type: number description: Your New Relic account ID. minLength: 1 region: title: Region type: string description: The data center (US or EU) to access. default: US enum: - US - EU type: object AlertChannels_PagerDutyApi_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_PagerDutyApi_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: apiIntgKey: title: API Integration Key type: string description: Your Integration Key. minLength: 1 required: - apiIntgKey type: object AlertChannels_PagerDutyApi_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_PagerDutyApi_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_PagerDutyApi_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - PagerDutyApi enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: apiIntgKey: title: API Integration Key type: string description: Your Integration Key. minLength: 1 type: object AlertChannels_Response_Schema: oneOf: - $ref: '#/components/schemas/AlertChannels_AwsS3_Response_Schema' - $ref: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Response_Schema' - $ref: '#/components/schemas/AlertChannels_CloudwatchEb_Response_Schema' - $ref: '#/components/schemas/AlertChannels_Datadog_Response_Schema' - $ref: '#/components/schemas/AlertChannels_EmailUser_Response_Schema' - $ref: '#/components/schemas/AlertChannels_GcpPubsub_Response_Schema' - $ref: '#/components/schemas/AlertChannels_IbmQradar_Response_Schema' - $ref: '#/components/schemas/AlertChannels_Jira_Response_Schema' - $ref: '#/components/schemas/AlertChannels_MicrosoftTeams_Response_Schema' - $ref: '#/components/schemas/AlertChannels_NewRelicInsights_Response_Schema' - $ref: '#/components/schemas/AlertChannels_PagerDutyApi_Response_Schema' - $ref: '#/components/schemas/AlertChannels_ServiceNowRest_Response_Schema' - $ref: '#/components/schemas/AlertChannels_SlackChannel_Response_Schema' - $ref: '#/components/schemas/AlertChannels_SplunkHec_Response_Schema' - $ref: '#/components/schemas/AlertChannels_VictorOps_Response_Schema' - $ref: '#/components/schemas/AlertChannels_Webhook_Response_Schema' discriminator: propertyName: type mapping: AwsS3: '#/components/schemas/AlertChannels_AwsS3_Response_Schema' CiscoSparkWebhook: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Response_Schema' CloudwatchEb: '#/components/schemas/AlertChannels_CloudwatchEb_Response_Schema' Datadog: '#/components/schemas/AlertChannels_Datadog_Response_Schema' EmailUser: '#/components/schemas/AlertChannels_EmailUser_Response_Schema' GcpPubsub: '#/components/schemas/AlertChannels_GcpPubsub_Response_Schema' IbmQradar: '#/components/schemas/AlertChannels_IbmQradar_Response_Schema' Jira: '#/components/schemas/AlertChannels_Jira_Response_Schema' MicrosoftTeams: '#/components/schemas/AlertChannels_MicrosoftTeams_Response_Schema' NewRelicInsights: '#/components/schemas/AlertChannels_NewRelicInsights_Response_Schema' PagerDutyApi: '#/components/schemas/AlertChannels_PagerDutyApi_Response_Schema' ServiceNowRest: '#/components/schemas/AlertChannels_ServiceNowRest_Response_Schema' SlackChannel: '#/components/schemas/AlertChannels_SlackChannel_Response_Schema' SplunkHec: '#/components/schemas/AlertChannels_SplunkHec_Response_Schema' VictorOps: '#/components/schemas/AlertChannels_VictorOps_Response_Schema' Webhook: '#/components/schemas/AlertChannels_Webhook_Response_Schema' AlertChannels_ServiceNowRest_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_ServiceNowRest_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single ServiceNow incident. Choosing `Events` results in a single ServiceNow incident being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple compliance incidents being created, one for each resource. See [Create a ServiceNow Alert Channel](https://www.laceworkplatform.com/servicenow#create-a-servicenow-alert-channel). default: Events enum: - Events - Resources userName: title: User Name type: string description: Your ServiceNow username. minLength: 1 password: title: Password type: string description: Your ServiceNow password. format: password minLength: 1 instanceUrl: title: Instance URL type: string description: Your ServiceNow server. pattern: ^https://[A-Za-z0-9]+[.]{1}service-now[.]{1}com/?$ customTemplateFile: title: Custom Template File description: >- The custom template file to populate values from a custom template JSON file. format: data-url type: string required: - userName - password - instanceUrl type: object AlertChannels_ServiceNowRest_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_ServiceNowRest_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_ServiceNowRest_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - ServiceNowRest enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single ServiceNow incident. Choosing `Events` results in a single ServiceNow incident being created when Lacework detects compliance events of the same type on multiple resources. Choosing `Resources` results in multiple compliance incidents being created, one for each resource. See [Create a ServiceNow Alert Channel](https://www.laceworkplatform.com/servicenow#create-a-servicenow-alert-channel). default: Events enum: - Events - Resources userName: title: User Name type: string description: Your ServiceNow username. minLength: 1 password: title: Password type: string description: Your ServiceNow password. format: password minLength: 1 instanceUrl: title: Instance URL type: string description: Your ServiceNow server. pattern: ^https://[A-Za-z0-9]+[.]{1}service-now[.]{1}com/?$ customTemplateFile: title: Custom Template File description: >- The custom template file to populate values from a custom template JSON file. format: data-url type: string type: object AlertChannels_SlackChannel_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_SlackChannel_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: slackUrl: title: Slack Incoming Webhook URL type: string description: The URL of your Slack incoming webhook. pattern: >- (^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$)|(^https://mattermost..+$) required: - slackUrl type: object AlertChannels_SlackChannel_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_SlackChannel_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_SlackChannel_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - SlackChannel enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: slackUrl: title: Slack Incoming Webhook URL type: string description: The URL of your Slack incoming webhook. pattern: >- (^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$)|(^https://mattermost..+$) type: object AlertChannels_SplunkHec_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_SplunkHec_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single event. Choosing Events results in a single event being created when Lacework detects compliance events of the same type on multiple resources. Choosing Resources results in multiple events being created, one for each resource. See [Create a Splunk Alert Channel](https://www.laceworkplatform.com/onboarding/splunk). default: Events enum: - Events - Resources hecToken: title: HEC Token type: string description: >- Your Splunk HEC token. To find your HEC token, navigate to Splunk Web, then click **Data Inputs > HttpEvent Collector**. minLength: 1 channel: title: Channel type: string description: >- Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel. minLength: 1 host: title: Host type: string description: >- The resolvable hostname or IP address of your Splunk instance (such as `https-inputs-.splunkcloud.com`). minLength: 1 port: title: Port type: number description: The destination port for forwarding alerts [80 or 443]. minimum: 0 maximum: 65536 ssl: title: SSL type: boolean description: >- When sending a request, use this attribute to enable or disable the SSL encryption. When included in a response, returns `1` for enabled SSL encryption, or returns `0` for disabled SSL encryption. eventData: title: Event Data type: object description: Details of the event's data structure. required: - index - source properties: index: title: Index type: string description: The Splunk index to use in this alert channel. minLength: 1 source: title: Source type: string description: The Splunk source to use in this alert channel. minLength: 1 sourceType: title: Source Type type: string default: _json enum: - _json - lacework:alerts required: - hecToken - host - port - eventData type: object AlertChannels_SplunkHec_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_SplunkHec_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_SplunkHec_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - SplunkHec enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: issueGrouping: title: Group Issues by type: string description: >- Whether you want to group multiple events of a single type into a single event. Choosing Events results in a single event being created when Lacework detects compliance events of the same type on multiple resources. Choosing Resources results in multiple events being created, one for each resource. See [Create a Splunk Alert Channel](https://www.laceworkplatform.com/onboarding/splunk). default: Events enum: - Events - Resources hecToken: title: HEC Token type: string description: >- Your Splunk HEC token. To find your HEC token, navigate to Splunk Web, then click **Data Inputs > HttpEvent Collector**. minLength: 1 channel: title: Channel type: string description: >- Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel. minLength: 1 host: title: Host type: string description: >- The resolvable hostname or IP address of your Splunk instance (such as `https-inputs-.splunkcloud.com`). minLength: 1 port: title: Port type: number description: The destination port for forwarding alerts [80 or 443]. minimum: 0 maximum: 65536 ssl: title: SSL type: boolean description: >- When sending a request, use this attribute to enable or disable the SSL encryption. When included in a response, returns `1` for enabled SSL encryption, or returns `0` for disabled SSL encryption. eventData: title: Event Data type: object description: Details of the event's data structure. properties: index: title: Index type: string description: The Splunk index to use in this alert channel. minLength: 1 source: title: Source type: string description: The Splunk source to use in this alert channel. minLength: 1 sourceType: title: Source Type type: string default: _json enum: - _json - lacework:alerts type: object AlertChannels_Update_Schema: oneOf: - $ref: '#/components/schemas/AlertChannels_AwsS3_Update_Schema' - $ref: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Update_Schema' - $ref: '#/components/schemas/AlertChannels_CloudwatchEb_Update_Schema' - $ref: '#/components/schemas/AlertChannels_Datadog_Update_Schema' - $ref: '#/components/schemas/AlertChannels_EmailUser_Update_Schema' - $ref: '#/components/schemas/AlertChannels_GcpPubsub_Update_Schema' - $ref: '#/components/schemas/AlertChannels_IbmQradar_Update_Schema' - $ref: '#/components/schemas/AlertChannels_Jira_Update_Schema' - $ref: '#/components/schemas/AlertChannels_MicrosoftTeams_Update_Schema' - $ref: '#/components/schemas/AlertChannels_NewRelicInsights_Update_Schema' - $ref: '#/components/schemas/AlertChannels_PagerDutyApi_Update_Schema' - $ref: '#/components/schemas/AlertChannels_ServiceNowRest_Update_Schema' - $ref: '#/components/schemas/AlertChannels_SlackChannel_Update_Schema' - $ref: '#/components/schemas/AlertChannels_SplunkHec_Update_Schema' - $ref: '#/components/schemas/AlertChannels_VictorOps_Update_Schema' - $ref: '#/components/schemas/AlertChannels_Webhook_Update_Schema' discriminator: propertyName: type mapping: AwsS3: '#/components/schemas/AlertChannels_AwsS3_Update_Schema' CiscoSparkWebhook: '#/components/schemas/AlertChannels_CiscoSparkWebhook_Update_Schema' CloudwatchEb: '#/components/schemas/AlertChannels_CloudwatchEb_Update_Schema' Datadog: '#/components/schemas/AlertChannels_Datadog_Update_Schema' EmailUser: '#/components/schemas/AlertChannels_EmailUser_Update_Schema' GcpPubsub: '#/components/schemas/AlertChannels_GcpPubsub_Update_Schema' IbmQradar: '#/components/schemas/AlertChannels_IbmQradar_Update_Schema' Jira: '#/components/schemas/AlertChannels_Jira_Update_Schema' MicrosoftTeams: '#/components/schemas/AlertChannels_MicrosoftTeams_Update_Schema' NewRelicInsights: '#/components/schemas/AlertChannels_NewRelicInsights_Update_Schema' PagerDutyApi: '#/components/schemas/AlertChannels_PagerDutyApi_Update_Schema' ServiceNowRest: '#/components/schemas/AlertChannels_ServiceNowRest_Update_Schema' SlackChannel: '#/components/schemas/AlertChannels_SlackChannel_Update_Schema' SplunkHec: '#/components/schemas/AlertChannels_SplunkHec_Update_Schema' VictorOps: '#/components/schemas/AlertChannels_VictorOps_Update_Schema' Webhook: '#/components/schemas/AlertChannels_Webhook_Update_Schema' AlertChannels_VictorOps_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_VictorOps_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: intgUrl: title: Integration URL type: string description: The VictorOps REST endpoint URL. maxLength: 2083 pattern: >- ^https:\/\/alert.victorops.com\/integrations\/generic\/([0-9]+)\/alert\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+$ required: - intgUrl type: object AlertChannels_VictorOps_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_VictorOps_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_VictorOps_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - VictorOps enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: intgUrl: title: Integration URL type: string description: The VictorOps REST endpoint URL. maxLength: 2083 pattern: >- ^https:\/\/alert.victorops.com\/integrations\/generic\/([0-9]+)\/alert\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+$ type: object AlertChannels_Webhook_Create_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_Webhook_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: webhookUrl: title: Webhook URL type: string description: The Webhook URL endpoint. pattern: https:\/\/[A-Za-z0-9\/\-&?_.=:]+ required: - webhookUrl type: object AlertChannels_Webhook_Response_Schema: allOf: - $ref: '#/components/schemas/AlertChannels_Webhook_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true AlertChannels_Webhook_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - Webhook enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: webhookUrl: title: Webhook URL type: string description: The Webhook URL endpoint. pattern: https:\/\/[A-Za-z0-9\/\-&?_.=:]+ type: object AlertProfiles_AlertTemplates_Create_Schema: required: - name - eventName - description - subject allOf: - $ref: '#/components/schemas/AlertProfiles_AlertTemplates_Update_Schema' - type: object properties: name: type: string description: >- A name that policies can use to refer to this definition when generating alerts AlertProfiles_AlertTemplates_Update_Schema: type: object properties: eventName: type: string description: The name of the resulting alert description: type: string description: Summary of the resulting alert subject: type: string description: A high-level observation of the resulting alert AlertProfiles_Create_Schema: allOf: - $ref: '#/components/schemas/AlertProfiles_Update_Schema' - type: object required: - alertProfileId - extends - alerts properties: alertProfileId: description: Unique id within customer account for Alert Profile type: string extends: type: string description: Base Lacework defined Alert Profile to inherit properties alerts: type: array description: >- An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console. items: type: object required: - name - eventName - description - subject properties: name: type: string description: >- A name that policies can use to refer to this definition when generating alerts eventName: type: string description: The name of the resulting alert description: type: string description: Summary of the resulting alert subject: type: string description: A high-level observation of the resulting alert AlertProfiles_Response_Schema: allOf: - $ref: '#/components/schemas/AlertProfiles_Create_Schema' - type: object properties: fields: type: array description: >- A field is a declaration of a field to be mapped in from an LQL query. Only LQL result fields that are declared as an alert profile field are mapped into event details and alerts. Fields returned by a query that are not listed as an alert profile field won't be mapped into event details and alerts. items: type: object properties: name: type: string description: Name of the field descriptionKeys: type: array description: >- A description key is a placeholder variable that you can use in an alert definition's subject and/or description. Description keys can refer to LQL query result fields and can also refer to other available data (such as metadata, like the name of a policy). Only description keys can be referred to by an alert definition. A field must be used in a description key to be available in an alert. items: type: object properties: name: type: string description: Name of the description key spec: type: string description: Specification of the description key additionalProperties: true AlertProfiles_Update_Schema: type: object properties: alerts: type: array description: >- An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console. items: type: object properties: name: type: string description: >- A name that policies can use to refer to this definition when generating alerts eventName: type: string description: The name of the resulting alert description: type: string description: Summary of the resulting alert subject: type: string description: A high-level observation of the resulting alert AlertRules: allOf: - $ref: '#/components/schemas/AlertRules_Create_Schema' - type: object properties: mcGuid: type: string AlertRules_Create_Schema: allOf: - $ref: '#/components/schemas/AlertRules_Update_Schema' - type: object required: - filters - intgGuidList - type properties: type: type: string description: The alert type. enum: - Event filters: type: object description: >- When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request. required: - name - enabled - severity properties: name: type: string description: The alert rule's name. minLength: 1 description: type: string description: Summary of the alert rule. enabled: description: >- When sending a request, use this attribute to enable or disable an alert rule. When included in a response, returns `1` for enabled alert rules, or returns `0` for disabled alert rules. enum: - 0 - 1 example: 1 resourceGroups: type: array description: The resource groups that you want the rule to apply to. items: type: string eventCategory: type: array description: The event categories that you want the rule to apply to. uniqueItems: true items: enum: - Compliance - App - Cloud - File - Machine - User - Platform - K8sActivity severity: description: >- The severity levels that you want the rule to apply to, where 1 = Critical, 2 = High, 3 = Medium, 4 = Low, and 5 = Info. type: array minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 AlertRules_Response_Schema: allOf: - $ref: '#/components/schemas/AlertRules_Create_Schema' - type: object properties: mcGuid: type: string description: Alert Rule ID additionalProperties: true AlertRules_Update_Schema: type: object properties: filters: type: object description: >- When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request. properties: name: type: string description: The alert rule's name. minLength: 1 description: type: string description: Summary of the alert rule. enabled: description: >- When sending a request, use this attribute to enable or disable an alert rule. When included in a response, returns `1` for enabled alert rules, or returns `0` for disabled alert rules. enum: - 0 - 1 example: 1 resourceGroups: type: array description: The resource groups that you want the rule to apply to. items: type: string eventCategory: type: array description: The event categories that you want the rule to apply to. uniqueItems: true items: enum: - Compliance - App - Cloud - File - Machine - User - Platform - K8sActivity severity: description: >- The severity levels that you want the rule to apply to, where 1 = Critical, 2 = High, 3 = Medium, 4 = Low, and 5 = Info. type: array minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 intgGuidList: type: array description: The alert channels for the rule to access. minItems: 1 uniqueItems: true items: type: string Alerts_Details_Response_Schema: properties: entityMap: type: object additionalProperties: true Alerts_Details_Response_Schema_Finalized: allOf: - type: object properties: scope: description: >- This field is used for the response schema option; it will not be in the response. type: string enum: - Details - type: object properties: data: allOf: - $ref: '#/components/schemas/Alerts_Response_Schema' - $ref: '#/components/schemas/Alerts_Details_Response_Schema' Alerts_Events_Response_Schema: properties: awsRegion: type: string description: The AWS region where the event occurred. eventName: type: string description: The name of the event. eventSource: type: string description: >- The source domain of the event or where the event occurred, such as `rds.amazonaws.com`. sourceIpAddress: type: string description: >- The IP address from which a request associated with the event was made. recipientAccountId: type: string description: The account ID that received the event. mfa: type: boolean description: Whether MFA is enabled. eventTime: type: string description: A timestamp reflecting when the event occurred. userIdentity: type: object description: The user associated with the event. additionalEventInfo: type: object description: Additional information associated with the event, if available. requestParameters: type: object description: Type-specific request parameters associated with the event. additionalProperties: true Alerts_Events_Response_Schema_Finalized: allOf: - type: object properties: scope: description: >- This field is used for the response schema option; it will not be in the response. type: string enum: - Events - type: object properties: data: allOf: - $ref: '#/components/schemas/Alerts_Events_Response_Schema' Alerts_Integrations_Response_Schema: properties: alertChannel: type: object description: The name of the alert channel. alertIntegrationId: type: string description: The integration identifier. alertId: type: number description: The alert identifier. integrationType: type: string description: The integration type, such as Jira or ServiceNow. integrationContext: type: object description: Arbitrary fields needed for the specific integration type. intgGuid: type: string description: The unique global identifier for the integration. lastSyncTime: type: string description: The last time Lacework synchronized data with the integrated system. alertIntegrationStatus: type: string description: >- Status specific to the integration type, such as a Jira issue status. status: type: string description: The integration status. isBidirectional: type: boolean description: Whether the integration supports bidirectional events. additionalProperties: true Alerts_Integrations_Response_Schema_Finalized: allOf: - type: object properties: scope: description: >- This field is used for the response schema option; it will not be in the response. type: string enum: - Integrations - type: object properties: data: allOf: - $ref: '#/components/schemas/Alerts_Integrations_Response_Schema' Alerts_Investigation_Response_Schema: properties: data: type: array items: type: object properties: question: type: string description: >- Lacework-defined investigative questions that may help uncover unexpected behaviors relevant to the event. answer: type: string description: The answer to the investigative question, `Yes` or `No`. additionalProperties: true Alerts_Investigation_Response_Schema_Finalized: allOf: - type: object properties: scope: description: >- This field is used for the response schema option; it will not be in the response. type: string enum: - Investigation - $ref: '#/components/schemas/Alerts_Investigation_Response_Schema' Alerts_RelatedAlerts_Response_Schema: properties: eventType: type: string description: The event type of the related alert. eventId: type: string description: The ID of the related alert. severity: type: string description: The Severity of the related alert. startTime: type: string description: >- The start time of the alert time range in which the related alert occurred. endTime: type: string description: >- The end time of the alert time range in which the related alert occurred. eventModel: type: string description: The event model of the related alert. eventProps: type: object description: The event properties of the related alert. rank: type: number description: The rank of the related alert based on a similarity score. eventInfo: type: object description: >- Information associated with the related event, such as its description. eventName: type: string description: The name of the related alert. additionalProperties: true Alerts_RelatedAlerts_Response_Schema_Finalized: allOf: - type: object properties: scope: description: >- This field is used for the response schema option; it will not be in the response. type: string enum: - RelatedAlerts - type: object properties: data: allOf: - $ref: '#/components/schemas/Alerts_RelatedAlerts_Response_Schema' Alerts_Response_Schema: properties: alertId: type: integer description: Alert ID alertType: type: string description: The alert type alertName: type: string description: The alert name such as `Service called GCP API` alertInfo: type: object description: Details of the alert properties: description: type: string description: The alert description provides why the potential threat occurred subject: type: string description: >- The alert subject. In some cases, the alert subject can be the same as the alert name. severity: type: string description: >- The alert's severity level. See [Alert Severity](https://www.laceworkplatform.com/alert-severity). startTime: type: string description: The time and date when the potential threat started endTime: type: string description: The time and date when the potential threat ended lastUserUpdatedTime: type: string description: >- The timestamp for when a user selected a [primary integration](https://www.laceworkplatform.com/jira#bidirectional-integration) or updated the alert status status: type: string description: The current status of the alert additionalProperties: true Alerts_Timeline_Response_Schema: properties: alertChannel: type: object description: The name of the alert channel. id: type: number description: The timeline item identifier. alertId: type: number description: The alert identifier. entryType: type: string description: The type of timeline item. entryAuthorType: type: string description: >- The timeline item author type, among `SystemUpdate`, `UserUpdate`, or `Integration`. intgGuid: type: string description: The integration's globally unique identifier. message: type: object description: The message associated with the timline item. externalTime: type: string description: >- The timestamp when the timeline item was generated according to the external alert platform. user: type: object description: The user who created the timeline item. updateContext: type: object description: Context information associated with the timeline item. alertIntegration: type: object description: Information about the alert channel integration. additionalProperties: true Alerts_Timeline_Response_Schema_Finalized: allOf: - type: object properties: scope: description: >- This field is used for the response schema option; it will not be in the response. type: string enum: - Timeline - type: object properties: data: allOf: - $ref: '#/components/schemas/Alerts_Timeline_Response_Schema' ApiV2AccessTokens: type: object required: - keyId - expiryTime properties: keyId: type: string description: YourAccessKeyID example: YourSecretKey expiryTime: type: integer description: >- The access token's expiration (in seconds) that you want to set. Maximum value: 86400 (24 hours). example: 3600 AuditLogs_Response_Schema: properties: createdTime: type: string description: The creation timestamp of the log file. accountName: type: string description: The account name associated with the logged action. userName: type: string description: The username of the user associated with the logged action. eventName: type: string userAction: type: string description: >- Summary of the action such as `Login with OAuth Succeeded` or `Alert Channel Created`. eventDescription: type: string description: >- Summary of the event such as `User test-user@test-domain.net logged in to ALERTPLATFORM account using OAuth credentials`. additionalProperties: true CloudAccounts_AwsCfg_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsCfg_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: awsAccountId: type: string title: Account ID description: >- Your AWS account identifier or alias. This is the Account ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ required: - externalId - roleArn type: object description: >- Details of the cross-account role that Lacework uses to access your AWS resource. required: - crossAccountCredentials type: object CloudAccounts_AwsCfg_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsCfg_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AwsCfg_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AwsCfg enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: awsAccountId: type: string title: Account ID description: >- Your AWS account identifier or alias. This is the Account ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ type: object description: >- Details of the cross-account role that Lacework uses to access your AWS resource. type: object CloudAccounts_AwsCtSqs_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsCtSqs_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: awsAccountId: type: string title: Account ID description: >- Your AWS account identifier or alias. This is the Account ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ required: - externalId - roleArn type: object description: >- Details of the cross-account role that Lacework uses to access your AWS resource. queueUrl: title: SQSQueueURL type: string description: >- The Amazon Simple Queue Service (SQS) URL value. This is the SQS Queue URL specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$ accountMappingFile: title: Account Mapping File format: data-url description: >- The mapping file to use in the integration. The account mapping file is a JSON file that maps AWS accounts to Lacework accounts within a Lacework organization. See [Account Mapping File](https://www.laceworkplatform.com/setup-of-organization-aws-cloudtrail-integration#account-mapping-file). type: string pattern: (^data:.+;base64,)(.+$) accountMapping: type: object description: >- If your organization has enabled the [Lacework Organization](https://www.laceworkplatform.com/organization-overview) feature, when sending a request, you can specify a comma-separated list of AWS organization names that match Lacework sub-account names. Based on this AWS organization-to-Lacework sub-account name mapping, Lacework adds your AWS accounts to the appropriate Lacework sub-accounts. AWS organization names and Lacework sub-account names must match. When included in a response, returns a comma-separated list of AWS organization names that match Lacework sub-account names. required: - queueUrl - crossAccountCredentials type: object CloudAccounts_AwsCtSqs_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsCtSqs_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AwsCtSqs_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AwsCtSqs enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: awsAccountId: type: string title: Account ID description: >- Your AWS account identifier or alias. This is the Account ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ type: object description: >- Details of the cross-account role that Lacework uses to access your AWS resource. queueUrl: title: SQSQueueURL type: string description: >- The Amazon Simple Queue Service (SQS) URL value. This is the SQS Queue URL specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$ accountMappingFile: title: Account Mapping File format: data-url description: >- The mapping file to use in the integration. The account mapping file is a JSON file that maps AWS accounts to Lacework accounts within a Lacework organization. See [Account Mapping File](https://www.laceworkplatform.com/setup-of-organization-aws-cloudtrail-integration#account-mapping-file). type: string pattern: (^data:.+;base64,)(.+$) accountMapping: type: object description: >- If your organization has enabled the [Lacework Organization](https://www.laceworkplatform.com/organization-overview) feature, when sending a request, you can specify a comma-separated list of AWS organization names that match Lacework sub-account names. Based on this AWS organization-to-Lacework sub-account name mapping, Lacework adds your AWS accounts to the appropriate Lacework sub-accounts. AWS organization names and Lacework sub-account names must match. When included in a response, returns a comma-separated list of AWS organization names that match Lacework sub-account names. type: object CloudAccounts_AwsEksAudit_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsEksAudit_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ required: - externalId - roleArn type: object description: >- Details of the cross-account role that Lacework uses to access your AWS resource. snsArn: title: SNS ARN type: string description: >- The ARN of the SNS topic. An SNS topic is a communication channel for SQS queue messaging from your AWS environment to Lacework. See [SNS Topic](https://www.laceworkplatform.com/aws-integration-prerequisites#sns-topic). pattern: >- ^arn:aws(-[a-zA-Z]+)?:sns:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ required: - snsArn - crossAccountCredentials type: object CloudAccounts_AwsEksAudit_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsEksAudit_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AwsEksAudit_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AwsEksAudit enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ type: object description: >- Details of the cross-account role that Lacework uses to access your AWS resource. snsArn: title: SNS ARN type: string description: >- The ARN of the SNS topic. An SNS topic is a communication channel for SQS queue messaging from your AWS environment to Lacework. See [SNS Topic](https://www.laceworkplatform.com/aws-integration-prerequisites#sns-topic). pattern: >- ^arn:aws(-[a-zA-Z]+)?:sns:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ type: object CloudAccounts_AwsUsGovCfg_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: accessKeyCredentials: properties: accountId: title: Account ID type: string description: Your AWS account identifier or alias. pattern: ^\d{12}$ accessKeyId: title: Access Key ID type: string description: The AccessKeyId value from your AWS console. pattern: (^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) secretAccessKey: title: Secret Access Key type: string description: The SecretAccessKey value from your AWS console. format: password pattern: (^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) required: - accountId - accessKeyId - secretAccessKey type: object description: >- The credentials of your AWS GovCloud account. AWS GovCloud (US-East and US-West) are isolated regions within AWS for customers to host sensitive data for supporting their regulated workflows. required: - accessKeyCredentials type: object CloudAccounts_AwsUsGovCfg_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AwsUsGovCfg_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AwsUsGovCfg enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: accessKeyCredentials: properties: accountId: title: Account ID type: string description: Your AWS account identifier or alias. pattern: ^\d{12}$ accessKeyId: title: Access Key ID type: string description: The AccessKeyId value from your AWS console. pattern: (^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) secretAccessKey: title: Secret Access Key type: string description: The SecretAccessKey value from your AWS console. format: password pattern: (^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) type: object description: >- The credentials of your AWS GovCloud account. AWS GovCloud (US-East and US-West) are isolated regions within AWS for customers to host sensitive data for supporting their regulated workflows. type: object CloudAccounts_AwsUsGovCtSqs_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: accessKeyCredentials: properties: accountId: title: Account ID type: string description: Your AWS account identifier or alias. pattern: ^\d{12}$ accessKeyId: title: Access Key ID type: string description: The AccessKeyId value from your AWS console. pattern: (^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) secretAccessKey: title: Secret Access Key type: string description: The SecretAccessKey value from your AWS console. format: password pattern: (^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) required: - accountId - accessKeyId - secretAccessKey type: object description: >- The credentials of your AWS GovCloud account. AWS GovCloud (US-East and US-West) are isolated regions within AWS for customers to host sensitive data for supporting their regulated workflows. queueUrl: title: SQSQueueURL type: string description: >- Your AWS account identifier or alias. This is the Account ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$ required: - queueUrl - accessKeyCredentials type: object CloudAccounts_AwsUsGovCtSqs_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AwsUsGovCtSqs_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AwsUsGovCtSqs enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: accessKeyCredentials: properties: accountId: title: Account ID type: string description: Your AWS account identifier or alias. pattern: ^\d{12}$ accessKeyId: title: Access Key ID type: string description: The AccessKeyId value from your AWS console. pattern: (^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) secretAccessKey: title: Secret Access Key type: string description: The SecretAccessKey value from your AWS console. format: password pattern: (^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) type: object description: >- The credentials of your AWS GovCloud account. AWS GovCloud (US-East and US-West) are isolated regions within AWS for customers to host sensitive data for supporting their regulated workflows. queueUrl: title: SQSQueueURL type: string description: >- Your AWS account identifier or alias. This is the Account ID specified for the Cross-Account IAM role created as a preparatory task in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$ type: object CloudAccounts_AzureAlSeq_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AzureAlSeq_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: credentials: properties: clientId: title: Client ID type: string description: The ApplicationId value from your Azure portal. minLength: 1 clientSecret: title: Client Secret type: string description: Your Azure client secret. minLength: 1 type: object description: Your Azure credentials. required: - clientId - clientSecret tenantId: title: Tenant ID type: string description: The DirectoryId value from your Azure portal. minLength: 1 queueUrl: title: Queue URL type: string description: The queue URL to access. pattern: ^https://[a-zA-Z0-9-]*.queue.core.windows.net/[a-zA-Z0-9-]* required: - tenantId - credentials - queueUrl type: object CloudAccounts_AzureAlSeq_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AzureAlSeq_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AzureAlSeq_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AzureAlSeq enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: credentials: properties: clientId: title: Client ID type: string description: The ApplicationId value from your Azure portal. minLength: 1 clientSecret: title: Client Secret type: string description: Your Azure client secret. minLength: 1 type: object description: Your Azure credentials. tenantId: title: Tenant ID type: string description: The DirectoryId value from your Azure portal. minLength: 1 queueUrl: title: Queue URL type: string description: The queue URL to access. pattern: ^https://[a-zA-Z0-9-]*.queue.core.windows.net/[a-zA-Z0-9-]* type: object CloudAccounts_AzureCfg_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AzureCfg_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: credentials: properties: clientId: title: Client ID type: string description: The ApplicationId value from your Azure portal. minLength: 1 clientSecret: title: Client Secret type: string description: Your Azure client secret. minLength: 1 type: object description: Your Azure credentials. required: - clientId - clientSecret tenantId: title: Tenant ID type: string description: The DirectoryId value from your Azure portal. minLength: 1 required: - tenantId - credentials type: object CloudAccounts_AzureCfg_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_AzureCfg_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_AzureCfg_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - AzureCfg enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: credentials: properties: clientId: title: Client ID type: string description: The ApplicationId value from your Azure portal. minLength: 1 clientSecret: title: Client Secret type: string description: Your Azure client secret. minLength: 1 type: object description: Your Azure credentials. tenantId: title: Tenant ID type: string description: The DirectoryId value from your Azure portal. minLength: 1 type: object CloudAccounts_Create_Schema: oneOf: - $ref: '#/components/schemas/CloudAccounts_AwsCfg_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsCtSqs_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsEksAudit_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_AzureAlSeq_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_AzureCfg_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_GcpAtSes_Create_Schema' - $ref: '#/components/schemas/CloudAccounts_GcpCfg_Create_Schema' discriminator: propertyName: type mapping: AwsCfg: '#/components/schemas/CloudAccounts_AwsCfg_Create_Schema' AwsCtSqs: '#/components/schemas/CloudAccounts_AwsCtSqs_Create_Schema' AwsEksAudit: '#/components/schemas/CloudAccounts_AwsEksAudit_Create_Schema' AwsUsGovCfg: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Create_Schema' AwsUsGovCtSqs: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Create_Schema' AzureAlSeq: '#/components/schemas/CloudAccounts_AzureAlSeq_Create_Schema' AzureCfg: '#/components/schemas/CloudAccounts_AzureCfg_Create_Schema' GcpAtSes: '#/components/schemas/CloudAccounts_GcpAtSes_Create_Schema' GcpCfg: '#/components/schemas/CloudAccounts_GcpCfg_Create_Schema' CloudAccounts_GcpAtSes_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_GcpAtSes_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: credentials: properties: clientId: title: Client ID type: string description: Your GCP client (application) identifier or alias. minLength: 1 privateKeyId: title: Private Key ID type: string description: Your client private key identifier. minLength: 1 clientEmail: title: Client Email type: string description: Your client email address. pattern: >- ^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key description: The secret key value for your client ID. type: string minLength: 1 type: object description: Your GCP credentials. required: - clientId - clientEmail - privateKeyId idType: title: Integration Level type: string description: >- The GCP integration level as either **Organization** or **Project**. enum: - ORGANIZATION - PROJECT id: title: Org/Project ID type: string description: >- The organization or project identifier to associate with your integration. minLength: 1 subscriptionName: title: Subscription Name type: string description: The pub/sub queue subscription name. minLength: 1 required: - id - idType - credentials - subscriptionName type: object CloudAccounts_GcpAtSes_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_GcpAtSes_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_GcpAtSes_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - GcpAtSes enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: credentials: properties: clientId: title: Client ID type: string description: Your GCP client (application) identifier or alias. minLength: 1 privateKeyId: title: Private Key ID type: string description: Your client private key identifier. minLength: 1 clientEmail: title: Client Email type: string description: Your client email address. pattern: >- ^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key description: The secret key value for your client ID. type: string minLength: 1 type: object description: Your GCP credentials. idType: title: Integration Level type: string description: >- The GCP integration level as either **Organization** or **Project**. enum: - ORGANIZATION - PROJECT id: title: Org/Project ID type: string description: >- The organization or project identifier to associate with your integration. minLength: 1 subscriptionName: title: Subscription Name type: string description: The pub/sub queue subscription name. minLength: 1 type: object CloudAccounts_GcpCfg_Create_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_GcpCfg_Update_Schema' - type: object required: - type - enabled - name - data properties: data: properties: credentials: properties: clientId: title: Client ID type: string description: Your GCP client (application) identifier or alias. minLength: 1 privateKeyId: title: Private Key ID type: string description: | Your client private key identifier. minLength: 1 clientEmail: title: Client Email type: string description: Your client email address. pattern: >- ^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: The secret key value for your client ID. minLength: 1 type: object description: Your GCP credentials. required: - clientId - clientEmail - privateKeyId - privateKey idType: title: Integration Level type: string description: >- The GCP integration level as either `Organization` or `Project` enum: - ORGANIZATION - PROJECT id: title: Org/Project ID type: string description: >- The organization or project identifier to associate with your integration. minLength: 1 required: - id - idType - credentials type: object CloudAccounts_GcpCfg_Response_Schema: allOf: - $ref: '#/components/schemas/CloudAccounts_GcpCfg_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true CloudAccounts_GcpCfg_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - GcpCfg enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: properties: credentials: properties: clientId: title: Client ID type: string description: Your GCP client (application) identifier or alias. minLength: 1 privateKeyId: title: Private Key ID type: string description: | Your client private key identifier. minLength: 1 clientEmail: title: Client Email type: string description: Your client email address. pattern: >- ^[\w!#$%&’*+/=?`{|}~^-]+(?:\.[\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: The secret key value for your client ID. minLength: 1 type: object description: Your GCP credentials. idType: title: Integration Level type: string description: The GCP integration level as either `Organization` or `Project` enum: - ORGANIZATION - PROJECT id: title: Org/Project ID type: string description: >- The organization or project identifier to associate with your integration. minLength: 1 type: object CloudAccounts_Response_Schema: oneOf: - $ref: '#/components/schemas/CloudAccounts_AwsCfg_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsCtSqs_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsEksAudit_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_AzureAlSeq_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_AzureCfg_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_GcpAtSes_Response_Schema' - $ref: '#/components/schemas/CloudAccounts_GcpCfg_Response_Schema' discriminator: propertyName: type mapping: AwsCfg: '#/components/schemas/CloudAccounts_AwsCfg_Response_Schema' AwsCtSqs: '#/components/schemas/CloudAccounts_AwsCtSqs_Response_Schema' AwsEksAudit: '#/components/schemas/CloudAccounts_AwsEksAudit_Response_Schema' AwsUsGovCfg: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Response_Schema' AwsUsGovCtSqs: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Response_Schema' AzureAlSeq: '#/components/schemas/CloudAccounts_AzureAlSeq_Response_Schema' AzureCfg: '#/components/schemas/CloudAccounts_AzureCfg_Response_Schema' GcpAtSes: '#/components/schemas/CloudAccounts_GcpAtSes_Response_Schema' GcpCfg: '#/components/schemas/CloudAccounts_GcpCfg_Response_Schema' CloudAccounts_Update_Schema: oneOf: - $ref: '#/components/schemas/CloudAccounts_AwsCfg_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsCtSqs_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsEksAudit_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_AzureAlSeq_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_AzureCfg_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_GcpAtSes_Update_Schema' - $ref: '#/components/schemas/CloudAccounts_GcpCfg_Update_Schema' discriminator: propertyName: type mapping: AwsCfg: '#/components/schemas/CloudAccounts_AwsCfg_Update_Schema' AwsCtSqs: '#/components/schemas/CloudAccounts_AwsCtSqs_Update_Schema' AwsEksAudit: '#/components/schemas/CloudAccounts_AwsEksAudit_Update_Schema' AwsUsGovCfg: '#/components/schemas/CloudAccounts_AwsUsGovCfg_Update_Schema' AwsUsGovCtSqs: '#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Update_Schema' AzureAlSeq: '#/components/schemas/CloudAccounts_AzureAlSeq_Update_Schema' AzureCfg: '#/components/schemas/CloudAccounts_AzureCfg_Update_Schema' GcpAtSes: '#/components/schemas/CloudAccounts_GcpAtSes_Update_Schema' GcpCfg: '#/components/schemas/CloudAccounts_GcpCfg_Update_Schema' CloudActivities: properties: startTime: type: integer endTime: type: integer eventType: type: string eventId: type: number eventModel: type: string eventActor: type: string entityMap: type: object CloudActivities_Response_Schema: properties: startTime: type: string endTime: type: string eventType: type: string eventId: type: number eventModel: type: string eventActor: type: string entityMap: type: object additionalProperties: true Configs_ComplianceEvaluations_Response_Schema: properties: reportTime: type: string evalType: type: string account: type: string section: type: string id: type: string recommendation: type: string status: type: string severity: type: string resource: type: string region: type: string reason: type: string additionalProperties: true ContainerRegistriesSubtype: oneOf: - type: string enum: - AWS_ECR - DOCKERHUB - GCP_GCR - GHCR - INLINE_SCANNER - PROXY_SCANNER - V2_REGISTRY title: ContVulnCfg ContainerRegistries_ContVulnCfg_Create_Schema: required: - type - enabled - name - data properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - ContVulnCfg enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: type: object oneOf: - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Create_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Create_Schema discriminator: propertyName: registryType mapping: AWS_ECR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Create_Schema AWS_ECR-AWS_ACCESS_KEY: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Create_Schema DOCKERHUB: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Create_Schema GCP_GCR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Create_Schema GCP_GAR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Create_Schema V2_REGISTRY: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Create_Schema INLINE_SCANNER: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Create_Schema GHCR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Create_Schema PROXY_SCANNER: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Create_Schema ContainerRegistries_ContVulnCfg_Response_Schema: allOf: - $ref: '#/components/schemas/ContainerRegistries_ContVulnCfg_Create_Schema' - type: object properties: isOrg: title: Is Org Integration type: number description: >- Returns `1` if the access token has organization admin permissions. Otherwise, returns `0`. default: 0 minimum: 0 maximum: 1 props: title: Props type: object description: The integration's properties. createdOrUpdatedBy: description: The user who created or who last updated the integration. type: string createdOrUpdatedTime: description: >- The timestamp for when the integration was created or last updated. type: string intgGuid: description: The integration’s globally unique identifier. type: string state: description: >- The integration’s real-time state, such as Pending, Success, or Error. type: object additionalProperties: true ContainerRegistries_ContVulnCfg_Update_Schema: properties: name: title: Name type: string description: >- When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name. pattern: (?!^ +$)^.+$ minLength: 1 type: title: Type type: string description: >- When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type. enum: - ContVulnCfg enabled: title: Enabled type: number description: >- When sending a request, use this attribute to enable or disable an integration. When included in a response, returns `1` for an enabled integration or `0` for a disabled integration. minimum: 0 maximum: 1 example: 1 data: type: object oneOf: - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Update_Schema - $ref: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Update_Schema discriminator: propertyName: registryType mapping: AWS_ECR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Update_Schema AWS_ECR-AWS_ACCESS_KEY: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Update_Schema DOCKERHUB: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Update_Schema GCP_GCR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Update_Schema GCP_GAR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Update_Schema V2_REGISTRY: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Update_Schema INLINE_SCANNER: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Update_Schema GHCR: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Update_Schema PROXY_SCANNER: >- #/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Update_Schema ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Create_Schema: properties: accessKeyCredentials: type: object properties: accessKeyId: title: Access Key ID type: string description: The AccessKeyId value from your AWS console. pattern: (^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) secretAccessKey: title: Secret Access Key type: string description: The SecretAccessKey value from your AWS console. pattern: (^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) format: password required: - accessKeyId - secretAccessKey description: Your AWS account's credentials. awsAuthType: title: Authentication Type type: string enum: - AWS_ACCESS_KEY default: AWS_ACCESS_KEY registryType: title: Registry Type type: string enum: - AWS_ECR default: AWS_ECR description: The container registry's type. registryDomain: title: Registry Domain type: string description: >- The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`, where **YourAWSAcount** is the AWS account number for the AWS IAM user that has a role with permissions to access the ECR and **YourRegion** is your AWS region such as us-west-2. **Note**: Do not prefix the URL with `https://`. pattern: ^(https://)?(http://)?(.*)(.dkr\.ecr.)(.*)(.amazonaws.com)$ limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - awsAuthType - accessKeyCredentials - registryType - registryDomain title: AWS ECR - AWS Key ID Access Key type: object ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Update_Schema: properties: accessKeyCredentials: type: object properties: accessKeyId: title: Access Key ID type: string description: The AccessKeyId value from your AWS console. pattern: (^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) secretAccessKey: title: Secret Access Key type: string description: The SecretAccessKey value from your AWS console. pattern: (^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) format: password description: Your AWS account's credentials. awsAuthType: title: Authentication Type type: string enum: - AWS_ACCESS_KEY default: AWS_ACCESS_KEY registryType: title: Registry Type type: string enum: - AWS_ECR default: AWS_ECR description: The container registry's type. registryDomain: title: Registry Domain type: string description: >- The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`, where **YourAWSAcount** is the AWS account number for the AWS IAM user that has a role with permissions to access the ECR and **YourRegion** is your AWS region such as us-west-2. **Note**: Do not prefix the URL with `https://`. pattern: ^(https://)?(http://)?(.*)(.dkr\.ecr.)(.*)(.amazonaws.com)$ limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: AWS ECR - AWS Key ID Access Key type: object ContainerRegistries_ContVulnCfg_data_AWS_ECR_Create_Schema: properties: crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ description: >- Details of the cross-account role that Lacework uses to access your AWS resource. required: - externalId - roleArn type: object awsAuthType: title: Authentication Type type: string description: Your AWS authentication type. The default value is `AWS_IAM`. enum: - AWS_IAM default: AWS_IAM registryType: title: Registry Type type: string description: The container registry's type. enum: - AWS_ECR default: AWS_ECR registryDomain: title: Registry Domain type: string description: >- The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`, where `YourAWSAcount` is the AWS account number for the AWS IAM user that has a role with permissions to access the ECR and `YourRegion` is your AWS region such as us-west-2. **Note**: Do not prefix the URL with `https://`. pattern: ^(https://)?(http://)?(.*)(.dkr\.ecr.)(.*)(.amazonaws.com)$ limitNumImg: title: Limit Number of Images per Repo type: number description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - awsAuthType - crossAccountCredentials - registryType - registryDomain title: AWS ECR - AWS IAM Role type: object ContainerRegistries_ContVulnCfg_data_AWS_ECR_Update_Schema: properties: crossAccountCredentials: properties: externalId: title: External ID type: string description: >- The AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). minLength: 1 roleArn: title: Role ARN type: string description: >- The ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in [AWS Integration Prerequisites](https://www.laceworkplatform.com/aws-integration-prerequisites). pattern: >- ^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$ description: >- Details of the cross-account role that Lacework uses to access your AWS resource. type: object awsAuthType: title: Authentication Type type: string description: Your AWS authentication type. The default value is `AWS_IAM`. enum: - AWS_IAM default: AWS_IAM registryType: title: Registry Type type: string description: The container registry's type. enum: - AWS_ECR default: AWS_ECR registryDomain: title: Registry Domain type: string description: >- The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`, where `YourAWSAcount` is the AWS account number for the AWS IAM user that has a role with permissions to access the ECR and `YourRegion` is your AWS region such as us-west-2. **Note**: Do not prefix the URL with `https://`. pattern: ^(https://)?(http://)?(.*)(.dkr\.ecr.)(.*)(.amazonaws.com)$ limitNumImg: title: Limit Number of Images per Repo type: number description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: AWS ECR - AWS IAM Role type: object ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Create_Schema: properties: credentials: type: object properties: username: title: User Name type: string description: >- The Docker user that has at least read-only permissions to the Docker Hub container repositories that you want to assess for vulnerabilities. For more details on how to grant permissions in Docker, see [Teams and Organizations](https://docs.docker.com/docker-hub/orgs/). Specify a Docker user that has at least read-only permissions to the Docker Hub container repositories that you want to assess for vulnerabilities. Docker uses organizations and teams to grant permissions. password: title: Password type: string description: >- The password for the specified Docker Hub user. Alternatively, you can use personal access tokens to access Hub images from the Docker CLI. For details, see [Managing Access Tokens](https://docs.docker.com/docker-hub/access-tokens/). format: password required: - username - password description: Your Docker Hub's credentials. registryType: title: Registry Type type: string description: The container registry's type. enum: - DOCKERHUB default: DOCKERHUB registryDomain: title: Registry Domain type: string description: >- This field is pre-populated with this URL of Docker Hub, which is `index.docker.io`. default: index.docker.io enum: - index.docker.io limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - credentials - registryType - registryDomain title: Docker Hub type: object ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Update_Schema: properties: credentials: type: object properties: username: title: User Name type: string description: >- The Docker user that has at least read-only permissions to the Docker Hub container repositories that you want to assess for vulnerabilities. For more details on how to grant permissions in Docker, see [Teams and Organizations](https://docs.docker.com/docker-hub/orgs/). Specify a Docker user that has at least read-only permissions to the Docker Hub container repositories that you want to assess for vulnerabilities. Docker uses organizations and teams to grant permissions. password: title: Password type: string description: >- The password for the specified Docker Hub user. Alternatively, you can use personal access tokens to access Hub images from the Docker CLI. For details, see [Managing Access Tokens](https://docs.docker.com/docker-hub/access-tokens/). format: password description: Your Docker Hub's credentials. registryType: title: Registry Type type: string description: The container registry's type. enum: - DOCKERHUB default: DOCKERHUB registryDomain: title: Registry Domain type: string description: >- This field is pre-populated with this URL of Docker Hub, which is `index.docker.io`. default: index.docker.io enum: - index.docker.io limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Docker Hub type: object ContainerRegistries_ContVulnCfg_data_GCP_GAR_Create_Schema: properties: credentials: properties: clientId: title: Client ID type: string description: >- The client ID for the service account that has been [granted access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access) that contains the registry (or registries). For more details about which role to assign to the service account, see [Configure Registry](https://www.laceworkplatform.com/integrate-google-container-registry#configure-registry). minLength: 1 privateKeyId: title: Private Key ID type: string description: >- The private key ID for the private key that should be used to authenticate the service account that was specified in the *Client ID* setting. minLength: 1 clientEmail: title: Client Email type: string description: >- The client email associated with the service account that was specified in the *Client ID* setting. pattern: >- ^[\w!#$%&'*+/=?`{|}~^-]+(?:\.[\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: >- The private key that should be used to authenticate the service account that was specified in the *Client ID* setting. To view the private key raw text, enter the following command, where `YourFileName.json` is the name of the file downloaded when you created the GCP Service Account to be used for the integration: `$ cat YourFileName.json | jq -r '.private_key'` minLength: 1 format: password type: object description: Your Google Artifact Registry's credentials. required: - clientId - clientEmail - privateKeyId - privateKey registryType: title: Registry Type type: string description: The container registry's type. enum: - GCP_GAR default: GCP_GAR registryDomain: title: Registry Domain type: string description: >- The supported GCP region to access. For details, see [Repository and Image Names](https://cloud.google.com/artifact-registry/docs/docker/names). default: us-west1-docker.pkg.dev enum: - northamerica-northeast1-docker.pkg.dev - us-central1-docker.pkg.dev - us-east1-docker.pkg.dev - us-east4-docker.pkg.dev - us-west1-docker.pkg.dev - us-west2-docker.pkg.dev - us-west3-docker.pkg.dev - us-west4-docker.pkg.dev - southamerica-east1-docker.pkg.dev - europe-north1-docker.pkg.dev - europe-west1-docker.pkg.dev - europe-west2-docker.pkg.dev - europe-west3-docker.pkg.dev - europe-west4-docker.pkg.dev - europe-west6-docker.pkg.dev - asia-east1-docker.pkg.dev - asia-east2-docker.pkg.dev - asia-northeast1-docker.pkg.dev - asia-northeast2-docker.pkg.dev - asia-northeast3-docker.pkg.dev - asia-south1-docker.pkg.dev - asia-southeast1-docker.pkg.dev - asia-southeast2-docker.pkg.dev - australia-southeast1-docker.pkg.dev - asia-docker.pkg.dev - europe-docker.pkg.dev - us-docker.pkg.dev limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - credentials - registryType - registryDomain title: Google Container Registry (GAR) type: object ContainerRegistries_ContVulnCfg_data_GCP_GAR_Update_Schema: properties: credentials: properties: clientId: title: Client ID type: string description: >- The client ID for the service account that has been [granted access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access) that contains the registry (or registries). For more details about which role to assign to the service account, see [Configure Registry](https://www.laceworkplatform.com/integrate-google-container-registry#configure-registry). minLength: 1 privateKeyId: title: Private Key ID type: string description: >- The private key ID for the private key that should be used to authenticate the service account that was specified in the *Client ID* setting. minLength: 1 clientEmail: title: Client Email type: string description: >- The client email associated with the service account that was specified in the *Client ID* setting. pattern: >- ^[\w!#$%&'*+/=?`{|}~^-]+(?:\.[\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: >- The private key that should be used to authenticate the service account that was specified in the *Client ID* setting. To view the private key raw text, enter the following command, where `YourFileName.json` is the name of the file downloaded when you created the GCP Service Account to be used for the integration: `$ cat YourFileName.json | jq -r '.private_key'` minLength: 1 format: password type: object description: Your Google Artifact Registry's credentials. registryType: title: Registry Type type: string description: The container registry's type. enum: - GCP_GAR default: GCP_GAR registryDomain: title: Registry Domain type: string description: >- The supported GCP region to access. For details, see [Repository and Image Names](https://cloud.google.com/artifact-registry/docs/docker/names). default: us-west1-docker.pkg.dev enum: - northamerica-northeast1-docker.pkg.dev - us-central1-docker.pkg.dev - us-east1-docker.pkg.dev - us-east4-docker.pkg.dev - us-west1-docker.pkg.dev - us-west2-docker.pkg.dev - us-west3-docker.pkg.dev - us-west4-docker.pkg.dev - southamerica-east1-docker.pkg.dev - europe-north1-docker.pkg.dev - europe-west1-docker.pkg.dev - europe-west2-docker.pkg.dev - europe-west3-docker.pkg.dev - europe-west4-docker.pkg.dev - europe-west6-docker.pkg.dev - asia-east1-docker.pkg.dev - asia-east2-docker.pkg.dev - asia-northeast1-docker.pkg.dev - asia-northeast2-docker.pkg.dev - asia-northeast3-docker.pkg.dev - asia-south1-docker.pkg.dev - asia-southeast1-docker.pkg.dev - asia-southeast2-docker.pkg.dev - australia-southeast1-docker.pkg.dev - asia-docker.pkg.dev - europe-docker.pkg.dev - us-docker.pkg.dev limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Google Container Registry (GAR) type: object ContainerRegistries_ContVulnCfg_data_GCP_GCR_Create_Schema: properties: credentials: properties: clientId: title: Client ID type: string description: >- The client ID for the service account that has been [granted access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access) that contains the registry (or registries). For more details about which role to assign to the service account, see [Configure Registry](https://www.laceworkplatform.com/integrate-google-container-registry#configure-registry). minLength: 1 privateKeyId: title: Private Key ID type: string description: >- The private key ID for the service account that has granted `storage.objectViewer` role for access to the Google project that contains the Google Container Registry (GCR). minLength: 1 clientEmail: title: Client Email type: string description: >- The client email associated with the service account that has granted `storage.objectViewer` role for access to the Google project that contains the Google Container Registry (GCR). pattern: >- ^[\w!#$%&'*+/=?`{|}~^-]+(?:\.[\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: >- The private key for the specified private key ID. See [Private Key Format](https://www.laceworkplatform.com/integrate-google-container-registry#private-key-format) for guidance on formatting your key. minLength: 1 format: password type: object description: Your Google Container Registry's credentials. required: - clientId - clientEmail - privateKeyId - privateKey registryType: title: Registry Type type: string description: The container registry's type. enum: - GCP_GCR default: GCP_GCR registryDomain: title: Registry Domain type: string description: >- The supported GCP region to access. For more information, see [Container Registry Pushing and pulling images](https://cloud.google.com/container-registry/docs/pushing-and-pulling). default: gcr.io enum: - gcr.io - us.gcr.io - eu.gcr.io - asia.gcr.io limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - credentials - registryType - registryDomain title: Google Container Registry (GCR) type: object ContainerRegistries_ContVulnCfg_data_GCP_GCR_Update_Schema: properties: credentials: properties: clientId: title: Client ID type: string description: >- The client ID for the service account that has been [granted access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access) that contains the registry (or registries). For more details about which role to assign to the service account, see [Configure Registry](https://www.laceworkplatform.com/integrate-google-container-registry#configure-registry). minLength: 1 privateKeyId: title: Private Key ID type: string description: >- The private key ID for the service account that has granted `storage.objectViewer` role for access to the Google project that contains the Google Container Registry (GCR). minLength: 1 clientEmail: title: Client Email type: string description: >- The client email associated with the service account that has granted `storage.objectViewer` role for access to the Google project that contains the Google Container Registry (GCR). pattern: >- ^[\w!#$%&'*+/=?`{|}~^-]+(?:\.[\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ minLength: 1 privateKey: title: Private Key type: string description: >- The private key for the specified private key ID. See [Private Key Format](https://www.laceworkplatform.com/integrate-google-container-registry#private-key-format) for guidance on formatting your key. minLength: 1 format: password type: object description: Your Google Container Registry's credentials. registryType: title: Registry Type type: string description: The container registry's type. enum: - GCP_GCR default: GCP_GCR registryDomain: title: Registry Domain type: string description: >- The supported GCP region to access. For more information, see [Container Registry Pushing and pulling images](https://cloud.google.com/container-registry/docs/pushing-and-pulling). default: gcr.io enum: - gcr.io - us.gcr.io - eu.gcr.io - asia.gcr.io limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) description: >- When sending a request, if you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period. When included in a response, returns a list of repositories to discover/assess. default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Google Container Registry (GCR) type: object ContainerRegistries_ContVulnCfg_data_GHCR_Create_Schema: properties: credentials: type: object description: Your GitHub Container Registry's credentials. properties: username: title: Username type: string description: >- The user that has permissions to pull the images (that will be assessed) from the container registry. minLength: 1 password: title: Password type: string description: >- The GitHub token. For details about generating a new token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). The required permission is `read:packages`. format: password ssl: title: SSL type: boolean description: >- When sending a request, set to `True` if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If you set it to `False`, you will use an unencrypted communication channel. When included in a response, returns `True` for enabled SSL encryption, or returns `False` for disabled SSL encryption. default: true required: - username - password registryType: title: Registry Type type: string description: The container registry's type. enum: - GHCR default: GHCR registryDomain: title: Registry Domain type: string description: The URL of your registry. The default URL is `ghcr.io`. default: ghcr.io enum: - ghcr.io registryNotifications: title: Subscribe to Registry Notifications type: boolean description: >- When sending a request, if the [container registry supports notifications](https://www.laceworkplatform.com/integrate-a-docker-v2-registry#container-registry-support), you can optionally set to `True`. When included in a response, returns `True` if registry notifications are enabled, or returns `False` if registry notifications are disabled. limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - credentials - registryType - registryDomain title: Github Container Registry type: object ContainerRegistries_ContVulnCfg_data_GHCR_Update_Schema: properties: credentials: type: object description: Your GitHub Container Registry's credentials. properties: username: title: Username type: string description: >- The user that has permissions to pull the images (that will be assessed) from the container registry. minLength: 1 password: title: Password type: string description: >- The GitHub token. For details about generating a new token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). The required permission is `read:packages`. format: password ssl: title: SSL type: boolean description: >- When sending a request, set to `True` if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If you set it to `False`, you will use an unencrypted communication channel. When included in a response, returns `True` for enabled SSL encryption, or returns `False` for disabled SSL encryption. default: true registryType: title: Registry Type type: string description: The container registry's type. enum: - GHCR default: GHCR registryDomain: title: Registry Domain type: string description: The URL of your registry. The default URL is `ghcr.io`. default: ghcr.io enum: - ghcr.io registryNotifications: title: Subscribe to Registry Notifications type: boolean description: >- When sending a request, if the [container registry supports notifications](https://www.laceworkplatform.com/integrate-a-docker-v2-registry#container-registry-support), you can optionally set to `True`. When included in a response, returns `True` if registry notifications are enabled, or returns `False` if registry notifications are disabled. limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) default: [] type: array items: type: string nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Github Container Registry type: object ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Create_Schema: properties: registryType: title: Registry Type type: string description: The container registry's type. enum: - INLINE_SCANNER default: INLINE_SCANNER limitNumScan: title: Limit number of scans for this Integration description: >- The maximum number of scans per hour that this integration can perform. type: string default: '60' identifierTag: title: Identifier Tag(s) for Scan description: Identifier tags as `key:value` pairs. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - registryType title: Inline Scanner type: object ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Update_Schema: properties: registryType: title: Registry Type type: string description: The container registry's type. enum: - INLINE_SCANNER default: INLINE_SCANNER limitNumScan: title: Limit number of scans for this Integration description: >- The maximum number of scans per hour that this integration can perform. type: string default: '60' identifierTag: title: Identifier Tag(s) for Scan description: Identifier tags as `key:value` pairs. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Inline Scanner type: object ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Create_Schema: properties: registryType: title: Registry Type type: string description: The container registry's type. enum: - PROXY_SCANNER default: PROXY_SCANNER limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) default: [] type: array items: type: string limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - registryType title: Proxy Scanner type: object ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Update_Schema: properties: registryType: title: Registry Type type: string description: The container registry's type. enum: - PROXY_SCANNER default: PROXY_SCANNER limitNumImg: title: Limit Number of Images per Repo description: >- When sending a request, if you do not want to assess all images in this registry, specify the maximum number of newest container images to discover/assess per repository. The default value is `5`. When included in a response, returns the number of newest container images to discover/assess per repository. type: number default: 5 enum: - 5 - 10 - 15 limitByRep: title: Limit by Repository (optional) default: [] type: array items: type: string limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Proxy Scanner type: object ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Create_Schema: properties: credentials: type: object description: Your Docker V2 Registry's credentials. properties: username: title: Username type: string description: >- The user that has permissions to pull the images (that will be assessed) from the container registry. minLength: 1 password: title: Password type: string description: The password for the specified user. format: password ssl: title: SSL type: boolean description: >- When sending a request, set to `True` if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If you set it to `False`, you will use an unencrypted communication channel.
When included in a response, returns `True` for enabled SSL encryption, or returns `False` for disabled SSL encryption. **Known Issue for JFrog:** JFrog Cloud integrations must be SSL-enabled due to a [known issue](https://www.laceworkplatform.com/releases/2021-12-01_december-2021-platform-releases#known-issues). required: - username - password registryType: title: Registry Type type: string description: The container registry's type. enum: - V2_REGISTRY default: V2_REGISTRY registryDomain: title: Registry Domain type: string description: >- When sending a request, if you use `docker login `:`, specify the domain as `:`. If you use `docker login `, specify the domain as: ``. If you use `docker login :`, specify the domain as: `:`. When included in a response, returns the registry domain. registryNotifications: title: Subscribe to Registry Notifications type: boolean description: >- When sending a request, if the [container registry supports notifications](https://www.laceworkplatform.com/integrate-a-docker-v2-registry#container-registry-support), you can optionally set to `True`. When included in a response, returns `True` if registry notifications are enabled; or returns `False` if registry notifications are disabled. nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 required: - credentials - registryType - registryDomain title: Docker V2 Registry type: object ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Update_Schema: properties: credentials: type: object description: Your Docker V2 Registry's credentials. properties: username: title: Username type: string description: >- The user that has permissions to pull the images (that will be assessed) from the container registry. minLength: 1 password: title: Password type: string description: The password for the specified user. format: password ssl: title: SSL type: boolean description: >- When sending a request, set to `True` if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If you set it to `False`, you will use an unencrypted communication channel.
When included in a response, returns `True` for enabled SSL encryption, or returns `False` for disabled SSL encryption. **Known Issue for JFrog:** JFrog Cloud integrations must be SSL-enabled due to a [known issue](https://www.laceworkplatform.com/releases/2021-12-01_december-2021-platform-releases#known-issues). registryType: title: Registry Type type: string description: The container registry's type. enum: - V2_REGISTRY default: V2_REGISTRY registryDomain: title: Registry Domain type: string description: >- When sending a request, if you use `docker login `:`, specify the domain as `:`. If you use `docker login `, specify the domain as: ``. If you use `docker login :`, specify the domain as: `:`. When included in a response, returns the registry domain. registryNotifications: title: Subscribe to Registry Notifications type: boolean description: >- When sending a request, if the [container registry supports notifications](https://www.laceworkplatform.com/integrate-a-docker-v2-registry#container-registry-support), you can optionally set to `True`. When included in a response, returns `True` if registry notifications are enabled; or returns `False` if registry notifications are disabled. nonOsPackageEval: description: >- This feature is enabled by default. When sending a request, set to `False` if you want to disable scanning of [language libraries](https://www.laceworkplatform.com/console/container-image-support#language-libraries-support). When included in a response, returns `True` if the scanning of language libraries is enabled, or returns `False` if the scanning of language libraries is disabled. type: boolean default: true limitByTag: title: Limit by Tag(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of texts that will be used to assess images. default: [] type: array items: type: string pattern: ^[\w.\-]*[*]?[\w.\-]{0,127}$ limitByLabel: title: Limit by Label(s) (optional) description: >- When sending a request, if you do not want to assess all images in this registry, specify `key:value` pairs so that only images with matching label `key:value` pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: `key:value`. If you specify tag and label limits, they function as an AND. When included in a response, returns a list of labels that will be used to assess images. default: [] type: array items: type: object example: - key1: value1 - key2: value2 title: Docker V2 Registry type: object ContainerRegistries_Create_Schema: oneOf: - $ref: '#/components/schemas/ContainerRegistries_ContVulnCfg_Create_Schema' discriminator: propertyName: type mapping: ContVulnCfg: '#/components/schemas/ContainerRegistries_ContVulnCfg_Create_Schema' ContainerRegistries_Response_Schema: oneOf: - $ref: '#/components/schemas/ContainerRegistries_ContVulnCfg_Response_Schema' discriminator: propertyName: type mapping: ContVulnCfg: '#/components/schemas/ContainerRegistries_ContVulnCfg_Response_Schema' ContainerRegistries_Update_Schema: oneOf: - $ref: '#/components/schemas/ContainerRegistries_ContVulnCfg_Update_Schema' discriminator: propertyName: type mapping: ContVulnCfg: '#/components/schemas/ContainerRegistries_ContVulnCfg_Update_Schema' ContractInfo: properties: objName: type: string props: type: object ContractInfo_Response_Schema: properties: objName: type: string description: The license's name. props: type: object description: The contract details. additionalProperties: true DataExportRules: allOf: - $ref: '#/components/schemas/DataExportRules_Create_Schema' - type: object properties: mcGuid: type: string DataExportRules_Create_Schema: allOf: - $ref: '#/components/schemas/DataExportRules_Update_Schema' - type: object required: - filters - intgGuidList - type properties: type: type: string description: The data export rule's type such as `Dataexport`. enum: - Dataexport filters: type: object description: >- When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule.
You can use these attributes when searching for existing data export rules by invoking a POST request. required: - name - enabled properties: name: type: string description: The data export rule's name. minLength: 1 description: type: string description: Summary of the data export rule. enabled: description: >- When sending a request, use this attribute to enable or disable a data export rule.
When included in a response, returns `1` for enabled data export rules, or returns `0` for disabled data export rules. enum: - 0 - 1 example: 1 profileVersions: type: array description: A list of profile versions. uniqueItems: true items: type: string DataExportRules_Response_Schema: allOf: - $ref: '#/components/schemas/DataExportRules_Create_Schema' - type: object properties: mcGuid: type: string description: Data Export Rule ID additionalProperties: true DataExportRules_Update_Schema: type: object properties: filters: type: object description: >- When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule.
You can use these attributes when searching for existing data export rules by invoking a POST request. properties: name: type: string description: The data export rule's name. minLength: 1 description: type: string description: Summary of the data export rule. enabled: description: >- When sending a request, use this attribute to enable or disable a data export rule.
When included in a response, returns `1` for enabled data export rules, or returns `0` for disabled data export rules. enum: - 0 - 1 example: 1 profileVersions: type: array description: A list of profile versions. uniqueItems: true items: type: string intgGuidList: type: array description: The alert channels for the rule to use. minItems: 1 uniqueItems: true items: type: string Dataset_2_Request_Body_Schema: allOf: - $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' - type: object additionalProperties: false properties: csp: description: >- Cloud service provider. You must specify either `csp` or `dataset` in the request. enum: - AWS - Azure - GCP dataset: deprecated: true description: You must specify either `csp` or `dataset` in the request. enum: - AwsCompliance - GcpCompliance Dataset_Request_Body_Schema: allOf: - $ref: '#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS' - type: object additionalProperties: false required: - dataset properties: dataset: enum: - AwsCompliance - AzureCompliance - GcpCompliance Datasources_Response_Schema: required: - name - description properties: name: description: Name of the datasource type: string description: description: Description of the datasource type: string resultSchema: description: >- The datasource's schema that can be used to write queries for the datasource. type: array items: type: object properties: name: type: string description: Name of the column. dataType: type: string description: The data type of this column. description: type: string description: Description of the data that this column holds. sourceRelationships: description: The relationship between this datasource and other datasources. type: array items: type: object properties: from: type: string description: >- The table that is the source of the relationship. For example, MACHINES. to: type: string description: >- The table that is the destination of the relationship. For example, DNS_REQUESTS. name: type: string description: >- Name of this relationship. For example, Machines-to-DNS-Requests. description: type: string description: >- Description of the relationship. For example, DNS requests made from this machine. toCardinality: type: string description: The cardinality of values from a single source value. additionalProperties: true Entities_Applications_Response_Schema: properties: startTime: type: string endTime: type: string mid: type: integer appName: type: string exePath: type: string username: type: object propsMachine: type: object containerInfo: type: object netStats: type: object props: type: object additionalProperties: true Entities_CommandLines_Response_Schema: properties: createdTime: type: string cmdlineHash: type: string cmdline: type: string additionalProperties: true Entities_Containers_Response_Schema: properties: startTime: type: string endTime: type: string mid: type: integer containerName: type: string podName: type: string imageId: type: string propsContainer: type: object tags: type: object additionalProperties: true Entities_Files_Response_Schema: properties: createdTime: type: string mid: type: integer filePath: type: string filedataHash: type: string size: type: integer mtime: type: string additionalProperties: true Entities_Images_Response_Schema: properties: createdTime: type: string mid: type: integer imageId: type: string repo: type: string tag: type: string size: type: integer containerType: type: string additionalProperties: true Entities_InternalIPAddresses_Response_Schema: properties: startTime: type: string endTime: type: string ipAddr: type: string mid: type: integer additionalProperties: true Entities_K8sPods_Response_Schema: properties: startTime: type: string endTime: type: string mid: type: integer podName: type: string primaryIpAddr: type: string propsContainer: type: object additionalProperties: true Entities_MachineDetails_Response_Schema: properties: createdTime: type: string mid: type: integer hostname: type: string domain: type: string os: type: string osVersion: type: string kernel: type: string kernelRelease: type: string kernelVersion: type: string tags: type: object awsInstanceId: type: string awsZone: type: string additionalProperties: true Entities_Machines_Response_Schema: properties: startTime: type: string endTime: type: string mid: type: integer hostname: type: string machineTags: type: object primaryIpAddr: type: string entityType: type: string additionalProperties: true Entities_NetworkInterfaces_Response_Schema: properties: createdTime: type: string mid: type: integer name: type: string hwAddr: type: string ipAddr: type: string additionalProperties: true Entities_NewFileHashes_Response_Schema: properties: startTime: type: string endTime: type: string filedataHash: type: string additionalProperties: true Entities_Packages_Response_Schema: properties: createdTime: type: string mid: type: integer packageName: type: string version: type: string arch: type: string additionalProperties: true Entities_Processes_Response_Schema: properties: startTime: type: string endTime: type: string mid: type: integer pid: type: integer ppid: type: integer username: type: string uid: type: integer filePath: type: string cmdlineHash: type: string podName: type: string processStartTime: type: string containerId: type: string additionalProperties: true Entities_Users_Response_Schema: properties: createdTime: type: string mid: type: integer username: type: string uid: type: integer primaryGroupName: type: string otherGroupNames: type: string additionalProperties: true Events_Response_Schema: properties: id: type: number startTime: type: string endTime: type: string eventType: type: string srcEvent: type: object srcType: type: string dstEvent: type: object dstType: type: string eventCount: type: number additionalProperties: true Exceptions_Create_Schema: allOf: - $ref: '#/components/schemas/Exceptions_Update_Schema' - type: object required: - exceptionId - constraints properties: {} Exceptions_Response_Schema: allOf: - $ref: '#/components/schemas/Exceptions_Create_Schema' - type: object properties: exceptionId: description: |+ Unique identifier of the new exception. type: string nullable: false additionalProperties: true Exceptions_Update_Schema: type: object properties: description: description: A brief description of the new exception. type: string constraints: description: The detailed constraints applied to the exception. type: array items: type: object properties: fieldKey: type: string description: A representation of an identifier for a specific data element. nullable: false fieldValues: type: array description: A list of the field values from the dataset. items: type: object nullable: false GENERIC_FILTERS: properties: filters: type: array description: Use this object to add information to refine your search results. items: type: object required: - expression - field properties: expression: type: string description: >- Search expressions are math expressions that you can add to your queries. Use the expression to add multiple related metrics to a query. enum: - eq - ne - in - not_in - like - ilike - not_like - not_ilike - not_rlike - rlike - gt - ge - lt - le - between field: type: string description: Use this attribute to specify which field you want to query. value: type: string description: >- Use this attribute to specify the search value you want to retrieve. values: type: array description: >- Use this attribute to provide multiple search values you want to retrieve. items: type: string GENERIC_FILTERS_FOR_ALERTS: properties: filters: type: array description: Use this object to add information to refine your search results. items: type: object required: - expression - field properties: expression: type: string description: >- Search expressions are math expressions that you can add to your queries. Use the expression to add multiple related metrics to a query. enum: - eq field: type: string description: Use this attribute to specify which field you want to query. enum: - alertId - alertType - severity - status value: type: string description: >- Use this attribute to specify the search value you want to retrieve. GET_DATA_REQUEST_BODY_FILTERS: allOf: - $ref: '#/components/schemas/GENERIC_FILTERS' - $ref: '#/components/schemas/RETURN_FIELDS' GET_DATA_REQUEST_BODY_TIME_FILTERS: allOf: - $ref: '#/components/schemas/TIME_FILTER' - $ref: '#/components/schemas/GENERIC_FILTERS' - $ref: '#/components/schemas/RETURN_FIELDS' GET_DATA_REQUEST_BODY_TIME_FILTERS_FOR_ALERTS: allOf: - $ref: '#/components/schemas/TIME_FILTER' - $ref: '#/components/schemas/GENERIC_FILTERS_FOR_ALERTS' - $ref: '#/components/schemas/RETURN_FIELDS' Inventory_Response_Schema: properties: apiKey: type: string cloudDetails: type: object csp: type: string endTime: type: string resourceConfig: type: object resourceId: type: string resourceRegion: type: string resourceTags: type: object resourceType: type: string service: type: string startTime: type: string status: type: object urn: type: string additionalProperties: true OrganizationInfo_Response_Schema: properties: orgAccount: type: boolean orgAccountUrl: type: string additionalProperties: true Paging_Schema: description: Details of the response's pagination properties: rows: type: number description: The number of rows displayed on each page totalRows: type: number description: The number of rows returned from the query urls: type: object description: Pagination-related URLs properties: nextPage: type: string description: The next page's URL Policies_Create_Schema: allOf: - $ref: '#/components/schemas/Policies_Update_Schema' - type: object required: - title - enabled - description - queryId - remediation - severity - alertEnabled properties: policyId: type: string description: >- Policy ID. The convention for policy ID creation is `accountName-remainder`, for example, lws-special-100. When sending a request, you can simply provide `$account-`, and Lacework will substitute the `$account` prefix with your actual account name. **Note:** The `-remainder` must use the regex pattern (`^[a-z]{1,16}(-\d{1,8})?$`), and cannot be `default` or start with `default-`. Policies_Response_Schema: allOf: - $ref: '#/components/schemas/Policies_Create_Schema' - type: object properties: evaluatorId: description: >- Evaluator ID. For POST and PATCH endpoints, the `evaluatorId` field is still accepted but is ignored. No warning is returned if an `evaluatorId` is provided; this behavior may change in the future. For responses from all of these calls, an `evaluatorId` field is no longer returned. type: string owner: type: string description: The user who created the policy. lastUpdateTime: type: string description: The timestamp for when the policy was last updated. lastUpdateUser: description: The user who last updated the policy. type: string exceptionConfiguration: description: The configuration of policy exceptions when it is applicable. type: object required: - constraintFields properties: constraintFields: description: >- List of constraint fields that can be used to create policy exceptions. type: array items: type: object required: - fieldKey - dataType - multiValue properties: fieldKey: type: string description: >- Field ID that can be used to apply the exception on a policy. dataType: type: string description: Type can be `String` or `KVTagPair`. multiValue: type: boolean description: Allow multiple values or not. additionalProperties: true Policies_Update_Schema: type: object properties: policyType: type: string description: The policy type such as `Violation`. enum: - Violation queryId: type: string description: Identifier of the query that executes while running the policy. title: type: string description: The policy's title. enabled: type: boolean description: >- When sending a request, use this attribute to enable or disable a policy. When included in a response, returns `True` for enabled policies, or returns `False` for disabled policies. description: type: string description: Information about the new policy. remediation: type: string description: Remediation strategy for the events triggered by the policy. severity: type: string description: The severity of an event triggered by the policy. enum: - info - low - medium - high - critical limit: type: number description: >- The maximum number of records that each policy will return. The default value is 1000. minimum: 1 default: 1000 evalFrequency: type: string deprecated: true description: Frequency at which the policy will be evaluated enum: - Hourly - Daily alertEnabled: type: boolean description: >- When sending a request, set to `True` if you want to send alerts to an alert profile when the policy is triggered. Set to `False` if you want to mute alerts when the policy is triggered. alertProfile: type: string description: >- The alert profile to use for sending alerts when the policy is triggered. tags: description: A list of policy tags. type: array items: type: string Queries_Create_Schema: allOf: - $ref: '#/components/schemas/Queries_Update_Schema' - type: object required: - queryId - queryText properties: queryId: type: string description: Identifier of the query that executes while running the policy. Queries_Response_Schema: allOf: - $ref: '#/components/schemas/Queries_Create_Schema' - type: object properties: evaluatorId: description: >- Optional identifier of the evaluator where the query is run. This field is only for `CloudTrail` queries and policies. type: string owner: type: string description: User that created the query lastUpdateTime: type: string description: Timestamp in the form yyyy-MM-dd'T'HH:mm:ss.SSS'Z' lastUpdateUser: description: User that last affected the state of this query type: string resultSchema: type: array description: A list of schemas that match your query. items: type: object properties: name: type: string default: Name of the column. description: Name of the result column dataType: type: string default: The data type of this column. description: LQL type of the result column description: type: string description: Description of the data that this column holds. additionalProperties: true Queries_Update_Schema: type: object properties: queryText: type: string description: >- When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data. Query_Execute_Options: properties: limit: type: integer minimum: 1 nullable: false description: >- The limit field specifies the maximum number of records to return from the query. If specified, the limit must be at least 1. RETURN_FIELDS: properties: returns: type: array description: >- Use this attribute to specify which top-level fields of the response schema you want to receive. items: type: string ReportRules: allOf: - $ref: '#/components/schemas/ReportRules_Create_Schema' - type: object properties: mcGuid: type: string ReportRules_Create_Schema: allOf: - $ref: '#/components/schemas/ReportRules_Update_Schema' - type: object required: - filters - intgGuidList - type - reportNotificationTypes properties: type: type: string description: The data type as `Report`. enum: - Report filters: type: object description: >- When sending a request, use this object to define the new report rule. When included in a response, this object contains details of a report rule. You can use these attributes when searching for existing report rules by invoking a GET request. required: - name - enabled properties: name: type: string description: The report rule's name. minLength: 1 description: type: string description: Summary of the report rule. enabled: description: >- When sending a request, use this attribute to enable or disable a report rule. When included in a response, returns `1` for enabled report rules, or returns `0` for disabled report rules. enum: - 0 - 1 example: 1 resourceGroups: type: array description: The resource groups that you want the rule to apply to. items: type: string severity: description: >- The severities that you want the rule to apply to. 1=Critical 2=High 3=Medium 4=Low 5=Info type: array minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 default: [] ReportRules_Response_Schema: allOf: - $ref: '#/components/schemas/ReportRules_Create_Schema' - type: object properties: mcGuid: type: string description: Report Rule ID. additionalProperties: true ReportRules_Update_Schema: type: object properties: filters: type: object description: >- When sending a request, use this object to define the new report rule. When included in a response, this object contains details of a report rule. You can use these attributes when searching for existing report rules by invoking a GET request. properties: name: type: string description: The report rule's name. minLength: 1 description: type: string description: Summary of the report rule. enabled: description: >- When sending a request, use this attribute to enable or disable a report rule. When included in a response, returns `1` for enabled report rules, or returns `0` for disabled report rules. enum: - 0 - 1 example: 1 resourceGroups: type: array description: The resource groups that you want the rule to apply to. items: type: string severity: description: >- The severities that you want the rule to apply to. 1=Critical 2=High 3=Medium 4=Low 5=Info type: array minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 default: [] intgGuidList: type: array description: The alert channels for the rule to access. minItems: 1 uniqueItems: true items: type: string reportNotificationTypes: description: The report types that you want the rule to apply to. properties: agentEvents: type: boolean awsCis14: type: boolean awsCisS3: type: boolean awsCloudtrailEvents: type: boolean awsComplianceEvents: type: boolean azureActivityLogEvents: type: boolean azureCis: type: boolean azureCis131: type: boolean azureComplianceEvents: type: boolean azurePci: type: boolean azurePciRev2: type: boolean azureSoc: type: boolean azureSocRev2: type: boolean azureIso27001: type: boolean azureHipaa: type: boolean azureNistCsf: type: boolean azureNist80053Rev5: type: boolean azureNist800171Rev2: type: boolean gcpAuditTrailEvents: type: boolean gcpCis: type: boolean gcpComplianceEvents: type: boolean gcpHipaa: type: boolean gcpHipaaRev2: type: boolean gcpIso27001: type: boolean gcpCis12: type: boolean gcpCis13: type: boolean gcpK8s: type: boolean gcpPci: type: boolean gcpPciRev2: type: boolean gcpSoc: type: boolean gcpSocRev2: type: boolean gcpNistCsf: type: boolean gcpNist80053Rev4: type: boolean gcpNist800171Rev2: type: boolean hipaa: type: boolean iso2700: type: boolean k8sAuditLogEvents: type: boolean nist800-53Rev4: type: boolean nist800-171Rev2: type: boolean openShiftCompliance: type: boolean openShiftComplianceEvents: type: boolean pci: type: boolean platformEvents: type: boolean soc: type: boolean awsSocRev2: type: boolean trendReport: type: boolean awsPciDss321: type: boolean awsNist80053Rev5: type: boolean awsSoc2: type: boolean awsNist800171Rev2: type: boolean awsNistCsf: type: boolean awsCmmc102: type: boolean awsHipaa: type: boolean awsIso270012013: type: boolean Reports_Response_Schema: properties: {} ResourceGroups_AWS_Create_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Update_Schema' - type: object required: - resourceName - resourceType - props properties: props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. accountIds: type: array description: A list of accounts to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - accountIds type: object ResourceGroups_AWS_Response_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Create_Schema' - type: object properties: resourceGuid: type: string description: Resource Group ID. guid: type: string description: >- Returns the organization ID if the new resource group is an organization-level resource group. Otherwise, returns the customer ID. isDefault: type: number description: >- Returns `1` if this is a default resource group. Otherwise, returns `0`. additionalProperties: true ResourceGroups_AWS_Response_Schema_Override: allOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Response_Schema' - type: object properties: isDefaultInteger: type: number description: >- The number of default resource groups in your Lacework Application. propsJson: properties: description: type: string accountIds: type: array minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - accountIds type: object additionalProperties: true ResourceGroups_AWS_Update_Schema: properties: resourceName: type: string description: The resource group's name. pattern: (?!^ +$)^.+$ minLength: 1 resourceType: type: string description: The resource type such as cloud accounts, containers, or machines. enum: - AWS default: AWS enabled: type: number description: >- When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups. enum: - 0 - 1 example: 1 props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. accountIds: type: array description: A list of accounts to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ type: object ResourceGroups_AZURE_Create_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_AZURE_Update_Schema' - type: object required: - resourceName - resourceType - props properties: props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. tenant: type: string description: The Azure tenant to use in the group. pattern: (?!^ +$)^.+$ minLength: 1 subscriptions: type: array description: A list of subscriptions to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - tenant - subscriptions type: object ResourceGroups_AZURE_Response_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_AZURE_Create_Schema' - type: object properties: resourceGuid: type: string guid: type: string isDefault: type: number additionalProperties: true ResourceGroups_AZURE_Response_Schema_Override: allOf: - $ref: '#/components/schemas/ResourceGroups_AZURE_Response_Schema' - type: object properties: isDefaultInteger: type: number description: >- The number of default resource groups in your Lacework Application. propsJson: properties: description: type: string tenant: type: string pattern: (?!^ +$)^.+$ minLength: 1 subscriptions: type: array minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - tenant - subscriptions type: object additionalProperties: true ResourceGroups_AZURE_Update_Schema: properties: resourceName: type: string description: The resource group's name. pattern: (?!^ +$)^.+$ minLength: 1 resourceType: type: string description: The resource type such as cloud accounts, containers, or machines. enum: - AZURE default: AZURE enabled: type: number description: >- When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups. enum: - 0 - 1 props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. tenant: type: string description: The Azure tenant to use in the group. pattern: (?!^ +$)^.+$ minLength: 1 subscriptions: type: array description: A list of subscriptions to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ type: object ResourceGroups_CONTAINER_Create_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_CONTAINER_Update_Schema' - type: object required: - resourceName - resourceType - props properties: props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. containerLabels: description: >- A list of labels assigned to containers to categorize them. Format: [{"key1": "value1"}, {"key2": "value2"}] type: array minItems: 1 items: type: object example: - key1: value1 - key2: value2 containerTags: type: array description: A list of tags assigned to containers to categorize them. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - containerLabels - containerTags type: object ResourceGroups_CONTAINER_Response_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_CONTAINER_Create_Schema' - type: object properties: resourceGuid: type: string guid: type: string isDefault: type: number additionalProperties: true ResourceGroups_CONTAINER_Response_Schema_Override: allOf: - $ref: '#/components/schemas/ResourceGroups_CONTAINER_Response_Schema' - type: object properties: isDefaultInteger: type: number description: >- The number of default resource groups in your Lacework Application. propsJson: properties: description: type: string containerLabels: description: 'Format: [{"key1": "value1"}, {"key2": "value2"}]' type: array minItems: 1 items: type: object example: - key1: value1 - key2: value2 containerTags: type: array minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - containerLabels - containerTags type: object additionalProperties: true ResourceGroups_CONTAINER_Update_Schema: properties: resourceName: type: string description: The resource group's name. pattern: (?!^ +$)^.+$ minLength: 1 resourceType: type: string description: The resource type such as cloud accounts, containers, or machines. enum: - CONTAINER default: CONTAINER enabled: type: number description: >- When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups. enum: - 0 - 1 props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. containerLabels: description: >- A list of labels assigned to containers to categorize them. Format: [{"key1": "value1"}, {"key2": "value2"}] type: array minItems: 1 items: type: object example: - key1: value1 - key2: value2 containerTags: type: array description: A list of tags assigned to containers to categorize them. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ type: object ResourceGroups_Create_Schema: oneOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Create_Schema' - $ref: '#/components/schemas/ResourceGroups_AZURE_Create_Schema' - $ref: '#/components/schemas/ResourceGroups_GCP_Create_Schema' - $ref: '#/components/schemas/ResourceGroups_MACHINE_Create_Schema' - $ref: '#/components/schemas/ResourceGroups_CONTAINER_Create_Schema' - $ref: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Create_Schema' discriminator: propertyName: resourceType mapping: AWS: '#/components/schemas/ResourceGroups_AWS_Create_Schema' AZURE: '#/components/schemas/ResourceGroups_AZURE_Create_Schema' GCP: '#/components/schemas/ResourceGroups_GCP_Create_Schema' MACHINE: '#/components/schemas/ResourceGroups_MACHINE_Create_Schema' CONTAINER: '#/components/schemas/ResourceGroups_CONTAINER_Create_Schema' LW_ACCOUNT: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Create_Schema' ResourceGroups_GCP_Create_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_GCP_Update_Schema' - type: object required: - resourceName - resourceType - props properties: props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. organization: type: string description: The GCP organization to use in the group. pattern: (?!^ +$)^.+$ minLength: 1 projects: type: array description: A list of projects to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - organization - projects type: object ResourceGroups_GCP_Response_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_GCP_Create_Schema' - type: object properties: resourceGuid: type: string guid: type: string isDefault: type: number additionalProperties: true ResourceGroups_GCP_Response_Schema_Override: allOf: - $ref: '#/components/schemas/ResourceGroups_GCP_Response_Schema' - type: object properties: isDefaultInteger: type: number description: >- The number of default resource groups in your Lacework Application. propsJson: properties: description: type: string organization: type: string pattern: (?!^ +$)^.+$ minLength: 1 projects: type: array minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - organization - projects type: object additionalProperties: true ResourceGroups_GCP_Update_Schema: properties: resourceName: type: string description: The resource group's name. pattern: (?!^ +$)^.+$ minLength: 1 resourceType: type: string description: The resource type such as cloud accounts, containers, or machines. enum: - GCP default: GCP enabled: type: number description: >- When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups. enum: - 0 - 1 props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. organization: type: string description: The GCP organization to use in the group. pattern: (?!^ +$)^.+$ minLength: 1 projects: type: array description: A list of projects to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ type: object ResourceGroups_LW_ACCOUNT_Create_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Update_Schema' - type: object required: - resourceName - resourceType - props properties: props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. lwAccounts: type: array description: A list of Lacework accounts to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - lwAccounts type: object ResourceGroups_LW_ACCOUNT_Response_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Create_Schema' - type: object properties: resourceGuid: type: string guid: type: string isDefault: type: number additionalProperties: true ResourceGroups_LW_ACCOUNT_Response_Schema_Override: allOf: - $ref: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Response_Schema' - type: object properties: isDefaultInteger: type: number description: >- The number of default resource groups in your Lacework Application. propsJson: properties: description: type: string lwAccounts: type: array minItems: 1 items: type: string pattern: (?!^ +$)^.+$ required: - lwAccounts type: object additionalProperties: true ResourceGroups_LW_ACCOUNT_Update_Schema: properties: resourceName: type: string description: The resource group's name. pattern: (?!^ +$)^.+$ minLength: 1 resourceType: type: string description: The resource type such as cloud accounts, containers, or machines. enum: - LW_ACCOUNT default: LW_ACCOUNT enabled: type: number description: >- When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups. enum: - 0 - 1 props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. lwAccounts: type: array description: A list of Lacework accounts to include in the group. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ type: object ResourceGroups_MACHINE_Create_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_MACHINE_Update_Schema' - type: object required: - resourceName - resourceType - props properties: props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. machineTags: description: >- A list of tags or labels assigned to machines (such as VMs) to categorize them. Format: [{"key1": "value1"}, {"key2": "value2"}] type: array minItems: 1 items: type: object example: - key1: value1 - key2: value2 required: - machineTags type: object ResourceGroups_MACHINE_Response_Schema: allOf: - $ref: '#/components/schemas/ResourceGroups_MACHINE_Create_Schema' - type: object properties: resourceGuid: type: string guid: type: string isDefault: type: number additionalProperties: true ResourceGroups_MACHINE_Response_Schema_Override: allOf: - $ref: '#/components/schemas/ResourceGroups_MACHINE_Response_Schema' - type: object properties: isDefaultInteger: type: number description: >- The number of default resource groups in your Lacework Application. propsJson: properties: description: type: string machineTags: description: 'Format: [{"key1": "value1"}, {"key2": "value2"}]' type: array minItems: 1 items: type: object example: - key1: value1 - key2: value2 required: - machineTags type: object additionalProperties: true ResourceGroups_MACHINE_Update_Schema: properties: resourceName: type: string description: The resource group's name. pattern: (?!^ +$)^.+$ minLength: 1 resourceType: type: string description: The resource type such as cloud accounts, containers, or machines. enum: - MACHINE default: MACHINE enabled: type: number description: >- When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns `1` for enabled resource groups, or returns `0` for disabled resource groups. enum: - 0 - 1 props: description: >- The new resource group's properties. The data varies based on the value of the `type` attribute. properties: description: type: string description: A brief description of the new resource group. machineTags: description: >- A list of tags or labels assigned to machines (such as VMs) to categorize them. Format: [{"key1": "value1"}, {"key2": "value2"}] type: array minItems: 1 items: type: object example: - key1: value1 - key2: value2 type: object ResourceGroups_Response_Schema: oneOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Response_Schema' - $ref: '#/components/schemas/ResourceGroups_AZURE_Response_Schema' - $ref: '#/components/schemas/ResourceGroups_GCP_Response_Schema' - $ref: '#/components/schemas/ResourceGroups_MACHINE_Response_Schema' - $ref: '#/components/schemas/ResourceGroups_CONTAINER_Response_Schema' - $ref: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Response_Schema' discriminator: propertyName: resourceType mapping: AWS: '#/components/schemas/ResourceGroups_AWS_Response_Schema' AZURE: '#/components/schemas/ResourceGroups_AZURE_Response_Schema' GCP: '#/components/schemas/ResourceGroups_GCP_Response_Schema' MACHINE: '#/components/schemas/ResourceGroups_MACHINE_Response_Schema' CONTAINER: '#/components/schemas/ResourceGroups_CONTAINER_Response_Schema' LW_ACCOUNT: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Response_Schema' ResourceGroups_Response_Schema_Override: oneOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Response_Schema_Override' - $ref: '#/components/schemas/ResourceGroups_AZURE_Response_Schema_Override' - $ref: '#/components/schemas/ResourceGroups_GCP_Response_Schema_Override' - $ref: '#/components/schemas/ResourceGroups_MACHINE_Response_Schema_Override' - $ref: >- #/components/schemas/ResourceGroups_CONTAINER_Response_Schema_Override - $ref: >- #/components/schemas/ResourceGroups_LW_ACCOUNT_Response_Schema_Override discriminator: propertyName: resourceType mapping: AWS: '#/components/schemas/ResourceGroups_AWS_Response_Schema_Override' AZURE: '#/components/schemas/ResourceGroups_AZURE_Response_Schema_Override' GCP: '#/components/schemas/ResourceGroups_GCP_Response_Schema_Override' MACHINE: '#/components/schemas/ResourceGroups_MACHINE_Response_Schema_Override' CONTAINER: >- #/components/schemas/ResourceGroups_CONTAINER_Response_Schema_Override LW_ACCOUNT: >- #/components/schemas/ResourceGroups_LW_ACCOUNT_Response_Schema_Override ResourceGroups_Update_Schema: oneOf: - $ref: '#/components/schemas/ResourceGroups_AWS_Update_Schema' - $ref: '#/components/schemas/ResourceGroups_AZURE_Update_Schema' - $ref: '#/components/schemas/ResourceGroups_GCP_Update_Schema' - $ref: '#/components/schemas/ResourceGroups_MACHINE_Update_Schema' - $ref: '#/components/schemas/ResourceGroups_CONTAINER_Update_Schema' - $ref: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Update_Schema' discriminator: propertyName: resourceType mapping: AWS: '#/components/schemas/ResourceGroups_AWS_Update_Schema' AZURE: '#/components/schemas/ResourceGroups_AZURE_Update_Schema' GCP: '#/components/schemas/ResourceGroups_GCP_Update_Schema' MACHINE: '#/components/schemas/ResourceGroups_MACHINE_Update_Schema' CONTAINER: '#/components/schemas/ResourceGroups_CONTAINER_Update_Schema' LW_ACCOUNT: '#/components/schemas/ResourceGroups_LW_ACCOUNT_Update_Schema' Response4xxApiV2AccessTokens: type: object properties: message: type: string example: Access Key is null. ResponseApiV2AccessTokens: type: object properties: expiresAt: description: >- The timestamp for when the access token expires in RFC3339 date time format (yyyy-MM-ddTHH:mm:ss.SSSZ) type: string example: '2021-08-18T08:00:00.000Z' token: description: The access token. type: string ResponseApiV2SchemasType: type: object example: - name: accountName type: string - name: createdTime type: integer - name: eventDescription type: string - name: eventName type: string - name: userAction type: string - name: userName type: string ResponseApiV2SchemasTypeSubtype: type: object example: - required: - type - enabled - name - data properties: name: type: string minLength: 1 type: type: string enum: - SlackChannel enabled: type: number minimum: 0 maximum: 1 data: properties: slackUrl: type: string pattern: ^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$ required: - slackUrl additionalProperties: true type: object ResponseInvalidApiV2SchemasType: type: object properties: message: type: string example: 'Invalid type: Audits. Available type(s): [AlertChannels, AuditLogs]' ResponseInvalidApiV2SchemasTypeSubtype: type: object properties: message: type: string example: >- Invalid type: AlertChannels with Slack. Available subtype(s): [SlackChannel] TIME_FILTER: properties: timeFilter: type: object description: The date/time range during which actions occurred. properties: startTime: type: string description: >- Returns only recorded actions that occurred after this timestamp. endTime: type: string description: >- Returns only recorded actions that occurred before this timestamp. TeamMembers_Create_Schema: oneOf: - $ref: '#/components/schemas/TeamMembers_With_Org-Access_Create_Schema' - $ref: '#/components/schemas/TeamMembers_Without_Org-Access_Create_Schema' discriminator: propertyName: schemaOption mapping: With_Org-Access: '#/components/schemas/TeamMembers_With_Org-Access_Create_Schema' Without_Org-Access: '#/components/schemas/TeamMembers_Without_Org-Access_Create_Schema' TeamMembers_Response_Schema: oneOf: - $ref: '#/components/schemas/TeamMembers_With_Org-Access_Response_Schema' - $ref: '#/components/schemas/TeamMembers_Without_Org-Access_Response_Schema' discriminator: propertyName: schemaOption mapping: With_Org-Access: '#/components/schemas/TeamMembers_With_Org-Access_Response_Schema' Without_Org-Access: '#/components/schemas/TeamMembers_Without_Org-Access_Response_Schema' TeamMembers_Update_Schema: oneOf: - $ref: '#/components/schemas/TeamMembers_With_Org-Access_Update_Schema' - $ref: '#/components/schemas/TeamMembers_Without_Org-Access_Update_Schema' discriminator: propertyName: schemaOption mapping: With_Org-Access: '#/components/schemas/TeamMembers_With_Org-Access_Update_Schema' Without_Org-Access: '#/components/schemas/TeamMembers_Without_Org-Access_Update_Schema' TeamMembers_With_Org-Access_Create_Schema: allOf: - $ref: '#/components/schemas/TeamMembers_With_Org-Access_Update_Schema' - type: object required: - props - userName - adminRoleAccounts - userRoleAccounts - userEnabled properties: props: type: object properties: firstName: type: string lastName: type: string company: type: string accountAdmin: type: boolean default: false description: >- If team member is a current account admin, this field will be ignored if org-access is true required: - firstName - lastName - company userName: type: string description: user email address TeamMembers_With_Org-Access_Response_Schema: allOf: - $ref: '#/components/schemas/TeamMembers_With_Org-Access_Create_Schema' - type: object properties: userGuid: type: string description: user guid additionalProperties: true TeamMembers_With_Org-Access_Update_Schema: properties: schemaOption: type: string enum: - With_Org-Access description: Not required. props: type: object properties: firstName: type: string lastName: type: string company: type: string accountAdmin: type: boolean default: false description: >- If team member is a current account admin, this field will be ignored if org-access is true orgAdmin: type: boolean default: false description: >- When sending a request, set to `True` to make the team member an organization admin. Otherwise, set to `False`. When included in a response, returns the role assigned to the team member. **Note:** If the team member is currently an organization admin, Lacework ignores the `adminRoleAccounts` and `userRoleAccounts` attributes. orgUser: type: boolean default: false description: >- When sending a request, set to `True` to make the new member an organization user. Otherwise, set to `False` When included in a response, returns the role assigned to the new member. **Note:** If the team member is currently an organization user, Lacework will ignore the `userRoleAccounts` attribute. adminRoleAccounts: type: array items: type: string description: A list of account names for which this team member will be an admin. userRoleAccounts: type: array items: type: string description: A list of account names for which this team member will be a user. userEnabled: type: integer enum: - 1 - 0 TeamMembers_Without_Org-Access_Create_Schema: allOf: - $ref: '#/components/schemas/TeamMembers_Without_Org-Access_Update_Schema' - type: object required: - props - userName - userEnabled properties: props: type: object description: >- Details of the new team member. The data varies based on the value of the `schemaOptions` attribute. properties: firstName: type: string description: The new team member's first name. lastName: type: string description: The new team member's last name. company: type: string description: The new team member's company. accountAdmin: type: boolean default: false description: >- When sending a request, set to `True` to make the new member an account admin. Set to `False` to make the new member an account user. When included in a response, returns the role assigned to the new member. **Note:** If the team member is currently an account admin, and the `schemaOption` is set to `With_Org-Access`, Lacework will ignore this attribute. required: - firstName - lastName - company userName: type: string description: The new team member's email address. TeamMembers_Without_Org-Access_Response_Schema: allOf: - $ref: '#/components/schemas/TeamMembers_Without_Org-Access_Create_Schema' - type: object properties: userGuid: type: string description: user guid custGuid: type: string description: customer guid additionalProperties: true TeamMembers_Without_Org-Access_Update_Schema: properties: schemaOption: type: string enum: - Without_Org-Access description: >- Select `Without_Org-Access` to create team members for an account. Select `With_Org-Access` to create team members for an organization. props: type: object description: >- Details of the new team member. The data varies based on the value of the `schemaOptions` attribute. properties: firstName: type: string description: The new team member's first name. lastName: type: string description: The new team member's last name. company: type: string description: The new team member's company. accountAdmin: type: boolean default: false description: >- When sending a request, set to `True` to make the new member an account admin. Set to `False` to make the new member an account user. When included in a response, returns the role assigned to the new member. **Note:** If the team member is currently an account admin, and the `schemaOption` is set to `With_Org-Access`, Lacework will ignore this attribute. userEnabled: type: integer description: >- When sending a request, use this attribute to enable or disable a team member's access. When included in a response, returns `1` for enabled team members, or returns `0` for disabled team members. enum: - 1 - 0 TemplateFiles_Response_Schema: properties: {} UserProfile: required: - username - orgAccount - accounts properties: username: type: string orgAccount: type: boolean url: type: string orgAdmin: type: boolean orgUser: type: boolean accounts: type: array minItems: 1 description: list of accounts this user has access to items: type: object properties: admin: type: boolean accountName: type: string custGuid: type: string userGuid: type: string userEnabled: type: number enum: - 0 - 1 UserProfile_Response_Schema: required: - username - orgAccount - accounts properties: username: type: string description: The sub-account's username. orgAccount: type: boolean description: >- Your organization account. An organization contains the organization account (the one used to enroll the organization) and possibly multiple sub-accounts. url: type: string description: >- Your Lacework URL that is used for the organization and all sub-accounts in the organization. orgAdmin: type: boolean description: Returns `True` if this member is an organization admin. orgUser: type: boolean description: Returns `True` if this member is an organization user. accounts: type: array minItems: 1 description: A list of accounts this member can access. items: type: object properties: admin: type: boolean description: Returns `True` if this member is an account admin. accountName: type: string description: The account name this member can access. custGuid: type: string description: Customer ID. userGuid: type: string description: User ID. userEnabled: type: number enum: - 0 - 1 additionalProperties: true Vulnerabilities_Containers_Response_Schema: properties: startTime: type: string vulnId: type: string imageId: type: string evalCtx: type: object evalGuid: type: string featureKey: type: object featureProps: type: object fixInfo: type: object severity: type: string status: type: string props: type: object additionalProperties: true Vulnerabilities_Hosts_Response_Schema: properties: startTime: type: string endTime: type: string vulnId: type: string mid: type: string machineTags: type: object evalCtx: type: object evalGuid: type: string featureKey: type: object severity: type: string fixInfo: type: object status: type: string cveProps: type: object props: type: object additionalProperties: true VulnerabilityExceptions_Container_Create_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityExceptions_Container_Update_Schema' - type: object required: - exceptionName - exceptionType - exceptionReason - vulnerabilityCriteria - props properties: exceptionType: description: Exception Type type: string enum: - Container VulnerabilityExceptions_Container_Response_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityExceptions_Container_Create_Schema' - type: object properties: exceptionGuid: description: Vulnerability Exception ID type: string createdTime: description: The time and date when the vulnerability exception was created. type: string updatedTime: description: >- The time and date when the vulnerability exception was last updated. type: string additionalProperties: true VulnerabilityExceptions_Container_Update_Schema: properties: exceptionName: description: Name of the exception. type: string pattern: (?!^ +$)^.+$ minLength: 1 exceptionReason: description: Reason for creating an exception type: string enum: - False Positive - Accepted Risk - Compensating Controls - Fix Pending - Other resourceScope: type: object description: >- The set of resources this exception can apply to. The data varies based on the value of the `exceptionType` attribute. minProperties: 1 properties: imageId: type: array description: >- The SHA-256 hash that was generated for the container image. For example, `sha256:ex4ampl3`. minItems: 1 items: type: string pattern: ^\S*$ imageTag: type: array description: The container image tag. minItems: 1 items: type: string registry: type: array description: The container registry. minItems: 1 items: type: string repository: type: array description: The container repository. minItems: 1 items: type: string namespace: type: array description: >- The namespace for the package distribution (for example, an operating system or language package). minItems: 1 items: type: string vulnerabilityCriteria: type: object description: >- When sending a request, use this object to define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected. minProperties: 1 properties: cve: type: array description: >+ The vulnerability (CVE) ID that you want to constrain the exception to. You can provide multiple IDs. minItems: 1 items: type: string package: type: array description: >- The package name (for example, an operating system or language package). This can include a version number. You can provide multiple package names. minItems: 1 items: type: object severity: type: array description: >- The severity levels of the vulnerability to constrain the exception to a **Critical**, **High**, **Medium**, **Low**, or **Info** vulnerability. You can provide multiple severity levels. You can provide multiple severity levels. minItems: 1 items: type: string enum: - Info - Low - Medium - High - Critical fixable: type: array description: >- When sending a request, set to `True` or `False` to constrain the exception to a fixable or non-fixable vulnerability. minItems: 1 items: type: number enum: - 0 - 1 expiryTime: description: The exception's expiration date and time. type: string state: description: State type: number enum: - 1 props: type: object description: The vulnerability exception's properties. properties: description: type: string description: A brief description of the exception creation. createdBy: type: string description: The user who creates the exception. updatedBy: type: string description: The user who updates the exception. VulnerabilityExceptions_Create_Schema: oneOf: - $ref: '#/components/schemas/VulnerabilityExceptions_Container_Create_Schema' - $ref: '#/components/schemas/VulnerabilityExceptions_Host_Create_Schema' discriminator: propertyName: exceptionType mapping: Container: '#/components/schemas/VulnerabilityExceptions_Container_Create_Schema' Host: '#/components/schemas/VulnerabilityExceptions_Host_Create_Schema' VulnerabilityExceptions_Host_Create_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityExceptions_Host_Update_Schema' - type: object required: - exceptionName - exceptionType - exceptionReason - vulnerabilityCriteria - props properties: exceptionType: description: Exception Type type: string enum: - Host VulnerabilityExceptions_Host_Response_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityExceptions_Host_Create_Schema' - type: object properties: exceptionGuid: description: Vulnerability Exception ID type: string createdTime: description: The time and date when the vulnerability exception was created. type: string updatedTime: description: >- The time and date when the vulnerability exception was last updated. type: string additionalProperties: true VulnerabilityExceptions_Host_Update_Schema: properties: exceptionName: description: Name of the exception. type: string pattern: (?!^ +$)^.+$ minLength: 1 exceptionReason: description: Reason for creating an exception type: string enum: - False Positive - Accepted Risk - Compensating Controls - Fix Pending - Other resourceScope: type: object description: >- The set of resources this exception can apply to. The data varies based on the value of the `exceptionType` attribute. minProperties: 1 properties: hostname: type: array description: The hostname of the machine. minItems: 1 items: type: string externalIp: type: array description: The external IP address. minItems: 1 items: type: string clusterName: type: array description: The cluster name for the group of hosts. minItems: 1 items: type: string namespace: type: array description: >- The namespace for the package distribution (for example, an operating system or language package). minItems: 1 items: type: string vulnerabilityCriteria: type: object description: >- When sending a request, use this object to define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected. minProperties: 1 properties: cve: type: array description: >- The vulnerability (CVE) ID that you want to constrain the exception to. You can provide multiple IDs. minItems: 1 items: type: string package: type: array description: >- The package name (for example, an operating system or language package). This can include a version number. You can provide multiple package names. minItems: 1 items: type: object severity: type: array description: >- The severity constrains the vulnerability severity levels for an exception, from **Critical**, **High**, **Medium**, **Low**, or **Info**. You can provide multiple severity levels. minItems: 1 items: type: string enum: - Info - Low - Medium - High - Critical fixable: type: array description: >+ When sending a request, set to `True` or `False` to constrain the exception to a fixable or non-fixable vulnerability. minItems: 1 items: type: number enum: - 0 - 1 expiryTime: description: The exception's expiration date and time. type: string state: description: State type: number enum: - 1 props: type: object description: The vulnerability exception's properties. properties: description: type: string description: A brief description of the exception creation. createdBy: type: string description: The user who creates the exception. updatedBy: type: string description: The user who updates the exception. VulnerabilityExceptions_Response_Schema: oneOf: - $ref: >- #/components/schemas/VulnerabilityExceptions_Container_Response_Schema - $ref: '#/components/schemas/VulnerabilityExceptions_Host_Response_Schema' discriminator: propertyName: exceptionType mapping: Container: >- #/components/schemas/VulnerabilityExceptions_Container_Response_Schema Host: '#/components/schemas/VulnerabilityExceptions_Host_Response_Schema' VulnerabilityExceptions_Update_Schema: oneOf: - $ref: '#/components/schemas/VulnerabilityExceptions_Container_Update_Schema' - $ref: '#/components/schemas/VulnerabilityExceptions_Host_Update_Schema' discriminator: propertyName: exceptionType mapping: Container: '#/components/schemas/VulnerabilityExceptions_Container_Update_Schema' Host: '#/components/schemas/VulnerabilityExceptions_Host_Update_Schema' VulnerabilityPolicies_CVE: type: object minProperties: 1 properties: cveIds: type: array description: >- The CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values but they will be considered as "or" values (rather than "and"). minItems: 1 items: type: string pattern: (?!^ +$)^.+$ packageNames: type: array minItems: 1 items: type: string pattern: (?!^ +$)^.+$ severityInfo: $ref: '#/components/schemas/VulnerabilityPolicies_severityFilter' description: >- The CVE’s severity ranking, which is assigned by the vendor or computed from CVSS v3 or CVSS v2 scores (in that order of precedence). severityLow: $ref: '#/components/schemas/VulnerabilityPolicies_severityFilter' description: Contains only vulnerabilities with a low severity level. severityMedium: $ref: '#/components/schemas/VulnerabilityPolicies_severityFilter' description: Contains only vulnerabilities with a medium severity level. severityHigh: $ref: '#/components/schemas/VulnerabilityPolicies_severityFilter' description: Contains only vulnerabilities with a high severity level. severityCritical: $ref: '#/components/schemas/VulnerabilityPolicies_severityFilter' description: Contains only vulnerabilities with a critical severity level. VulnerabilityPolicies_CVE_Create_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_CVE_Update_Schema' - type: object required: - policyName - policyType - severity - filter - state - props properties: {} description: CVE Policy VulnerabilityPolicies_CVE_Response_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_CVE_Create_Schema' - type: object properties: policyGuid: description: Vulnerability Policy ID type: string createdTime: description: The time and date when the vulnerability policy was created. type: string updatedTime: description: >- The time and date when the vulnerability policy was last updated. type: string isDefault: description: >- Returns `1` if this is a default vulnerability policy. Otherwise, returns `0`. type: number enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_CVE_Update_Schema: properties: policyType: description: The policy type such as `DockerFile`, `DockerConfig`, or `Image`. type: string enum: - CVE policyName: description: Name of the policy. type: string pattern: (?!^ +$)^.+$ minLength: 1 policyEvalType: description: >- The evaluation type to use for the policy. The default value is `local`. type: string default: local enum: - local severity: description: >- The severity level of the policy; Info, Low, Medium, High, or Critical. type: string enum: - Critical - High - Medium - Low - Info failOnViolation: description: >- When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permits container image deployment to continue even when the policy fails. Set to `0` to blocks container image deployment when the policy fails. type: number default: 0 enum: - 0 - 1 alertOnViolation: description: >- When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected. type: number default: 0 enum: - 0 - 1 state: description: >- When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy. type: number enum: - 0 - 1 filter: $ref: '#/components/schemas/VulnerabilityPolicies_CVE' description: >- A set of filters that you can use to refine your search results when searching for policies. The data varies based on the value of the `policyType` attribute. props: type: object description: The vulnerability policy's properties. properties: description: type: string description: A brief description of the policy creation. createdBy: type: string description: The user who creates the policy. updatedBy: type: string description: The user who updates the policy. description: CVE Policy VulnerabilityPolicies_Create_Schema: oneOf: - $ref: '#/components/schemas/VulnerabilityPolicies_DockerFile_Create_Schema' - $ref: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Create_Schema - $ref: '#/components/schemas/VulnerabilityPolicies_Image_Create_Schema' - $ref: '#/components/schemas/VulnerabilityPolicies_File_Create_Schema' - $ref: '#/components/schemas/VulnerabilityPolicies_CVE_Create_Schema' discriminator: propertyName: policyType mapping: DockerFile: '#/components/schemas/VulnerabilityPolicies_DockerFile_Create_Schema' DockerConfig: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Create_Schema Image: '#/components/schemas/VulnerabilityPolicies_Image_Create_Schema' File: '#/components/schemas/VulnerabilityPolicies_File_Create_Schema' CVE: '#/components/schemas/VulnerabilityPolicies_CVE_Create_Schema' VulnerabilityPolicies_DockerConfig: type: object required: - operator - values properties: operator: type: string description: >- The search operator such as `include`, `exclude`, `equals`, or `notEquals`. enum: - include - exclude - equals - notEquals values: type: array description: A list of search values you want to use. minItems: 1 items: type: object required: - key - value properties: key: type: string pattern: (?!^ +$)^.+$ value: type: string VulnerabilityPolicies_DockerConfig_Create_Schema: allOf: - $ref: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Update_Schema - type: object required: - policyName - policyType - severity - filter - state - props properties: {} description: Docker Config Policy VulnerabilityPolicies_DockerConfig_Response_Schema: allOf: - $ref: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Create_Schema - type: object properties: policyGuid: description: Vulnerability Policy ID type: string createdTime: description: The time and date when the vulnerability policy was created. type: string updatedTime: description: >- The time and date when the vulnerability policy was last updated. type: string isDefault: description: >- Returns `1` if this is a default vulnerability policy. Otherwise, returns `0`. type: number enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_DockerConfig_Update_Schema: properties: policyType: description: The policy type such as `DockerFile`, `DockerConfig`, or `Image`. type: string enum: - DockerConfig policyName: description: Name of the policy. type: string pattern: (?!^ +$)^.+$ minLength: 1 policyEvalType: description: >- The evaluation type to use for the policy. The default value is `local`. type: string default: local enum: - local severity: description: >- The severity level of the policy; Info, Low, Medium, High, or Critical. type: string enum: - Critical - High - Medium - Low - Info failOnViolation: description: >- When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permit container image deployment to continue even when the policy fails. Set to `0` to block container image deployment when the policy fails. type: number default: 0 enum: - 0 - 1 alertOnViolation: description: >- When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected. type: number default: 0 enum: - 0 - 1 state: description: >- When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy. type: number enum: - 0 - 1 filter: $ref: '#/components/schemas/VulnerabilityPolicies_DockerConfig' description: >- A set of filters that you can use to refine your search results when searching for policies. The data varies based on the value of the `policyType` attribute. props: type: object description: The vulnerability policy's properties. properties: description: type: string description: A brief description of the policy creation. createdBy: type: string description: The user who creates the policy. updatedBy: type: string description: The user who updates the policy. description: Docker Config Policy VulnerabilityPolicies_DockerFile: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_filterObject' VulnerabilityPolicies_DockerFile_Create_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_DockerFile_Update_Schema' - type: object required: - policyName - policyType - severity - filter - state - props properties: {} description: Docker File Policy VulnerabilityPolicies_DockerFile_Response_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_DockerFile_Create_Schema' - type: object properties: policyGuid: description: Vulnerability Policy ID type: string createdTime: description: The time and date when the vulnerability policy was created. type: string updatedTime: description: >- The time and date when the vulnerability policy was last updated. type: string isDefault: description: >- Returns `1` if this is a default vulnerability policy. Otherwise, returns `0`. type: number enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_DockerFile_Update_Schema: properties: policyType: description: The policy type such as `DockerFile`, `DockerConfig`, or `Image`. type: string enum: - DockerFile policyName: description: Name of the policy. type: string pattern: (?!^ +$)^.+$ minLength: 1 policyEvalType: description: >- The evaluation type to use for the policy. The default value is `local`. type: string default: local enum: - local severity: description: >- The severity level of the policy; Info, Low, Medium, High, or Critical. type: string enum: - Critical - High - Medium - Low - Info failOnViolation: description: >- When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permit container image deployment to continue even when the policy fails. Set to `0` to block container image deployment when the policy fails. type: number default: 0 enum: - 0 - 1 alertOnViolation: description: >- When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected. type: number default: 0 enum: - 0 - 1 state: description: >- When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy. type: number enum: - 0 - 1 filter: $ref: '#/components/schemas/VulnerabilityPolicies_DockerFile' description: >- A set of filters that you can use to refine your search results when searching for policies. The data varies based on the value of the `policyType` attribute. props: type: object description: The vulnerability policy's properties. properties: description: type: string description: A brief description of the policy creation. createdBy: type: string description: The user who creates the policy. updatedBy: type: string description: The user who updates the policy. description: Docker File Policy VulnerabilityPolicies_File: type: object required: - fileType - pathPrefix - fileNameFilter - fileContentFilter - filePermissionFilter properties: fileType: type: string description: The file type such as `EXE`, `DockerFile`. enum: - EXE - DockerFile - ALL pathPrefix: type: string description: The file path's prefix such as `LW_FIM`. pattern: (?!^ +$)^.+$ minLength: 1 fileNameFilter: $ref: '#/components/schemas/VulnerabilityPolicies_filterObject' description: Filter by file names. fileContentFilter: $ref: '#/components/schemas/VulnerabilityPolicies_filterObject' filePermissionFilter: type: object description: Filter by file permissions. required: - executable - writable - symlink - setUid - setGid properties: executable: $ref: '#/components/schemas/VulnerabilityPolicies_permissionFilter' description: The executable permission. writable: $ref: '#/components/schemas/VulnerabilityPolicies_permissionFilter' description: The writable permission. symlink: $ref: '#/components/schemas/VulnerabilityPolicies_permissionFilter' description: The symbolic link permission. setUid: $ref: '#/components/schemas/VulnerabilityPolicies_permissionFilter' description: >- SetUID is a Linux file permission setting that allows a user to execute that file or program with the permission of the owner of that file. setGid: $ref: '#/components/schemas/VulnerabilityPolicies_permissionFilter' description: >+ The SetGID permission is similar to the SetGUID permission. The process's effective group ID (GID) is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. VulnerabilityPolicies_File_Create_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_File_Update_Schema' - type: object required: - policyName - policyType - severity - filter - state - props properties: {} description: File Policy VulnerabilityPolicies_File_Response_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_File_Create_Schema' - type: object properties: policyGuid: description: Vulnerability Policy ID type: string createdTime: description: The time and date when the vulnerability policy was created. type: string updatedTime: description: >- The time and date when the vulnerability policy was last updated. type: string isDefault: description: >- Returns `1` if this is a default vulnerability policy. Otherwise, returns `0`. type: number enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_File_Update_Schema: properties: policyType: description: The policy type such as `DockerFile`, `DockerConfig`, or `Image`. type: string enum: - File policyName: description: Name of the policy. type: string pattern: (?!^ +$)^.+$ minLength: 1 policyEvalType: description: >- The evaluation type to use for the policy. The default value is `local`. type: string default: local enum: - local severity: description: >- The severity level of the policy; Info, Low, Medium, High, or Critical. type: string enum: - Critical - High - Medium - Low - Info failOnViolation: description: >- When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permits container image deployment to continue even when the policy fails. Set to `0` to blocks container image deployment when the policy fails. type: number default: 0 enum: - 0 - 1 alertOnViolation: description: >- When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected. type: number default: 0 enum: - 0 - 1 state: description: >- When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy. type: number enum: - 0 - 1 filter: $ref: '#/components/schemas/VulnerabilityPolicies_File' description: >- A set of filters that you can use to refine your search results when searching for policies. The data varies based on the value of the `policyType` attribute. props: type: object description: The vulnerability policy's properties. properties: description: type: string description: A brief description of the policy creation. createdBy: type: string description: The user who creates the policy. updatedBy: type: string description: The user who updates the policy. description: File Policy VulnerabilityPolicies_Image: type: object minProperties: 1 properties: allowedLabelKey: $ref: '#/components/schemas/VulnerabilityPolicies_filterObject' allowedTag: $ref: '#/components/schemas/VulnerabilityPolicies_filterObject' description: Filter vulnerability policies by image tags. VulnerabilityPolicies_Image_Create_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_Image_Update_Schema' - type: object required: - policyName - policyType - severity - filter - state - props properties: {} description: Image Policy VulnerabilityPolicies_Image_Response_Schema: allOf: - $ref: '#/components/schemas/VulnerabilityPolicies_Image_Create_Schema' - type: object properties: policyGuid: description: Vulnerability Policy ID type: string createdTime: description: The time and date when the vulnerability policy was created. type: string updatedTime: description: >- The time and date when the vulnerability policy was last updated. type: string isDefault: description: >- Returns `1` if this is a default vulnerability policy. Otherwise, returns `0`. type: number enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_Image_Update_Schema: properties: policyType: description: The policy type such as `DockerFile`, `DockerConfig`, or `Image`. type: string enum: - Image policyName: description: Name of the policy. type: string pattern: (?!^ +$)^.+$ minLength: 1 policyEvalType: description: >- The evaluation type to use for the policy. The default value is `local`. type: string default: local enum: - local severity: description: >- The severity level of the policy; Info, Low, Medium, High, or Critical. type: string enum: - Critical - High - Medium - Low - Info failOnViolation: description: >- When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to `1` to permit container image deployment to continue even when the policy fails. Set to `0` to block container image deployment when the policy fails. type: number default: 0 enum: - 0 - 1 alertOnViolation: description: >- When sending a request, set to `1` if you want to send alerts to an alert profile when a violation is detected. Set to `0` if you want to mute alerts when a violation is detected. type: number default: 0 enum: - 0 - 1 state: description: >- When sending a request, set to `1` to enable the policy. Set to `0` to disable the policy. type: number enum: - 0 - 1 filter: $ref: '#/components/schemas/VulnerabilityPolicies_Image' description: >- A set of filters that you can use to refine your search results when searching for policies. The data varies based on the value of the `policyType` attribute. props: type: object description: The vulnerability policy's properties. properties: description: type: string description: A brief description of the policy creation. createdBy: type: string description: The user who creates the policy. updatedBy: type: string description: The user who updates the policy. description: Image Policy VulnerabilityPolicies_Response_Schema: oneOf: - $ref: >- #/components/schemas/VulnerabilityPolicies_DockerFile_Response_Schema - $ref: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Response_Schema - $ref: '#/components/schemas/VulnerabilityPolicies_Image_Response_Schema' - $ref: '#/components/schemas/VulnerabilityPolicies_File_Response_Schema' - $ref: '#/components/schemas/VulnerabilityPolicies_CVE_Response_Schema' discriminator: propertyName: policyType mapping: DockerFile: >- #/components/schemas/VulnerabilityPolicies_DockerFile_Response_Schema DockerConfig: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Response_Schema Image: '#/components/schemas/VulnerabilityPolicies_Image_Response_Schema' File: '#/components/schemas/VulnerabilityPolicies_File_Response_Schema' CVE: '#/components/schemas/VulnerabilityPolicies_CVE_Response_Schema' VulnerabilityPolicies_Update_Schema: oneOf: - $ref: '#/components/schemas/VulnerabilityPolicies_DockerFile_Update_Schema' - $ref: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Update_Schema - $ref: '#/components/schemas/VulnerabilityPolicies_Image_Update_Schema' - $ref: '#/components/schemas/VulnerabilityPolicies_File_Update_Schema' - $ref: '#/components/schemas/VulnerabilityPolicies_CVE_Update_Schema' discriminator: propertyName: policyType mapping: DockerFile: '#/components/schemas/VulnerabilityPolicies_DockerFile_Update_Schema' DockerConfig: >- #/components/schemas/VulnerabilityPolicies_DockerConfig_Update_Schema Image: '#/components/schemas/VulnerabilityPolicies_Image_Update_Schema' File: '#/components/schemas/VulnerabilityPolicies_File_Update_Schema' CVE: '#/components/schemas/VulnerabilityPolicies_CVE_Update_Schema' VulnerabilityPolicies_filterObject: type: object required: - rule properties: rule: $ref: '#/components/schemas/VulnerabilityPolicies_internalFilter' description: Filter by rules. exception: $ref: '#/components/schemas/VulnerabilityPolicies_internalFilter' description: Filter vulnerability policies for Docker files by policy exceptions. VulnerabilityPolicies_internalFilter: type: object required: - operator - values properties: operator: type: string description: >- The search operator such as `include`, `exclude`, `equals`, or `notEquals`. enum: - include - exclude - equals - notEquals values: type: array description: A list of search values you want to use. minItems: 1 items: type: string pattern: (?!^ +$)^.+$ VulnerabilityPolicies_permissionFilter: type: object required: - allow properties: allow: type: number description: >- When sending a request, set to 1 to enable the executable permission. Set to 0 to disable the executable permission. exception: $ref: '#/components/schemas/VulnerabilityPolicies_internalFilter' description: Filter vulnerability policies for Docker files by policy exceptions. VulnerabilityPolicies_severityFilter: type: object required: - allowedCounts - allowedFixable properties: allowedCounts: type: number description: >- The number of vulnerabilities of that severity level that is allowed in your environment. `-1` means unlimited. allowedFixable: type: number description: >- The number of fixable vulnerabilities of that severity level that is allowed in your environment. `-1` means unlimited. `0` means all fixable vulnerabilities must be addressed. Vulnerability_Container_Scan_Request_Body_Schema: required: - registry - repository - tag properties: registry: type: string description: The container registry to be assessed. repository: type: string description: The repository within the container registry to be assessed. tag: type: string description: The identifier tag as `key:value` pairs. example: registry: index.docker.io repository: yourDockerOrg/yourRepository tag: yourTag Vulnerability_SW_Pkg_Scan_Request_Body_Schema: required: - osPkgInfoList properties: osPkgInfoList: type: array minItems: 1 description: A list of supported OS types. items: type: object properties: os: type: string description: The OS type. osVer: type: string description: The OS version. pkg: type: string description: The package name. pkgVer: type: string description: The version of the package. example: osPkgInfoList: - os: Ubuntu osVer: '18.04' pkg: openssl pkgVer: 1.1.1-1ubuntu2.1~18.04.5 responses: response4XX: description: Client Error content: application/json: schema: type: object properties: message: type: string example: Invalid ... responseInternalError: description: Internal Server Error content: application/json: schema: type: object properties: message: type: string example: Internal Server Error responseAsync_Scan_Response_Schema: description: No Error (Request Id and Status) content: application/json: schema: type: object properties: data: type: object properties: requestId: type: string status: type: string additionalProperties: true example: data: requestId: abcdef124... status: scanning responseAsync_Scan_Status_Response_Schema: description: No Error (Request Status) content: application/json: schema: type: object properties: data: type: object properties: status: type: string enum: - scanning - completed evalGuid: type: string description: >- This field is returned when the scan status is `completed`, and can be used to get the results of the scan operation. additionalProperties: true examples: Completed: value: data: status: completed evalGuid: 1234567a89012b34567890123cd56e78 Scanning: value: data: status: scanning responseVulnerability_SW_Package_Scan_Response_Schema: description: |- No Error (List of all specified packages found in the supported OSs) There are two unique eval_status returned in the response. * FIX_INFO:eval_status is the fine-grain evaluation result for each set of OS, OS version, package, and package version specified in the input body parameter. * SUMMARY:eval_status is the overall overview evaluation result. content: application/json: schema: type: object properties: data: type: array items: type: object properties: osPkgInfo: type: object properties: namespace: type: string os: type: string osVer: type: string pkg: type: string pkgVer: type: string versionFormat: type: string vulnId: type: string severity: type: string featureKey: type: object properties: name: type: string namespace: type: string cveProps: type: object properties: cveBatchId: type: string description: type: string link: type: string metadata: type: object fixInfo: type: object description: >- **FIX_INFO:eval_status** can equal "GOOD", "VULNERABLE" or "". * **GOOD** - A returned FIX_INFO:eval_status of "GOOD" means the assessment found no vulnerabilities (CVEs) associated with the specified OS, OS version, package, and package version. * **VULNERABLE** - A returned FIX_INFO:eval_status of "VULNERABLE" means the assessment found at least one vulnerability (CVE) associated with the specified OS, OS version, package, and package version. * **EMPTY STR** - A returned FIX_INFO:eval_status of "" means that Lacework did not find any entries in the CVE database that match the specified OS, OS version, and package. summary: type: object description: >- **SUMMARY:eval_status** can equal "MATCH_NO_VULN", "MATCH_VULN", or "NOT_MATCH". * **MATCH_NO_VULN** - A returned SUMMARY:eval_status of "MATCH_NO_VULN" means there are valid entries in the Lacework CVE database that match the specified set of OS, OS version, and package but no vulnerability (CVE) were found for the specified package version. * **MATCH_VULN** - A returned SUMMARY:eval_status of "MATCH_VULN" means there are valid entries in the Lacework CVE database that match the specified set of OS, OS version, and package and at least one vulnerability (CVE) was found for the specified package version. * **NOT_MATCH** - A returned SUMMARY:eval_status of "NOT_MATCH" means that Lacework did not find any entries in the CVE database that match the specified OS, OS version, and package. This could occur, for example, if the os name specified was misspelled or if Lacework does not have information in its database for the specified OS, OS version, and package. props: type: object example: data: - osPkgInfo: namespace: ubuntu:18.04 os: Ubuntu osVer: '18.04' pkg: openssl pkgVer: 1.1.1-1ubuntu2.1~18.04.5 versionFormat: dpkg vulnId: CVE-2017-3731 severity: Medium featureKey: name: openssl namespace: ubuntu:18.04 cveProps: cveBatchId: 087956A88D8B89A79D0DC1F2E5E8269C description: >- If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. link: http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-3731 metadata: nvd: cvssv2: publisheddatetime: 2017-05-04T19:29Z score: 5 vectors: AV:N/AC:L/Au:N/C:N/I:N/A:P cvssv3: exploitabilityscore: 3.9 impactscore: 3.6 score: 7.5 vectors: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H fixInfo: fixAvailable: '1' fixedVersion: 0:1.0.2g-1ubuntu11 summary: evalCreatedTime: 2021-09-16 18:41:04.161 -0700 evalStatus: MATCH_VULN numFixableVuln: 10 numFixableVulnBySeverity: '1': 0 '2': 3 '3': 5 '4': 2 '5': 0 numTotal: 70 numVuln: 10 numVulnBySeverity: '1': 0 '2': 3 '3': 5 '4': 2 '5': 0 props: evalAlgo: '1001' responseAgentAccessTokens_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/AgentAccessTokens_Response_Schema' example: data: accessToken: 47d102752b57caa18b... createdTime: '2020-12-16T16:43:37.915Z' props: createdTime: '2020-12-16T16:43:37.915Z' description: testing agent tokenAlias: Ops Agent tokenEnabled: '1' version: '0.1' responseAgentAccessTokensList_Response_Schema: description: No Error (List of Agent Access Tokens) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/AgentAccessTokens_Response_Schema' example: data: - accessToken: 47d102752b57caa18b... createdTime: '2020-12-16T16:43:37.915Z' props: createdTime: '2020-12-16T16:43:37.915Z' description: testing agent tokenAlias: Ops Agent tokenEnabled: '1' version: '0.1' - accessToken: e2f32885791213cb41... createdTime: '2020-12-10T18:14:05.754Z' props: createdTime: '2020-12-10T18:14:05.754Z' description: testing agent 1 tokenAlias: Dev Agent tokenEnabled: '1' version: '0.1' responseAlertChannels_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/AlertChannels_Response_Schema' examples: AwsS3: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsS3 data: s3CrossAccountCredentials: externalId: '123456' roleArn: arn:aws:iam::... bucketArn: arn:aws:s3:::... CiscoSparkWebhook: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: CiscoSparkWebhook data: webhook: https://api.ciscospark.com/v1/webhooks/incoming/abc CloudwatchEb: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: CloudwatchEb data: issueGrouping: Events eventBusArn: arn:aws:events:us-west-2:123456789012:event-bus/abc Datadog: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: Datadog data: datadogType: Logs Summary datadogSite: com apiKey: '********' EmailUser: value: data: createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2020-12-18T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Email User props: '{object}' state: '{object}' type: EmailUser data: notificationTypes: ...: ... channelProps: recipients: support@lacework.net,info@lacework.net GcpPubsub: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpPubsub data: issueGrouping: Events credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' projectId: project_id topicId: topic_id IbmQradar: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: IbmQradar data: qradarCommType: HTTPS Self Signed Cert qradarHostUrl: 127.0.0.1 qradarHostPort: 12345 Jira: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: Jira data: jiraType: JIRA_CLOUD issueGrouping: Events jiraUrl: https://xyz.atlassian.com/abc projectId: project_id issueType: issue_type username: support apiToken: api_token MicrosoftTeams: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: MicrosoftTeams data: teamsUrl: https://webhook.office.com/webhook/xyz NewRelicInsights: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: NewRelicInsights data: insertKey: Xyz123Abc456Def789... accountId: 123456 PagerDutyApi: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: PagerDutyApi data: apiIntgKey: Xyz123Abc456Def789... ServiceNowRest: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: ServiceNowRest data: issueGrouping: Events userName: support password: '********' instanceUrl: https://xyz.service-now.com/abc SlackChannel: value: data: createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2020-12-18T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Slack Channel LW props: '{object}' state: '{object}' type: SlackChannel data: slackUrl: https://hooks.slack.com/services/xyz/abc/def SplunkHec: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: SplunkHec data: hecToken: 12345678-abcd-1234-5678-1234abcd5678 channel: channel123 host: xyz.cloud.splunk.com port: 8088 ssl: true eventData: index: main source: src VictorOps: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: VictorOps data: intgUrl: >- https://alert.victorops.com/integrations/generic/xyz/alert/abc Webhook: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: Webhook data: webhookUrl: https://wh.xyz.com/abc responseAlertChannelsList_Response_Schema: description: No Error (List of Alert Channels) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/AlertChannels_Response_Schema' examples: AwsS3: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsS3 data: s3CrossAccountCredentials: externalId: '123456' roleArn: arn:aws:iam::... bucketArn: arn:aws:s3:::... - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: AwsS3 data: s3CrossAccountCredentials: externalId: '123456' roleArn: arn:aws:iam::... bucketArn: arn:aws:s3:::... AwsUsGovCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCfg data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Info props: '{object}' state: '{object}' type: AwsUsGovCfg data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' AwsUsGovCtSqs: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCtSqs data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' queueUrl": https://sqs.us-gov-west-1.amazonaws.com/... - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: AwsUsGovCtSqs data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' queueUrl": https://sqs.us-gov-west-1.amazonaws.com/... AzureAlSeq: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureAlSeq data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl queueUrl": https://xyz.queue.core.windows.net/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: AzureAlSeq data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl queueUrl": https://xyz.queue.core.windows.net/abc AzureCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureCfg data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: AzureCfg data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl CiscoSparkWebhook: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: CiscoSparkWebhook data: webhook: https://api.ciscospark.com/v1/webhooks/incoming/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: CiscoSparkWebhook data: webhook: https://api.ciscospark.com/v1/webhooks/incoming/abc CloudwatchEb: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: CloudwatchEb data: issueGrouping: Events eventBusArn: arn:aws:events:us-west-2:123456789012:event-bus/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: CloudwatchEb data: issueGrouping: Events eventBusArn: arn:aws:events:us-west-2:123456789012:event-bus/abc Datadog: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: Datadog data: datadogType: Logs Summary datadogSite: com apiKey: '********' - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: Datadog data: datadogType: Logs Summary datadogSite: com apiKey: '********' EmailUser: value: data: - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2020-12-18T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Lacework Information props: '{object}' state: '{object}' type: EmailUser data: notificationTypes: ...: ... channelProps: recipients: support@lacework.net,info@lacework.net - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Lacework Support props: '{object}' state: '{object}' type: EmailUser data: notificationTypes: ...: ... channelProps: recipients: support@lacework.net,info@lacework.net GcpPubsub: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpPubsub data: issueGrouping: Events credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' projectId: project_id topicId: topic_id - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: GcpPubsub data: issueGrouping: Events credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' projectId: project_id topicId: topic_id IbmQradar: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: IbmQradar data: qradarCommType: HTTPS Self Signed Cert qradarHostUrl: 127.0.0.1 qradarHostPort: 12345 - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: IbmQradar data: qradarCommType: HTTPS qradarHostUrl: 127.0.0.1 qradarHostPort: 23456 Jira: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: Jira data: jiraType: JIRA_CLOUD issueGrouping: Events jiraUrl: https://xyz.atlassian.com/abc projectId: project_id issueType: issue_type username: support apiToken: api_token - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: Jira data: jiraType: JIRA_CLOUD issueGrouping: Resources jiraUrl: https://xyz.atlassian.com/abc projectId: project_id issueType: issue_type username: info apiToken: api_token MicrosoftTeams: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: MicrosoftTeams data: teamsUrl: https://webhook.office.com/webhook/xyz - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: MicrosoftTeams data: teamsUrl: https://webhook.office.com/webhook/xyz NewRelicInsights: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: NewRelicInsights data: insertKey: Xyz123Abc456Def789... accountId: 123456 - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: NewRelicInsights data: insertKey: Xyz123Abc456Def789... accountId: 123456 PagerDutyApi: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: PagerDutyApi data: apiIntgKey: Xyz123Abc456Def789... - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: PagerDutyApi data: apiIntgKey: Xyz123Abc456Def789... ServiceNowRest: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: ServiceNowRest data: issueGrouping: Events userName: support password: '********' instanceUrl: https://xyz.service-now.com/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: ServiceNowRest data: issueGrouping: Events userName: info password: '********' instanceUrl: https://xyz.service-now.com/abc SlackChannel: value: data: - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2020-12-18T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Slack Channel LW props: '{object}' state: '{object}' type: SlackChannel data: slackUrl: https://hooks.slack.com/services/xyz/abc/def - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2020-12-18T11:38:28Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Slack Channel LW Dev props: '{object}' state: '{object}' type: SlackChannel data: slackUrl: https://hooks.slack.com/services/xyz/ghi/jkl SplunkHec: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: SplunkHec data: hecToken: 12345678-abcd-1234-5678-1234abcd5678 channel: channel123 host: xyz.cloud.splunk.com port: 8088 ssl: true eventData: index: main source: src - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: SplunkHec data: hecToken: 12345678-abcd-1234-5678-1234abcd5678 channel: channel123 host: xyz.cloud.splunk.com port: 8088 ssl: true eventData: index: main source: src VictorOps: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: VictorOps data: intgUrl: >- https://alert.victorops.com/integrations/generic/xyz/alert/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: VictorOps data: intgUrl: >- https://alert.victorops.com/integrations/generic/xyz/alert/abc Webhook: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: Webhook data: webhookUrl: https://wh.xyz.com/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: Webhook data: webhookUrl: https://wh.xyz.com/abc responseAlertRules_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/AlertRules_Response_Schema' example: data: mcGuid: QA42F6C8_97... filters: name: Default Rule createdOrUpdatedBy: user@lacework.net createdOrUpdatedTime: '2020-02-18T16:52:57.726Z' enabled: 1 resourcegroups: - QA402035_43... severity: - 1 - 2 - 3 eventcategory: - App - Compliance - Cloud - File - K8sActivity - Machine - Platform - User intgGuidList: - QA402035_66... type: Event responseAlertRulesList_Response_Schema: description: No Error (List of Alert Rules) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/AlertRules_Response_Schema' example: data: - mcGuid: QA42F6C8_97... filters: name: Default Rule createdOrUpdatedBy: user@lacework.net createdOrUpdatedTime: '2020-02-18T16:52:57.726Z' enabled: 1 resourcegroups: - QA402035_43.. severity: - 1 - 2 - 3 eventcategory: - App - Compliance - Cloud - File - K8sActivity - Machine - Platform - User intgGuidList: - QA402035_66... type: Event - mcGuid: QA42F6C8_83... filters: name: test createdOrUpdatedBy: user@lacework.net createdOrUpdatedTime: '2020-01-15T07:07:21.989Z' enabled: 1 resourcegroups: - QA402035_EB... - QA402035_BA... severity: - 1 - 2 - 3 eventcategory: - User - Cloud intgGuidList: - QA402035_01... - QA402035_A6... type: Event responseAuditLogsList_Response_Schema: description: No Error (List of Audit Logs) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/AuditLogs_Response_Schema' example: data: - accountName: Lacework createdTime: '2020-12-18T18:38:28Z' eventDescription: >- User info@lacework.net logged in to Lacework account using OAuth credentials eventName: User Login userAction: Login with OAuth Succeeded userName: info@lacework.net - accountName: Lacework createdTime: '2020-12-18T22:38:28Z' eventDescription: >- User info@lacework.net logged in to Lacework account using OAuth credentials eventName: User Login userAction: Login with OAuth Succeeded userName: info@lacework.net responseCloudActivitiesList_Response_Schema: description: No Error (List of Cloud Activities) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/CloudActivities_Response_Schema' example: paging: rows: 5000 totalRows: 5020 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/CloudActivities/AbcdEfgh123... data: - startTime: '2021-12-18T06:00:00Z' endTime: '2021-12-18T06:30:00Z' eventType: CloudTrailDefaultAlert eventId: 291028 eventModel: CloudTrailCep eventActor: Aws eventMap: API: - KEY: api: DeleteUser service: iam.amazonaws.com PROPS: source_ip_address_list: - 34.221.221.117 user_list: - AssumedRole/631664038012:dev-test-instances CT_User: - KEY: account: '631664038012' mfa: 0 principalId: ABCDEFGHIJKL123456789 username: AssumedRole/631664038012:dev-test-instances PROPS: api_list: - DeleteUser region_list: - us-east-1 Region: - KEY: region: us-east-1 PROPS: account_list: - '631668038012' Resource: - KEY: name: userName value: demomon13dec21083001 - KEY: name: userName value: demomon13dec21083001 RulesTriggered: - KEY: triggered_rule_id: lw-dev-1 PROPS: rule_description: An existing user was deleted. rule_id: lw-dev-1 rule_severity: 3 rule_title: Delete User SourceIpAddress: - KEY: ip_addr: 34.221.221.117 PROPS: api_list: - DeleteUser - startTime: '2021-12-18T08:00:00Z' endTime: '2021-12-18T08:30:00Z' eventType: IAMAccessKeyChanged eventId: 19018 eventModel: CloudTrailCep eventActor: Aws eventMap: API: - KEY: api: CreateAccessKey service: iam.amazonaws.com PROPS: source_ip_address_list: - 34.221.221.117 user_list: - AssumedRole/631664038012:dev-test-instances - KEY: api: DeleteAccessKey service: iam.amazonaws.com PROPS: source_ip_address_list: - 34.221.221.117 user_list: - AssumedRole/631664038012:dev-test-instances CT_User: - KEY: account: '631664038012' mfa: 0 principalId: ABCDEFGHIJKL123456789 username: AssumedRole/631664038012:dev-test-instances PROPS: api_list: - CreateAccessKey - DeleteAccessKey region_list: - us-east-1 Region: - KEY: region: us-east-1 PROPS: account_list: - '631664038012' Resource: - KEY: name: accessKeyId value: ABCD1234567890 - KEY: name: userName value: demomon13dec21083001 - KEY: name: accessKeyId value: ABCD9876543210 - KEY: name: userName value: demomon13dec21083001 RulesTriggered: - KEY: triggered_rule_id: lw-global-12 PROPS: rule_description: An IAM access key was created or deleted. rule_id: lw-global-12 rule_severity: 2 rule_title: IAM Access Key Change SourceIpAddress: - KEY: ip_addr: 34.221.221.117 PROPS: api_list: - CreateAccessKey - DeleteAccessKey responseContractInfoList_Response_Schema: description: No Error (List of Contract Info) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/ContractInfo_Response_Schema' example: data: - objName: CloudActivities props: contractStartUtc: '2020-12-01T00:00:00Z' renewalUtc: '2021-03-01T00:00:00Z' numPurchased: 1 dataRetentionInDay: 90 - objName: AWSConfig props: contractStartUtc: '2020-12-01T00:00:00Z' renewalUtc: '2021-03-01T00:00:00Z' numPurchased: 1 dataRetentionInDay: 90 responseReportRules_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/ReportRules_Response_Schema' example: data: mcGuid: QA42F6C8_83... filters: name: LW Rule 1 createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-01-12T23:16:08.418Z' enabled: 1 resourceGroups: - QA402035_BA... severity: - 1 - 2 - 3 intgGuidList: - QA402035_32... reportNotificationTypes: gcpCis: false gcpComplianceEvents: false trendReport: false azurePci: true agentEvents: false awsCisS3: false gcpAuditTrailEvents: false openShiftCompliance: false openShiftComplianceEvents: false azureSoc: true awsComplianceEvents: false azureComplianceEvents: false azureCis: true azureActivityLogEvents: false awsCloudtrailEvents: false type: Report responseReportRulesList_Response_Schema: description: No Error (List of Report Rules) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/ReportRules_Response_Schema' example: data: - mcGuid: QA42F6C8_83... filters: name: LW Rule 1 createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-01-12T23:16:08.418Z' enabled: 1 resourceGroups: - QA402035_BA... severity: - 1 - 2 - 3 intgGuidList: - QA402035_32... reportNotificationTypes: gcpCis: false gcpComplianceEvents: false trendReport: false azurePci: false agentEvents: false awsCisS3: true gcpAuditTrailEvents: false openShiftCompliance: false openShiftComplianceEvents: false azureSoc: false awsComplianceEvents: true azureComplianceEvents: false azureCis: false azureActivityLogEvents: false awsCloudtrailEvents: true type: Report - mcGuid: QA42F6C8_88... filters: name: LW Rule 2 createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-01-12T23:18:08.418Z' enabled: 1 resourceGroups: - QA402035_BC... severity: - 1 - 2 - 3 intgGuidList: - QA402035_33... reportNotificationTypes: gcpCis: false gcpComplianceEvents: false trendReport: false azurePci: true agentEvents: false awsCisS3: false gcpAuditTrailEvents: false openShiftCompliance: false openShiftComplianceEvents: false azureSoc: true awsComplianceEvents: false azureComplianceEvents: false azureCis: true azureActivityLogEvents: false awsCloudtrailEvents: false type: Report responseTeamMembers_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/TeamMembers_Response_Schema' examples: With Org-Access: value: data: userName: user1.test@lacework.net orgAccount: true url: url orgAdmin: false orgUser: false accounts: - admin: 'true' custGuid: CUST_GUID userGuid: USER1_GUID userEnabled: 1 Without Org-Access: value: data: props: firstName: User1 lastName: Test accountAdmin: true userGuid: USER1_GUID custGuid: CUST_GUID userEnabled: 1 userName: user1.test@lacework.net responseUpdateTeamMember: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/TeamMembers_Update_Schema' examples: With Org-Access: value: data: userName: user1.test@lacework.net orgAccount: true url: url orgAdmin: false orgUser: false accounts: - admin: 'true' custGuid: CUST_GUID userGuid: USER1_GUID userEnabled: 1 Without Org-Access: value: data: props: firstName: User1 lastName: Test accountAdmin: true userGuid: USER1_GUID custGuid: CUST_GUID userEnabled: 1 userName: user1.test@lacework.net responseTeamMembersList_Response_Schema: description: No Error (List of Team Members) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/TeamMembers_Response_Schema' example: data: - props: firstName: User1 lastName: Test accountAdmin: true userGuid: USER1_GUID custGuid: CUST_GUID userEnabled: 1 userName: user1.test@lacework.net - props: firstName: User2 lastName: Test accountAdmin: true userGuid: USER2_GUID custGuid: CUST_GUID userEnabled: 1 userName: user2.test@lacework.net responseResourceGroups_Response_Schema_Specific_Resource_Guid: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/ResourceGroups_Response_Schema_Override' example: data: guid: LW_XYZ... isDefault: '1' props: >- {"DESCRIPTION":"AWS Resource Group","ACCOUNT_IDS":["827398290830"],"UPDATED_BY":abc@xyz.com,"LAST_UPDATED":1611257592628} resourceGuid: LWABC... resourceName: AWS Resource Group resourceType: AWS enabled: 1 isDefaultInteger: 1 propsJson: description: AWS Resource Group accountIds: - '827398290830' updatedBy: abc@xyz.com lastUpdated: '1611257592628' responseResourceGroups_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/ResourceGroups_Response_Schema_Override' example: data: guid: LW_XYZ... isDefault: 1 resourceGuid: LWABC... resourceName: AWS Resource Group resourceType: AWS enabled: 1 props: description: AWS Resource Group accountIds: - '827398290830' updatedBy: abc@xyz.com lastUpdated: '1611257592628' isDefaultInteger: 1 propsJson: description: AWS Resource Group accountIds: - '827398290830' updatedBy: abc@xyz.com lastUpdated: '1611257592628' responseResourceGroupsList_Response_Schema: description: No Error (List of Resource Groups) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/ResourceGroups_Response_Schema_Override' example: data: - guid: LW_XYZ... isDefault: '1' props: >- {"DESCRIPTION":"AWS Resource Group","ACCOUNT_IDS":["827398290830"],"UPDATED_BY":abc@xyz.com,"LAST_UPDATED":1611257592628} resourceGuid: LWABC... resourceName: AWS Resource Group resourceType: AWS enabled: 1 isDefaultInteger: 1 propsJson: description: AWS Resource Group accountIds: - '827398290830' updatedBy: abc@xyz.com lastUpdated: '1611257592628' - guid: LW_XYZ... isDefault: '0' props: >- {"DESCRIPTION":"GCP Resource Group","ORGANIZATION":"817397103268","PROJECTS":["gcpProject"],"UPDATED_BY":abc@xyz.com,"LAST_UPDATED":1611257592628} resourceGuid: LWDEF... resourceName: GCP Resource Group resourceType: GCP enabled: 0 isDefaultInteger: 0 propsJson: description: GCP Resource Group organization: '817397103268' projects: - gcpProject updatedBy: abc@xyz.com lastUpdated: '1611257592638' responseCloudAccounts_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/CloudAccounts_Response_Schema' examples: AwsCfg: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsCfg data: awsAccountId: '123456789012' crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' AwsCtSqs: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsCtSqs data: awsAccountId: '123456789012' crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' issueGrouping: Events queueUrl: https://sqs.us-west-2.amazonaws.com/... AwsEksAudit: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsEksAudit data: snsArn: arn:aws:sns::... crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' AwsUsGovCfg: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCfg data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' AwsUsGovCtSqs: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCtSqs data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' queueUrl": https://sqs.us-gov-west-1.amazonaws.com/... AzureAlSeq: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureAlSeq data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl queueUrl": https://xyz.queue.core.windows.net/abc AzureCfg: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureCfg data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl GcpAtSes: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpAtSes data: credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' idType: PROJECT id: prod1-xyz-gcp subscriptionName: projects/prod1-xyz-gcp/subscriptions/abc GcpCfg: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpCfg data: credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' idType: PROJECT id: abc responseCloudAccountsList_Response_Schema: description: No Error (List of Cloud Accounts) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/CloudAccounts_Response_Schema' examples: AwsCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-01-28T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsCfg data: awsAccountId: '123456789012' crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-01-30T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Info props: '{object}' state: '{object}' type: AwsCfg data: awsAccountId: '123456789012' crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' AwsCtSqs: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsCtSqs data: awsAccountId: '123456789012' crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' issueGrouping: Events queueUrl: https://sqs.us-west-2.amazonaws.com/... - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T18:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Info props: '{object}' state: '{object}' type: AwsCtSqs data: awsAccountId: '123456789012' crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' issueGrouping: Events queueUrl: https://sqs.us-west-2.amazonaws.com/... AwsEksAudit: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsEksAudit data: snsArn: arn:aws:sns::... crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsEksAudit data: snsArn: arn:aws:sns::... crossAccountCredentials: roleArn: arn:aws:iam::... externalId: '123456' AwsUsGovCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCfg data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCfg data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' AwsUsGovCtSqs: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCtSqs data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' queueUrl": https://sqs.us-gov-west-1.amazonaws.com/... - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AwsUsGovCtSqs data: accessKeyCredentials: accountId: '123456789012' accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' queueUrl": https://sqs.us-gov-west-1.amazonaws.com/... AzureAlSeq: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureAlSeq data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl queueUrl": https://xyz.queue.core.windows.net/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureAlSeq data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl queueUrl": https://xyz.queue.core.windows.net/abc AzureCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureCfg data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: AzureCfg data: credentials: clientId: 12345678-9012-3456-abcd-efghijklijkl clientSecret: '********' tenantId: 12345678-9012-3456-abcd-efghijklijkl GcpAtSes: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpAtSes data: credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' idType: PROJECT id: prod1-xyz-gcp subscriptionName: projects/prod1-xyz-gcp/subscriptions/abc - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: GcpAtSes data: credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' idType: PROJECT id: prod1-xyz-gcp subscriptionName: projects/prod1-xyz-gcp/subscriptions/abc GcpCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpCfg data: credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' idType: PROJECT id: abc - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: GcpCfg data: credentials: clientId: 1234567890... privateKeyId: 1234567890abcdefgh clientEmail: abc@xyz.com privateKey: '********' idType: PROJECT id: abc responseContainerRegistries_Response_Schema: description: 'No Error ' content: application/json: schema: properties: data: $ref: '#/components/schemas/ContainerRegistries_Response_Schema' examples: ContVulnCfg: value: data: createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: ContVulnCfg data: accessKeyCredentials: accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' registryType: AWS_ECR registryDomain: 12345678.abc.ecr.us-west-2.amazonaws.com limitByTag: - latest* limitByLabel: [] limitByRep": [] limitNumImg: 5 identifierTag: - tag1: tag_1 - tag2: tag_2 responseContainerRegistriesList_Response_Schema: description: No Error (List of Container Registries) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/ContainerRegistries_Response_Schema' examples: ContVulnCfg: value: data: - createdOrUpdatedBy: support@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: Support props: '{object}' state: '{object}' type: ContVulnCfg data: accessKeyCredentials: accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' registryType: AWS_ECR registryDomain: 12345678.abc.ecr.us-west-2.amazonaws.com limitByTag: - latest* limitByLabel: [] limitByRep": [] limitNumImg: 5 identifierTag: - tag1: tag_1 - tag2: tag_2 - createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-02-08T08:28:18Z' enabled: 1 intgGuid: LWXYZ... isOrg: 0 name: info props: '{object}' state: '{object}' type: ContVulnCfg data: accessKeyCredentials: accessKeyId: ABCDEFGHIJKLMNOPQRST secretAccessKey: '********' registryType: AWS_ECR registryDomain: 12345678.abc.ecr.us-west-2.amazonaws.com limitByTag: - latest* limitByLabel: [] limitByRep": [] limitNumImg: 5 identifierTag: - tag1: tag_1 - tag2: tag_2 responseUserProfileList_Response_Schema: description: List of Sub-accounts content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/UserProfile_Response_Schema' example: - username: user@lacework.net orgAccount: true url: url orgAdmin: true orgUser: false accounts: - admin: true accountName: accountName1 custGuid: custGuid1 userGuid: userGuid1 userEnabled: 1 - admin: true accountName: accountName2 custGuid: custGuid2 userGuid: userGuid2 userEnabled: 1 responsePolicies_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/Policies_Response_Schema' example: data: evaluatorId: Cloudtrail policyId: lacework... policyType: Violation queryId: LW_Custom_AWS_CTA_AuroraPasswordChange queryText: >- LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ... title: Cloudtrail Policy 2 enabled: false description: Cloudtrail Policy 2 remediation: Policy remediation 2 severity: medium limit: 100 evalFrequency: Hourly alertEnabled: true alertProfile: LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource owner: support@lacework.net lastUpdateTime: '2022-10-03T16:23:38.915Z' lastUpdateUser: support@lacework.net tags: - domain:Host - subdomain:Container responsePoliciesList_Response_Schema: description: No Error (List of Policies) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/Policies_Response_Schema' example: data: - policyId: lacework-global-89 policyType: Compliance queryId: '' queryText: '' title: EC2 instance does not have any tags enabled: false description: >- Tags allow users to better organize resources and assist the collection of metrics... remediation: |- Perform the following to add tags: 1. Log in to the AWS Management Console... severity: high alertEnabled: false alertProfile: '' owner: Lacework lastUpdateTime: '2021-05-31T19:00:00.000Z' lastUpdateUser: Lacework tags: - framework:aws-lacework-security-1-0 - domain:AWS - subdomain:Configuration exceptionConfiguration: constraintFields: - fieldKey: accountIds dataType: String multiValue: true - fieldKey: regionNames dataType: String multiValue: true - fieldKey: resourceNames dataType: String multiValue: false - fieldKey: resourceTags dataType: KVTagPair multiValue: true - evaluatorId: Cloudtrail policyId: lacework... policyType: Violation queryId: LW_Custom_AWS_CTA_AuroraPasswordChange queryText: >- LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents } FILTER ... title: Cloudtrail Policy 2 enabled: false description: Cloudtrail Policy 2 remediation: Policy remediation 2 severity: medium limit: 100 evalFrequency: Hourly alertEnabled: true alertProfile: LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource owner: support@lacework.net lastUpdateTime: '2022-10-03T16:23:38.915Z' lastUpdateUser: support@lacework.net tags: - domain:Host - subdomain:Container responsePolicyTags_Response_Schema: description: No Error content: application/json: schema: properties: data: type: array items: type: string example: data: - domain:AWS - domain:Host - subdomain:Cloudtrail - subdomain:Container responseQueries_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/Queries_Response_Schema' example: data: evaluatorId: Cloudtrail queryId: LW_Global_... queryText: Query... owner: support@lacework.net lastUpdateTime: '2020-12-16T16:43:37.915Z' lastUpdateUser: support@lacework.net resultSchema: - name: EVENT dataType: JSON description: Description of the result - name: EVENT_TIME dataType: Timestamp description: Description of the result responseQueriesList_Response_Schema: description: No Error (List of Queries) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/Queries_Response_Schema' example: data: - evaluatorId: Cloudtrail queryId: LW_Global_... queryText: Query... owner: support@lacework.net lastUpdateTime: '2020-12-16T16:43:37.915Z' lastUpdateUser: support@lacework.net resultSchema: - name: EVENT dataType: JSON description: Description of the result - name: EVENT_TIME dataType: Timestamp description: Description of the result - evaluatorId: Cloudtrail queryId: LW_Global2_... queryText: Query... owner: support@lacework.net lastUpdateTime: '2020-12-16T16:43:37.915Z' lastUpdateUser: support@lacework.net resultSchema: - name: EVENT dataType: JSON description: Description of the result - name: EVENT_TIME dataType: Timestamp description: Description of the result responseQueriesExecute: description: No Error content: application/json: schema: properties: data: type: array description: Result records, schema determined by query items: {} example: data: - {} responseQueriesValidate: description: No Error content: application/json: schema: properties: data: type: object properties: evaluatorId: description: > Optional identifier of the evaluator where the policy is run. This field is only for CloudTrail queries and policies. type: string queryText: description: >- When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data. type: string queryId: type: string description: Identifier of the query resultSchema: type: array items: type: object properties: name: type: string description: Name of the result column dataType: type: string description: LQL type of the result column example: data: evaluatorId: Cloudtrail queryId: LW_Global_... queryText: Query... resultSchema: - name: column1 dataType: '' - name: column2 dataType: '' responseTemplateFilesList_Response_Schema: description: No Error (Template File Content) content: application/octet-stream: schema: $ref: '#/components/schemas/TemplateFiles_Response_Schema' responseEntities_MachinesList_Response_Schema: description: No Error (List of Machines) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Machines_Response_Schema' example: paging: rows: 5000 totalRows: 6318 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Machines/AbcdEfgh123... data: - startTime: '2021-08-28T21:00:00Z' endTime: '2021-08-28T22:00:00Z' mid: 12345 hostname: ip-172-31-22-135.us-west-2.compute.internal machineTags: ExternalIp: 35.163.78.148 Hostname: ip-172-31-22-135.us-west-2.compute.internal InstanceId: i-07927817a7a532c81 InstanceName: vpc-39c60f41 InternalIp: 172.31.22.135 NumericProjectId: ami-038b12f51d612b5db ProjectId: '632668038012' SubnetId: subnet-ec136995 VmInstanceType: t2.xlarge VmProvider: AWS Zone: us-west-2 primaryIpAddr: 172-31-22-135 entityType: Machine - startTime: '2021-08-28T21:00:00Z' endTime: '2021-08-28T22:00:00Z' mid: 12346 hostname: ip-172-31-22-138.us-west-2.compute.internal machineTags: ExternalIp: 35.163.78.138 Hostname: ip-172-31-22-138.us-west-2.compute.internal InstanceId: i-07927817a7a532c83 InstanceName: vpc-39c60f31 InternalIp: 172.31.22.138 NumericProjectId: ami-038b12f51d312b5db ProjectId: '632668038013' SubnetId: subnet-ec136965 VmInstanceType: t2.xlarge VmProvider: AWS Zone: us-west-2 primaryIpAddr: 172-31-22-138 entityType: Machine responseActivities_UserLoginsList_Response_Schema: description: No Error (List of User Logins) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Activities_UserLogins_Response_Schema' example: paging: rows: 5000 totalRows: 5050 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Activities/UserLogins/AbcdEfgh123... data: - createdTime: '2021-09-10T05:35:45.382Z' mid: 12345 activityTime: '2021-08-06T06:05:05.260Z' activityType: LOGIN username: ec2-user uid: 1000 sourceIpAddr: 2.141.452.76 - createdTime: '2021-09-10T05:35:45.382Z' mid: 12345 activityTime: '2021-08-06T06:05:05.260Z' activityType: LOGOFF username: ec2-user uid: 1000 sourceIpAddr: 2.141.452.76 responseEntities_ApplicationsList_Response_Schema: description: No Error (List of Applications) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Applications_Response_Schema' example: paging: rows: 5000 totalRows: 8368 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Applications/AbcdEfgh123... data: - startTime: '2021-08-28T21:00:00Z' endTime: '2021-08-28T22:00:00Z' mid: 12345 appName: appName1 exePath: exePath1 username: effective: example1 original: example2 propsMachine: hostname: ip-10-100-20-200 ip_addr: 10.100.20.200 mem_kbytes: 340000049 num_users: 5 primary_tags: - primaryTag1 tags: {} up_time: 45 containerInfo: k8s_cluster: cluster value pod_name: lacework-agent-ab8ok pod_namespace: kube-system pod_type: lacework-agent vmType: VM type 1 netStats: {} props: {} - startTime: '2021-08-28T21:00:00Z' endTime: '2021-08-28T22:00:00Z' mid: 12346 appName: appName2 exePath: exePath2 username: effective: example3 original: example4 propsMachine: hostname: ip-10-100-20-201 ip_addr: 10.100.20.201 mem_kbytes: 340000050 num_users: 7 primary_tags: - primaryTag6 tags: {} up_time: 60 containerInfo: k8s_cluster: cluster value 2 pod_name: lacework-agent-ab8st pod_namespace: kube-system pod_type: lacework-agent vmType: VM type 2 netStats: {} props: {} responseEntities_ImagesList_Response_Schema: description: No Error (List of Images) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Images_Response_Schema' example: paging: rows: 5000 totalRows: 6298 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Images/AbcdEfgh123... data: - createdTime: '2021-08-28T21:00:00Z' mid: 12345 imageId: sha256:1234sjfd3343592a320392... repo: repo1 tag: tag1 size: 1234567 containerType: DOCKER - createdTime: '2021-08-28T21:00:00Z' mid: 98765 imageId: sha256:1264kfdjg45430fdl... repo: repo2 tag: tag2 size: 5687 containerType: DOCKER responseEntities_UsersList_Response_Schema: description: No Error (List of Users) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Users_Response_Schema' example: paging: rows: 5000 totalRows: 12345 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Users/AbcdEfgh123... data: - createdTime: '2021-08-28T21:00:00Z' mid: 12345 username: username1 uid: 55 primaryGroupName: primaryName1 otherGroupNames: |- [ "groupName1", "groupName2" ] - createdTime: '2021-08-28T21:00:00Z' mid: 98765 username: username2 uid: 532 primaryGroupName: primaryName2 otherGroupNames: |- [ "groupName3" ] responseDatasources_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/Datasources_Response_Schema' example: data: name: LW_DATASOURCE_1 description: Details about datasource resultSchema: - name: START_TIME dataType: Timestamp description: Beginning of time interval - name: END_TIME dataType: Timestamp description: End of time interval - name: CREATED_TIME dataType: Timestamp description: Record creation time sourceRelationships: - from: MACHINES to: DNS_REQUESTS name: Machines-to-DNS-Requests description: DNS requests made from this machine toCardinality: MANY - from: MACHINES to: USER_LOGINS name: Machines-to-User-Logins description: User logins made on this machine toCardinality: MANY responseDatasourcesList_Response_Schema: description: No Error (List of Datasources) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/Datasources_Response_Schema' example: data: - name: LW_DATASOURCE_1 description: Details about datasource resultSchema: - name: START_TIME dataType: Timestamp description: Beginning of time interval - name: END_TIME dataType: Timestamp description: End of time interval - name: CREATED_TIME dataType: Timestamp description: Record creation time sourceRelationships: - from: MACHINES to: DNS_REQUESTS name: Machines-to-DNS-Requests description: DNS requests made from this machine toCardinality: MANY - from: MACHINES to: USER_LOGINS name: Machines-to-User-Logins description: User logins made on this machine toCardinality: MANY - name: LW_DATASOURCE_2 description: Details about datasource resultSchema: - name: START_TIME dataType: Timestamp description: Beginning of time interval - name: END_TIME dataType: Timestamp description: End of time interval - name: CREATED_TIME dataType: Timestamp description: Record creation time sourceRelationships: - from: CONNECTIONS to: MACHINES name: Connections-to-Machines description: Machine the connection was recorded on toCardinality: ONE responseActivities_ConnectionsList_Response_Schema: description: No Error (List of Connections) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Activities_Connections_Response_Schema' example: paging: rows: 5000 totalRows: 1233301 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Activities/Connections/AbcdEfgh123... data: - dstEntityId: mid: 116015 pid_hash: -8627328323700991000 dstEntityType: Process dstInBytes: 162688 dstOutBytes: 3572 endpointDetails: - dst_ip_addr: 10.245.48.175 dst_port: 2878 protocol: TCP src_ip_addr: 10.245.187.233 endTime: '2022-08-18T01:00:00.000Z' numConns: 38 srcEntityId: mid: 114151 pid_hash: 6612898627139247000 srcEntityType: Process srcInBytes: 3572 srcOutBytes: 162688 startTime: '2022-08-18T00:00:00.000Z' - dstEntityId: mid: 116015 pid_hash: -8627328323700991000 dstEntityType: Process dstInBytes: 252673 dstOutBytes: 4418 endpointDetails: - dst_ip_addr: 10.245.48.175 dst_port: 2878 protocol: TCP src_ip_addr: 10.245.172.126 endTime: '2022-08-18T01:00:00.000Z' numConns: 47 srcEntityId: mid: 114151 pid_hash: 6143690005229381000 srcEntityType: Process srcInBytes: 4418 srcOutBytes: 252673 startTime: '2022-08-18T00:00:00.000Z' responseActivities_DNSsList_Response_Schema: description: No Error (List of DNS Summaries) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Activities_DNSs_Response_Schema' example: paging: rows: 5000 totalRows: 17519 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Activities/DNSs/AbcdEfgh123... data: - createdTime: '2021-09-10T05:35:45.382Z' mid: 12345 fqdn: sqs.us-west-2.amazonaws.com hostIpAddr: 22.94.218.126 ttl: 1 dnsServerIp: 11.251.0.9 - createdTime: '2021-09-10T05:35:45.382Z' mid: 12314 fqdn: sqs.us-west-2.amazonaws.com hostIpAddr: 22.94.228.126 ttl: 60 dnsServerIp: 11.312.0.9 responseActivities_ChangedFilesList_Response_Schema: description: No Error (List of Changed Files) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Activities_ChangedFiles_Response_Schema' example: paging: rows: 5000 totalRows: 654455 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/AbcdEfgh123... data: - startTime: '2021-09-10T23:00:00Z' endTime: '2021-09-11T00:00:00Z' mid: 12345 filePath: /usr/bin/curl filedataHash: >- d055afd3h16f11460b3549885a9u8a40f1905df1f9d83cf16gbfa8a3157c29ac mtime: '1631306708492' size: 210944 threatInfo: 'null' - startTime: '2021-09-10T23:00:00Z' endTime: '2021-09-11T00:00:00Z' mid: 12345 filePath: /bin/sleep filedataHash: >- ada88f7fd24bcdfdde10294c76968a335c2414ea7d43c5e3829b65cb037e90a4 mtime: '1631317667570' size: 0 threatInfo: 'null' responseConfigs_ComplianceEvaluationsList_Response_Schema: description: No Error (List of Compliance Evaluations) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: >- #/components/schemas/Configs_ComplianceEvaluations_Response_Schema example: paging: rows: 5000 totalRows: 9838 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/AbcdEfgh123... data: - account: AccountId": '812212113623' Account_Alias: lacework evalType: LW_SA id: LW_AWS_IAM_7 reason: Iam user is created but it is not active in the last 30 days recommendation: Iam user should not be inactive from last 30 days or more reportTime: '2021-09-02T11:04:45.817Z' resource: arn:aws:iam::812252663823:user/lwUser section: Identity and Access Management severity: Medium status: NonCompliant - account: AccountId": '812212113623' Account_Alias: lacework evalType: LW_SA id: LW_AWS_NETWORKING_2 reason: >- Security Groups have Unrestricted Inbound Traffic other than port 80 and 443 recommendation: Network ACLs do not allow unrestricted inbound traffic region: eu-west-2 reportTime: '2021-09-02T11:04:45.817Z' resource: arn:aws:ec2:eu-west-2:855452774823:network-acl/acl-1ue8138 section: Networking severity: Critical status: NonCompliant responseVulnerabilities_HostsList_Response_Schema: description: No Error (List of Host Vulnerabilities) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Vulnerabilities_Hosts_Response_Schema' example: paging: rows: 5000 totalRows: 209082 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/AbcdEfgh123... data: - cveProps: description: >- Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-11236... link: https://alas.aws.amazon.com/AL2/ALAS-2018-1048.html endTime: '2021-09-03T08:00:00Z' evalCtx: exception_props: - status": FixedOnDiscovery hostname: ip-10-241-138-242.us-west-2.compute.internal evalGuid: 1234567a89012b34567890123cd56e78 featureKey: name: glibc-common namespace: amzn:2 package_active: 0 version_installed: 0:2.26-56.amzn2 fixInfo: fix_available: '1' fixed_version: 2.26-28.amzn2.0.1 machineTags: Account: '249446771485' AmiId: ami-0d9ef0d809e365a36 Env: YourLacework ExternalIp: '' Hostname: ip-10-241-138-242.us-west-2.compute.internal InstanceId: i-001d473b884e2ab64 InternalIp: 10.241.138.242 KubernetesCluster: lw LwTokenShort: 2e568b3b9a3c5de63116422e41fccc Name: nodes-gbm.lw.prod SubnetId: subnet-0b2a51e40b1a0bde4 VmInstanceType: r5.12xlarge VmProvider: AWS VpcId: vpc-0df6f5ed0cd993ff2 Zone: us-west-2c arch: amd64 cluster: lw environment: prod kubernetes.io/cluster/lw: owned lw-role: nodes-gbm lw_KubernetesCluster: lw os: linux spotinst:accountId: act-b0b9eea2 spotinst:aws:ec2:group:createdBy: spotinst spotinst:aws:ec2:group:id: oesg-9a7dca03 spotinst:aws:ec2:group:name: Spotinst::Ocean::lw spotinst:ocean:launchspec:id: ols-62de1d30 spotinst:ocean:launchspec:name: nodes-gbm mid: '25988' severity: High startTime: '2021-09-03T07:00:00Z' status: FixedOnDiscovery vulnId: ALAS2-2018-1048 - cveProps: description: >- Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2017-5754... link: https://alas.aws.amazon.com/AL2/ALAS-2018-939.html endTime: '2021-09-03T08:00:00Z' evalCtx: exception_props: - status": FixedOnDiscovery hostname: ip-10-241-138-242.us-west-2.compute.internal evalGuid: 1234567a89012b34567890123cd56e78 featureKey: name: kernel namespace: amzn:2 package_active: 0 version_installed: 0:4.14.214-160.339.amzn2 fixInfo: fix_available: '1' fixed_version: 4.9.76-38.79.amzn2 machineTags: Account: '249446771485' AmiId: ami-0d9ef0d807e465a36 Env: YourLacework ExternalIp: '' Hostname: ip-10-241-138-242.us-west-2.compute.internal InstanceId: i-001d473b884e2ab64 InternalIp: 10.241.138.242 KubernetesCluster: lw LwTokenShort: 2e568b3b9a3c5de63116422e41fccc Name: nodes-gbm.lw.prod SubnetId: subnet-0b2a51e40b1a0bde4 VmInstanceType: r5.12xlarge VmProvider: AWS VpcId: vpc-0df6f5ed0cd993ff2 Zone: us-west-2c arch: amd64 cluster: lw environment: prod kubernetes.io/cluster/lw: owned lw-role: nodes-gbm lw_KubernetesCluster: lw os: linux spotinst:accountId: act-b0b9eea2 spotinst:aws:ec2:group:createdBy: spotinst spotinst:aws:ec2:group:id: oesg-9a7dca03 spotinst:aws:ec2:group:name: Spotinst::Ocean::lw spotinst:ocean:launchspec:id: ols-62de1d30 spotinst:ocean:launchspec:name: nodes-gbm mid: '25988' severity: Critical startTime: '2021-09-03T07:00:00Z' status: FixedOnDiscovery vulnId: ALAS2-2018-939 responseVulnerabilities_ContainersList_Response_Schema: description: No Error (List of Container Vulnerabilities) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: >- #/components/schemas/Vulnerabilities_Containers_Response_Schema example: paging: rows: 5000 totalRows: 11668 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/AbcdEfgh123... data: - evalCtx: cve_batch_info: - cve_created_time: '2021-12-20 00:15:59.317000000' exception_props: - exception_guid: VULN_1228C7C124CA7B3A77E3C46FFFA2FBDAE7E50C0D82400C01763 exception_name: Test Demo exception_reason: Accepted Risk image_info: created_time: 1634344667578 digest: >- sha256:2e05f1f668367c1fc0f1c9c02ee87521ed66541e6ebf0a31905b8cdd78d22611 error_msg: [] id: >- sha256:657922eb2d64b0a34fe7339f8b48afb9f2f44635d7d6eaa92af69591d29b3330 registry: remote_scanner repo: lacework/vuln-policies scan_created_time: '2021-10-16T00:37:47.578+00:00' size: 72776513 status: Success tags: - lw_container_policy_3_pass type: Docker integration_props: IDENTIFIER_TAG: - NAME: test-container-reg-1220044834 INTG_GUID: LW6DB45_DE7B1A2B2230E5B08FC1C6E6C509BD17328B04F45308A56 LIMIT_NUM_SCAN: 60 NAME: test-container-reg-1220044834 REGISTRY_TYPE: INLINE_SCANNER is_reeval: false request_source: INLINE_SCANNER scan_batch_id: c2e25d3d-b708-494a-83d7-f9a2cd731a35-1639975718819620735 scan_request_props: data_format_version: '1.0' environment: docker_version: error_message: '' version: Client: ApiVersion: '1.41' Arch: amd64 BuildTime: Fri Jul 30 19:54:08 2021 Context: default DefaultAPIVersion: '1.41' Experimental: true GitCommit: 3967b7d GoVersion: go1.16.6 Os: linux Platform: Name: Docker Engine - Community Version: 20.10.8 Server: ApiVersion: '1.41' Arch: amd64 BuildTime: '2021-06-02T11:55:29.000000000+00:00' Components: - Details: ApiVersion: '1.41' Arch": amd64 BuildTime": Wed Jun 2 11:55:29 2021 Experimental": 'true' GitCommit": b0f5bc3 GoVersion": go1.13.15 KernelVersion": 4.14.214-160.339.amzn2.x86_64 MinAPIVersion": '1.12' Os: linux Name: Engine Version: 20.10.7 - Details: GitCommit: d71fcd7d8303cbf684402823e425e9dd2e99285d Name: containerd Version: v1.4.6 - Details: GitCommit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7 Name: runc Version: 1.0.0-rc95 - Details: GitCommit": de40ad0 Name: docker-init Version: 0.19.0 Experimental: true GitCommit: b0f5bc3 GoVersion: go1.13.15 KernelVersion: 4.14.214-160.339.amzn2.x86_64 MinAPIVersion: '1.12' Os: linux Platform: Name: Docker Engine - Community Version": 20.10.7 tags: build_id: dev_build build_plan: dev_machine hostname: e900fd1a84e3 source: lacework_remote_scanner user: root props: data_format_version: '1.0' scanner_version: 0.2.2 scan_start_time: 1639975714 scanner_version: 0.2.2 vuln_batch_id: 29E30198A4544F3CA92714A73F8C964B vuln_created_time: '2021-12-20 00:15:59.317000000' evalGuid: 1234567a89012b34567890123cd56e78 featureKey: name: systemd namespace: ubuntu:20.04 version: 245.4-4ubuntu3.13 featureProps: feed: lacework introduced_in: bazel build ... layer: >- sha256:sha256:1db25fc8110c198e666dc1259ccb245293eb32dc0939407456ad80048fa06a35 src: var/lib/dpkg/status version_format: dpkg fixInfo: fix_available: 0 fixed_version: '' imageId: >- sha256:657922eb2d64b0a34fe7339f8b48afb9f2f44635d7d6eaa92af69591d29b3330 severity: Low startTime: 2021-12-19 20:48:39.019 -0800 status: EXCEPTION vulnId: CVE-2020-13776 - evalCtx: cve_batch_info: - cve_created_time: '2021-12-20 00:15:59.317000000' image_info: created_time: 1634344667578 digest: >- sha256:2e05f1f668367c1fc0f1c9c02ee47521ed66541e6ebf0a31905b8cdd78d22411 error_msg: [] id: >- sha256:657922eb2d64b0a34fe7339f8b48afb9f2f44635d7d6eaa92af69591d29b3330 registry: remote_scanner repo: lacework/vuln-policies scan_created_time: '2021-10-16T00:37:47.578+00:00' size: 72776513 status: Success tags: - lw_container_policy_3_pass type: Docker integration_props: IDENTIFIER_TAG: - NAME: test-container-reg-1220044834 INTG_GUID: LW6DB45_DE7B1A2B2230E5B08FC1C6E6C509BD17328B04F45308A56 LIMIT_NUM_SCAN: 60 NAME: test-container-reg-1220044834 REGISTRY_TYPE: INLINE_SCANNER is_reeval: false request_source: INLINE_SCANNER scan_batch_id: c2e25d3d-b708-494a-83d7-f9a2cd731a35-1639975718819620735 scan_request_props: data_format_version: '1.0' environment: docker_version: error_message: '' version: Client: ApiVersion: '1.41' Arch: amd64 BuildTime: Fri Jul 30 19:54:08 2021 Context: default DefaultAPIVersion: '1.41' Experimental: true GitCommit: 3967b7d GoVersion: go1.16.6 Os: linux Platform: Name: Docker Engine - Community Version: 20.10.8 Server: ApiVersion: '1.41' Arch: amd64 BuildTime: '2021-06-02T11:55:29.000000000+00:00' Components: - Details: ApiVersion: '1.41' Arch": amd64 BuildTime": Wed Jun 2 11:55:29 2021 Experimental": 'true' GitCommit": b0f5bc3 GoVersion": go1.13.15 KernelVersion": 4.14.214-160.339.amzn2.x86_64 MinAPIVersion": '1.12' Os: linux Name: Engine Version: 20.10.7 - Details: GitCommit: d71fcd7d8303cbf684402823e425e9dd2e99285d Name: containerd Version: v1.4.6 - Details: GitCommit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7 Name: runc Version: 1.0.0-rc95 - Details: GitCommit": de40ad0 Name: docker-init Version: 0.19.0 Experimental: true GitCommit: b0f5bc3 GoVersion: go1.13.15 KernelVersion: 4.14.214-160.339.amzn2.x86_64 MinAPIVersion: '1.12' Os: linux Platform: Name: Docker Engine - Community Version": 20.10.7 tags: build_id: dev_build build_plan: dev_machine hostname: e900fd1a84e3 source: lacework_remote_scanner user: root props: data_format_version: '1.0' scanner_version: 0.2.2 scan_start_time: 1639975714 scanner_version: 0.2.2 vuln_batch_id: 29E30198A4544F3CA92714A73F8C964B vuln_created_time: '2021-12-20 00:15:59.317000000' evalGuid: 1234567a89012b34567890123cd56e78 featureKey: name: p11-kit namespace: ubuntu:20.04 version: 0.23.20-1ubuntu0.1 featureProps: feed: lacework introduced_in: bazel build ... layer: >- sha256:sha256:1db25fc8110c198e666dc1259ccb245293eb32dc0939407456ad80048fa06a35 src: var/lib/dpkg/status version_format: dpkg fixInfo: fix_available: 0 fixed_version: '' imageId: >- sha256:657922eb2d64b0a34fe7339f8b48afb9f2f44635d7d6eaa92af69591d29b3330 severity: Low startTime: 2021-12-19 20:48:39.019 -0800 status: EXCEPTION vulnId: CVE-2019-18276 responseEntities_K8sPodsList_Response_Schema: description: No Error (List of K8s Pods) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_K8sPods_Response_Schema' example: paging: rows: 5000 totalRows: 12398 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/K8sPods/AbcdEfgh123... data: - startTime: '2021-08-28T21:00:00Z' endTime: '2021-08-28T22:00:00Z' mid: 12345 podName: name1 primaryIpAddr: 10.100.20.200 propsContainer: CONTAINER_TYPE: DOCKER IMAGE_CREATED_TIME: '2018-06-03T23:17:09.859Z' IMAGE_ID: >- sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39 IMAGE_REPO: 602801163852.dkr.ecr.us-west-2.amazonaws.com/eks/pause-amd64 IMAGE_SIZE: 742472 IMAGE_TAG: '3.1' IMAGE_VERSION: 17.06.2-ce IMAGE_VIRTUAL_SIZE: 742472 IPV4: 0.0.0.0 NAME: >- /k8s_POD_vmalert-vm-5865bffbd6-f6c7l_vm_b46fdbf1-8103-667b-ab5b-8efbff0fe8ae_0 NETWORK_MODE: None PID_MODE: Private POD_TYPE: vmalert-vm PRIVILEGED: 0 PROPS_LABEL: {} - startTime: '2021-08-28T21:00:00Z' endTime: '2021-08-28T22:00:00Z' mid: 98763 podName: name2 primaryIpAddr: 10.100.20.201 propsContainer: CONTAINER_TYPE: DOCKER IMAGE_CREATED_TIME: '2018-06-03T23:17:09.859Z' IMAGE_ID: >- sha256:9e862c010bf39766f9821926828754adccf58225aa652cc18a97fccba273df39 IMAGE_REPO: 602801163852.dkr.ecr.us-west-2.amazonaws.com/eks/pause-amd64 IMAGE_SIZE: 742472 IMAGE_TAG: '3.1' IMAGE_VERSION: 17.06.2-ce IMAGE_VIRTUAL_SIZE: 742472 IPV4: 0.0.0.0 NAME: >- /k8s_POD_vmalert-vm-5865bffbd6-f6c7l_vm_b46fdbf1-8103-667b-ab5b-8efbff0fe8ae_0 NETWORK_MODE: Host PID_MODE: Host PRIVILEGED: 0 PROPS_LABEL: {} responseEntities_CommandLinesList_Response_Schema: description: No Error (List of Active Command Lines) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_CommandLines_Response_Schema' example: paging: rows: 5000 totalRows: 8368 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/CommandLines/AbcdEfgh123... data: - createdTime: '2021-08-28T21:00:00Z' cmdlineHash: sdlkfjl3492343240.... cmdline: /bin/bash ... - createdTime: '2021-08-28T21:00:00Z' cmdlineHash: 12345fospdofd000909fsfsd.... cmdline: kubectl apply ... responseEntities_ContainersList_Response_Schema: description: No Error (List of Active Containers) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Containers_Response_Schema' example: paging: rows: 5000 totalRows: 5698 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Containers/AbcdEfgh123... data: - startTime: '2021-08-29T21:00:00Z' endTime: '2021-08-29T22:00:00Z' mid: 12345 containerName: container1 podName: podName1 imageId: sha256:12345678910abcdefghijklmno... propsContainer: IMAGE_CREATED_TIME: '2020-08-31T19:16:56.210Z' IMAGE_ID: sha256:e3adaca0b7890abcdefghijklmnopqrstuvwxyz IMAGE_SIZE: 46269990 IMAGE_TAG: v1.7.0-eksbuild.1 IMAGE_VERSION: 19.03.11 IMAGE_VIRTUAL_SIZE: 46269990 IPV4: 10.238.75.183 NAME: >- /k8s_coredns_coredns-559b5db78d-w72nn_kube-system_12a3d5c0-vea3-6305-a3f9-2733528849d5_0 PID_MODE: Private POD_IP_ADDR: 10.238.75.183 POD_TYPE: coredns-559b5db85d PRIVILEGED: 0 PROPS_LABEL: {} VOLUME_MAP: {} tags: {} - startTime: '2021-08-29T21:00:00Z' endTime: '2021-08-29T22:00:00Z' mid: 98765 containerName: container2 podName: podName2 imageId: sha256:sdkfhjdsk349324823vclkj... propsContainer: IMAGE_CREATED_TIME: '2020-08-31T19:16:56.210Z' IMAGE_ID: sha256:e3adaca0b7890abcdefghijklmnopqrstuvwxyz IMAGE_SIZE: 46269990 IMAGE_TAG: v1.7.0-eksbuild.1 IMAGE_VERSION: 19.03.11 IMAGE_VIRTUAL_SIZE: 46269990 IPV4: 10.231.32.155 NAME: >- /k8s_coredns_coredns-559b5db78d-w72nn_kube-system_12a3d5c0-vea3-6305-a3f9-2733528849d5_0 PID_MODE: Private POD_IP_ADDR: 10.231.32.155 POD_TYPE: coredns-559b5db85d PRIVILEGED: 0 PROPS_LABEL: {} VOLUME_MAP: {} tags: {} responseEntities_FilesList_Response_Schema: description: No Error (List of Active Files) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Files_Response_Schema' example: paging: rows: 5000 totalRows: 5698 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Files/AbcdEfgh123... data: - createdTime: '2021-08-29T21:00:00Z' mid: 12345 filePath: filePath1 filedataHash: hash1 size: 1234567 mtime: '1232132198' - createdTime: '2021-08-29T21:00:00Z' mid: 98765 filePath: filePath2 filedataHash: hash2 size: 59849509 mtime: '9892347923' responseEntities_ProcessesList_Response_Schema: description: No Error (List of Active Processes) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Processes_Response_Schema' example: paging: rows: 5000 totalRows: 123680 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Processes/AbcdEfgh123... data: - startTime: '2021-08-29T21:00:00Z' endTime: '2021-08-29T22:00:00Z' mid: 98765 pid: 12345 ppid: 11 username: root uid: 0 filePath: someFilePath cmdlineHash: 0011234567abja3495834d3954389fh podName: pod1 processStartTime: '2021-08-28T21:00:00Z' containerId: 12345467894329487ofi345987439857439gki349857394857438957349 - startTime: '2021-08-29T21:00:00Z' endTime: '2021-08-29T22:00:00Z' mid: 12345 pid: 98765 ppid: 1100 username: root uid: 0 filePath: someFilePath2 cmdlineHash: 394823749fskdhf349823fh498 podName: pod2 processStartTime: '2021-08-27T21:00:00Z' containerId: 3454395843759fodsigoiu495385789hgsighdskhgjfdk4843242342342 responseAlertProfiles_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/AlertProfiles_Response_Schema' example: - alertProfileId: Custom_HE_Machines_AlertProfile extends: LW_HE_Machines fields: - name: _EVENT_COUNT - name: _PRIMARY_TAG - name: _RISK - name: _SEVERITY - name: _POLICY_ID - name: HOSTNAME descriptionKeys: - name: _POLICY_DESCRIPTION spec: '{{_POLICY_DESCRIPTION}}' - name: _POLICY_TITLE spec: '{{_POLICY_TITLE}}' - name: HOSTNAME spec: '{{HOSTNAME}}' alerts: - name: HE_Machine_NewViolation eventName: Custom LW Host Entity Machine New Violation Alert description: Custom New Violation for machine {{HOSTNAME}} subject: Custom New violation detected for machine {{HOSTNAME}} - name: HE_Machine_PolicyChanged eventName: Custom LW Host Entity Machine Policy Changed Alert description: Custom policy changed for machine {{HOSTNAME}} subject: Custom policy change detected for machine {{HOSTNAME}} responseAlertProfilesList_Response_Schema: description: No Error (List of Alert Profiles) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/AlertProfiles_Response_Schema' example: - alertProfileId: Custom_HE_Machines_AlertProfile extends: LW_HE_Machines fields: - name: _EVENT_COUNT - name: _PRIMARY_TAG - name: _RISK - name: _SEVERITY - name: _POLICY_ID - name: HOSTNAME descriptionKeys: - name: _POLICY_DESCRIPTION spec: '{{_POLICY_DESCRIPTION}}' - name: _POLICY_TITLE spec: '{{_POLICY_TITLE}}' - name: HOSTNAME spec: '{{HOSTNAME}}' alerts: - name: HE_Machine_NewViolation eventName: Custom LW Host Entity Machine New Violation Alert description: Custom New Violation for machine {{HOSTNAME}} subject: Custom New violation detected for machine {{HOSTNAME}} - name: HE_Machine_PolicyChanged eventName: Custom LW Host Entity Machine Policy Changed Alert description: Custom policy changed for machine {{HOSTNAME}} subject: Custom policy change detected for machine {{HOSTNAME}} responseAlerts_Comment_Response_Schema: description: No Error (Posting a comment to an alert) content: application/json: schema: $ref: '#/components/schemas/Alerts_Timeline_Response_Schema' example: data: id: 211250 alertId: 871115 createdTime: '2022-07-18T18:28:30.739Z' entryType: Comment entryAuthorType: UserUpdate message: value: test comment externalTime: '' user: userGuid: LW123_6FA99157890E373006F7EE3FA926B02C38D547BD6C79F1D username: support@lacework.net updateContext: {} responseAlerts_Response_Schema: description: No Error (Alert Details) content: application/json: schema: oneOf: - $ref: '#/components/schemas/Alerts_Details_Response_Schema_Finalized' - $ref: >- #/components/schemas/Alerts_Investigation_Response_Schema_Finalized - $ref: '#/components/schemas/Alerts_Events_Response_Schema_Finalized' - $ref: >- #/components/schemas/Alerts_RelatedAlerts_Response_Schema_Finalized - $ref: >- #/components/schemas/Alerts_Integrations_Response_Schema_Finalized - $ref: '#/components/schemas/Alerts_Timeline_Response_Schema_Finalized' discriminator: propertyName: scope mapping: Details: '#/components/schemas/Alerts_Details_Response_Schema_Finalized' Investigation: >- #/components/schemas/Alerts_Investigation_Response_Schema_Finalized Events: '#/components/schemas/Alerts_Events_Response_Schema_Finalized' RelatedAlerts: >- #/components/schemas/Alerts_RelatedAlerts_Response_Schema_Finalized Integrations: >- #/components/schemas/Alerts_Integrations_Response_Schema_Finalized Timeline: '#/components/schemas/Alerts_Timeline_Response_Schema_Finalized' examples: Details: value: data: alertId: 813628 startTime: '2022-06-30T00:00:00.000Z' alertType: CloudActivityLogIngestionFailed severity: High endTime: '2022-06-30T01:00:00.000Z' lastUserUpdatedTime: '' status: Open alertName: Clone of Cloud Activity log ingestion failure detected alertInfo: subject: >- Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework description: >- New integration failure detected for azure-al-india-dnd (and 3 more) entityMap: API: '{object}' CT_User: '{object}' CT_RawTime: '{object}' Region: '{object}' Resource: '{object}' RulesTriggered: '{object}' SourceIpAddress: '{object}' Investigation: value: data: - question: >- Has a new user been involved in the event in the last 60 days? answer: 'No' - question: >- Have the users involved in the event authenticated without MFA in the last 60 days? answer: 'Yes' - question: >- Have any of the users involved in the event used the Root account in the last 60 days? answer: 'No' Events: value: data: awsRegion: us-west-2 eventName: GetEbsEncryptionByDefault eventSource: ec2.amazonaws.com sourceIpAddress: 123.80.321.98 recipientAccountId: '812352663828' mfa: false eventTime: '2022-07-18T17:25:30Z' userIdentity: '{object}' additionalEventInfo: errorCode: Client.UnauthorizedOperation errorMessage: You are not authorized to perform this operation. eventID: de75431e-6e1d-45d0-92a0-22addfd02f1d eventTime: 2022-07-18 10:25:30.000 -0700 eventType: AwsApiCall eventVersion: '1.08' readOnly: true requestID: ea5f07f6-459a-47d9-885c-140ace09d811 userAgent: >- Botocore/1.21.52 Python/3.9.13 Linux/5.4.181-99.354.amzn2.x86_64 requestParameters: '{"GetEbsEncryptionByDefaultRequest":""}' RelatedAlerts: value: data: eventType: CloudTrailDefaultAlert eventId: '831168' severity: '3' startTime: '2022-06-13T18:00:00Z' endTime: '2022-06-13T19:00:00Z' eventModel: CloudTrailCep eventProps: description: '{object}' dstEntities: '{object}' eventActor: Aws srcEntities: '{object}' keys: '{object}' rank: 6 eventInfo: subject: >- CTA UnauthorizedAPICall only for Client: For account: `812252663823` : event `CTA UnauthorizedAPICall only for Client.` occurred `334` times description: ' For account: 812252663823 : event CTA UnauthorizedAPICall only for Client. occurred 334 times by user ABCDEFGHIJKL:Lacework ' eventName: CTA UnauthorizedAPICall only for Client Integrations: value: data: alertChannel: '{object}' alertIntegrationId: 361f69b8-8fdf-2d6c-640c-e62bb68623cd createdTime: '2022-07-13T18:29:16.961Z' alertId: 876951 integrationType: JIRA integrationContext: id: LW-Win-123 link: https://lacework-windows.atlassian.net/browse/LW-Win-123 intgGuid: LWWIN123_FC43532CB8288DF8A2A74BC52A4579C564597C3B8221AB9 lastSyncTime: '2022-07-13T18:29:15.776Z' alertIntegrationStatus: To Do status: Open isBidirectional: true Timeline: value: data: alertChannel: '{object}' id: 134138 alertId: 871115 createdTime: '2022-07-11T00:11:31.563Z' entryType: IntegrationCreate entryAuthorType: Integration intgGuid: LWWIN123_15DE38A0090190A81719D6EF0DCCC4FED34839DC3356A23 message: {} externalTime: '' user: '{object}' updateContext: newIntegration: createdTime: '' alertId: 871115 lastSyncTime: '2022-07-11T00:11:31.560Z' alertIntegrationStatus: To Do status: Open isBidirectional: false alertIntegration": '{object}' responseAlertsList_Response_Schema: description: No Error (List of Alerts) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Alerts_Response_Schema' example: paging: rows: 1000 totalRows: 3120 urls: nextPage: https://YourLacework.lacework.net/api/v2/Alerts/AbcdEfgh123... data: - alertId: 855628 startTime: '2022-06-30T00:00:00.000Z' alertType: CloudActivityLogIngestionFailed severity: High endTime: '2022-06-30T01:00:00.000Z' lastUserUpdatedTime: '' status: Open alertName: Clone of Cloud Activity log ingestion failure detected alertInfo: subject: >- Clone of Cloud Activity log ingestion failure detected: `azure-al-india-dnd` (and `3` more) is failing for data ingestion into Lacework description: >- New integration failure detected for azure-al-india-dnd (and 3 more) policyId: CUSTOM_PLATFORM_130 - alertId: 855629 startTime: '2022-06-30T00:00:00.000Z' alertType: UnauthorizedAPICall severity: Info endTime: '2022-06-30T01:00:00.000Z' lastUserUpdatedTime: '2022-06-30T01:26:51.392Z' status: Open alertName: Unauthorized API Call alertInfo: subject: >- Unauthorized API Call: For account: `1234567890`: Unauthorized API call was attempted `4` times description: >- For account: 1234567890: Unauthorized API call was attempted 4 times by user ABCD1234:Lacework responseOrganizationInfoList_Response_Schema: description: No Error (Organization Info) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/OrganizationInfo_Response_Schema' example: - orgAccount: true orgAccountUrl: YourLacework.lacework.net responseEntities_PackagesList_Response_Schema: description: No Error (List of Packages) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_Packages_Response_Schema' example: paging: rows: 5000 totalRows: 123680 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/Packages/AbcdEfgh123... data: - createdTime: '2021-10-12T09:00:00Z' mid: 21099 packageName: package-1 version: version-1 arch: noarch - createdTime: '2021-10-12T10:00:00Z' mid: 12345 packageName: package-2 version: version-2 arch: noarch responseEntities_MachineDetailsList_Response_Schema: description: No Error (List of Machine Details) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_MachineDetails_Response_Schema' example: paging: rows: 5000 totalRows: 6138 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/AbcdEfgh123... data: - createdTime: '2021-10-12T09:00:00Z' mid: 21099 hostname: ip-1-2-3-4.us-west-2.compute.internal domain: domainName-1 os: Amazon Linux osVersion: v1 kernel: Linux kernalRelease: release-1 kernelVersion: kernelVersion1 tags: Account: '631663038012' AmiId: ami-0b83c6233cdbe5c3e Env: k8s ExternalIp: 65.12.33.13 Hostname: ip-172-20-48-251.ap-south-1.compute.internal InstanceId: i-086d43d6a3b95577b InternalIp: 172.20.48.251 KubernetesCluster: k8s.pr3-india.k8s.local SubnetId: subnet-00632df802c188943 VmInstanceType: t2.large VmProvider: AWS VpcId: vpc-0b27d7188aa120476 Zone: ap-south-1a arch: amd64 os: linux awsInstanceId: i-1 awsZone: us-west-2a - createdTime: '2021-10-12T10:00:00Z' mid: 12345 hostname: ip-10-29-39-40.us-west-2.compute.internal domain: domainName-2 os: Amazon Linux osVersion: v2 kernel: Linux kernalRelease: release-2 kernelVersion: kernelVersion2 tags: Account: '631663038222' AmiId: ami-0b82c6233cdbe5c3e Env: k8s ExternalIp: 65.12.33.12 Hostname: ip-172-20-48-252.ap-south-1.compute.internal InstanceId: i-086d43d6a3b95577b InternalIp: 172.20.48.252 KubernetesCluster: k8s.pr2-india.k8s.local SubnetId: subnet-02632df802c188923 VmInstanceType: t2.large VmProvider: AWS VpcId: vpc-0b27d7188aa120276 Zone: ap-south-1a arch: amd64 os: linux awsInstanceId: i-2 awsZone: us-west-2b responseEntities_InternalIPAddressesList_Response_Schema: description: No Error (List of Internal IP Addresses) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: >- #/components/schemas/Entities_InternalIPAddresses_Response_Schema example: paging: rows: 5000 totalRows: 6298 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/AbcdEfgh123... data: - startTime: '2021-10-12T09:00:00Z' endTime: '2021-10-12T10:00:00Z' ipAddr: 10.123.987.0 mid: 21099 - startTime: '2021-10-12T08:00:00Z' endTime: '2021-10-12T09:00:00Z' ipAddr: 19.567.921.3 mid: 12345 responseEntities_NewFileHashesList_Response_Schema: description: No Error (List of New File Hashes) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Entities_NewFileHashes_Response_Schema' example: paging: rows: 5000 totalRows: 123456 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/AbcdEfgh123... data: - startTime: '2020-12-18T08:00:00Z' endTime: '2020-12-18T08:30:00Z' filedataHash: 3209482304949038fjdksjfk324923840fuiewf498274923odiu32049 - startTime: '2020-12-18T08:00:00Z' endTime: '2020-12-18T08:30:00Z' filedataHash: lksjfldkjfl5j345uioert94t344920349j03f9ejf34900tj40934940 responseEntities_NetworkInterfacesList_Response_Schema: description: No Error (List of Network Interfaces) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: >- #/components/schemas/Entities_NetworkInterfaces_Response_Schema example: paging: rows: 5000 totalRows: 23680 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/AbcdEfgh123... data: - createdTime: '2020-12-18T08:00:00Z' mid: 12345 name: name-1 hwAddr: a5:3d:f4:7o:hy ipAddr: hg97::kdjf:klj9:kin8:lej4 - createdTime: '2020-12-18T08:30:00Z' mid: 98765 name: name-2 hwAddr: b7:k0:bh:8n ipAddr: som4::skd8:kj99:hg72:lk98 responseVulnerabilityExceptions_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/VulnerabilityExceptions_Response_Schema' example: data: createdTime: '2021-12-18T08:30:00Z' exceptionGuid: LWABC exceptionName: Container Vulnerability Exception exceptionReason: Accepted Risk exceptionType: Container expiryTime: '2021-12-28T08:30:00Z' props: description: This is a Container Vulnerability Exception createdBy: abc@xyz.com updatedBy: abc@xyz.com resourceScope: registry: - registry1 - registry2 state: 1 updatedTime: '2021-12-18T08:30:00Z' vulnerabilityCriteria: severity: - Low responseVulnerabilityExceptionsList_Response_Schema: description: No Error (List of Vulnerability Exceptions) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/VulnerabilityExceptions_Response_Schema' example: data: - createdTime: '2021-12-18T08:30:00Z' exceptionGuid: LWABC exceptionName: Container Vulnerability Exception exceptionReason: Accepted Risk exceptionType: Container expiryTime: '2021-12-28T08:30:00Z' props: description: This is a Container Vulnerability Exception createdBy: abc@xyz.com updatedBy: abc@xyz.com resourceScope: registry: - registry1 - registry2 state: 1 updatedTime: '2021-12-18T08:30:00Z' vulnerabilityCriteria: severity: - Low - createdTime: '2021-12-18T08:30:00Z' exceptionGuid: LWDEF exceptionName: Host Vulnerability Exception exceptionReason: Other exceptionType: Host expiryTime: '2021-12-28T08:30:00Z' props: description: This is a Host Vulnerability Exception createdBy: abc@xyz.com updatedBy: abc@xyz.com resourceScope: hostname: - hostname state: 1 updatedTime: '2021-12-18T08:30:00Z' vulnerabilityCriteria: severity: - High - Medium responseVulnerabilityPolicies_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/VulnerabilityPolicies_Response_Schema' example: data: policyGuid: LWABC policyName: DockerFile Vulnerability Policy policyType: DockerFile policyEvalType: local severity: Critical failOnViolation: 0 alertOnViolation: 0 filter: rule: operator: include values: - setgid - setuid state: 1 isDefault: 0 props: description: This is a DockerFile Vulnerability Policy createdBy: abc@xyz.com updatedBy: abc@xyz.com createdTime: '2022-03-04T22:32:14.685Z' updatedTime: '2022-03-04T22:32:14.685Z' responseVulnerabilityPoliciesList_Response_Schema: description: No Error (List of Vulnerability Policies) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/VulnerabilityPolicies_Response_Schema' example: data: - policyGuid: LWABC policyName: DockerFile Vulnerability Policy policyType: DockerFile policyEvalType: local severity: Critical failOnViolation: 0 alertOnViolation: 0 filter: rule: operator: include values: - setgid - setuid state: 1 isDefault: 0 props: description: This is a DockerFile Vulnerability Policy createdBy: abc@xyz.com updatedBy: abc@xyz.com createdTime: '2022-03-04T22:32:14.685Z' updatedTime: '2022-03-04T22:32:14.685Z' - policyGuid: LWABC policyName: CVE Vulnerability Policy policyType: CVE policyEvalType: local severity: High failOnViolation: 0 alertOnViolation: 0 filter: cveIds: - CVE-140 state: 1 isDefault: 0 props: description: This is a CVE Vulnerability Policy createdBy: abc@xyz.com updatedBy: abc@xyz.com createdTime: '2022-03-04T22:32:14.685Z' updatedTime: '2022-03-04T22:32:14.685Z' responseEventsList_Response_Schema: description: No Error (List of Events) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: type: array items: $ref: '#/components/schemas/Events_Response_Schema' example: data: - endTime: '2022-03-18T01:00:00.000Z' eventCount: 7738 eventType: CloudTrailDefaultAlert id: 438898 srcEvent: awsRegion: us-west-2 event: additionalEventData: AuthenticationMethod: AuthHeader CipherSuite: ECDHE-RSA-AES128-GCM-SHA256 SignatureVersion: SigV4 bytesTransferredIn: 0 bytesTransferredOut: 137 x-amz-id-2: >- wl+gKI0I80T1CIBzz8d96nX5XcesTU/eIeo8SwdNqmSH2ZYFZssPmlqNhJJnhvewgefx6Babcqc= awsRegion: us-west-2 eventCategory: Management eventID: 1dddd61c-7608-87d8-b9f8-4a52495bdbb1 eventName: GetBucketLocation eventSource: s3.amazonaws.com eventTime: '2022-03-18T00:04:08Z' eventType: AwsApiCall eventVersion: '1.08' managementEvent: true readOnly: true recipientAccountId: '631668038012' requestID: SRZY6EVTR8Q3ADSJ requestParameters: Host: s3.us-west-2.amazonaws.com bucketName: redhat-k8-crio-bucket location: '' resources: - ARN: arn:aws:s3:::redhat-k8-crio-bucket accountId: '631668038012' type: Aws::s3::bucket sourceIPAddress: 36.223.225.183 tlsDetails: cipherSuite: ECDHE-RSA-AES128-GCM-SHA256 clientProvidedHostHeader: s3.us-west-2.amazonaws.com tlsVersion: TLSv1.2 userAgent: '[aws-sdk-go/1.37.0 (go1.15.8; linux; amd64)]' userIdentity: accessKeyId: ABCDEFGHIJKLMNOPQRST accountId: '631668038012' arn: >- arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957 principalId: ABCDEFGHIJKL123456789 sessionContext: attributes: creationDate: '2022-03-17T23:58:00Z' mfaAuthenticated: 'false' ec2RoleDelivery: '2.0' sessionIssuer: accountId: '631668038012' arn: >- arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local principalId: ABCDEFGHIJKL123456789 type: Role userName: masters.redhatk8crio.k8s.local webIdFederationData: {} type: Assumedrole eventName: GetBucketLocation eventSource: s3.amazonaws.com is_assumed_role: true principalId: ABCDEFGHIJKL123456789 recipientAccountId: '631668038012' sourceIPAddress: 36.223.225.183 userIdentity: accessKeyId: ABCDEFGHIJKLMNOPQRST accountId: '631668038012' arn: >- arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957 principalId: ABCDEFGHIJKL123456789 sessionContext: attributes: creationDate: '2022-03-17T23:58:00Z' mfaAuthenticated: 'false' ec2RoleDelivery: '2.0' sessionIssuer: accountId: '631668038012' arn: >- arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local principalId: ABCDEFGHIJKL123456789 type: Role userName: masters.redhatk8crio.k8s.local webIdFederationData: {} type: Assumedrole userIdentityAccount: '631668038012' userIdentityName: masters.redhatk8crio.k8s.local userIdentityType: AssumedRole username: AssumedRole/631668038012:masters.redhatk8crio.k8s.local srcType: AwsResource startTime: '2022-03-18T00:00:00.000Z' - endTime: '2022-03-18T01:00:00.000Z' eventCount: 7738 eventType: CloudTrailDefaultAlert id: 438898 srcEvent: awsRegion: us-west-2 event: additionalEventData: AuthenticationMethod: AuthHeader CipherSuite: ECDHE-RSA-AES128-GCM-SHA256 SignatureVersion: SigV4 bytesTransferredIn: 0 bytesTransferredOut: 137 x-amz-id-2: >- hhxqxS6lksuIoI/E8eZqZ1xg+yqLSVwoXBgFb3doT0+e3QJzoDyGuQ6RqVkL8zjyhVBKhbQGC9E= awsRegion: us-west-2 eventCategory: Management eventID: 1338a37d-4309-44bb-9f68-30c39ce152b0 eventName: GetBucketLocation eventSource: s3.amazonaws.com eventTime: '2022-03-18T00:17:27Z' eventType: AwsApiCall eventVersion: '1.08' managementEvent: true readOnly: true recipientAccountId: '631668038012' requestID: T7SB5GS78Q8ZA4KV requestParameters: Host: s3.us-west-2.amazonaws.com bucketName: asset-mgt-dev-697 location: '' resources: - ARN: arn:aws:s3:::asset-mgt-dev-697 accountId: '631668038012' type: Aws::s3::bucket sourceIPAddress: 10.0.198.115 tlsDetails: cipherSuite: ECDHE-RSA-AES128-GCM-SHA256 clientProvidedHostHeader: s3.us-west-2.amazonaws.com tlsVersion: TLSv1.2 userAgent: '[aws-sdk-go/1.40.53 (go1.16; linux; amd64)]' userIdentity: accessKeyId: ABCDEFGHIJKLMNOPQRST accountId: '631668038012' arn: >- arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss principalId: ABCDEFGHIJKL123456789 type: Iamuser userName: user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss vpcEndpointId: vpce-0b01b13fbbcec47fa eventName: GetBucketLocation eventSource: s3.amazonaws.com is_assumed_role: false principalId: ABCDEFGHIJKL123456789 recipientAccountId: '631668038012' sourceIPAddress: 10.0.198.115 userIdentity: accessKeyId: ABCDEFGHIJKLMNOPQRST accountId: '631668038012' arn: >- arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss principalId: ABCDEFGHIJKL123456789 type: Iamuser userName: user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss userIdentityAccount: '631668038012' userIdentityType: IAMUser username: >- IAMUser/631668038012:user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss srcType: AwsResource startTime: '2022-03-18T00:00:00.000Z' responseExceptions_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/Exceptions_Response_Schema' example: data: exceptionId: 510c8bc5-f06b-8afb-8028-0203d6e582de description: wildcard exception constraints: - fieldKey: fieldKey1 fieldValues: - '*' lastUpdateTime: '2022-04-05T01:53:11.809Z' lastUpdateUser: info@lacework.net responseExceptionsList_Response_Schema: description: No Error (List of Policy Exceptions) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/Exceptions_Response_Schema' example: data: - exceptionId: 510c8bc5-f06b-8afb-8028-0203d6e582da description: wildcard exception constraints: - fieldKey: fieldKey1 fieldValues: - '*' lastUpdateTime: '2022-04-05T01:53:11.809Z' lastUpdateUser: info@lacework.net - exceptionId: 510c8bc5-f06b-8afb-8028-0203d6e582d description: exception for eu regions constraints: - fieldKey: fieldKey1 fieldValues: - eu-central-1 - eu-north-1 lastUpdateTime: '2022-04-05T01:56:21.808Z' lastUpdateUser: info@lacework.net responseAgentInfoList_Response_Schema: description: No Error (List of Agent Information) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: description: >- For details about what agent information is available, see [AGENT_MANAGEMENT_V View](https://www.laceworkplatform.com/console/agentmanagementv-view). type: array items: $ref: '#/components/schemas/AgentInfo_Response_Schema' example: paging: rows: 5000 totalRows: 5060 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/AgentInfo/AbcdEfgh123... data: - agentVersion: 5.5.0-6ecefc7f createdTime: '2021-03-30T12:40:19.087Z' hostname: ip-10-231-16-188.us-west-2.compute.internal ipAddr: 10.231.16.188 lastUpdate: 2022-04-27 16:59:11.283 -0700 mid: 1898 mode: normal os: Linux status: ACTIVE tags: Account: '289356771585' AmiId: ami-0d9ef0d807e565a36 COGS: OPEX Env: lw ExternalIp: '' Hostname: ip-10-231-16-188.us-west-2.compute.internal InstanceId: i-05bd72db3d5678c23 InternalIp: 10.231.16.188 KubernetesCluster: lw LwTokenShort: 2e568b3b9a3c5de63116422e41fccc Name: prod-node.lw Owner: lacework SubnetId: subnet-0a83c026ef1437f0e VmInstanceType: m5.large VmProvider: AWS VpcId: vpc-0df6f5ed0cd993ff2 WavefrontProxy: wavefront-proxy.kube-system.svc.cluster.local Zone: us-west-2a arch: amd64 aws:autoscaling:groupName: lw-cluster-123 cluster: eks-lw environment: prod kubernetes.io/cluster/prod: owned lw_KubernetesCluster: prod os: linux role: default - agentVersion: 5.5.0-6ecefc7f createdTime: '2022-04-26T11:34:58.316Z' hostname: ip-10-231-168-119.us-west-2.compute.internal ipAddr: 10.231.168.119 lastUpdate: 2022-04-28 11:05:58.317 -0700 mid: 85282 mode: ebpf os: Linux status: INACTIVE tags: Account: '239656771685' AmiId: ami-03b6ddb2869abcd51 Env: lw ExternalIp: '' Hostname: ip-10-231-168-119.us-west-2.compute.internal InstanceId: i-06f6569862686630e InternalIp: 10.231.168.119 KubernetesCluster: lw LwTokenShort: 2e568b3b9a3c5de63116422e51fccc Name: on-demand.prod.lw SubnetId: subnet-0b2a51e40b1a0bde8 VmInstanceType: r5.xlarge VmProvider: AWS VpcId: vpc-0df6f8ed0cd993ff2 Zone: us-west-2c arch: amd64 cluster: eks-lw environment: prod kubernetes.io/cluster/prod: owned lw-role: on-demand lw_KubernetesCluster: prod os: linux spotinst:accountId: act-b0b9eea2 spotinst:aws:ec2:group:createdBy: spotinst spotinst:aws:ec2:group:id: oesg-9a6dca03 spotinst:aws:ec2:group:name: Spotinst::Ocean::prod spotinst:ocean:launchspec:id: ols-fad9bf81 spotinst:ocean:launchspec:name: on-demand responseInventoryList_Response_Schema: description: No Error (List of Inventory) content: application/json: schema: properties: paging: $ref: '#/components/schemas/Paging_Schema' data: description: >- For details about what cloud resource information is available, see [CLOUD_CONFIGURATION_V View](https://www.laceworkplatform.com/console/cloudconfigurationv-view). type: array items: $ref: '#/components/schemas/Inventory_Response_Schema' example: paging: rows: 5000 totalRows: 78623 urls: nextPage: >- https://YourLacework.lacework.net/api/v2/Inventory/AbcdEfgh123... data: - apiKey: '' cloudDetails: accountAlias: abc-prod-account accountID: '631668038012' csp: AWS endTime: '2022-04-28T04:00:00.000Z' resourceConfig: AmiLaunchIndex: 0 Architecture: x86_64 BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: AttachTime: '2019-10-13T18:27:30.000Z' DeleteOnTermination: true Status: attached VolumeId: vol-05620dfe2b7fcc0d6 CapacityReservationSpecification: CapacityReservationPreference: open ClientToken: '' CpuOptions: CoreCount: 1 ThreadsPerCore: 1 EbsOptimized: false EnaSupport: true EnclaveOptions: Enabled: false HibernationOptions: Configured: false Hypervisor: xen ImageId: ami-06d31e91cea0dac8d InstanceId: i-011a36c1169995c86 InstanceType: t2.micro KeyName: test1 LaunchTime: '2019-10-13T18:27:29.000Z' MetadataOptions: HttpEndpoint: enabled HttpProtocolIpv6: disabled HttpPutResponseHopLimit: 1 HttpTokens: optional State: applied Monitoring: State: disabled NetworkInterfaces: - Attachment: AttachTime: '2019-10-13T18:27:29.000Z' AttachmentId: eni-attach-02c2609c0fe4758a0 DeleteOnTermination: true DeviceIndex: 0 NetworkCardIndex: 0 Status: attached Description": '' Groups: - GroupId: sg-0dee9782b9ba32717 GroupName: launch-wizard-23 InterfaceType: interface Ipv6Addresses: [] MacAddress: 06:8e:88:e8:50:2e NetworkInterfaceId: eni-054e319950b404c1e OwnerId: '631664038012' PrivateDnsName: ip-172-31-40-205.us-west-2.compute.internal PrivateIpAddress: 172.31.40.205 PrivateIpAddresses: - Primary: true PrivateDnsName: ip-172-31-40-205.us-west-2.compute.internal PrivateIpAddress: 172.31.40.205 SourceDestCheck": true Status: in-use SubnetId: subnet-c592d68e VpcId: vpc-39c60f41 Placement: AvailabilityZone: us-west-2a GroupName: '' Tenancy: default PlatformDetails: Linux/UNIX PrivateDnsName: ip-172-31-20-205.us-west-2.compute.internal PrivateIpAddress: 172.31.20.205 ProductCodes: [] PublicDnsName: '' RootDeviceName: /dev/sda1 RootDeviceType: ebs SecurityGroups: - GroupId: sg-0dee9774b9ba32717 GroupName: launch-wizard-23 SourceDestCheck: true State: Code: 80 Name: stopped StateReason: Code: Server.ScheduledStop Message: 'Server.ScheduledStop: Stopped due to scheduled retirement' StateTransitionReason: Server.InternalError SubnetId: subnet-c592d68e UsageOperation: RunInstances UsageOperationUpdateTime: '2019-10-13T18:27:29.000Z' VirtualizationType: hvm VpcId: vpc-39c60f41 resourceId: i-011a76c1169995c76 resourceRegion: us-west-2 resourceTags: KubernetesCluster: auto-02272022-160719-prod.k8s.local Name: a.etcd-main.auto-02272022-160719-prod.k8s.local k8s.io/etcd/main: a/a k8s.io/role/master: '1' kubernetes.io/cluster/auto-02272022-160719-prod.k8s.local: owned resourceType: ec2:instance service: ec2 startTime: '2022-04-28T03:00:00.000Z' status: formatVersion: 2 props: {} status: success urn: >- arn:aws:ec2:us-west-2:631664038012:instance/i-011a76c1169995c76 - apiKey: '' cloudDetails: accountAlias: abc-prod-account accountID: '631668038012' csp: AWS endTime: '2022-04-28T04:00:00.000Z' resourceConfig: AmiLaunchIndex: 0 Architecture: x86_64 BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: AttachTime: '2019-10-13T18:27:30.000Z' DeleteOnTermination: true Status: attached VolumeId: vol-05620dfe2b7fcc0d6 CapacityReservationSpecification: null CapacityReservationPreference: open ClientToken: '' CpuOptions: CoreCount: 1 ThreadsPerCore: 1 EbsOptimized: false EnaSupport: true EnclaveOptions: Enabled: false HibernationOptions: Configured: false Hypervisor: xen ImageId: ami-06d31e91cea0dac8d InstanceId: i-011a36c1169995c86 InstanceType: t2.micro KeyName: test1 LaunchTime: '2019-10-13T18:27:29.000Z' MetadataOptions: HttpEndpoint: enabled HttpProtocolIpv6: disabled HttpPutResponseHopLimit: 1 HttpTokens: optional State: applied Monitoring: State: disabled NetworkInterfaces: - Attachment: AttachTime: '2019-10-13T18:27:29.000Z' AttachmentId: eni-attach-02c2609c0fe4758a0 DeleteOnTermination: true DeviceIndex: 0 NetworkCardIndex: 0 Status: attached Description": '' Groups: - GroupId: sg-0dee9782b9ba32717 GroupName: launch-wizard-23 InterfaceType: interface Ipv6Addresses: [] MacAddress: 06:8e:88:e8:50:2e NetworkInterfaceId: eni-054e319950b404c1e OwnerId: '631664038012' PrivateDnsName: ip-172-31-40-205.us-west-2.compute.internal PrivateIpAddress: 172.31.40.205 PrivateIpAddresses: - Primary: true PrivateDnsName: ip-172-31-40-205.us-west-2.compute.internal PrivateIpAddress: 172.31.40.205 SourceDestCheck": true Status: in-use SubnetId: subnet-c592d68e VpcId: vpc-39c60f41 Placement: AvailabilityZone: us-west-2a GroupName: '' Tenancy: default PlatformDetails: Linux/UNIX PrivateDnsName: ip-172-31-20-205.us-west-2.compute.internal PrivateIpAddress: 172.31.20.205 ProductCodes: [] PublicDnsName: '' RootDeviceName: /dev/sda1 RootDeviceType: ebs SecurityGroups: - GroupId: sg-0dee9774b9ba32717 GroupName: launch-wizard-23 SourceDestCheck: true State: Code: 80 Name: stopped StateReason: Code: Server.ScheduledStop Message: 'Server.ScheduledStop: Stopped due to scheduled retirement' StateTransitionReason: Server.InternalError SubnetId: subnet-c592d68e UsageOperation: RunInstances UsageOperationUpdateTime: '2019-10-13T18:27:29.000Z' VirtualizationType: hvm VpcId: vpc-39c60f41 resourceId: i-011a76c1169995c76 resourceRegion: us-west-2 resourceTags: {} resourceType: ec2:instance service: ec2 startTime: '2022-04-28T03:00:00.000Z' status: formatVersion: 2 props: {} status: success urn: >- arn:aws:ec2:us-west-2:631664038012:instance/i-011a76c1169995c76 responseDataExportRules_Response_Schema: description: No Error content: application/json: schema: properties: data: $ref: '#/components/schemas/DataExportRules_Response_Schema' example: data: mcGuid: QA42F6C8_97... filters: name: Default Data Export Rule createdOrUpdatedBy: user@lacework.net createdOrUpdatedTime: '2020-02-18T16:52:57.726Z' enabled: 1 profileVersions: - V1 intgGuidList: - QA402035_66... type: Dataexport responseDataExportRulesList_Response_Schema: description: No Error (List of DataExportRules) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/DataExportRules_Response_Schema' example: data: - mcGuid: QA42F6C8_83... filters: name: LW Data Export Rule 1 createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-01-12T23:16:08.418Z' enabled: 1 profileVersions: - V1 intgGuidList: - QA402035_32... type: Dataexport - mcGuid: QA42F6C8_88... filters: name: LW Data Export Rule 2 createdOrUpdatedBy: info@lacework.net createdOrUpdatedTime: '2021-01-12T23:18:08.418Z' enabled: 1 profileVersions: - V1 intgGuidList: - QA402035_33... type: Dataexport responseReportsList_Response_Schema: description: No Error (List of Reports) content: application/json: schema: properties: data: type: array items: $ref: '#/components/schemas/Reports_Response_Schema' example: data: - reportType: AWS CIS Benchmark and S3 reportTitle: AWS CIS Benchmark and S3 recommendations: - ACCOUNT_ID: '24903813429804' ACCOUNT_ALIAS: aws-account START_TIME: 1648833313141 SUPPRESSIONS: - suppressions INFO_LINK: https://info-link.net/info/link ASSESSED_RESOURCE_COUNT: 627 STATUS: NonCompliant REC_ID: LW_S3_1 CATEGORY: S3 SERVICE: aws:s3 TITLE: >- Ensure the S3 bucket ACL does not grant 'Everyone' READ permission [list S3 objects] VIOLATIONS: - reasons: - ReadAccessGranted resource: arn:aws:s3:::eco-s3-acl-aws - reasons: - ReadAccessGranted resource: arn:aws:s3:::ecosystem-s3-acl-aws RESOURCE_COUNT: 632 SEVERITY: 1 summary: - NUM_RECOMMENDATIONS: 160 NUM_SEVERITY_2_NON_COMPLIANCE: 60 NUM_SEVERITY_4_NON_COMPLIANCE: 4 NUM_SEVERITY_1_NON_COMPLIANCE: 23 NUM_COMPLIANT: 35 NUM_SEVERITY_3_NON_COMPLIANCE: 18 ASSESSED_RESOURCE_COUNT: 88129 NUM_SUPPRESSED: 0 NUM_SEVERITY_5_NON_COMPLIANCE: 1 NUM_NOT_COMPLIANT: 106 VIOLATED_RESOURCE_COUNT: 15823 SUPPRESSED_RESOURCE_COUNT: 0 accountId: '24903813429804' accountAlias: aws-account reportTime: '2022-04-01T17:15:13.141Z'