Lacework
Visualize Lacework services, teams, and users in the JupiterOne graph. Map Lacework users to employees in your JupiterOne account. Monitor changes to Lacework users using JupiterOne alerts.
- Installation
- Data Model
Installation
You will need to create an API key on Lacework and get the "key ID" and "generated secret". See their documentation for more information.
To install the Lacework integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Lacework. Click New Instance to begin configuring the integration.
Creating a Lacework instance requires the following:
-
The Account Name used to identify the Lacework account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled. -
Description to assist in identifying the integration instance, if desired.
-
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration. -
Your Lacework Organization URL, Secret Key, Access Key Id.
Data Volume Configuration
Control how much data is ingested from Lacework to manage entity counts and job duration.
Data Filtering Options
| Field | Type | Description | Default |
|---|---|---|---|
| Included Host Vulnerability Severities | Multi-select | Select host vulnerability severities to ingest | Critical, High, Medium |
| Included Container Vulnerability Severities | Multi-select | Select container vulnerability severities to ingest | Critical, High, Medium |
Available severity options:
- Critical
- High
- Medium
- Low
- Info (host vulnerabilities only)
How it affects data volume: Filtering by severity reduces the number of vulnerability entities ingested. By default, only Critical, High, and Medium severity vulnerabilities are imported for both hosts and containers. Enabling Low and Info severities will significantly increase data volume.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Alert Finding | lacework_alert_finding | Alert |
| Application | lacework_application | Application |
| Assessment | lacework_assessment | Assessment |
| Cloud Account | lacework_cloud_account | Account |
| Container | lacework_container | Container |
| Container Finding | lacework_container_finding | Finding |
| Machine | lacework_machine | Host |
| Organization | lacework_organization | Account |
| Package | lacework_package | CodeModule |
| Service | lacework_service | Service |
| Team User | lacework_team_user | User |
| Vulnerability | lacework_finding | Finding |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
lacework_application | HAS | lacework_alert_finding |
lacework_assessment | IDENTIFIED | lacework_finding |
lacework_container | HAS | lacework_container_finding |
lacework_machine | HAS | lacework_alert_finding |
lacework_machine | HAS | lacework_application |
lacework_machine | HAS | lacework_package |
lacework_machine | HAS | lacework_finding |
lacework_machine | HAS | lacework_container |
lacework_organization | HAS | lacework_cloud_account |
lacework_organization | HAS | lacework_service |
lacework_organization | HAS | lacework_team_user |
lacework_organization | HAS | lacework_machine |
lacework_service | PERFORMED | lacework_assessment |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
lacework_finding | HAS | aws_instance | REVERSE |
lacework_finding | IS | cve | FORWARD |