Collect Lacework Cloud Security logs

Supported in:

Overview

This parser extracts fields from Lacework Cloud Security JSON logs, transforming them into UDM format. It maps raw log fields to UDM fields, handling various data types and enriching the event with additional context from tags, ultimately classifying the event type based on the presence of principal and target information.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to FortiCNAPP Lacework.

Configure a feed in Google SecOps to ingest the Lacework logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Lacework Logs).
  4. Select Webhook as the Source type.
  5. Select Lacework as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Chronicle API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google SecOps.
    • SECRET: the secret key that you generated to authenticate the feed.

Configure a Lacework Webhook for Google SecOps

  1. Sign in to the Lacework FortiCNAPP Console with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Webhook.
  5. Click Next.
  6. Specify a unique name to the channel (for example, Google SecOps).
  7. Webhook URL: enter the <ENDPOINT_URL> followed by <API_KEY> and <SECRET>.
  8. Click Save.
  9. Select Alert rules and configure your required alert routing details.

UDM Mapping Table

Log Field UDM Mapping Logic
AGENT_VERSION metadata.product_version Directly mapped from the AGENT_VERSION field.
CREATED_TIME metadata.event_timestamp Directly mapped from the CREATED_TIME field, converted to a timestamp.
FILEDATA_HASH target.file.sha256 Directly mapped from the FILEDATA_HASH field.
FILE_PATH target.file.full_path Directly mapped from the FILE_PATH field.
IP_ADDR principal.ip Directly mapped from the IP_ADDR field.
OS target.platform Mapped from the OS field. Logic converts various OS strings (Linux, Windows, Mac) to UDM enum values (LINUX, WINDOWS, MAC). Defaults to UNKNOWN_PLATFORM if no match is found.
STATUS additional.fields[].key:"STATUS", value.string_value Directly mapped from the STATUS field as an additional field.
TAGS.Account metadata.product_deployment_id Directly mapped from the TAGS.Account field.
TAGS.AmiId additional.fields[].key:"AmiId", value.string_value Directly mapped from the TAGS.AmiId field as an additional field.
TAGS.ExternalIp target.ip Directly mapped from the TAGS.ExternalIp field.
TAGS.Hostname principal.hostname Directly mapped from the TAGS.Hostname field.
TAGS.InstanceId target.asset_id Directly mapped from the TAGS.InstanceId field, prefixed with "Device Instance Id: ".
TAGS.LwTokenShort additional.fields[].key:"LwTokenShort", value.string_value Directly mapped from the TAGS.LwTokenShort field as an additional field.
TAGS.MID additional.fields[].key:"MID", value.string_value Directly mapped from the MID field as an additional field.
TAGS.MODE additional.fields[].key:"MODE", value.string_value Directly mapped from the MODE field as an additional field.
TAGS.Name additional.fields[].key:"Name", value.string_value Directly mapped from the TAGS.Name field as an additional field.
TAGS.QSConfigName-vfzg0 additional.fields[].key:"QSConfigName", value.string_value Directly mapped from the TAGS.QSConfigName-vfzg0 field as an additional field.
TAGS.ResourceType target.resource.resource_subtype Directly mapped from the TAGS.ResourceType field.
TAGS.SubnetId target.resource.attribute.labels[].key:"Subnet Id", value Directly mapped from the TAGS.SubnetId field as a label within target.resource.attribute.
TAGS.VmInstanceType target.resource.attribute.labels[].key:"VmInstanceType", value Directly mapped from the TAGS.VmInstanceType field as a label within target.resource.attribute.
TAGS.VmProvider target.resource.attribute.labels[].key:"VmProvider", value Directly mapped from the TAGS.VmProvider field as a label within target.resource.attribute.
TAGS.VpcId target.resource.product_object_id Directly mapped from the TAGS.VpcId field.
TAGS.Zone target.cloud.availability_zone Directly mapped from the TAGS.Zone field.
TAGS.alpha.eksctl.io/nodegroup-name additional.fields[].key:"eksctl_nodegroup_name", value.string_value Directly mapped from the TAGS.alpha.eksctl.io/nodegroup-name field as an additional field.
TAGS.alpha.eksctl.io/nodegroup-type additional.fields[].key:"eksctl_nodegroup_type", value.string_value Directly mapped from the TAGS.alpha.eksctl.io/nodegroup-type field as an additional field.
TAGS.arch principal.platform_version Directly mapped from the TAGS.arch field.
TAGS.aws:autoscaling:groupName additional.fields[].key:"autoscaling_groupName", value.string_value Directly mapped from the TAGS.aws:autoscaling:groupName field as an additional field.
TAGS.aws:ec2:fleet-id additional.fields[].key:"ec2_fleetid", value.string_value Directly mapped from the TAGS.aws:ec2:fleet-id field as an additional field.
TAGS.aws:ec2launchtemplate:id additional.fields[].key:"ec2launchtemplate_id", value.string_value Directly mapped from the TAGS.aws:ec2launchtemplate:id field as an additional field.
TAGS.aws:ec2launchtemplate:version additional.fields[].key:"ec2launchtemplate_ver", value.string_value Directly mapped from the TAGS.aws:ec2launchtemplate:version field as an additional field.
TAGS.aws:eks:cluster-name additional.fields[].key:"eks_cluster_name", value.string_value Directly mapped from the TAGS.aws:eks:cluster-name field as an additional field.
TAGS.enableCrowdStrike additional.fields[].key:"enableCrowdStrike", value.string_value Directly mapped from the TAGS.enableCrowdStrike field as an additional field.
TAGS.falconx.io/application additional.fields[].key:"io/application", value.string_value Directly mapped from the TAGS.falconx.io/application field as an additional field.
TAGS.falconx.io/environment additional.fields[].key:"io/environment", value.string_value Directly mapped from the TAGS.falconx.io/environment field as an additional field.
TAGS.falconx.io/managedBy additional.fields[].key:"io/managedBy", value.string_value Directly mapped from the TAGS.falconx.io/managedBy field as an additional field.
TAGS.falconx.io/project additional.fields[].key:"io/project", value.string_value Directly mapped from the TAGS.falconx.io/project field as an additional field.
TAGS.falconx.io/proxy-type additional.fields[].key:"io/proxy_type", value.string_value Directly mapped from the TAGS.falconx.io/proxy-type field as an additional field.
TAGS.falconx.io/service additional.fields[].key:"io/service", value.string_value Directly mapped from the TAGS.falconx.io/service field as an additional field.
TAGS.falconx.io/team additional.fields[].key:"io/team", value.string_value Directly mapped from the TAGS.falconx.io/team field as an additional field.
TAGS.k8s.io/cluster-autoscaler/enabled additional.fields[].key:"k8s_autoscaler_enabled", value.string_value Directly mapped from the TAGS.k8s.io/cluster-autoscaler/enabled field as an additional field.
TAGS.k8s.io/cluster-autoscaler/falcon additional.fields[].key:"k8s_cluster_autoscaler", value.string_value Directly mapped from the TAGS.k8s.io/cluster-autoscaler/falcon field as an additional field.
TAGS.kubernetes.io/cluster/falcon additional.fields[].key:"kubernetes_io_cluster", value.string_value Directly mapped from the TAGS.kubernetes.io/cluster/falcon field as an additional field.
TAGS.lw_KubernetesCluster additional.fields[].key:"lw_KubernetesCluster", value.string_value Directly mapped from the TAGS.lw_KubernetesCluster field as an additional field.
LAST_UPDATE additional.fields[].key:"LAST_UPDATE", value.string_value Directly mapped from the LAST_UPDATE field as an additional field. Hardcoded to "LACEWORK". Hardcoded to "Lacework Cloud Security".
metadata.event_type metadata.event_type Determined by logic. Set to "NETWORK_CONNECTION" if both principal.ip and target.ip are present, "STATUS_UPDATE" if only principal.ip is present, and "GENERIC_EVENT" otherwise.

Changes

2023-11-09

  • Newly created parser.