Skip to main content

Lacework API 2.0 Documentation (2.0)

Download OpenAPI specification:Download

The Lacework API documentation is available directly from your Lacework application at the following URI: https://YourLacework.lacework.net/api/v2/docs, where YourLacework is your Lacework application.

No login to the Lacework Console is required. However, there is a link to the Lacework API 2.0 documentation from the Lacework Console. From the Help drop-down, select API Documentation and then API 2.0 Documentation.

All the Lacework API operations listed below require an API Access Token to allow access to the Lacework API. For more information about getting a temporary API Access Token to pass into these operations as a header, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

You can run the Lacework APIs using your favorite REST API tools, such as curl or Postman. You can also run the Lacework API from the Lacework CLI. For more information, see Get Started with the Lacework CLI.

Overview

Conventions

  1. Parameters: Parameters follow the JSON conventions, i.e., camelcase or lowerCamelcase notation, for all parameter names in the query, request and response bodies, for example, startTime, endTime.

  2. Data Types: For the constant types of data sets, integrations, assets, and other resources, the convention is to use UpperCamelcase notation, for example, AlertChannels, AuditLogs, CloudActivities.

  3. Response Schema: A successful response returns either the HTTP 200 or 201 Status Code and a top-level property called data, which contains the result in the JSON format. A response returning the HTTP 4xx or 5xx Status Code returns the top-level property called message, which contains an error message.

  4. additionalProperties Keyword: For all response schemas, the additionalProperties keyword is set to true. This means additional fields or properties can be added to responses in the future. For information about the additionalProperties keyword, see the JSON Schema online documentation.

Simple & Advanced Search

The Lacework API provides simple and advanced searches for retrieving information.

For simple searches, specify a HTTP GET method with simple query parameters, for example, startTime, endTime.

For advanced searches, specify a HTTP POST method with filters in the request body. The filters in requests that have multiple filters are AND'd, that is, all filters conditions must be met to satisfy a match.

There are 16 filter types consisting of seven pairs and two unique operators, which are similar to the SQL comparison operators for database queries. The pairs are:

  • The eq operator allows you to specify a value that the field values of the result must be equal to. The ne operator means not equal to. Note the value field of the filters must be used; the values field of the filters cannot be used for eq and ne.

  • The in operator allows you to specify multiple values in the values field of the filters. The field values of the result must match one of the values. The not_in operator is the opposite of in. Note the value field of the filters cannot be used for in and not_in.

  • The like operator allows you to specify a pattern that the field values of the result must match. The not_like operator is the opposite of like. Note the values field of the filters cannot be used for like and not_like.

  • The ilike operator works similar to like but it makes the match case insensitive. The not_ilike operator is the opposite of ilike. Note the values field of the filters cannot be used for ilike and not_ilike.

  • The rlike operator matches the specified pattern represented by regular expressions (more info on RLIKE — Snowflake Documentation). The not_rlike operator is the opposite of rlike. Note the values field of the filters cannot be used for rlike and not_rlike.

  • The gt operator allows you to specify a value that the field values of the result must be greater than. The lt (less-than) operator is the opposite of gt. Note the values field of the filters cannot be used for gt and lt.

  • The ge operator allows you to specify a value that the field values of the result must be greater than or equal to. The le (less-than-or-equal-to) operator is the opposite of ge. Note the values field of the filters cannot be used for ge and le.

The unique operators are:

  • The between operator allows you to specify a range that the field values of the result must be within. The specified upper boundary must be larger/greater than the lower boundary. The two values of upper and lower boundaries must be set in the values field of the filters. Note the value field of the filters cannot be used for between.

  • The expr operator is reserved for future use.

Date & Time Formats

For date and time parameters, the time zone is always UTC and the following formats are supported:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

Organization Level Access

An organization may have a primary account and multiple sub-accounts. If an access token is generated for the primary account and used as the authorization token, it can also be used for one of the sub-accounts with the additional header called Account-Name (case insensitive).

For example, if the primary account is xyz and the sub-account is xyz-sub1, set the Account-Name header to xyz-sub1.

For accessing the organization level data sets, a separate header called Org-Access (case insensitive) can be used. If this header is set to true (case insensitive) and the authorization token has the proper permissions (org admin), if specified, the Account-Name header is ignored, If the Org-Access header is not set to true, the Account-Name header is used, if specified.

For more information about creating and using access (bearer) tokens for accounts in an Organization, see Role-Based API Authentication for Organizations.

Pagination

Making calls to Lacework APIs could return a lot of results. Pagination of the results helps manage overall performance and makes the responses easier for you to handle by dividing the results into separate pages, each with a subset of the results.

The following row limits apply:

  • Row limit per page: 5,000 rows

  • Row limit of all pages of one result set: 500,000 rows

Pagination is available for some datasets, such as those that are searched with the /api/v2/Vulnerabilities/Containers/search or /api/v2/Entities/Machines/search endpoints.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours. No pagination is available for an API if the paging field is missing from a response.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...

See the right panel for response examples.

Rate Limiting

The current rate limit is 480 API requests per hour per user. When the total number of API requests on a one-hour rolling window exceeds the rate limit, the HTTP 429 Too Many Requests response status code is returned.

Lacework uses the token bucket algorithm to apply request rate limiting. Each API v2 functionality has its own bucket with 480 tokens and each request that you make removes one token from the bucket. For example, performing a GET /api/v2/AgentAccessTokens or a GET /api/v2/AgentAccessTokens/{ID} are both part of one functionality, which gets an agent access token, so each request removes one token from the same bucket. Similarly, updating an agent access token (PATCH /api/v2/AgentAccessTokens/{ID}) is a different functionality and disregards the ID to use the same bucket, so a token is removed from a different bucket.

Each request sends back three response headers following standard HTTP naming conventions for rate limiting. RateLimit-Limit is the total number of requests you can make in an hour, RateLimit-Remaining is the number of remaining requests, and RateLimit-Reset is how much time it will take (in seconds) before you can make another request once the limit is reached. For more information about RateLimit header fields, see IETF Draft 05

Response Status Codes

The Lacework API endpoints return the following HTTP response status codes.

Status CodeDefinitionDescription
200 OK The request has succeeded.
201 Created The request has been fulfilled and resulted in a new resource being created.
204 No Content The server has fulfilled the request but does not need to return an entity-body.
400 Bad Request The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
401 Unauthorized The request requires user authentication. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403 Forbidden The server understood the request, but is refusing to fulfill it. Authorization will not fix the issue and the request SHOULD NOT be repeated.
404 Not Found The server has not found anything matching the Request-URI.
405 Method Not Allowed The method specified in the Request-Line is not allowed for the resource identified by the Request-URI.
409 Conflict The request could not be completed due to a conflict with the current state of the resource.
429 Too Many Requests Too many requests occurred during the allotted time period and rate limiting was applied.
500 Internal Server Error The request did not complete due to an internal error on the server side. The server encountered an unexpected condition which prevented it from fulfilling the request.
503 Service Unavailable The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

Access Tokens

Generate access tokens for API requests.

Generate Access Tokens

Get access tokens for the API requests by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/access/tokens

After creating a secret key, administrators can generate Temporary API access (bearer) tokens that clients and client applications use to access the Lacework API. Create temporary API access (bearer) tokens by invoking the POST https://YourLacework.lacework.net/api/v2/access/tokens endpoint.

header Parameters
X-LW-UAKS
required
string

YourSecretKey

Content-Type
required
string

application/json

Request Body schema: application/json
keyId
required
string

YourAccessKeyID

expiryTime
required
integer

The access token's expiration (in seconds) that you want to set. Maximum value: 86400 (24 hours).

Responses

Request samples

Content type
application/json
{
  • "keyId": "YourSecretKey",
  • "expiryTime": 3600
}

Response samples

Content type
application/json
{
  • "expiresAt": "2021-08-18T08:00:00.000Z",
  • "token": "string"
}

Schemas

Get details about the available Lacework schemas.

Schema Details

Get a list of available Lacework schema types by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas

Get details about a Lacework schema by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/schemas/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs

path Parameters
type
required
string
Example: AuditLogs

When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Schema Details of Subtype

Get details about a Lacework schema by specifying a schema type and subtype when invoking the endpoint.

GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel

path Parameters
type
required
string
Example: AlertChannels

When sending a request, use this parameter to specify the schema type. If not specified, the response returns all schema types. If specified, the response returns details of the requested schema.

subtype
required
string
Example: SlackChannel

The schema's subtype. If a type is subordinate to another type, it is called a subtype.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Activities

Get information about network activities detected through the agent.

Search Changed Files

Search for changed files in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned changed files by start time, end time, machine ID, file path, and more. For more information, see CHANGE_FILES_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "filePath", "expression": "eq", "value": "/usr/bin/curl" } ],
    "returns": [ "filePath", "filedataHash", "mid" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Connections

Search for connections in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned connections by start time, end time, created time, machine ID, and more. For more information, see CONNECTIONS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "dstEntityId.mid", "expression": "eq", "value": "116018" } ] }
  • { "timeFilter": { "startTime": "2022-08-18T00:00:00Z", "endTime": "2022-08-18T02:00:00Z"}, "filters": [ { "field": "srcEntityId.mid", "expression": "eq", "value": "123456" }, { "field": "dstInBytes", "expression": "le", "value": "300000" } ],
    "returns": [ "dstEntityId", "dstEntityType", "srcEntityId", "srcEntityType" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search DNS Summaries

Search for DNS summaries in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned DNS summaries by start time, end time, created time, machine ID, and more. For more information, see DNS_QUERY_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "fqdn", "expression": "eq", "value": "sqs.us-west-2.amazonaws.com" } ],
    "returns": [ "fqdn", "hostIpAddr", "mid" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search User Logins

Search for user logins in your environment by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned login activities by start time, end time, created time, machine ID, and more. For more information, see USER_LOGIN_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "48011" }, { "field": "username", "expression": "eq", "value": "ec2-user" } ],
    "returns": [ "username", "activityType", "activityTime" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Agent Access Tokens

To connect to the Lacework instance, Lacework agents require an agent access token.

Create Agent Access Token

Create a new agent access token that an agent can use to connect and send data to your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens

Here is an example body payload:

{ "tokenAlias": "prod", "tokenEnabled": "1" }

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The access token's properties, including createdTime and description.

tokenEnabled
required
string non-empty

The tokenEnabled property determines if an edit control is a "Text token" edit control. When the tokenEnabled property is set to 1, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.

tokenAlias
required
string non-empty

The token's alias such as Ops Agent. Aliases help communicate the intended purpose of a token and are effective when a value with a single intent appears in multiple places.

Responses

Request samples

Content type
application/json
{
  • "props": {
    },
  • "tokenEnabled": "string",
  • "tokenAlias": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Agent Access Tokens

Get a list of currently enabled agent access tokens in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Agent Access Tokens

Search all enabled agent access tokens in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

You can filter on the following fields:

  • accessToken

  • createdTime

  • tokenAlias

  • tokenEnabled

  • version

Here is an example body payload:

{ "filters" : [ { "expression": "eq", "field": "tokenAlias", "value": "Eng" } ] }

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Agent Access Token Details

Get details about an agent access token by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

You can get the {id} by invoking the GET /api/v2/AgentAccessTokens endpoint. Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

path Parameters
id
required
string

Agent Access Token {id}

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Agent Access Token

Optionally update the tokenEnabled settings of the passed in agent access token. Update these settings by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}

Get the agent access token id by calling the GET /api/v2/AgentAccessTokens endpoint.

Replace {id} with the long hexadecimal access token identifier returned in the accessToken field of the GET /api/v2/AgentAccessTokens endpoint response.

Here is an example body payload:

{ "tokenEnabled": "1" }

path Parameters
id
required
string

AgentAccessTokens {id}

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The access token's properties, including createdTime and description.

tokenEnabled
string non-empty

The tokenEnabled property determines if an edit control is a "Text token" edit control. When the tokenEnabled property is set to 1, if the user enters a separator character or a carriage return (CR), a token is automatically added and the user can continue entering values in the control.

Responses

Request samples

Content type
application/json
{
  • "props": {
    },
  • "tokenEnabled": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Agent Information

View and verify information about all agents, including:

  • The hostname
  • The number of active and inactive agents
  • Machine tags information associated with the agents
  • The agent version

Search Agent Information

The Agent Information API enables you to retrieve information about all agents by invoking the following endpoint:

POST /api/v2/AgentInfo/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the information returned by agent status, agent version, IP address, and more. For details about what agent information is available, see AGENT_MANAGEMENT_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime" : "2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"},
  • { "timeFilter": { "startTime": " 2022-04-28T00:00:00Z", "endTime": "2022-04-28T18:00:00Z"}, "filters" : [ { "field": "status", "expression": "eq", "value": "ACTIVE" }, { "field": "tags.VmProvider", "expression": "eq", "value" : "AWS" } ],
    "returns": [ "hostname", "ipAddr", "os" , "agentVersion", "status" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Alert Channels

Lacework combines alert channels with alert rules or report rules to provide a flexible method for routing alerts and reports.

  • For alert channels, you define where to send alerts or reports, such as to Jira, Slack, or email.
  • For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.
  • For report rules, you define information about which reports to send.

Create Alert Channels

Create an alert channel by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsS3",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

List All Alert Channels

Get a list of alert channels for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

List Alert Channels by Type

Get a list of alert channels of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel

path Parameters
type
required
string
Enum: "AwsS3" "CiscoSparkWebhook" "CloudwatchEb" "Datadog" "EmailUser" "GcpPubsub" "IbmQradar" "Jira" "MicrosoftTeams" "NewRelicInsights" "PagerDutyApi" "ServiceNowRest" "SlackChannel" "SplunkHec" "VictorOps" "Webhook"

Alert Channel Type

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Search Alert Channels

Search alert channels by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Test Alert Channels

Test the integration of an alert channel by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alert Channel Details

Get details about an alert channel by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Alert Channels

Update an alert channel by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

name
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsS3",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Alert Channels

Update an alert channel by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsS3", "enabled": 1, "data": {"s3CrossAccountCredentials": {"externalId": "string", "roleArn": "string", "bucketArn":"string"}} }.

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsS3",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Delete Alert Channels

Delete an alert channel by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}

path Parameters
intgGuid
required
string

Alert Channel ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alert Profiles

An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts.

Alert profiles exist as a system. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profiles, you extend an existing alert profile and add your custom definitions to it. The predefined alert profiles and operations for defining and editing your own are exposed via Lacework API calls.

Create Alert Profiles

Create an alert profile that extends off of a current alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
required
Array of objects[ items ]

An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.

alertProfileId
required
string

Unique id within customer account for Alert Profile

extends
required
string

Base Lacework defined Alert Profile to inherit properties

Responses

Request samples

Content type
application/json
{
  • "alerts": [
    ],
  • "alertProfileId": "string",
  • "extends": "string"
}

Response samples

Content type
application/json
[
  • {
    }
]

List All Alert Profiles

Get all the alert profiles for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Alert Profiles Details

Get the details to the specified alert profile by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update Alert Profiles

Update the alert templates of the specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

An alert is a definition of content to create from the results of a resource's policy violation. The event name, subject, and description contained in the alert appear in pushed alerts and in the Lacework Console.

Array
name
string

A name that policies can use to refer to this definition when generating alerts

eventName
string

The name of the resulting alert

description
string

Summary of the resulting alert

subject
string

A high-level observation of the resulting alert

Responses

Request samples

Content type
application/json
{
  • "alerts": [
    ]
}

Response samples

Content type
application/json
[
  • {
    }
]

Delete Alert Profiles

Delete the specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Create Alert Templates

Create a new alert template for a specified alert profile by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates

path Parameters
id
required
string

Alert Profile id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
name
required
string

A name that policies can use to refer to this definition when generating alerts

eventName
required
string

The name of the resulting alert

description
required
string

Summary of the resulting alert

subject
required
string

A high-level observation of the resulting alert

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "eventName": "string",
  • "description": "string",
  • "subject": "string"
}

Response samples

Content type
application/json
[
  • {
    }
]

Update Alert Templates

Update an alert template for a specified alert profile by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters
id
required
string

Alert Profile id

alertTemplateName
required
string

Alert Template Name

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
eventName
string

The name of the resulting alert

description
string

Summary of the resulting alert

subject
string

A high-level observation of the resulting alert

Responses

Request samples

Content type
application/json
{
  • "eventName": "string",
  • "description": "string",
  • "subject": "string"
}

Response samples

Content type
application/json
[
  • {
    }
]

Delete Alert Templates

Delete an alert template for a specified alert profile by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}

path Parameters
id
required
string

Alert Profile id

alertTemplateName
required
string

Alert Template Name

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alert Rules

Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.

Create Alert Rules

Create an alert rule by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
required
object

When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.

intgGuidList
required
Array of strings non-empty unique

The alert channels for the rule to access.

type
required
string
Value: "Event"

The alert type.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ],
  • "type": "Event"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Alert Rules

List all alert rules in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Alert Rules

Search alert rules by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AlertRules/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

Here are some example body payloads:

  • { "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }

  • { "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }

  • { "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }

  • { "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }

  • { "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }

  • { "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Alert Rule Details

Get details about an alert rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters
mcGuid
required
string

Alert Rule mcGuid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Alert Rules

Update an alert rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked. In the request body, only specify the parameters that you want to update.

path Parameters
mcGuid
required
string

Alert Rules mcGuid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
object

When sending a request, use this object to define the new alert rule. When included in a response, this object contains details of an alert rule. You can use these attributes when searching for existing alert rules by invoking a GET request.

intgGuidList
Array of strings non-empty unique

The alert channels for the rule to access.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Alert Rules

Delete an alert rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for an alert rule in the response when the GET /api/v2/AlertRules endpoint is invoked.

path Parameters
mcGuid
required
string

Alert Rules mcGuid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Alerts

Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.

You can also post a comment to an alert's timeline; or change an alert status from Open to Closed.

List Alerts

Get a list of alerts during the specified date range by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}

Use the following formats to specify the startTime and endTime:

  • yyyy-MM-dd for example, 2022-06-28

  • yyyy-MM-ddTHH for example, 2022-06-28T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2022-06-28T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-06-28T08:00:00.000Z

Here is an example invocation:

GET https://YourLacework.lacework .net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

query Parameters
startTime
string

Returns only recorded actions that occurred after this timestamp.

endTime
string

Returns only recorded actions that occurred before this timestamp.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Alerts

Search alerts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

  • yyyy-MM-dd for example, 2022-07-08

  • yyyy-MM-ddTHH for example, 2022-07-08T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2022-07-08T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2022-07-08T08:00:00.000Z

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

To limit the returned result, optionally specify one or more filters in the request body. These fields can be set in the filters: alertId, alertType, severity, and status.

You can optionally filter the returned alerts by one or more of the top-level fields.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}} "filters": [ { "field": "alertType", "expression": "eq", "value": "SuspiciousUserFailedLogin" } ] }
  • { "timeFilter": { "startTime": "2022-07-08T00:00:00Z", "endTime": "2022-07-08T08:00:00Z"}, "filters": [ { "field": "severity", "expression": "eq", "value": "Critical" }, { "field": "status", "expression": "eq", "value": "Open" } ],
    "returns": [ "alertId", "alertName", "alertType", "alertInfo" ] }

Pagination metadata is located within the response's paging field, which contains information for rows, totalRows, and urls. The urls field contains the nextPage field with the Next Page URL. The Next Page URLs stay valid for 24 hours.

To get the next page of the result, use the entire Next Page URL and send a GET request with the two required HTTP headers: "Authorization: Bearer {YourAPIToken}" and "Content-Type: application/json".

Example:

GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Alert Details

Get details about an alert by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}

You must specify a scope, as one of these options: Details, Investigation, Events, RelatedAlerts, Integrations, or Timeline.

path Parameters
alertId
required
string

Alert id

query Parameters
scope
required
string
Enum: "Details" "Investigation" "Events" "RelatedAlerts" "Integrations" "Timeline"

You must specify a scope, as one of these options.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Post Comments

Post a user comment on an alert’s timeline by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment

For details about alert timelines, see Timeline.

path Parameters
alertId
required
string

Alert id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
comment
required
string

Responses

Request samples

Content type
application/json
{
  • "comment": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Close Alerts

Change the status of an alert to closed by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close

The body of the request should contain the reason for closing, from these options:

  • Other
  • False positive
  • Not enough information
  • Malicious and have resolution in place
  • Expected because of routine testing.

If you choose Other, the message field is required and should contain a brief explanation of why the alert is closed.

Note that a closed alert cannot be reopened.

For details about alert statuses, see Status.

path Parameters
alertId
required
string

Alert id

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
reason
required
number
Enum: 0 1 2 3 4

0 - Other

1 - False positive

2 - Not enough information

3 - Malicious and have resolution in place

4 - Expected because of routine testing

comment
string

If you choose 0 (Other), the comment field is required and should contain a brief explanation of why the alert is closed.

Responses

Request samples

Content type
application/json
{
  • "reason": 0,
  • "comment": "string"
}

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Audit Logs

Audit logs let you view the history of all actions performed within a Lacework account so you know who made changes to the system and when. For example, you can see who suppressed certain alerts, what time an authentication setting was modified, etc. For more information, see Audit Logs.

Audit Logs

Get audit logs by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/AuditLogs

Optionally specify the startTime and endTime time range filters using the following formats:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

query Parameters
startTime
string

Returns only recorded actions that occurred after this timestamp.

endTime
string

Returns only recorded actions that occurred before this timestamp.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Audit Logs

Search the audit logs by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/AuditLogs/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ, for example, 2020-12-18T08:00:00.000Z

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Filters in the request body

object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Cloud Accounts

Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Create Cloud Accounts

Create a cloud account by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

List All Cloud Accounts

Get a list of cloud accounts for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

List Cloud Accounts by Type

Get a list of cloud accounts of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg

path Parameters
type
required
string
Enum: "AwsCfg" "AwsCtSqs" "AwsEksAudit" "AwsUsGovCfg" "AwsUsGovCtSqs" "AzureAlSeq" "AzureCfg" "GcpAtSes" "GcpCfg"

Cloud Accounts Type

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Search Cloud Accounts

Search cloud accounts by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
Example
{
  • "data": [
    ]
}

Cloud Accounts Details

Get details about a cloud account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Cloud Accounts

Update a cloud account by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Cloud Accounts

Update a cloud account by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

In the request body, specify the entire object that you want to update, for example,

{"name": "string","type": "AwsCfg", "enabled": 1, "data": { "awsAccountId": "string", "crossAccountCredentials": {"externalId": "string", "roleArn": "string"}} }.

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "type": "AwsCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Delete Cloud Accounts

Delete a cloud account by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}

path Parameters
intgGuid
required
string

Cloud Account ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Cloud Activities

Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance.

Cloud Activities

Get cloud activity details by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/CloudActivities

Optionally filter by specifying the startTime and endTime of a time range using the following formats:

  • yyyy-MM-dd for example, 2020-12-18

  • yyyy-MM-ddTHH for example, 2020-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2020-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2020-12-18T08:00:00.000Z

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z

query Parameters
startTime
string

Returns only recorded actions that occurred after this timestamp.

endTime
string

Returns only recorded actions that occurred before this timestamp.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Cloud Activities

Search cloud activities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/CloudActivities/search

Optionally specify filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

For the timeFilter filter, these are the supported time formats:

  • yyyy-MM-dd for example, 2021-12-18

  • yyyy-MM-ddTHH for example, 2021-12-18T08

  • yyyy-MM-ddTHH:mm:ssZ for example, 2021-12-18T08:00:00Z

  • yyyy-MM-ddTHH:mm:ss.SSSZ for example, 2021-12-18T08:00:00.000Z

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" } ] }
  • { "timeFilter": { "startTime": "2021-12-11T00:00:00Z", "endTime": "2021-12-12T00:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "NewUser" },
    { "field": "eventModel", "expression": "eq", "value": "AwsApiTracker" } ],
    "returns":[ "startTime", "endTime", "eventType", "eventActor", "eventModel" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Configurations

Get information about compliance configurations.

Search Compliance Evaluations

Search for compliance evaluations (with details such as compliance status, violated resources, reason, recommendation, account info, etc.) for a specified cloud provider within the last 90 days by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/search

This view reports details about compliance violations identified by cloud assessments for all supported and configured cloud provider types: AWS, Azure, and GCP.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You must specify a dataset. The possible datasets are AwsCompliance, AzureCompliance, GcpCompliance, and K8sCompliance. You can optionally filter the compliance evaluations by report time, account, section, ID, and more. For more information, see CLOUD_COMPLIANCE_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "dataset": "AwsCompliance" }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "status", "expression": "eq", "value": "NonCompliant" }, { "field": "account.AccountId", "expression": "eq", "value": "812212113623" } ],
    "returns": [ "account", "id", "recommendation", "severity", "status" ],
    "dataset": "AzureCompliance" }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

dataset
required
any
Enum: "AwsCompliance" "AzureCompliance" "GcpCompliance" "K8sCompliance"

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ],
  • "dataset": "AwsCompliance"
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Azure Subscriptions

Get a list of Azure subscription IDs for an entire account or for a specific Azure tenant.

To list all Azure subscription IDs for an account, invoke the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/AzureSubscriptions

To get a list of Azure subscription IDs for a specific tenant, pass the tenant ID as a parameter to the endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/AzureSubscriptions?tenantId={tenantId}

query Parameters
tenantId
string

The Azure tenant ID.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

GCP Projects

Get a list of GCP project IDs for an entire account or for a specific organization.

To list all GCP project IDs for an account, invoke the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/GcpProjects

To get a list of GCP project IDs for a specific organization, pass the organization ID as a parameter to the endpoint:

GET https://YourLacework.lacework.net/api/v2/Configs/GcpProjects?orgId={orgId}

query Parameters
orgId
string

The GCP organization ID.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Container Registries

Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image. After integrating a container registry in Lacework, Lacework finds all container images in the registry repositories, assesses those container images for software packages with known vulnerabilities, and reports them.

In addition to online container registry integrations, Lacework helps secure containers that are not connected to the Internet through the use of proxy scanners and inline scanners. Container registries that are of type proxy scanner (PROXY_SCANNER) or inline scanner (INLINE_SCANNER) may not include all fields shown below, such as state.

Create Container Registries

Create a container registry by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ContainerRegistries

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
required
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
required
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
required
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

required
object

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "type": "ContVulnCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Container Registries

Get a list of container registries for the current user by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

List Container Registries by Type

Get a list of container registries of the specified type by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{type}/{subtype}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/ContVulnCfg/AWS_ECR

path Parameters
type
required
string
Value: "ContVulnCfg"

Container Registry Type

required
ContVulnCfg (string) (ContainerRegistriesSubtype)

Container Registry Subtype

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Container Registries

Search container registries by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Map policies to Container Registries

Map specific policies to a container registry by invoking the following endpoint: POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}/mapPolicies

path Parameters
intgGuid
required
string

The container registry's ID.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
evaluate
boolean

Set to True if you want to evaluate all policies for this integration. Otherwise, set to False.

policyGuids
Array of strings

A list of all policy IDs to map to this integration.

Responses

Request samples

Content type
application/json
{
  • "evaluate": true,
  • "policyGuids": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Container Registry Details

Get details about a container registry by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}

path Parameters
intgGuid
required
string

The container registry's ID.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Container Registries

Update a container registry by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters
intgGuid
required
string

The container registry's ID.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
name
string (Name) non-empty (?!^ +$)^.+$

When sending a request, use this attribute to specify an integration’s name. When included in a response, this attribute returns the specified integration’s name.

type
string (Type)

When sending a request, use this attribute to specify the type of integration, from the following options. When included in a response, this attribute returns the specified integration’s type.

enabled
number (Enabled) [ 0 .. 1 ]

When sending a request, use this attribute to enable or disable an integration. When included in a response, returns 1 for an enabled integration or 0 for a disabled integration.

object

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "type": "ContVulnCfg",
  • "enabled": 1,
  • "data": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Container Registries

Delete a container registry by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}

path Parameters
intgGuid
required
string

The container registry's ID.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Contract Info

Get Lacework contract information.

Contract Info

Return contract details about the Lacework licenses found in the Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ContractInfo

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Data Export Rules

S3 data export allows you to export data collected from your Lacework account and send it to an S3 bucket of your choice. You can extend Lacework processed/normalized data to report/visualize alone or combine with other business/security data to get insights and make meaningful business decisions.

Create Data Export Rules

Create a data export rule by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/DataExportRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
required
object

When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule.
You can use these attributes when searching for existing data export rules by invoking a POST request.

intgGuidList
required
Array of strings non-empty unique

The alert channels for the rule to use.

type
required
string
Value: "Dataexport"

The data export rule's type such as Dataexport.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ],
  • "type": "Dataexport"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Data Export Rules

List all data export rules in your Lacework Application by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/DataExportRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Data Export Rules

Search data export rules by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/DataExportRules/search

To limit the returned result, optionally specify one or more filters in the request body.

Here are some example body payloads:

  • { "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }

  • { "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }

  • { "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }

  • { "filters": [ { "field": "filters.profileVersions", "expression": "eq", "value": "V1" } ] }

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Data Export Rule Details

Get details about a data export rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a data export rule in the response when the GET /api/v2/DataExportRules endpoint is invoked.

path Parameters
mcGuid
required
string

Data Export Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Data Export Rules

Update a data export rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a data export rule in the response when the GET /api/v2/DataExportRules endpoint is invoked.

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters
mcGuid
required
string

Data Export Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
object

When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule.
You can use these attributes when searching for existing data export rules by invoking a POST request.

intgGuidList
Array of strings non-empty unique

The alert channels for the rule to use.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Data Export Rules

Update a data export rule by specifying the entire object in the request body when invoking the following endpoint:

PUT https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

In the request body, specify the entire object that you want to update, for example,

{"mcGuid": "string", "filters": {"name": "string", "description": "string", "enabled": 1, "profileVersions": ["V1"]}, "intgGuidList": ["string"], "type": "Dataexport"}.

path Parameters
mcGuid
required
string

Data Export Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
required
object

When sending a request, use this object to define the new data export rule. When included in a response, this object contains details of a data export rule.
You can use these attributes when searching for existing data export rules by invoking a POST request.

intgGuidList
required
Array of strings non-empty unique

The alert channels for the rule to use.

type
required
string
Value: "Dataexport"

The data export rule's type such as Dataexport.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ],
  • "type": "Dataexport"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete DataExportRules

Delete a data export rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}

path Parameters
mcGuid
required
string

Data Export Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Datasources

Get schema details for all datasources that you can query using LQL.

List All Datasources

List all available datasources in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Datasources

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Datasource Details

Get details about a single datasource by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Datasources/{datasource}

Replace {datasource} with the name value returned for a datasource in the response when invoking the following endpoint: GET /api/v2/Datasources.

path Parameters
datasource
required
string

The datasource's name.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Entities

Lacework continuously monitors machines in your environment and maintains data on both running and non-running virtual machines.

Search Applications

Search for applications running on the machine with an agent within the last 90 days. Get details such as the application name, username, machine, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Applications/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned applications by application name, username, machine, and more. For more information, see APPLICATIONS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "containerInfo.pod_type", "expression": "eq", "value": "lacework-agent" } ],
    "returns": [ "appName", "exePath", "containerInfo", "mid", "username" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Active Command Lines

Search for active command line invocations in your environment across machines. Get details such as the created time, command line hash, and name of the command line executable by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/CommandLines/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned command line invocations by the created time, command line hash, and name of the command line executable. For more information, see CMDLINE_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "cmdlineHash", "expression": "eq", "value": "12345sdlfkhk54l5..." } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "cmdlineHash", "expression": "eq", "value": "12345sdlfkhk54l5..." }, { "field": "cmdline", "expression": "eq", "value": "some command" } ],
    "returns": [ "cmdline", "cmdlineHash" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{}

Search Active Containers

Search for active containers in your environment. Get details such as the container name, pod name, tags, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Containers/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned containers by the container name, pod name, tags, and more. For more information, see CONTAINER_SUMMARY_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "propsContainer.IMAGE_TAG", "expression": "eq", "value": "v1.7.0-eksbuild.1" } ],
    "returns": [ "containerName", "imageId", "podName", "propsContainer", "tags" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Active Files

Search for active files in your environment. Get details such as the path to the file, file size, date of file modification, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Files/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned files by the path to the file, file size, date of file modification, and more. For more information, see ALL_FILES_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "filePath", "expression": "eq", "value": "somePath" } ],
    "returns": [ "filePath", "filedataHash", "mid", "size" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Images

Search for container images in your environment. Get details such as the image id, image size, repository name, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Images/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned images by image id, image size, repository name, and more. For more information, see IMAGE_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "size", "expression": "eq", "value": "434" } ],
    "returns": [ "imageId", "mid", "repo", "size" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Internal IP Addresses

Search for internal IP addresses in your environment. Get details such as the start time, IP address, machine ID, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned addresses by the start time, IP address, machine ID, and more. For more information, see INTERNAL_IPA_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "ipAddr", "expression": "eq", "value": "10.123.456.1" } ],
    "returns": [ "ipAddr" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{}

Search K8s Pods

Search for Kubernetes pods in your environment. Get details such as the pod name, IP address assigned to the pod, and other pod statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/K8sPods/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned pods by machine ID, pod name, primary IP address, and more. For more information, see POD_SUMMARY_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "propsContainer.IMAGE_ID", "expression": "eq", "value": "sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39" } ],
    "returns": [ "mid", "podName", "propsContainer" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Machines

Search for machines in your environment. Get details such as the machine ID, host name of the machine, and other machine statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Machines/search

The results reflect the online machines for the specified time frame. Machines that were not online do not appear in the results.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned machines by machine ID, host name, primary IP address, and more. For more information, see MACHINE_SUMMARY_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "machineTags.ExternalIp", "expression": "eq", "value": "35.163.78.148" } ],
    "returns": [ "hostname", "machineTags", "mid", "primaryIpAddr" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Machine Details

Search for machine details in your environment. Get details such as the machine id, host name of the machine, domain associated with the machine, kernel type of the machine, and other machine statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/search

Machine details are available only for machines that were online for the specified time frame. Details for machines that were not online are not available.

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned machines by machine ID, host name, domain, os, os version, and more. For more information, see MACHINE_DETAILS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "tags.AmiId", "expression": "eq", "value": "ami-0b83c6233cdbe5c3e" } ],
    "returns": [ "hostname", "mid", "awsInstanceId", "awsZone", "tags" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Network Interfaces

Search for network interfaces in your environment. Get details such as the interface name, machine ID, hardware address associated with the interface, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned interfaces by the interface name, machine ID, the hardware address associated with the interface, and more. For more information, see INTERFACES_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "name", "expression": "eq", "value": "someName" } ],
    "returns": [ "name", "mid", "hwAddr", "ipAddr" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search New File Hashes

Search for new file hashes in your environment. Get details such as the file hash, start time, and end time by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned file hashes by the file hash, start time, or end time. For more information, see NEW_HASHES_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "filedataHash", "expression": "eq", "value": "2394832980909eoifjof3209032840i39r02390" } ],
    "returns": [ "filedataHash" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Packages

Search for package in your environment. Get details such as the machine ID that contains the package, package name, package version, and other package statistics by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Packages/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned packages by machine ID, version, package architecture type, and more. For more information, see PACKAGE_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "packageName", "expression": "eq", "value": "package-1" } ],
    "returns": [ "packageName", "mid", "version" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Active Processes

Search for active processes in your environment. Get details such as the process id, username that started the process, path to the file, parent process id, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Processes/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned processes by the process id, username that started the process, path to the file, parent process ID, and more. For more information, see PROCESS_SUMMARY_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "ppid", "expression": "eq", "value": "0044" } ],
    "returns": [ "pid", "ppid", "cmdlineHash", "mid", "uid", "username" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Search Users

Search for users in your environment. Get details such as the username, machine ID, user ID, etc. by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Entities/Users/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter the returned users by username, machine ID, user ID, and more. For more information, see USER_DETAILS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}}
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "mid", "expression": "eq", "value": "12345" }, { "field": "username", "expression": "eq", "value": "someUser" } ],
    "returns": [ "username", "uid", "mid" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Events

View and verify the evidence or observation details of individual events.

Search Events

The Events API enables you to retrieve the evidence or observation details by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Events/search

Lacework highly recommends specifying a time range in the request to narrow the search. If no time range is specified, the request uses the default time range of 24 hours before the current time. The maximum time range per API request is seven days.

You can optionally filter the returned users by eventType, srcType, and more.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}}
  • { "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}, "filters": [ { "field": "eventType", "expression": "eq", "value": "CloudTrailDefaultAlert" } ] }
  • { "timeFilter": { "startTime": "2022-03-18T00:00:00Z", "endTime": "2022-03-18T12:00:00Z"}, "filters": [ { "field": "srcType", "expression": "eq", "value": "AwsResource" }, { "field": "srcEvent.awsRegion", "expression": "eq", "value": "us-west-2" } ],
    "returns": [ "id", "srcEvent", "srcType" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Policy Exceptions

Policy exceptions are a mechanism used to maintain the policies but allow you to circumvent one or more restrictions.

Create Policy Exceptions

Create exceptions for a specific policy by specifying the exception metadata when invoking the following endpoint:

POST /api/v2/Exceptions?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

query Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
description
string

A brief description of the new exception.

required
Array of objects[ items ]

The detailed constraints applied to the exception.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "constraints": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Policy Exceptions

Get all existing exceptions of a specific policy by invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

query Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Policy Exception Details

Get details about an existing exception applied to a specific policy by invoking the following endpoint:

GET /api/v2/Exceptions/{exceptionId}?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when when invoking the following endpoint:

GET /api/v2/Policies

Replace {exceptionId} with the exceptionId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

path Parameters
exceptionId
required
string

Exception ID

query Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Policy Exceptions

Update an existing exception applied to a specific policy by invoking the following endpoint:

PATCH /api/v2/Exceptions/{exceptionId}?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

Replace {exceptionId} with the exceptionId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

path Parameters
exceptionId
required
string

Exception ID

query Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
description
string

A brief description of the new exception.

Array of objects[ items ]

The detailed constraints applied to the exception.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "constraints": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Policy Exceptions

Delete an existing exception applied to a specific policy by invoking the following endpoint:

DELETE /api/v2/Exceptions/{exceptionId}?policyId={policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Policies

Replace {exceptionId} with the exceptionId value returned for an LQL policy in the response when invoking the following endpoint:

GET /api/v2/Exceptions?policyId={policyId}

path Parameters
exceptionId
required
string

Exception ID

query Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Inventory

View and monitor in-use cloud resources' risk, compliance, and configuration changes.

For more details about snapshots of resources, see Resource Inventory.

Search Inventory

The Inventory API enables you to retrieve information about resources in your cloud integrations, such as virtual machines, S3 buckets, security groups, and more, using the following endpoint:

POST /api/v2/Inventory/search

By default, Lacework collects resource information once a day. You can view and modify when resource collection starts using the Compliance Report Schedule setting.

The time filter allows you to see your resource inventory at a specific point of time. When using the Inventory API, keep in mind that the information returned reflects the inventory when the resource collector last ran within the specified time range. If you use a recent time range that does not encompass the last time inventory collection occurred, the query returns an empty array. In this case, expand the time span to include the last collection time.

For details about what cloud resource information is available, see CLOUD_CONFIGURATION_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime" : "2022-06-08T00:00:00Z", "endTime": "2022-06-10T12:00:00Z"}, "csp": "AWS" }
  • { "timeFilter": { "startTime": "2022-06-08T00:00:00Z", "endTime": "2022-06-10T12:00:00Z"}, "filters" : [ { "field": "resourceConfig.Architecture", "expression": "eq", "value": "x86_64" }, { "field": "resourceRegion", "expression": "eq", "value" : "us-east-2" } ],
    "returns": [ "cloudDetails", "csp", "resourceConfig" , "resourceId", "resourceType" ],
    "csp": "GCP" }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

csp
any
Enum: "AWS" "Azure" "GCP"

Cloud service provider. You must specify either csp or dataset in the request.

dataset
any
Deprecated
Enum: "AwsCompliance" "GcpCompliance"

You must specify either csp or dataset in the request.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ],
  • "csp": "AWS",
  • "dataset": "AwsCompliance"
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Scan Inventory

Trigger a resource inventory scan. By default, Lacework scans cloud integrations in order to generate or update its resource inventory once a day. This endpoint lets you trigger scans manually. This endpoint is useful, for example, after you have onboarded a new cloud integration and want to start collecting and evaluating resources from the system immediately. Manual scans can be run one hour after the last scan has completed.

Usage Example:

curl -X POST -H 'Content-Type: application/json' "https://YourLacework.lacework.net/api/v2/Inventory/scan?csp=AWS" -H "Authorization: Bearer YourAPIToken"

query Parameters
csp
required
string
Enum: "AWS" "GCP" "Azure"

Cloud service provider

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Track Inventory Scan Status

Check the status of a resource inventory scan. A resource inventory scan may take an hour or more to complete. This endpoint lets you check the progress of a running scan.

Usage Example:

curl -X GET -H 'Content-Type: application/json' "https://YourLacework.lacework .net/api/v2/Inventory/scan?csp=AWS" -H "Authorization: Bearer YourAPIToken"

query Parameters
csp
required
string
Enum: "AWS" "GCP" "Azure"

Cloud service provider

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Organization Info

Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/OrganizationInfo

Organization Info

Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/OrganizationInfo

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Policies

Policies are a mechanism used to add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. You can fully customize policies.

Create Policies

Create a Lacework Query Language (LQL) policy by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Policies

This creates the LQL policy in your Lacework instance so you can view it in the Lacework Console. You can get the unique identifiers for the LQL policies (policyIdList) array by invoking the GET /api/v2/Policies endpoint.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
policyType
string
Value: "Violation"

The policy type such as Violation.

queryId
required
string

Identifier of the query that executes while running the policy.

title
required
string

The policy's title.

enabled
required
boolean

When sending a request, use this attribute to enable or disable a policy. When included in a response, returns True for enabled policies, or returns False for disabled policies.

description
required
string

Information about the new policy.

remediation
required
string

Remediation strategy for the events triggered by the policy.

severity
required
string
Enum: "info" "low" "medium" "high" "critical"

The severity of an event triggered by the policy.

limit
number >= 1
Default: 1000

The maximum number of records that each policy will return. The default value is 1000.

evalFrequency
string
Deprecated
Enum: "Hourly" "Daily"

Frequency at which the policy will be evaluated

alertEnabled
required
boolean

When sending a request, set to True if you want to send alerts to an alert profile when the policy is triggered. Set to False if you want to mute alerts when the policy is triggered.

alertProfile
string

The alert profile to use for sending alerts when the policy is triggered.

tags
Array of strings

A list of policy tags.

policyId
string

Policy ID. The convention for policy ID creation is accountName-remainder, for example, lws-special-100. When sending a request, you can simply provide $account-<remainder>, and Lacework will substitute the $account prefix with your actual account name. Note: The -remainder must use the regex pattern (^[a-z]{1,16}(-\d{1,8})?$), and cannot be default or start with default-.

Responses

Request samples

Content type
application/json
{
  • "policyType": "Violation",
  • "queryId": "string",
  • "title": "string",
  • "enabled": true,
  • "description": "string",
  • "remediation": "string",
  • "severity": "info",
  • "limit": 1000,
  • "evalFrequency": "Hourly",
  • "alertEnabled": true,
  • "alertProfile": "string",
  • "tags": [
    ],
  • "policyId": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Policies

List all registered LQL policies in your Lacework instance, by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Policies

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Policy Tags

Get a list of policy tags

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Policy Details

Get details about a single LQL policy by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Policies/{policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when the GET /api/v2/Policies endpoint is invoked.

path Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Policies

Update an existing LQL policy registered in your Lacework instance by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/Policies/{policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when the GET /api/v2/Policies endpoint is invoked.

path Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
policyType
string
Value: "Violation"

The policy type such as Violation.

queryId
string

Identifier of the query that executes while running the policy.

title
string

The policy's title.

enabled
boolean

When sending a request, use this attribute to enable or disable a policy. When included in a response, returns True for enabled policies, or returns False for disabled policies.

description
string

Information about the new policy.

remediation
string

Remediation strategy for the events triggered by the policy.

severity
string
Enum: "info" "low" "medium" "high" "critical"

The severity of an event triggered by the policy.

limit
number >= 1
Default: 1000

The maximum number of records that each policy will return. The default value is 1000.

evalFrequency
string
Deprecated
Enum: "Hourly" "Daily"

Frequency at which the policy will be evaluated

alertEnabled
boolean

When sending a request, set to True if you want to send alerts to an alert profile when the policy is triggered. Set to False if you want to mute alerts when the policy is triggered.

alertProfile
string

The alert profile to use for sending alerts when the policy is triggered.

tags
Array of strings

A list of policy tags.

Responses

Request samples

Content type
application/json
{
  • "policyType": "Violation",
  • "queryId": "string",
  • "title": "string",
  • "enabled": true,
  • "description": "string",
  • "remediation": "string",
  • "severity": "info",
  • "limit": 1000,
  • "evalFrequency": "Hourly",
  • "alertEnabled": true,
  • "alertProfile": "string",
  • "tags": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Policies

Delete an LQL custom policy registered in your Lacework instance by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/Policies/{policyId}

Replace {policyId} with the policyId value returned for an LQL policy in the response when the GET /api/v2/Policies endpoint is invoked.

path Parameters
policyId
required
string

Policy ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Queries

Queries are the mechanism used to interactively request information from a specific curated datasource. Queries have a defined structure for authoring detections.

Create Queries

Create a Lacework Query Language (LQL) query by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries

This creates the LQL query in your Lacework instance so you can use it in an LQL custom policy and view it in the Lacework Console. You can get the unique identifiers for the LQL queries (queryIdList) array by invoking the GET /api/v2/Queries endpoint.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
queryText
required
string

When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data.

queryId
required
string

Identifier of the query that executes while running the policy.

Responses

Request samples

Content type
application/json
{
  • "queryText": "string",
  • "queryId": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Queries

List all registered LQL queries in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Queries

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Execute Queries

Run an LQL query by specifying parameters in the request body by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/execute

The response is the data that the query finds in the datasource for the specified time period.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
required
object
object (Query_Execute_Options)
Array of objects[ items ]

Responses

Request samples

Content type
application/json
{
  • "query": {
    },
  • "options": {
    },
  • "arguments": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Execute Queries by ID

Run an existing LQL query registered in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/{queryId}/execute

Replace {queryId} with the queryId value returned for an LQL query in the response when the GET /api/v2/Queries endpoint is invoked. The response is the data that the query finds in the datasource for the specified time period.

path Parameters
queryId
required
string

Identifier of the query that executes while running the policy.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object (Query_Execute_Options)
Array of objects[ items ]

Responses

Request samples

Content type
application/json
{
  • "options": {
    },
  • "arguments": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Validate Queries

Validate an LQL query by specifying parameters in the request body by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Queries/validate

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
queryText
required
string

When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data.

Responses

Request samples

Content type
application/json
{
  • "queryText": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Query Details

Get details about a single LQL query by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Queries/{queryId}

Replace {queryId} with the queryId value returned for an LQL query in the response when the GET /api/v2/Queries endpoint is invoked.

path Parameters
queryId
required
string

Identifier of the query that executes while running the policy.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Queries

Update an existing LQL query registered in your Lacework instance by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/Queries/{queryId}

Replace {queryId} with the queryId value returned for an LQL query in the response when the GET /api/v2/Queries endpoint is invoked.

path Parameters
queryId
required
string

Identifier of the query that executes while running the policy.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
queryText
string

When sending a request, provide a human-readable text syntax for specifying selection, filtering, and manipulation of data.

Responses

Request samples

Content type
application/json
{
  • "queryText": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Queries

Delete a Lacework Query Language (LQL) query registered in your Lacework instance by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/Queries/{queryId}

Replace {queryId} with the queryId value returned for an LQL query in the response when invoking the following endpoint: GET /api/v2/Queries.

path Parameters
queryId
required
string

Identifier of the query that executes while running the policy.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Report Rules

Lacework combines alert channels and report rules to provide a flexible method for routing reports. For report rules, you define information about which reports to send. For alert channels, you define where to send reports such as to Jira, Slack, or email.

Create Report Rule

Create a report rule in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ReportRules

Get the unique identifiers for the alert channels (intGuidList) array by invoking the GET /api/v2/ReportRules endpoint.

In addition, the severity field is required if you create report rules for any of the following report types: awsCloudtrailEvents, awsComplianceEvents, azureActivityLogEvents, azureComplianceEvents, gcpAuditTrailEvents, gcpComplianceEvents, openShiftComplianceEvents, platformEvents, agentEvents.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
required
object

When sending a request, use this object to define the new report rule. When included in a response, this object contains details of a report rule. You can use these attributes when searching for existing report rules by invoking a GET request.

intgGuidList
required
Array of strings non-empty unique

The alert channels for the rule to access.

required
object

The report types that you want the rule to apply to.

type
required
string
Value: "Report"

The data type as Report.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ],
  • "reportNotificationTypes": {
    },
  • "type": "Report"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Report Rules

List all report rules in your Lacework instance, by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ReportRules

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Report Rules

Search all report rules in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ReportRules/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

Here are some example body payloads:

  • { "filters": [ { "expression": "eq", "field": "name", "value": " Jane" } ] }

  • { "filters": [ { "field": "mcGuid", "expression": "rlike", "value": "123ABC" } ] }

  • { "filters": [ { "field": "mcGuid", "expression": "between", "values": [ "ABC_123", "DEC_456" ] } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "intgGuidList", "expression": "in", "values": [ "ABC_123", "DEF_456" ] } ] }

  • { "filters": [ { "field": "filters.name", "expression": "ilike", "value": "slack" } ] }

  • { "filters": [ { "field": "filters.resourceGroups", "expression": "eq", "value": "ABC_123" } ] }

  • { "filters": [ { "field": "filters.severity", "expression": "eq", "value": "5" } ] }

  • { "filters": [ { "field": "filters.eventCategory", "expression": "eq", "value": "App" } ] }

  • { "filters": [ { "field": "reportNotificationTypes.agentEvents", "expression": "eq", "value": "false" } ] }

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Report Rule Details

Get details about a report rule by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a report rule in the response when invoking the following endpoint: GET /api/v2/ReportRules.

path Parameters
mcGuid
required
string

Report Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Report Rules

Update a report rule by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a report rule in the response, when the GET /api/v2/ReportRules endpoint is invoked.

In addition, if the severity field doesn't exist for the report rule being updated, the severity field is required if you add any of the following report types: awsCloudtrailEvents, awsComplianceEvents, azureActivityLogEvents, azureComplianceEvents, gcpAuditTrailEvents, gcpComplianceEvents, openShiftComplianceEvents, platformEvents, agentEvents.

path Parameters
mcGuid
required
string

Report Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

When sending a request, use this object to define the new report rule. When included in a response, this object contains details of a report rule. You can use these attributes when searching for existing report rules by invoking a GET request.

intgGuidList
Array of strings non-empty unique

The alert channels for the rule to access.

object

The report types that you want the rule to apply to.

Responses

Request samples

Content type
application/json
{
  • "filters": {
    },
  • "intgGuidList": [
    ],
  • "reportNotificationTypes": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Report Rules

Delete a report rule by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}

Replace {mcGuid} with the mcGuid value returned for a report rule in the response when invoking the following endpoint: GET /api/v2/ReportRules.

path Parameters
mcGuid
required
string

Report Rule ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Reports

Lacework combines details about non-compliant resources that are in violation into reports. You must configure at least one cloud integration with AWS, Azure, or GCP to receive these reports.

Reports

Get a specific report by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId={primaryQueryId}&secondaryQueryId={secondaryQueryId}&format={format}&reportType={reportType}

Examples:

GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId=343523252&format=json&reportType=HIPAA

query Parameters
primaryQueryId
string

The primary ID that is used to fetch the report; for example, AWS Account ID or Azure Tenant ID.

Note: For GCP, use the secondaryQueryId attribute to provide your GCP Project ID.

secondaryQueryId
string

The secondary ID that is used to fetch the report; for example, GCP Project ID or Azure Subscription ID.

Note: For AWS, this parameter is not required.

format
string
Default: "pdf"
Enum: "json" "pdf" "csv" "html"

The report's format.

reportType
required
string
Enum: "AZURE_CIS" "AZURE_CIS_131" "AZURE_SOC" "AZURE_SOC_Rev2" "AZURE_PCI" "AZURE_PCI_Rev2" "AZURE_ISO_27001" "AZURE_NIST_CSF" "AZURE_NIST_800_53_REV5" "AZURE_NIST_800_171_REV2" "AZURE_HIPAA" "AWS_CIS_S3" "NIST_800-53_Rev4" "NIST_800-171_Rev2" "ISO_2700" "HIPAA" "SOC" "AWS_SOC_Rev2" "GCP_HIPAA" "PCI" "GCP_CIS" "GCP_SOC" "GCP_CIS12" "GCP_K8S" "GCP_PCI_Rev2" "GCP_SOC_Rev2" "GCP_HIPAA_Rev2" "GCP_ISO_27001" "GCP_NIST_CSF" "GCP_NIST_800_53_REV4" "GCP_NIST_800_171_REV2" "GCP_PCI" "AWS_CIS_14" "GCP_CIS13" "AWS_CMMC_1.02" "AWS_HIPAA" "AWS_ISO_27001:2013" "AWS_NIST_CSF" "AWS_NIST_800-171_rev2" "AWS_NIST_800-53_rev5" "AWS_PCI_DSS_3.2.1" "AWS_SOC_2" "LW_AWS_SEC_ADD_1_0" "AZURE_ISO_27001:2013_CIS_1_5" "AZURE_SOC_2_CIS_1_5" "AZURE_NIST_CSF_CIS_1_5" "AZURE_CIS_1_5" "AZURE_HIPAA_CIS_1_5" "AZURE_NIST_800-171_rev2_CIS_1_5" "AZURE_PCI_DSS_3_2_1_CIS_1_5" "AZURE_NIST_800-53_rev5_CIS_1_5"

The report's notification type; for example, AZURE_NIST_CSF.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Resource Groups

Resource groups provide a way to categorize Lacework-identifiable assets.

Create Resource Group

Create a resource group by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ResourceGroups

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
resourceName
required
string non-empty (?!^ +$)^.+$

The resource group's name.

resourceType
required
string
Default: "AWS"

The resource type such as cloud accounts, containers, or machines.

enabled
number
Enum: 0 1

When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns 1 for enabled resource groups, or returns 0 for disabled resource groups.

required
object

The new resource group's properties. The data varies based on the value of the type attribute.

Responses

Request samples

Content type
application/json
Example
{
  • "resourceName": "string",
  • "resourceType": "AWS",
  • "enabled": 1,
  • "props": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Resource Groups

Get a list of all resource groups for the account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ResourceGroups

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Resource Groups

Search resource groups by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/ResourceGroups/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array, for example, "returns":[ "name", "type", "enabled" ].

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Resource Groups Details

Get details about a resource group by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}

path Parameters
resourceGuid
required
string

Resource Group ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Resource Groups

Update a resource group by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}

In the request body, only specify the parameters that you want to update, for example, { "enabled" : 0 }.

path Parameters
resourceGuid
required
string

Resource Group ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json

Only specify the parameter(s) that you want to update, for example, { "enabled" : 0 }.

resourceName
string non-empty (?!^ +$)^.+$

The resource group's name.

resourceType
string
Default: "AWS"

The resource type such as cloud accounts, containers, or machines.

enabled
number
Enum: 0 1

When sending a request, use this attribute to enable or disable a resource group. When included in a response, returns 1 for enabled resource groups, or returns 0 for disabled resource groups.

object

The new resource group's properties. The data varies based on the value of the type attribute.

Responses

Request samples

Content type
application/json
Example
{
  • "resourceName": "string",
  • "resourceType": "AWS",
  • "enabled": 1,
  • "props": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Resource Groups

Delete a resource group by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}

path Parameters
resourceGuid
required
string

Resource Group ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Team Members

Team members can be granted access to multiple Lacework accounts and have different roles for each account. Team members can also be granted organization-level roles. For more information, see Team Members.

Note: The TeamMembers API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

Create Team Members Deprecated

Create a team member in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/TeamMembers

Here is an example body payload:

{ "userName": "jane.smith@mycompany.com", "userEnabled": 1, "props": { "firstName": "Jane", "lastName": "Smith", "company": "myCompany", "accountAdmin": true } }

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
schemaOption
string

Not required.

required
object
orgAdmin
boolean
Default: false

When sending a request, set to True to make the team member an organization admin. Otherwise, set to False. When included in a response, returns the role assigned to the team member. Note: If the team member is currently an organization admin, Lacework ignores the adminRoleAccounts and userRoleAccounts attributes.

orgUser
boolean
Default: false

When sending a request, set to True to make the new member an organization user. Otherwise, set to False When included in a response, returns the role assigned to the new member. Note: If the team member is currently an organization user, Lacework will ignore the userRoleAccounts attribute.

adminRoleAccounts
required
Array of strings

A list of account names for which this team member will be an admin.

userRoleAccounts
required
Array of strings

A list of account names for which this team member will be a user.

userEnabled
required
integer
Enum: 1 0
userName
required
string

user email address

Responses

Request samples

Content type
application/json
Example
{
  • "schemaOption": "With_Org-Access",
  • "props": {
    },
  • "orgAdmin": false,
  • "orgUser": false,
  • "adminRoleAccounts": [
    ],
  • "userRoleAccounts": [
    ],
  • "userEnabled": 1,
  • "userName": "string"
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

List All Team Members Deprecated

Get a list of team members in your Lacework instance by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/TeamMembers

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Team Members Deprecated

Search all team members in your Lacework instance by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/TeamMembers/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

You can filter on the following fields:

  • custGuid

  • userGuid

  • userName

  • userEnabled

Here is an example body payload:

{ "filters" : [ { "expression": "eq", "field": "userName", "value": "jane.smith@mycompany.com" } ] }

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Team Member Details Deprecated

Get details about a team member by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}

Replace {userGuid} with the userGuid value returned for a team member in the response when invoking the following endpoint: GET /api/v2/TeamMembers

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

path Parameters
userGuid
required
string

User Guid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Team Member Deprecated

Optionally update the userName anduserEnabled settings and the props sub-settings of the passed in team member. Update these settings by invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}

Replace {userGuid} with the userGuid value returned for a team member in the response, when invoking the following endpoint: GET /api/v2/TeamMembers.

Here is an example body payload:

{ "props": {"firstName":"Jane"} }

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

path Parameters
userGuid
required
string

User Guid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Request Body schema: application/json
schemaOption
string

Not required.

object
orgAdmin
boolean
Default: false

When sending a request, set to True to make the team member an organization admin. Otherwise, set to False. When included in a response, returns the role assigned to the team member. Note: If the team member is currently an organization admin, Lacework ignores the adminRoleAccounts and userRoleAccounts attributes.

orgUser
boolean
Default: false

When sending a request, set to True to make the new member an organization user. Otherwise, set to False When included in a response, returns the role assigned to the new member. Note: If the team member is currently an organization user, Lacework will ignore the userRoleAccounts attribute.

adminRoleAccounts
Array of strings

A list of account names for which this team member will be an admin.

userRoleAccounts
Array of strings

A list of account names for which this team member will be a user.

userEnabled
integer
Enum: 1 0

Responses

Request samples

Content type
application/json
Example
{
  • "schemaOption": "With_Org-Access",
  • "props": {
    },
  • "orgAdmin": false,
  • "orgUser": false,
  • "adminRoleAccounts": [
    ],
  • "userRoleAccounts": [
    ],
  • "userEnabled": 1
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Delete Team Member Deprecated

Delete a team member by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}

Replace {userGuid} with the userGuid value returned for a team member in the response when invoking the following endpoint: GET /api/v2/TeamMembers

Note: This API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console. See Access Control for more information about the new RBAC model.

path Parameters
userGuid
required
string

User Guid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Team Users

Role-based access control (RBAC) gives you control over user access to resources based on a defined role at an account level.

The Team Users API works with the new Lacework role-based access control (RBAC) model. After you enable RBAC in the Lacework Console, the Team Users API is available and the legacy Team Members API (deprecated) is disabled. For more information on the legacy API, see the Team Members APIs.

The Team Users API works with users and groups at the account level only; organization-level users are not supported. For information on working with account level users in the Lacework Console, see Access Control at Account Level.

The Lacework RBAC model defines two types of users: standard users and service users. Standard user accounts are typically associated with specific people in your organization, while service users are often shared among people and typically represent a service, client, or other type of programmatic Lacework integration.

See Access Control Overview for details on users and groups in Lacework.

Create Team Users

Create a standard or service user in a Lacework account using the following endpoint:

POST /api/v2/TeamUsers

In the request body, specify the type of user to create, a standard user or service user, as well as properties of the user.

Here is an example body payload for a standard user:

{"type": "StandardUser", "name": "name_one", "company": "company_name", "email": "test_email", "userEnabled": 1}

Here is an example body payload for a service user:

{"type": "ServiceUser", "name": "name_one", "description": "service_user_description", "userEnabled": 1}

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
type
required
string

The user type. This type cannot be changed after the user is created.

name
required
string

A name for the standard user.

userEnabled
number
Default: 1
Enum: 0 1

When sending a request, use this attribute to enable or disable a team user's access. When included in a response, returns 1 for enabled team users, or returns 0 for disabled team users. NOTE: This will eventually change to being true/false.

company
required
string

The name of the business or organization associated with the user.

email
required
string

The user's email address.

Responses

Request samples

Content type
application/json
Example
{
  • "type": "StandardUser",
  • "name": "string",
  • "userEnabled": 0,
  • "company": "string",
  • "email": "string"
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

List All Team Users

Get a list of all users in a Lacework account, including both standard and service users, by invoking the following endpoint:

GET /api/v2/TeamUsers

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Team Users Details

Get details about a user in a Lacework Account by invoking the following endpoint:

GET /api/v2/TeamUsers/{userGuid}

Replace {userGuid} with the userGuid value of the standard or service user whose details you want to retrieve. You can get the userGuid for a user in the response to the "List All Team Users" endpoint.

path Parameters
id
required
string

User Guid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Update Team Users

Update an existing standard or service user by providing new values for the user properties to update using the following endpoint:

PATCH /api/v2/TeamUsers/{userGuid}

Replace {userGuid} with the userGuid value of the user you want to update. You can get the userGuid for a user in the response to the "List All Team Users" endpoint.

Here is an example body payload for a standard user:

{"name": "new_name", "userEnabled": 0}

Here is an example body payload for a service user:

{"name": "new_name", "userEnabled": 0, "description": "new_description"}

path Parameters
id
required
string

User Guid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
type
string

The user type. This type cannot be changed after the user is created.

name
string

A name for the standard user.

userEnabled
number
Default: 1
Enum: 0 1

When sending a request, use this attribute to enable or disable a team user's access. When included in a response, returns 1 for enabled team users, or returns 0 for disabled team users. NOTE: This will eventually change to being true/false.

Responses

Request samples

Content type
application/json
Example
{
  • "type": "StandardUser",
  • "name": "string",
  • "userEnabled": 0
}

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Delete Team Users

Delete a service or standard user to remove access for the user to the Lacework Console and Lacework APIs. Delete a user account using the following endpoint:

DELETE /api/v2/TeamUsers/{userGuid}

Replace {userGuid} with the userGuid value of the standard or service user whose details you want to retrieve. You can get the userGuid for a user in the response to the "List All Team Users" endpoint.

path Parameters
id
required
string

User Guid

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Template Files

Template Files are equivalent to CloudFormation template files.

AWS Config

For the file parameter, specify AwsConfig to download an AWS Config CloudFormation template for configuring an AWS Config integration to analyze AWS configuration compliance.

AWS Cloud Trail

For the file parameter, specify AwsCloudTrail to download an AWS CloudTrail CloudFormation template for configuring an AWS CloudTrail integration to monitor cloud account security.

AWS EKS Audit Logs

For the file parameter, specify AwsEksAudit to download an AWS EKS Audit Log template for configuring resources to allow monitoring of Kubernetes runtime security using audit logs on EKS (Step 1).

For the file parameter, specify AwsEksAuditSubscriptionFilter to download an AWS EKS Audit Log template for configuring an EKS cluster log group to monitor EKS runtime security. Optionally pass in intgGuid as a query parameter. This allows the intgGuid to get the SNS ARN, create the firehose ARN, and insert that into the template before returning it. This means you don't have to find the firehoseARN and insert it manually. Obtain the integration's intgGuid by using the GET https://YourLacework.lacework.net/api/v2/CloudAccounts endpoint (Step 2).

After downloading the template, you must upload and run the template file in the AWS Console. For information about setting up AWS CloudTrail and AWS Config integrations, see https://docs.lacework.com/initial-setup-of-aws-cloudtrail-and-config-integration. For information about setting up AWS EKS integrations, see https://docs.lacework.com/category/eks-audit-log-integrations. You must also create the integration in the Lacework Console.

Download Template File

Download the CloudFormation template from the Lacework Console for a specific template file name by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/{templateFileName}

Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsConfig

Here is another example invocation:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsCloudTrail

Optionally pass in intgGuid as a query parameter for the AwsEksAuditSubscriptionFilter template file name. Here is an example invocation:

GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsEksAuditSubscriptionFilter?intgGuid=ROIJ898329....

path Parameters
templateFileName
required
string
Enum: "AwsCloudTrail" "AwsConfig"

The template's filename to download.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/octet-stream

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

User Groups

A user group associates Lacework service and standard users with specific permissions in Lacework. See Team Users for information about service and standard users.

Add Users to User Groups

Add one or more users to an existing user group using the following endpoint:

POST /api/v2/UserGroups/{userGroupGuid}/addUsers

Replace {userGroupGuid} with the userGroupGuid value of the user group you want to add users to. You can get the userGroupGuid for a user group from the User Groups section under Settings in the Lacework platform.

In the request body, specify the users to add to the group as an array of user IDs.

Here is an example body payload:

{"userGuids": ["some_user_id"]}

See Add Standard Users to a User Group for more information.

path Parameters
userGroupGuid
required
string

User Group ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
userGuids
required
Array of strings[ items non-empty ]

Responses

Request samples

Content type
application/json
{
  • "userGuids": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Remove Users from User Groups

Remove one or more users from a user group using the following endpoint:

POST /api/v2/UserGroups/{userGroupGuid}/removeUsers.

Replace {userGroupGuid} with the userGroupGuid value of the user group you details to remove users from. You can get the userGroupGuid for a user group from the User Groups section under Settings in the Lacework platform.

In the request body, specify the users to remove from the group as an array of user IDs.

Here is an example body payload:

{"userGuids": ["some_user_id"]}

path Parameters
userGroupGuid
required
string

User Group ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
userGuids
required
Array of strings[ items non-empty ]

Responses

Request samples

Content type
application/json
{
  • "userGuids": [
    ]
}

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

User Profiles

An organization can contain multiple accounts so you can also manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. For more information, see Organization Overview.

List Sub-accounts

List all sub-accounts that are managed by the YourLacework account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/UserProfile

For example, if you specify the IT20.MyCompany organization account in YourLacework, this lists all sub-accounts of the IT20 account.

Here is an example invocation:

GET https://IT20.MyCompany.lacework.net/api/v2/UserProfile

The response reports details about organization accounts and non-organization accounts in addition to authorization and privilege details.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Org-Access
boolean

Use this attribute to specify if the access token has organization admin permissions. If the access token has only account permissions, use the Account-Name attribute to specify which account to access.

Account-Name
string

Use this attribute to specify which sub-account to access.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Vulnerabilities

Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image before the container image is deployed. Lacework also supports scanning of non-OS packages for programming languages (Java, Ruby, PHP, GO, NPM, .NET, Python).

Search Container Vulnerabilities

Search the scan (assessment), including the scan status, the vulnerabilities found in the scan, and statistics for those vulnerabilities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

You can optionally filter returned vulnerabilities by severity, vulnerability ID, machine ID, and more. For more information, see CONTAINER_VULN_DETAILS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "vulnId", "expression": "eq", "value": "CVE-2018-7169" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalCtx.image_info.digest", "expression": "eq", "value": "sha256:2e05f1f668367c1fc0f1c9c02ee87521ed66541e6ebf0a31905b8cdd78d22611" }, { "field": "severity", "expression": "eq", "value": "Medium" } ],
    "returns": [ "imageId", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey" ] }

To search for container vulnerabilities of only active containers, first use the "Search Active Containers" endpoint to get a list of active containers. Then call "Search Container Vulnerabilities" and pass the image IDs from the "Search Active Containers" results as a filter with the in filter type.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Scan Container Vulnerabilities

Request that Lacework scans (evaluates) for vulnerabilities in the specified container image. Specify the container image by passing in a tag, repository, and registry in the body parameter. You must specify a container image and repository located in a registry domain that has already been integrated with Lacework.

For registries that are integrated using the Lacework generic Docker V2 Registry type, vulnerability scans can be started only by calling this API operation.

For registries that are integrated using any Lacework registry type except "Docker V2 Registry", vulnerability scans start when the container registry is initially integrated, when specified by the default scan schedule, or when this operation is called.

For more information, see https://docs.lacework.com/container-vulnerability-assessment-overview.

For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

Usage Example:

curl -X POST -H 'Content-Type: application/json' -d '{ "registry": "index.docker.io", "repository": "yourDockerOrg/yourRepository", "tag": "yourTag" }' "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan" -H "Authorization: Bearer YourAPIToken"

In the JSON body, do not prefix the registry or the repository with the http:// string.

This operation returns a unique requestId in the response that you can use to track the status of this scan/assessment.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
registry
required
string

The container registry to be assessed.

repository
required
string

The repository within the container registry to be assessed.

tag
required
string

The identifier tag as key:value pairs.

Responses

Request samples

Content type
application/json
{
  • "registry": "index.docker.io",
  • "repository": "yourDockerOrg/yourRepository",
  • "tag": "yourTag"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Track Container Scan Status

Track the progress and return data about an on-demand vulnerability scan that was started by calling the POST /api/v2/Vulnerabilities/Containers/scan operation. You must pass in the unique request id returned in the response of the POST Vulnerabilities/Containers/scan operation. For example,

GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan/abcdefgh-123...

When completed, the scan operation returns an evalGuid, which you can use to get the results of the scan by passing it to the "Search Container Vulnerabilities" endpoint:

POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search

Pass the evalGuid in the request body, for example:

{ "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }

path Parameters
requestId
required
string

Assessment Request ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
Example
{
  • "data": {
    }
}

Search Host Vulnerabilities

Search the scan (assessment), including the scan status, vulnerabilities found in the scan, and statistics about those vulnerabilities by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/search

Lacework highly recommends specifying a time range. Without a specified time range, the request uses the default time range of 24 hours prior to the current time. The maximum time range per API request is 7 days.

Optionally filter the returned vulnerabilities by severity, vulnerability ID, machine ID, and more. For more information, see HOST_VULN_DETAILS_V View.

Here are some example body payloads:

  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "vulnId", "expression": "eq", "value": "CVE-2018-7169" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "evalGuid", "expression": "eq", "value": "1234567a89012b34567890123cd56e78" } ] }
  • { "timeFilter": { "startTime": "2021-08-28T20:30:00Z", "endTime": "2021-08-28T22:30:00Z"}, "filters": [ { "field": "machineTags.AmiId", "expression": "eq", "value": "ami-0d9ef0d809e365a36" }, { "field": "severity", "expression": "eq", "value": "Medium" } ],
    "returns": [ "mid", "severity", "status", "vulnId", "evalCtx", "fixInfo", "featureKey", "machineTags" ] }

To search for host vulnerabilities of only online machines, first use the "Search Machines" endpoint to get a list of online machines. Then call "Search Host Vulnerabilities", passing the machine IDs from the "Search Machines" results as a filter with the in filter type.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
object

The date/time range during which actions occurred.

Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "timeFilter": {
    },
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "paging": {},
  • "data": [
    ]
}

Scan Software Packages

Request an on-demand vulnerability assessment of your software packages to determine if the packages contain any common vulnerabilities and exposures. The response for detected CVEs includes CVE details. Only packages managed by a package manager for supported operating systems are reported.

Use the body parameter to specify the list of packages to scan for. In the package list, separate each package entry with a comma. Here is the list of supported OS types with some osVer examples:

  • { "os": "alpine", "osVer": "v3.1" ... }
  • { "os": "amzn", "osVer": "2" ... }
  • { "os": "amzn", "osVer": "2018.03" ... }
  • { "os": "centos", "osVer": "5" ... }
  • { "os": "debian", "osVer": "unstable" ... }
  • { "os": "debian", "osVer": "11" ... }
  • { "os": "oracle", "osVer": "8" ... }
  • { "os": "rhel", "osVer": "8" ... }
  • { "os": "ubuntu", "osVer": "19.10" ... }

For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

Usage Example:

curl -X POST -H 'Content-Type: application/json' -d '{ "osPkgInfoList": [ { "os":"Ubuntu", "osVer":"18.04", "pkg": "openssl","pkgVer": "1.1.1-1ubuntu2.1~18.04.5" } ] }' "https://YourLacework.lacework.net/api/v2/Vulnerabilities/SoftwarePackages/scan" -H "Authorization: Bearer YourAPIToken"

Note: Calls to this operation are rate limited to 10 calls per hour, per access key. If this rate limit is exceeded, an exception is thrown. Also, note that this operation is limited to 1k of packages per payload. If you require a payload larger than 1k, you must make multiple requests. For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
required
Array of objects non-empty [ items ]

A list of supported OS types.

Array (non-empty)
os
string

The OS type.

osVer
string

The OS version.

pkg
string

The package name.

pkgVer
string

The version of the package.

Responses

Request samples

Content type
application/json
{
  • "osPkgInfoList": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Vulnerability Exceptions

Lacework provides the ability to create exceptions for certain vulnerable resources and criteria. For example, a certain CVE for a certain package or all packages can be excepted until a set expiry time.

Create Vulnerability Exceptions

Create a vulnerability exception by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
exceptionName
required
string non-empty (?!^ +$)^.+$

Name of the exception.

exceptionReason
required
string
Enum: "False Positive" "Accepted Risk" "Compensating Controls" "Fix Pending" "Other"

Reason for creating an exception

object

The set of resources this exception can apply to. The data varies based on the value of the exceptionType attribute.

required
object

When sending a request, use this object to define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected.

expiryTime
string

The exception's expiration date and time.

state
number
Value: 1

State

required
object

The vulnerability exception's properties.

exceptionType
required
string

Exception Type

Responses

Request samples

Content type
application/json
Example
{
  • "exceptionName": "string",
  • "exceptionReason": "False Positive",
  • "resourceScope": {
    },
  • "vulnerabilityCriteria": {
    },
  • "expiryTime": "string",
  • "state": 1,
  • "props": {
    },
  • "exceptionType": "Container"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Vulnerability Exceptions

Get a list of all vulnerability exceptions for the account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Vulnerability Exceptions

Search vulnerability exceptions by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array. Here are some example body payloads:

  • { "filters": [ { "field": "exceptionType", "expression": "eq", "value": "Host" } ] }
  • { "filters": [ { "field": "exceptionType", "expression": "eq", "value": "Container" },
    { "field": "expiryTime", "expression": "gt", "value": "2021-01-01" } ],
    "returns": [ "name", "exceptionType", "expiryTime" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Vulnerability Exception Details

Get details about a vulnerability exception by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}

path Parameters
exceptionGuid
required
string

Vulnerability Exception ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Vulnerability Exceptions

Update a vulnerability exception by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}

In the request body, only specify the parameters that you want to update, for example, { "exceptionReason" : "Other" }.

path Parameters
exceptionGuid
required
string

Vulnerability Exception ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
exceptionName
string non-empty (?!^ +$)^.+$

Name of the exception.

exceptionReason
string
Enum: "False Positive" "Accepted Risk" "Compensating Controls" "Fix Pending" "Other"

Reason for creating an exception

object

The set of resources this exception can apply to. The data varies based on the value of the exceptionType attribute.

object

When sending a request, use this object to define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected.

expiryTime
string

The exception's expiration date and time.

state
number
Value: 1

State

object

The vulnerability exception's properties.

Responses

Request samples

Content type
application/json
Example
{
  • "exceptionName": "string",
  • "exceptionReason": "False Positive",
  • "resourceScope": {
    },
  • "vulnerabilityCriteria": {
    },
  • "expiryTime": "string",
  • "state": 1,
  • "props": {
    },
  • "exceptionType": "Container"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Vulnerability Exceptions

Delete a vulnerability exception by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}

path Parameters
exceptionGuid
required
string

Vulnerability Exception ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Vulnerability Policies

Lacework provides the ability to create container vulnerability policies to assess your container images at build and/or runtime based on your own unique requirements. For example, a policy can be created for any critical vulnerability with a fix available or a policy to target a specific CVE.

Create Vulnerability Policies

Create a vulnerability policy by specifying parameters in the request body when invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
policyType
required
string

The policy type such as DockerFile, DockerConfig, or Image.

policyName
required
string non-empty (?!^ +$)^.+$

Name of the policy.

policyEvalType
string
Default: "local"
Value: "local"

The evaluation type to use for the policy. The default value is local.

severity
required
string
Enum: "Critical" "High" "Medium" "Low" "Info"

The severity level of the policy; Info, Low, Medium, High, or Critical.

failOnViolation
number
Default: 0
Enum: 0 1

When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to 1 to permit container image deployment to continue even when the policy fails. Set to 0 to block container image deployment when the policy fails.

alertOnViolation
number
Default: 0
Enum: 0 1

When sending a request, set to 1 if you want to send alerts to an alert profile when a violation is detected. Set to 0 if you want to mute alerts when a violation is detected.

state
required
number
Enum: 0 1

When sending a request, set to 1 to enable the policy. Set to 0 to disable the policy.

required
object (VulnerabilityPolicies_DockerFile)
required
object

The vulnerability policy's properties.

Responses

Request samples

Content type
application/json
Example
{
  • "policyType": "DockerFile",
  • "policyName": "string",
  • "policyEvalType": "local",
  • "severity": "Critical",
  • "failOnViolation": 0,
  • "alertOnViolation": 0,
  • "state": 0,
  • "filter": {
    },
  • "props": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

List All Vulnerability Policies

Get a list of all vulnerability policies for the account by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Search Vulnerability Policies

Search vulnerability policies by invoking the following endpoint:

POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/search

To limit the returned result, optionally specify one or more filters in the request body. For more information about using filters, see the Simple & Advanced Search section.

In the request body, optionally specify the list of fields to return in the response by specifying the list in the returns array. Here are some example body payloads:

  • { "filters": [ { "field": "policyType", "expression": "eq", "value": "DockerFile" } ] }
  • { "filters": [ { "field": "PolicyType", "expression": "eq", "value": "CVE" },
    { "field": "createdTime", "expression": "gt", "value": "2021-01-01" } ],
    "returns": [ "name", "policyType", "createdTime" ] }
header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
Array of objects[ items ]

One or more condition statements you can use to refine the data returned by the request. Only records that satisfy filtering conditions are returned. Multiple conditions are ANDd; that is, a record must satisfy all conditions for a match.

returns
Array of strings

Use this attribute to specify which top-level fields of the response schema you want to receive.

Responses

Request samples

Content type
application/json
{
  • "filters": [
    ],
  • "returns": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Vulnerability Policy Details

Get details about a vulnerability policy by invoking the following endpoint:

GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}

path Parameters
policyGuid
required
string

Vulnerability Policies ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Update Vulnerability Policies

Update a vulnerability policy by specifying parameters in the request body when invoking the following endpoint:

PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}

In the request body, only specify the parameters that you want to update, for example, { "severity" : "High" }.

path Parameters
policyGuid
required
string

Vulnerability Policies ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Request Body schema: application/json
policyType
string

The policy type such as DockerFile, DockerConfig, or Image.

policyName
string non-empty (?!^ +$)^.+$

Name of the policy.

policyEvalType
string
Default: "local"
Value: "local"

The evaluation type to use for the policy. The default value is local.

severity
string
Enum: "Critical" "High" "Medium" "Low" "Info"

The severity level of the policy; Info, Low, Medium, High, or Critical.

failOnViolation
number
Default: 0
Enum: 0 1

When sending a request, use this attribute to define what action is taken when a policy failure occurs. Set to 1 to permit container image deployment to continue even when the policy fails. Set to 0 to block container image deployment when the policy fails.

alertOnViolation
number
Default: 0
Enum: 0 1

When sending a request, set to 1 if you want to send alerts to an alert profile when a violation is detected. Set to 0 if you want to mute alerts when a violation is detected.

state
number
Enum: 0 1

When sending a request, set to 1 to enable the policy. Set to 0 to disable the policy.

object (VulnerabilityPolicies_DockerFile)
object

The vulnerability policy's properties.

Responses

Request samples

Content type
application/json
Example
{
  • "policyType": "DockerFile",
  • "policyName": "string",
  • "policyEvalType": "local",
  • "severity": "Critical",
  • "failOnViolation": 0,
  • "alertOnViolation": 0,
  • "state": 0,
  • "filter": {
    },
  • "props": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Delete Vulnerability Policies

Delete a vulnerability policy by invoking the following endpoint:

DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}

path Parameters
policyGuid
required
string

Vulnerability Policies ID

header Parameters
Authorization
required
string

Bearer Access Token. For example, "Bearer {YourAPIToken}"

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{
  • "message": "Invalid ..."
}

Webhooks

Send notifications from your integration using a server token or signature.

Webhooks by Server Tokens

Send notifications from your integration using a server token.

You must specify the integration's server token that was generated by the Lacework Console when you created the integration that subscribes to notifications.

For more information, see https://docs.lacework.com/integrate-a-docker-v2-registry.

For more information about creating an API access key and token to run this operation and using this operation with organization resources, see https://docs.lacework.com/generate-api-access-keys-and-tokens.

Usage Example:

curl -H 'Content-Type: {content-type}' -X POST -d '{notification-body}' "https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/DockerV2" -H "Authorization: Bearer YourServerToken"

Note: If a container registry integration is unsubscribed from notifications and then subscribed again, the same server token is used.

path Parameters
type
required
string
Enum: "AzureCR" "DockerV2" "JFrog"

The integration type such as AzureCR, DockerV2, JFrog.

header Parameters
Authorization
required
string

Bearer Server Token. For example, "Bearer {YourServerToken}"

Content-Type
required
string

application/json

Request Body schema: application/json

Integration specific notification body

object

Responses

Request samples

Content type
application/json
{ }

Response samples

Content type
application/json
{ }

Webhooks by Signature

Send notifications from your integration using a signature.

You must specify the integration's server token that was generated by the Lacework Console when you created the integration that subscribes to notifications. For more information, see https://docs.lacework.com/integrate-github-container-registry.

Usage Example:

curl -H 'Content-Type: {content-type}' -X POST "https://YourLacework.lacework.net/api/v2/Webhooks/Signatures/GithubCR" -H "x-hub-signature-256: sha256=sha256 payload hash with YourServerToken as secret"

Note: For a container registry integration, use the same server token if you want to re-subscribe to notifications after unsubscribing.

path Parameters
type
required
string
Value: "GithubCR"

The integration type such as GithubCR.

header Parameters
x-hub-signature-256
required
string
Example: x-hub-signature-256: sha256=123...

When your secret token is set, Lacework uses it to create a hash signature with each payload. This hash signature is included with the headers of each request as X-Hub-Signature-256.

Content-Type
required
string

application/json

Responses

Response samples

Content type
application/json
{ }