Skip to main content
All CollectionsConnectorsVulnerability Assessment
Lacework Connector
Lacework Connector

Learn all about integrating Lacework into the Vulcan Platform

Updated over a year ago

Overview

About Lacework

Lacework creates a temporal baseline built from collecting details on machines, processes, and user interactions to detect anomalies, generate appropriate alerts, and provide details for users to investigate and triage issues.

Why integrating Lacework into the Vulcan platform?

The Lacework Connector by Vulcan integrates with the Lacework Vulnerability Management and Lacework CSPM to pull and ingest asset types Hosts, Images, and Cloud Resources and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Lacework Connector details

Supported products

Vulnerability management

CSPM

Categories

Vulnerability Assessment

Cloud

Ingested asset type(s)

Hosts

Images

Cloud Resources

Integration type

UNI directional (data is transferred from Lacework to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)

Connector Setup

Prerequisites and user permissions

  • The user created for Vulcan must be assigned a role with read access to the API.

  • The user used to generate the API key must be an organization admin and must remain one as long as the API is in use.

Generating Lacework API ID and Secret Keys

  1. Go to your Lacework platform using an Organization Admin user.

  2. Go to your Settings > API Keys

  3. Click +Add New

  4. Specify the name and description of the API Key (e.g., Vulcan) and click Generate API-Key again.

  5. Click Save.

  6. Once the API key has been created, click on the three dots and Download the Json file.

  7. Open the Json file and copy-paste the values of KeyId, secret, and account name to somewhere safe. Example:

    For the account name, you only need to copy the part before ".lacework.net". In this example, it would be "vulcancyber".

Configuring the Lacework Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Lacework icon.

  4. Set up the Connector as follows:

    • Enter the Lacework Application name, Access API Key, and Secret key you generated earlier.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Lacework instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log.

  8. To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the Lacework icon shows Connected, the connection is complete.

Lacework in the Vulcan Platform

Locating Lacework vulnerabilities in the Vulcan Platform

As Lacework discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:

  1. Open the Vulcan Platform dashboard and navigate to the Vulnerabilities.

  2. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  3. Locate Lacework on the vulnerability source/Connector list and click to filter results.

  4. Click on any vulnerability to view further information.

Locating Lacework assets in the Vulcan Platform

The lacework connector retrieves assets type Hosts, Images, and Cloud Resources from the Lacework platform.nTo locate all retrieved assets from Lacework:

  1. Open the Vulcan Cyber dashboard and navigate to Assets.

  2. Click on any of the Hosts/Images/Cloud Resources tabs.

  3. Click on the Search or filter input box and select Connector from the drop-down selection.

  4. Locate the Lacework option to view all synced assets.

Automating actions on vulnerabilities detected by Lacework

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Lacework Connector.

Click here to learn how to create automation in the Vulcan Cyber Platform.

From Lacework to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Lacework through API to pull relevant vulnerabilities and assets data and map it into the relevant Vulcan Platform pages and fields.
The following asset types are retrieved and ingested from Lacework and mapped to the Vulcan platform:

Hosts mapping

Lacework field

Vulcan field

Value Example

MID

Asset uniqueness criteria*

7017305497656357098

HOSTNAME

Asset Name

ip-172-31-6-116.ec6.internal

Machine Properties:
DEFAULT_ROUTER

TAGS.Zone

TAGS.arch

KERNEL

KERNEL_RELEASE

KERNEL_VERSION

MACHINE_ID

CPU_INFO

MEMORY_INFO

Asset details

172.37.0.1

us-east-1d

amd64

Linux

5.4.0-1045-aws

47-Ubuntu SMP Tue Apr 13 07:02:25 UTC 2021

701730549654357098

See Machine Properties example

Host

Asset Type

TAGS.ExternalIp

TAGS.InternalIp

IP

44.000.111.22

OS or TAGS.os

OS

Ubuntu

Vulcan’s first ingestion date

Created date

RECORD_CREATED_TIME (Last known time)

Last seen date

2022-12-29T13:00:00.000Z

Packages (propagated from Asset-Vulnerability connection)

Packages

See Packages example

tags (machine tags)

Asset Tags

"Account": "348127001078", "AmiId": "ami-0ddbdea833a8d2f0d"…

See machine tags (asset tags) example

vulnId

Vulnerability uniqueness criteria*

CVE-2022-1271

vulnId

Vulnerability Title

cveProps.description

Vulnerability Description

See vulnerability description example

props.first_time_seen

props.last_updated_time

cveProps.link

severity

cveProps.metadata.NVD.CVSSv3.ImpactScore

Packages (propagated from Asset-Vulnerability connection)

Vulnerability Details

2022-12-30T13:00:00.000Z

2022-12-30T13:00:00.000Z

-

Medium

3.4

-

See vulnerability details example

cveProps.metadata.NVD.CVSSv3.Score or cveProps.metadata.NVD.CVSSv2.Score or severity (see Vulnerability Score Mapping)

CVSS

See CVSS score example

cveProps.metadata.NVD.CVSSv3.Vectors or cveProps.metadata.NVD.CVSSv2.Vectors

CVSS attack vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

vulnId + mid + featureKey.name + featureKey.version_installed + featureKey.package_path

Asset-Vulnerability connection uniqueness criteria*

props.first_time_seen

First seen

2022-12-29T13:00:00.000Z

See First seen example

props.last_updated_time

Last seen

2022-12-30T13:00:00.000Z

status (See Vulnerability Status Mapping)

Status

Vulnerable

Examples of Hosts retrieved fields and values

Machine Properties example

Packages example

Machine tags (asset tags) example

Vulnerability Description example

Vulnerability details example

CVSS score example

First Seen example

Images mapping

Lacework field

Vulcan field

Value Example

imageId

Asset uniqueness criteria*

sha256:bc64362a2152cda8a2…8de1d54d2d40

image_info.repo:evalCtx.image_info.registry:evalCtx.image_info.digest or imageId@containerName

Asset Name

See Image/Contianer example

tags.Hostname

evalCtx.image_info.digest or imageId (Vulcan’s sha256)

evalCtx.integration_props.NAME or tags.VmProvider(Vulcan’s cloud_type)

evalCtx.integration_props.REGISTRY_TYPE or propsContainer.CONTAINER_TYPE(Vulcan’s repository_type)

propsContainer.IMAGE_SIZE

propsContainer.IMAGE_REPO

propsContainer.IMAGE_AUTHOR

propsContainer.PRIVILEGED

propsContainer.NETWORK_MODE

tags.Zone

tags

Asset Details

See Image/Contianer example

Image

Asset Type

See Image/Contianer example

propsContainer.IMAGE_REPO

Repository

Bazel

TAGS.ExternalIp, TAGS.InternalIp

IP

44.000.111.22

tags.os

OS

linux

image_info.created_time or propsContainer.IMAGE_CREATED_TIME

Created date

2022-12-29T13:00:00.000Z

image_info.scan_created_time or endTime

Last seen date

2022-12-29T13:00:00.000Z

Packages (propagated from Asset-Vulnerability connection)

Components

See Packages example

tags (a.k.a. machine tags), evalCtx.image_info.tags, IMAGE_TAG

Tags - Vendor's tags

See Vendor tags example

propsContainer.PRIVILEGED

Tags - Additional

vulnId

Vulnerability uniqueness criteria*

CVE-2022-1271

vulnId

Vulnerability title

CVE-2022-1271

evalCtx.vuln_created_time

startTime

severity

cveProps.metadata.NVD.CVSSv3.ImpactScore

cveProps.metadata.NVD.CVSSv3.Score


featureProps.introduced_in (introduced in layer)
featureKey.namespace (os distribution )
src(file path)

Packages (propagated from Asset-Vulnerability connection)

Vulnerability Details

See Vulnerability details example

severity (see Vulnerability Score Mapping)

CVSS

10

vulnId + mid + featureKey.name + featureKey.version

Asset-Vulnerability connection uniqueness criteria*

2023-02-03T14:00:00.000Z

evalCtx.vuln_created_time

First seen

2023-02-03T14:00:00.000Z

startTime

Last seen

src

Location path

status (See Vulnerability Status Mapping - Image)

Status

Vulnerable

Examples of Images retrieved fields and values

Container/Image example

Packages example

Vendor tags example

Vulnerability details example

Cloud Resources mapping

Lacework field

Vulcan field

Value Example

urn or resource

Asset uniqueness criteria*

arn:aws:ec2:us-east-2:348165401078:volume/vol-01b7e944cc15418dd

urn or resource

Name

arn:aws:ec2:us-east-2:34813564361078:volume/vol-01b7e654c15418dd

urn or resource

ID

arn:aws:ec2:us-east-2:34817651078:volume/vol-01bt6y944cc154167hdd

csp

Cloud (provider)

AWS

cloudDetails

resourceConfig

resourceId

resourceRegion

resourceType or constraintFields(corresponds to Vulcan’s resource_type)

service

Asset Details

{"accountID": "348126541078"}

{"AliasArn": "arn:aws:kms:eu-…}

alias/aws/rds

eu-north-1

kms:alias

ec2

cloud_resource

Type

Vulcan’s first ingestion date

Created date

endTime or reportTime

Last seen date

2023-02-14T07:58:21.185Z

cloudDetails, resourceRegion,resourceTags,region

Tags - Additional

id

Vulnerability uniqueness criteria*

AWS_CIS_1_2

recommendation

Vulnerability Title

"User/Root password is enabled but MFA is not active"

description

Vulnerability Description

severity

lacework_info

lacework_id

tags

Vulnerability Details

Medium

General Security

severity (see Vulnerability Score Mapping)

CVSS

10

id + urn or resource

Asset-Vulnerability connection uniqueness criteria

Vulcan’s first ingestion date

First seen

reportTime

Last seen

2023-02-14T07:58:21.185Z

Vulnerable

Status

vulnerable

id

Solution uniqueness criteria*

AWS_CIS_1_2

Fix for recommendation

Fix title

remediation

Fix description

"Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"

references

Fix reference

*Uniqueness criteria is a set of criteria that their combination determines the uniqueness of a vulnerability or an asset. The set includes:

  • Asset - token (domain)

  • Vulnerability title

  • Solution title

  • Vulnerability-Asset connection (Title + URL)

Vulnerability status mapping - Host

Lacework Status

Vulcan Status

Active

New

Vulnerable

Fixed

Fixed

Vulnerability status mapping - Image

Lacework Status

Vulcan Status

Vulnerable

Vulnerable

Good

Fixed

Vulnerability score mapping

Lacework score

Vulcan score

Critical

10

High

7

Medium

5

Low

3

Information

0

Update Mechanisms

Status update mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The below table lists how the status update mechanism works in the Lacework connector.

Update type

Mechanism

Archiving Assets

An asset not found on the connector's last sync is archived and no longer presented on the Vulcan platform.

Change of Image vulnerability instances status from "Vulnerable" to "Fixed"

- When the vulnerability status on the vendor changes to "GOOD"

- When the vulnerability no longer appears in the scan findings

Change of Cloud Resources vulnerability instances status from "Vulnerable" to "Fixed"

- When the vulnerability no longer appears in the scan findings

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API

API Endpoints in use

API

Use in Vulcan

Permissions required

https://{application}.lacework.net/api/v2/access/tokens

Generate access tokens for running other APIs

Non

https://{application}.lacework.net/api/v2/Entities/Containers/search

Assets (images: image + container)

None

https://{application}.lacework.net/api/v2/Entities/Machines/search

Host IDs for running other APIs

None

https://{application}.lacework.net/api/v2/Queries/execute

Assets (hosts)

None

https://{application}.lacework.net/api/v2/Hosts/search

Vulnerabilities and solutions (hosts)

None

https://{application}.lacework.net/api/v2/Vulnerabilities/Containers/search

Assets (images: registry) and vulnerabilities

None

https://{application}.lacework.net/api/v2/Configs/ComplianceEvaluations/search

Vulnerabilities and solutions (cloud resources)

None

https://{application}.lacework.net/api/v2/Inventory/search

Assets (cloud resources)

None

https://{application}.lacework.net/api/v2/Policies

Vulnerabilities (cloud resources)

None

Data Validation

How do I validate and compare the data between Lacework and the Vulcan Platform?

Asset count validation

First, when comparing the data, make sure to filter by the Latest Day on Lacework. This is the time frame on which data is pulled into Vulcan.

Hosts count validation

The number of unique machines should match the Lacework Host number on the Vulcan Platform. Lacework’s machines are mapped into Vulcan Hosts by MID.

To validate:

  1. On Lacework, and go to Resources > Host > Machines > Unique Machines

  2. On the Vulcan Platform, go to Assets > Hosts

  3. Filter by Connector - Lacework

Images count validation

The sum number of Lacwork Registry/ECR and DOCKER containers should match the Lacework Images number on the Vulcan Platform.

  • Lacework Containers type DOCKER are mapped into Vulcan Image as docker type without linked vulnerabilities.

  • Lacework Containers type Registry/ECR are mapped into Vulcan Image including the vulnerabilities connections.

To validate:

  1. On Lacework, go to Vulnerabilities > Containers > All Images

  2. Group the images by Image ID and make sure no other filter is applied. In the example below, 18 Registry/ECR images were found on top of a single DOCKER.

  3. On Vulcan, go to Assets > Images

  4. Filter by Connector - Lacework. The Vulcan Platform displays 19 images; 18 images with vulnerabilities (Registery/ECR) and one docker from the containers view on lacework.

Cloud Resources count validation

The sum number of Lacwork Registry/ECR and DOCKER containers should match the Lacework Images number on the Vulcan Platform.

  • Lacework Containers type DOCKER are mapped into Vulcan Image as docker type without linked vulnerabilities.

  • Lacework Containers type Registry/ECR are mapped into Vulcan Image including the vulnerabilities connections.

To validate:

  1. On Lacework, go to Resources and open each of AWS, GCP and Azure inventories.

  2. Click to download the Summary Report of each inventory.

  3. Open each report and filter out Resource name duplications to get the cloud resources count.

    The cloud resources count in addition to the number of cloud accounts integrated with Lacework and the number of the regions tracked by Lacework should equal the ingested Cloud Resources assets count on the Vulcan Platform.

Asset-Vulnerability count validation

Host-vulnerability connection count

The CVEs count on Lacework should match the unique CVEs count on the Vulcan Hosts. However, in case there are several vulnerability connections on the same host, the CVEs count on the Vulcan Platform might be higher than the one observed on Lacework.

  1. In Lacework, Go to Vulnerabilities > Hosts

  2. Group by Host and reset any other applied filter.

  3. On the Vulcan Platform, go to Assets > Hosts

  4. Filter by Connector - Lacework

Image-vulnerability connection count

The CVEs count on Lacework should match the unique CVEs count on the Vulcan Images. However, in case there are several vulnerability connections on the same host, the CVEs count on the Vulcan Platform might be higher than the one observed on Lacework.

  1. In Lacework, Go to Vulnerabilities > Containers > All Images

  2. Group the images by Image ID and make sure no other filter is applied.

  3. On the Vulcan Platform, go to Assets > Images

  4. Filter by Connector - Lacework

Related Articles
Purplemet Connector
Tenable.sc Connector
CrowdStrike Connector
Rapid7 Insight VM Connector (default new revision)
Armis Connector
Did this answer your question?