Lacework Connector

Learn all about integrating Lacework into the Vulcan Platform


Overview

About Lacework

Lacework creates a temporal baseline built from collecting details on machines, processes, and user interactions to detect anomalies, generate appropriate alerts, and provide details for users to investigate and triage issues.

Why integrate Lacework into the Vulcan Platform?

The Lacework Connector by Vulcan integrates with Lacework Vulnerability Management and Lacework CSPM to pull and ingest the Hosts, Images, and Cloud Resources asset types, along with vulnerability data, into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to inform risk and remediation priority.

Lacework Connector details

Supported products

Categories: Vulnerability Assessment, Cloud

Ingested asset type(s): Hosts, Images, Cloud Resources

Integration type: Unidirectional (data is transferred from Lacework to the Vulcan Platform in one direction)

Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

  • The user created for Vulcan must be assigned a role with read access to the API.

  • The user used to generate the API key must be an organization admin and must remain one as long as the API is in use.

Generating Lacework API ID and Secret Keys

  1. Go to your Lacework platform using an Organization Admin user.

  2. Go to your Settings > API Keys

  3. Click +Add New

  4. Specify the name and description of the API Key (e.g., Vulcan) and click Generate API-Key again.

  5. Click Save.

  6. Once the API key has been created, click on the three dots and download the JSON file.

  7. Open the JSON file and copy-paste the values of KeyId, secret, and account name to somewhere safe. Example:

    For the account name, you only need to copy the part before ".lacework.net". In this example, it would be "vulcancyber".


Configuring the Lacework Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Lacework icon.

  4. Set up the Connector as follows:

    • Enter the Lacework Application name, Access API Key, and Secret key you generated earlier.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Lacework instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log.

  8. To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the Lacework icon shows Connected, the connection is complete.


Lacework in the Vulcan Platform

Locating Lacework vulnerabilities in the Vulcan Platform

As Lacework discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:

  1. Open the Vulcan Platform dashboard and navigate to Vulnerabilities.

  2. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  3. Locate Lacework on the vulnerability source/Connector list and click to filter results.

  4. Click on any vulnerability to view further information.

Locating Lacework assets in the Vulcan Platform

The Lacework Connector retrieves the Hosts, Images, and Cloud Resources asset types from the Lacework platform. To locate all retrieved assets from Lacework:

  1. Open the Vulcan Cyber dashboard and navigate to Assets.

  2. Click on any of the Hosts/Images/Cloud Resources tabs.

  3. Click on the Search or filter input box and select Connector from the drop-down selection.

  4. Locate the Lacework option to view all synced assets.

Automating actions on vulnerabilities detected by Lacework

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Lacework Connector.

Click here to learn how to create automation in the Vulcan Cyber Platform.


From Lacework to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Lacework through the API to pull relevant vulnerability and asset data and map it to the relevant Vulcan Platform pages and fields.
The following asset types are retrieved and ingested from Lacework and mapped to the Vulcan Platform:

Hosts mapping

| Lacework field | Vulcan field | Value Example |
|---|---|---|
| MID | Asset uniqueness criteria* | 7017305497656357098 |
| HOSTNAME | Asset Name | ip-172-31-6-116.ec6.internal |
| Machine Properties: DEFAULT_ROUTER; TAGS.Zone; TAGS.arch; KERNEL; KERNEL_RELEASE; KERNEL_VERSION; MACHINE_ID; CPU_INFO; MEMORY_INFO | Asset details | 172.37.0.1; us-east-1d; amd64; Linux; 5.4.0-1045-aws; 47-Ubuntu SMP Tue Apr 13 07:02:25 UTC 2021; 701730549654357098; See Machine Properties example |
| Host | Asset Type | |
| TAGS.ExternalIp; TAGS.InternalIp | IP | 44.000.111.22 |
| OS or TAGS.os | OS | Ubuntu |
| Vulcan’s first ingestion date | Created date | |
| RECORD_CREATED_TIME (Last known time) | Last seen date | 2022-12-29T13:00:00.000Z |
| Packages (propagated from Asset-Vulnerability connection) | Packages | |
| tags (machine tags) | Asset Tags | "Account": "348127001078", "AmiId": "ami-0ddbdea833a8d2f0d"… |
| vulnId | Vulnerability uniqueness criteria* | CVE-2022-1271 |
| vulnId | Vulnerability Title | |
| cveProps.description | Vulnerability Description | |
| props.first_time_seen; props.last_updated_time; cveProps.link; severity; cveProps.metadata.NVD.CVSSv3.ImpactScore; Packages (propagated from Asset-Vulnerability connection) | Vulnerability Details | 2022-12-30T13:00:00.000Z; 2022-12-30T13:00:00.000Z; -; Medium; 3.4; - |
| cveProps.metadata.NVD.CVSSv3.Score or cveProps.metadata.NVD.CVSSv2.Score or severity (see Vulnerability Score Mapping) | CVSS | |
| cveProps.metadata.NVD.CVSSv3.Vectors or cveProps.metadata.NVD.CVSSv2.Vectors | CVSS attack vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulnId + mid + featureKey.name + featureKey.version_installed + featureKey.package_path | Asset-Vulnerability connection uniqueness criteria* | |
| props.first_time_seen | First seen | 2022-12-29T13:00:00.000Z |
| props.last_updated_time | Last seen | 2022-12-30T13:00:00.000Z |
| | Status | Vulnerable |

Examples of Hosts retrieved fields and values

Machine Properties example

Packages example

Machine tags (asset tags) example

Vulnerability Description example

Vulnerability details example

CVSS score example

First Seen example

Images mapping

| Lacework field | Vulcan field | Value Example |
|---|---|---|
| imageId | Asset uniqueness criteria* | sha256:bc64362a2152cda8a2…8de1d54d2d40 |
| image_info.repo:evalCtx.image_info.registry:evalCtx.image_info.digest or imageId@containerName | Asset Name | |
| tags.Hostname; evalCtx.image_info.digest or imageId (Vulcan’s sha256); evalCtx.integration_props.NAME or tags.VmProvider (Vulcan’s cloud_type); evalCtx.integration_props.REGISTRY_TYPE or propsContainer.CONTAINER_TYPE (Vulcan’s repository_type); propsContainer.IMAGE_SIZE; propsContainer.IMAGE_REPO; propsContainer.IMAGE_AUTHOR; propsContainer.PRIVILEGED; propsContainer.NETWORK_MODE; tags.Zone; tags | Asset Details | |
| Image | Asset Type | |
| propsContainer.IMAGE_REPO | Repository | Bazel |
| TAGS.ExternalIp, TAGS.InternalIp | IP | 44.000.111.22 |
| tags.os | OS | linux |
| image_info.created_time or propsContainer.IMAGE_CREATED_TIME | Created date | 2022-12-29T13:00:00.000Z |
| image_info.scan_created_time or endTime | Last seen date | 2022-12-29T13:00:00.000Z |
| Packages (propagated from Asset-Vulnerability connection) | Components | |
| tags (a.k.a. machine tags), evalCtx.image_info.tags, IMAGE_TAG | Tags - Vendor's tags | |
| propsContainer.PRIVILEGED | Tags - Additional | |
| vulnId | Vulnerability uniqueness criteria* | CVE-2022-1271 |
| vulnId | Vulnerability title | CVE-2022-1271 |
| evalCtx.vuln_created_time; startTime; severity; cveProps.metadata.NVD.CVSSv3.ImpactScore; cveProps.metadata.NVD.CVSSv3.Score; featureProps.introduced_in (introduced in layer); featureKey.namespace (os distribution); src (file path); Packages (propagated from Asset-Vulnerability connection) | Vulnerability Details | |
| | CVSS | 10 |
| vulnId + mid + featureKey.name + featureKey.version | Asset-Vulnerability connection uniqueness criteria* | 2023-02-03T14:00:00.000Z |
| evalCtx.vuln_created_time | First seen | 2023-02-03T14:00:00.000Z |
| startTime | Last seen | |
| src | Location path | |
| status (See Vulnerability Status Mapping - Image) | Status | Vulnerable |

Examples of Images retrieved fields and values

Container/Image example

Packages example

Vendor tags example

Vulnerability details example

Cloud Resources mapping

| Lacework field | Vulcan field | Value Example |
|---|---|---|
| urn or resource | Asset uniqueness criteria* | arn:aws:ec2:us-east-2:348165401078:volume/vol-01b7e944cc15418dd |
| urn or resource | Name | arn:aws:ec2:us-east-2:34813564361078:volume/vol-01b7e654c15418dd |
| urn or resource | ID | arn:aws:ec2:us-east-2:34817651078:volume/vol-01bt6y944cc154167hdd |
| csp | Cloud (provider) | AWS |
| cloudDetails; resourceConfig; resourceId; resourceRegion; resourceType or constraintFields (corresponds to Vulcan’s resource_type); service | Asset Details | {"accountID": "348126541078"}; {"AliasArn": "arn:aws:kms:eu-…}; alias/aws/rds; eu-north-1; kms:alias; ec2 |
| cloud_resource | Type | |
| Vulcan’s first ingestion date | Created date | |
| endTime or reportTime | Last seen date | 2023-02-14T07:58:21.185Z |
| cloudDetails, resourceRegion, resourceTags, region | Tags - Additional | |
| id | Vulnerability uniqueness criteria* | AWS_CIS_1_2 |
| recommendation | Vulnerability Title | "User/Root password is enabled but MFA is not active" |
| description | Vulnerability Description | |
| severity; lacework_info; lacework_id; tags | Vulnerability Details | Medium; General Security |
| | CVSS | 10 |
| id + urn or resource | Asset-Vulnerability connection uniqueness criteria | |
| Vulcan’s first ingestion date | First seen | |
| reportTime | Last seen | 2023-02-14T07:58:21.185Z |
| Vulnerable | Status | vulnerable |
| id | Solution uniqueness criteria* | AWS_CIS_1_2 |
| Fix for recommendation | Fix title | |
| remediation | Fix description | "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" |
| references | Fix reference | |

*Uniqueness criteria are a set of criteria whose combination determines the uniqueness of a vulnerability or an asset. The set includes:

  • Asset - token (domain)

  • Vulnerability title

  • Solution title

  • Vulnerability-Asset connection (Title + URL)

Vulnerability status mapping - Host

| Lacework Status | Vulcan Status |
|---|---|
| Active; New | Vulnerable |
| Fixed | Fixed |

Vulnerability status mapping - Image

| Lacework Status | Vulcan Status |
|---|---|
| Vulnerable | Vulnerable |
| Good | Fixed |

Vulnerability score mapping

| Lacework score | Vulcan score |
|---|---|
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| Information | 0 |

Update Mechanisms

Status update mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the Lacework connector.

| Update type | Mechanism |
|---|---|
| Archiving Assets | An asset not found on the connector's last sync is archived and no longer presented on the Vulcan platform. |
| Change of Image vulnerability instances status from "Vulnerable" to "Fixed" | When the vulnerability status on the vendor changes to "GOOD"; when the vulnerability no longer appears in the scan findings |
| Change of Cloud Resources vulnerability instances status from "Vulnerable" to "Fixed" | When the vulnerability no longer appears in the scan findings |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).


API

API Endpoints in use

| API | Use in Vulcan | Permissions required |
|---|---|---|
| https://{application}.lacework.net/api/v2/access/tokens | Generate access tokens for running other APIs | None |
| https://{application}.lacework.net/api/v2/Entities/Containers/search | Assets (images: image + container) | None |
| https://{application}.lacework.net/api/v2/Entities/Machines/search | Host IDs for running other APIs | None |
| https://{application}.lacework.net/api/v2/Queries/execute | Assets (hosts) | None |
| https://{application}.lacework.net/api/v2/Hosts/search | Vulnerabilities and solutions (hosts) | None |
| https://{application}.lacework.net/api/v2/Vulnerabilities/Containers/search | Assets (images: registry) and vulnerabilities | None |
| https://{application}.lacework.net/api/v2/Configs/ComplianceEvaluations/search | Vulnerabilities and solutions (cloud resources) | None |
| https://{application}.lacework.net/api/v2/Inventory/search | Assets (cloud resources) | None |
| https://{application}.lacework.net/api/v2/Policies | Vulnerabilities (cloud resources) | None |


Data Validation

How do I validate and compare the data between Lacework and the Vulcan Platform?

Asset count validation

First, when comparing the data, make sure to filter by the Latest Day on Lacework. This is the time frame for which data is pulled into Vulcan.

Hosts count validation

The number of unique machines should match the Lacework Host number on the Vulcan Platform. Lacework’s machines are mapped into Vulcan Hosts by MID.

To validate:

  1. On Lacework, go to Resources > Host > Machines > Unique Machines

  2. On the Vulcan Platform, go to Assets > Hosts

  3. Filter by Connector - Lacework

Images count validation

The total number of Lacework Registry/ECR and DOCKER containers should match the number of Lacework Images on the Vulcan Platform.

  • Lacework Containers type DOCKER are mapped into Vulcan Image as docker type without linked vulnerabilities.

  • Lacework Containers type Registry/ECR are mapped into Vulcan Image including the vulnerabilities connections.

To validate:

  1. On Lacework, go to Vulnerabilities > Containers > All Images

  2. Group the images by Image ID and make sure no other filter is applied. In the example below, 18 Registry/ECR images were found on top of a single DOCKER.

  3. On Vulcan, go to Assets > Images

  4. Filter by Connector - Lacework. The Vulcan Platform displays 19 images: 18 images with vulnerabilities (Registry/ECR) and one DOCKER container from the containers view on Lacework.

Cloud Resources count validation

The total number of Lacework Registry/ECR and DOCKER containers should match the number of Lacework Images on the Vulcan Platform.

  • Lacework Containers type DOCKER are mapped into Vulcan Image as docker type without linked vulnerabilities.

  • Lacework Containers type Registry/ECR are mapped into Vulcan Image including the vulnerabilities connections.

To validate:

  1. On Lacework, go to Resources and open each of AWS, GCP and Azure inventories.

  2. Click to download the Summary Report of each inventory.

  3. Open each report and filter out Resource name duplications to get the cloud resources count.

    The cloud resources count, plus the number of cloud accounts integrated with Lacework and the number of regions tracked by Lacework, should equal the ingested Cloud Resources assets count on the Vulcan Platform.

Asset-Vulnerability count validation

Host-vulnerability connection count

The CVEs count on Lacework should match the unique CVEs count on the Vulcan Hosts. However, in case there are several vulnerability connections on the same host, the CVEs count on the Vulcan Platform might be higher than the one observed on Lacework.

  1. In Lacework, go to Vulnerabilities > Hosts

  2. Group by Host and reset any other applied filter.

  3. On the Vulcan Platform, go to Assets > Hosts

  4. Filter by Connector - Lacework
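The host comparison above, worked through as an added example (not Vulcan or Lacework code): it applies the Hosts-table connection uniqueness criteria and the CVSS fallback with the score mapping table to show why connection counts can exceed unique CVE counts. Assumptions: the nested record layout is inferred from the dotted field names, the "or" in the CVSS row is read as left-to-right precedence, and the helper names, sample records, and the placeholder id CVE-0000-0001 are constructed.

```python
from collections import defaultdict

# Severity-to-score table from "Vulnerability score mapping" on this page.
SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 5, "low": 3, "information": 0}

def dig(record, dotted):
    """Walk a dotted path such as 'featureKey.name'; None if any part is absent."""
    node = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def cvss(record):
    """CVSSv3 score, else CVSSv2 score, else the mapped severity label."""
    for path in ("cveProps.metadata.NVD.CVSSv3.Score",
                 "cveProps.metadata.NVD.CVSSv2.Score"):
        score = dig(record, path)
        if score is not None:  # a legitimate score of 0 must not fall through
            return float(score)
    sev = str(record.get("severity", "")).lower()
    return float(SEVERITY_SCORE[sev]) if sev in SEVERITY_SCORE else None

def connection_key(record):
    """Hosts-table uniqueness criteria for an asset-vulnerability connection."""
    return (record["vulnId"], record["mid"], dig(record, "featureKey.name"),
            dig(record, "featureKey.version_installed"),
            dig(record, "featureKey.package_path"))

def summarize(records):
    """Map each host (mid) to (unique CVE count, unique connection count)."""
    cves, conns = defaultdict(set), defaultdict(set)
    for r in records:
        cves[r["mid"]].add(r["vulnId"])
        conns[r["mid"]].add(connection_key(r))
    return {mid: (len(cves[mid]), len(conns[mid])) for mid in cves}

def pkg(name, version):
    return {"name": name, "version_installed": version, "package_path": ""}

V3 = {"metadata": {"NVD": {"CVSSv3": {"Score": 8.8}}}}
# Constructed sample records; nested layout and the placeholder CVE id are assumptions.
SAMPLE = [
    {"vulnId": "CVE-2022-1271", "mid": 1001, "featureKey": pkg("gzip", "1.10"), "cveProps": V3},
    {"vulnId": "CVE-2022-1271", "mid": 1001, "featureKey": pkg("xz-utils", "5.2"), "cveProps": V3},
    {"vulnId": "CVE-2022-1271", "mid": 1001, "featureKey": pkg("gzip", "1.10"), "cveProps": V3},
    {"vulnId": "CVE-0000-0001", "mid": 1001, "featureKey": pkg("demo", "1.0"), "severity": "High"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))  # one host: 2 unique CVEs, 3 connections
```

The third sample record repeats the first and collapses under the connection key, while the same CVE on two different packages remains two connections.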

Image-vulnerability connection count

The CVEs count on Lacework should match the unique CVEs count on the Vulcan Images. However, in case there are several vulnerability connections on the same host, the CVEs count on the Vulcan Platform might be higher than the one observed on Lacework.

  1. In Lacework, go to Vulnerabilities > Containers > All Images

  2. Group the images by Image ID and make sure no other filter is applied.

  3. On the Vulcan Platform, go to Assets > Images

  4. Filter by Connector - Lacework
