Lacework

This Integration is part of the Lacework Pack.

Lacework provides end-to-end cloud security automation for AWS, Azure, and GCP with a comprehensive view of risks across cloud workloads and containers. This integration was integrated and tested with version 2 of the Lacework APIs.

Configure Lacework on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services.
Search for Lacework.
Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
Lacework Account Name (i.e. Sub-Domain of the URL: <ACCOUNT>.lacework.net) | True |
Lacework Sub-Account Name (If Required) | False |
Lacework API Key | True |
Lacework API Secret | True |
Lacework Alert Severity Threshold | True |
Fetch incidents | False |
Incident type | False |
Lacework Alert History to Import (in days) | False |

Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lw-get-alert-details

Fetch details for a specific Alert in Lacework.

Base Command

lw-get-alert-details

Input

Argument Name | Description | Required |
---|---|---|
alert_id | The Lacework Alert ID to be retrieved. | Required |
scope | The scope of data to retrieve from Lacework for the specified Alert ID. Possible values are: Details, Investigation, Events, RelatedAlerts, Integrations, Timeline. Default is Details. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Alert.startTime | Date | The start time of the alert. |
Lacework.Alert.endTime | Date | The end time of the alert. |
Lacework.Alert.alertType | String | The type of the alert. |
Lacework.Alert.alertName | String | The name of the alert. |
Lacework.Alert.alertId | String | The ID of the alert. |
Lacework.Alert.severity | String | The severity of the alert. |
Lacework.Alert.status | String | The status of the alert. |
Lacework.Alert.alertInfo.description | String | The alert description, which explains why the potential threat occurred. |
Lacework.Alert.alertInfo.subject | String | The alert subject. In some cases, the alert subject can be the same as the alert name. |
Lacework.Alert.entityMap | Unknown | The entity map for the alert. |

lw-get-aws-compliance-assessment

Fetch the latest AWS compliance data from Lacework.

Base Command

lw-get-aws-compliance-assessment

Input

Argument Name | Description | Required |
---|---|---|
account_id | The AWS Account ID to use when fetching compliance data. | Required |
report_type | The Report Type to fetch from Lacework. Possible values are: AWS_CIS_S3, HIPAA, ISO_2700, NIST_800-53_Rev4, NIST_800-171_Rev2, PCI, SOC. Default is AWS_CIS_S3. | Optional |
rec_id | Setting the 'rec_id' will filter compliance results for the specified Recommendation ID. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Compliance.reportType | String | The Type of the compliance report. |
Lacework.Compliance.reportTitle | String | The Title of the compliance report. |
Lacework.Compliance.recommendations.SUPPRESSIONS | String | The suppressions for the current recommendation. |
Lacework.Compliance.recommendations.INFO_LINK | String | The URL to the compliance violation information. |
Lacework.Compliance.recommendations.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources for the violation. |
Lacework.Compliance.recommendations.STATUS | String | The status of the recommendation. |
Lacework.Compliance.recommendations.REC_ID | String | The ID of the recommendation. |
Lacework.Compliance.recommendations.CATEGORY | String | The category of the recommendation. |
Lacework.Compliance.recommendations.SERVICE | String | The service associated with the recommendation. |
Lacework.Compliance.recommendations.TITLE | String | The title of the recommendation. |
Lacework.Compliance.recommendations.VIOLATIONS.region | String | The region of the violating resource. |
Lacework.Compliance.recommendations.VIOLATIONS.reasons | String | The reason for the violation. |
Lacework.Compliance.recommendations.VIOLATIONS.resource | String | The resource causing the violation. |
Lacework.Compliance.recommendations.RESOURCE_COUNT | Number | The number of resources associated with the compliance failure. |
Lacework.Compliance.recommendations.SEVERITY | Number | The severity of the compliance failure. |
Lacework.Compliance.summary.NUM_RECOMMENDATIONS | Number | The number of recommendations contained in the report. |
Lacework.Compliance.summary.NUM_SEVERITY_2_NON_COMPLIANCE | Number | The number of Severity 2 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_4_NON_COMPLIANCE | Number | The number of Severity 4 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_1_NON_COMPLIANCE | Number | The number of severity 1 compliance violations. |
Lacework.Compliance.summary.NUM_COMPLIANT | Number | The number of compliant resources. |
Lacework.Compliance.summary.NUM_SEVERITY_3_NON_COMPLIANCE | Number | The number of severity 3 compliance violations. |
Lacework.Compliance.summary.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources. |
Lacework.Compliance.summary.NUM_SUPPRESSED | Number | The number of suppressed alerts. |
Lacework.Compliance.summary.NUM_SEVERITY_5_NON_COMPLIANCE | Number | The number of severity 5 compliance violations. |
Lacework.Compliance.summary.NUM_NOT_COMPLIANT | Number | The number of resources not in compliance. |
Lacework.Compliance.summary.VIOLATED_RESOURCE_COUNT | Number | The number of resources violating compliance. |
Lacework.Compliance.summary.SUPPRESSED_RESOURCE_COUNT | Number | The number of resources with suppressed violations. |
Lacework.Compliance.accountId | String | The AWS account ID. |
Lacework.Compliance.accountAlias | String | The AWS account alias. |
Lacework.Compliance.tenantId | String | The Azure tenant ID. |
Lacework.Compliance.tenantName | String | The Azure tenant name. |
Lacework.Compliance.subscriptionId | String | The Azure subscription ID. |
Lacework.Compliance.subscriptionName | String | The Azure subscription name. |
Lacework.Compliance.projectId | String | The GCP project ID. |
Lacework.Compliance.projectName | String | The GCP project name. |
Lacework.Compliance.organizationId | String | The GCP organization ID. |
Lacework.Compliance.organizationName | String | The GCP organization name. |
Lacework.Compliance.reportTime | String | The time the report completed. |

lw-get-azure-compliance-assessment

Fetch the latest Azure compliance data from Lacework.

Base Command

lw-get-azure-compliance-assessment

Input

Argument Name | Description | Required |
---|---|---|
tenant_id | The Azure Tenant ID to use when fetching compliance data. | Required |
subscription_id | The Azure Subscription ID to use when fetching compliance data. | Required |
report_type | The Report Type to fetch from Lacework. Possible values are: AZURE_CIS, AZURE_PCI, AZURE_SOC. Default is AZURE_CIS. | Optional |
rec_id | Setting the 'rec_id' will filter compliance results for the specified Recommendation ID. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Compliance.reportType | String | The Type of the compliance report. |
Lacework.Compliance.reportTitle | String | The Title of the compliance report. |
Lacework.Compliance.recommendations.SUPPRESSIONS | String | The suppressions for the current recommendation. |
Lacework.Compliance.recommendations.INFO_LINK | String | The URL to the compliance violation information. |
Lacework.Compliance.recommendations.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources for the violation. |
Lacework.Compliance.recommendations.STATUS | String | The status of the recommendation. |
Lacework.Compliance.recommendations.REC_ID | String | The ID of the recommendation. |
Lacework.Compliance.recommendations.CATEGORY | String | The category of the recommendation. |
Lacework.Compliance.recommendations.SERVICE | String | The service associated with the recommendation. |
Lacework.Compliance.recommendations.TITLE | String | The title of the recommendation. |
Lacework.Compliance.recommendations.VIOLATIONS.region | String | The region of the violating resource. |
Lacework.Compliance.recommendations.VIOLATIONS.reasons | String | The reason for the violation. |
Lacework.Compliance.recommendations.VIOLATIONS.resource | String | The resource causing the violation. |
Lacework.Compliance.recommendations.RESOURCE_COUNT | Number | The number of resources associated with the compliance failure. |
Lacework.Compliance.recommendations.SEVERITY | Number | The severity of the compliance failure. |
Lacework.Compliance.summary.NUM_RECOMMENDATIONS | Number | The number of recommendations contained in the report. |
Lacework.Compliance.summary.NUM_SEVERITY_2_NON_COMPLIANCE | Number | The number of Severity 2 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_4_NON_COMPLIANCE | Number | The number of Severity 4 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_1_NON_COMPLIANCE | Number | The number of severity 1 compliance violations. |
Lacework.Compliance.summary.NUM_COMPLIANT | Number | The number of compliant resources. |
Lacework.Compliance.summary.NUM_SEVERITY_3_NON_COMPLIANCE | Number | The number of severity 3 compliance violations. |
Lacework.Compliance.summary.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources. |
Lacework.Compliance.summary.NUM_SUPPRESSED | Number | The number of suppressed alerts. |
Lacework.Compliance.summary.NUM_SEVERITY_5_NON_COMPLIANCE | Number | The number of severity 5 compliance violations. |
Lacework.Compliance.summary.NUM_NOT_COMPLIANT | Number | The number of resources not in compliance. |
Lacework.Compliance.summary.VIOLATED_RESOURCE_COUNT | Number | The number of resources violating compliance. |
Lacework.Compliance.summary.SUPPRESSED_RESOURCE_COUNT | Number | The number of resources with suppressed violations. |
Lacework.Compliance.accountId | String | The AWS account ID. |
Lacework.Compliance.accountAlias | String | The AWS account alias. |
Lacework.Compliance.tenantId | String | The Azure tenant ID. |
Lacework.Compliance.tenantName | String | The Azure tenant name. |
Lacework.Compliance.subscriptionId | String | The Azure subscription ID. |
Lacework.Compliance.subscriptionName | String | The Azure subscription name. |
Lacework.Compliance.projectId | String | The GCP project ID. |
Lacework.Compliance.projectName | String | The GCP project name. |
Lacework.Compliance.organizationId | String | The GCP organization ID. |
Lacework.Compliance.organizationName | String | The GCP organization name. |
Lacework.Compliance.reportTime | String | The time the report completed. |

lw-get-gcp-compliance-assessment

Fetch the latest GCP compliance data from Lacework.

Base Command

lw-get-gcp-compliance-assessment

Input

Argument Name | Description | Required |
---|---|---|
project_id | The GCP Project ID to use when fetching compliance data. | Required |
report_type | The Report Type to fetch from Lacework. Possible values are: GCP_CIS, GCP_PCI, GCP_SOC. Default is GCP_CIS. | Optional |
rec_id | Setting the 'rec_id' will filter compliance results for the specified Recommendation ID. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Compliance.reportType | String | The Type of the compliance report. |
Lacework.Compliance.reportTitle | String | The Title of the compliance report. |
Lacework.Compliance.recommendations.SUPPRESSIONS | String | The suppressions for the current recommendation. |
Lacework.Compliance.recommendations.INFO_LINK | String | The URL to the compliance violation information. |
Lacework.Compliance.recommendations.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources for the violation. |
Lacework.Compliance.recommendations.STATUS | String | The status of the recommendation. |
Lacework.Compliance.recommendations.REC_ID | String | The ID of the recommendation. |
Lacework.Compliance.recommendations.CATEGORY | String | The category of the recommendation. |
Lacework.Compliance.recommendations.SERVICE | String | The service associated with the recommendation. |
Lacework.Compliance.recommendations.TITLE | String | The title of the recommendation. |
Lacework.Compliance.recommendations.VIOLATIONS.region | String | The region of the violating resource. |
Lacework.Compliance.recommendations.VIOLATIONS.reasons | String | The reason for the violation. |
Lacework.Compliance.recommendations.VIOLATIONS.resource | String | The resource causing the violation. |
Lacework.Compliance.recommendations.RESOURCE_COUNT | Number | The number of resources associated with the compliance failure. |
Lacework.Compliance.recommendations.SEVERITY | Number | The severity of the compliance failure. |
Lacework.Compliance.summary.NUM_RECOMMENDATIONS | Number | The number of recommendations contained in the report. |
Lacework.Compliance.summary.NUM_SEVERITY_2_NON_COMPLIANCE | Number | The number of Severity 2 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_4_NON_COMPLIANCE | Number | The number of Severity 4 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_1_NON_COMPLIANCE | Number | The number of severity 1 compliance violations. |
Lacework.Compliance.summary.NUM_COMPLIANT | Number | The number of compliant resources. |
Lacework.Compliance.summary.NUM_SEVERITY_3_NON_COMPLIANCE | Number | The number of severity 3 compliance violations. |
Lacework.Compliance.summary.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources. |
Lacework.Compliance.summary.NUM_SUPPRESSED | Number | The number of suppressed alerts. |
Lacework.Compliance.summary.NUM_SEVERITY_5_NON_COMPLIANCE | Number | The number of severity 5 compliance violations. |
Lacework.Compliance.summary.NUM_NOT_COMPLIANT | Number | The number of resources not in compliance. |
Lacework.Compliance.summary.VIOLATED_RESOURCE_COUNT | Number | The number of resources violating compliance. |
Lacework.Compliance.summary.SUPPRESSED_RESOURCE_COUNT | Number | The number of resources with suppressed violations. |
Lacework.Compliance.accountId | String | The AWS account ID. |
Lacework.Compliance.accountAlias | String | The AWS account alias. |
Lacework.Compliance.tenantId | String | The Azure tenant ID. |
Lacework.Compliance.tenantName | String | The Azure tenant name. |
Lacework.Compliance.subscriptionId | String | The Azure subscription ID. |
Lacework.Compliance.subscriptionName | String | The Azure subscription name. |
Lacework.Compliance.projectId | String | The GCP project ID. |
Lacework.Compliance.projectName | String | The GCP project name. |
Lacework.Compliance.organizationId | String | The GCP organization ID. |
Lacework.Compliance.organizationName | String | The GCP organization name. |
Lacework.Compliance.reportTime | String | The time the report completed. |

lw-get-gcp-projects-by-organization

Fetch a list of GCP projects that are under an organization.

Base Command

lw-get-gcp-projects-by-organization

Input

Argument Name | Description | Required |
---|---|---|
organization_id | The GCP Organization ID to use when fetching projects data. | Required |

Context Output

Path | Type | Description |
---|---|---|
Lacework.GCP.organization | String | The GCP Organization. |
Lacework.GCP.projects | String | The GCP Projects associated with the Organization. |

lw-get-compliance-report

Fetch a specified compliance report from Lacework.

Base Command

lw-get-compliance-report

Input

Argument Name | Description | Required |
---|---|---|
primary_query_id | The primary ID that is used to fetch the report; for example, AWS Account ID or Azure Tenant ID. | Optional |
secondary_query_id | The secondary ID that is used to fetch the report; for example, GCP Project ID or Azure Subscription ID. | Optional |
report_name | The report definition's name that is used when generating the report. | Optional |
report_type | The report's notification type; for example, AZURE_NIST_CSF. Possible values are: AZURE_CIS, AZURE_CIS_131, AZURE_SOC, AZURE_SOC_Rev2, AZURE_PCI, AZURE_PCI_Rev2, AZURE_ISO_27001, AZURE_NIST_CSF, AZURE_NIST_800_53_REV5, AZURE_NIST_800_171_REV2, AZURE_HIPAA, AWS_CIS_S3, NIST_800-53_Rev4, NIST_800-171_Rev2, ISO_2700, HIPAA, SOC, AWS_SOC_Rev2, GCP_HIPAA, PCI, GCP_CIS, GCP_SOC, GCP_CIS12, GCP_K8S, GCP_PCI_Rev2, GCP_SOC_Rev2, GCP_HIPAA_Rev2, GCP_ISO_27001, GCP_NIST_CSF, GCP_NIST_800_53_REV4, GCP_NIST_800_171_REV2, GCP_PCI, AWS_CIS_14, GCP_CIS13, AWS_CMMC_1.02, AWS_HIPAA, AWS_ISO_27001:2013, AWS_NIST_CSF, AWS_NIST_800-171_rev2, AWS_NIST_800-53_rev5, AWS_PCI_DSS_3.2.1, AWS_SOC_2, LW_AWS_SEC_ADD_1_0. Default is LW_AWS_SEC_ADD_1_0. | Optional |
template_name | The template's name that is used for the report; for example, Default. Default is Default. | Required |
rec_id | Setting the 'rec_id' will filter compliance results for the specified Recommendation ID. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Compliance.reportType | String | The Type of the compliance report. |
Lacework.Compliance.reportTitle | String | The Title of the compliance report. |
Lacework.Compliance.recommendations.SUPPRESSIONS | String | The suppressions for the current recommendation. |
Lacework.Compliance.recommendations.INFO_LINK | String | The URL to the compliance violation information. |
Lacework.Compliance.recommendations.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources for the violation. |
Lacework.Compliance.recommendations.STATUS | String | The status of the recommendation. |
Lacework.Compliance.recommendations.REC_ID | String | The ID of the recommendation. |
Lacework.Compliance.recommendations.CATEGORY | String | The category of the recommendation. |
Lacework.Compliance.recommendations.SERVICE | String | The service associated with the recommendation. |
Lacework.Compliance.recommendations.TITLE | String | The title of the recommendation. |
Lacework.Compliance.recommendations.VIOLATIONS.region | String | The region of the violating resource. |
Lacework.Compliance.recommendations.VIOLATIONS.reasons | String | The reason for the violation. |
Lacework.Compliance.recommendations.VIOLATIONS.resource | String | The resource causing the violation. |
Lacework.Compliance.recommendations.RESOURCE_COUNT | Number | The number of resources associated with the compliance failure. |
Lacework.Compliance.recommendations.SEVERITY | Number | The severity of the compliance failure. |
Lacework.Compliance.summary.NUM_RECOMMENDATIONS | Number | The number of recommendations contained in the report. |
Lacework.Compliance.summary.NUM_SEVERITY_2_NON_COMPLIANCE | Number | The number of Severity 2 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_4_NON_COMPLIANCE | Number | The number of Severity 4 compliance violations. |
Lacework.Compliance.summary.NUM_SEVERITY_1_NON_COMPLIANCE | Number | The number of severity 1 compliance violations. |
Lacework.Compliance.summary.NUM_COMPLIANT | Number | The number of compliant resources. |
Lacework.Compliance.summary.NUM_SEVERITY_3_NON_COMPLIANCE | Number | The number of severity 3 compliance violations. |
Lacework.Compliance.summary.ASSESSED_RESOURCE_COUNT | Number | The number of assessed resources. |
Lacework.Compliance.summary.NUM_SUPPRESSED | Number | The number of suppressed alerts. |
Lacework.Compliance.summary.NUM_SEVERITY_5_NON_COMPLIANCE | Number | The number of severity 5 compliance violations. |
Lacework.Compliance.summary.NUM_NOT_COMPLIANT | Number | The number of resources not in compliance. |
Lacework.Compliance.summary.VIOLATED_RESOURCE_COUNT | Number | The number of resources violating compliance. |
Lacework.Compliance.summary.SUPPRESSED_RESOURCE_COUNT | Number | The number of resources with suppressed violations. |
Lacework.Compliance.accountId | String | The AWS account ID. |
Lacework.Compliance.accountAlias | String | The AWS account alias. |
Lacework.Compliance.tenantId | String | The Azure tenant ID. |
Lacework.Compliance.tenantName | String | The Azure tenant name. |
Lacework.Compliance.subscriptionId | String | The Azure subscription ID. |
Lacework.Compliance.subscriptionName | String | The Azure subscription name. |
Lacework.Compliance.projectId | String | The GCP project ID. |
Lacework.Compliance.projectName | String | The GCP project name. |
Lacework.Compliance.organizationId | String | The GCP organization ID. |
Lacework.Compliance.organizationName | String | The GCP organization name. |
Lacework.Compliance.reportTime | String | The time the report completed. |

lw-get-container-vulnerabilities

Fetch container vulnerability information from Lacework.

Base Command

lw-get-container-vulnerabilities

Input

Argument Name | Description | Required |
---|---|---|
start_time | A "%Y-%m-%dT%H:%M:%SZ" structured timestamp to begin from. (ex. "2020-01-01T01:10:00Z"). | Optional |
end_time | A "%Y-%m-%dT%H:%M:%SZ" structured timestamp to end at. (ex. "2020-01-01T01:10:00Z"). | Optional |
filters | An array of objects to add information to refine your search results. | Optional |
returns | An array of strings to specify which top-level fields of the response schema you want to receive. | Optional |
limit | An integer representing a limit on the number of results to return. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Vulnerability.Container.evalCtx.exception_props | String | The exception properties that were applied in the evaluation |
Lacework.Vulnerability.Container.evalCtx.image_info | Date | The image information for the container scanned in the evaluation |
Lacework.Vulnerability.Container.evalCtx.integration_props | String | The properties of the integration that performed the evaluation |
Lacework.Vulnerability.Container.evalCtx.is_reeval | Boolean | A boolean representing whether the evaluation was a re-evaluation |
Lacework.Vulnerability.Container.evalCtx.request_source | String | The source of the evaluation request |
Lacework.Vulnerability.Container.evalCtx.scan_batch_id | String | The scan batch ID for the evaluation |
Lacework.Vulnerability.Container.evalCtx.scan_request_props | String | The scan request properties for the evaluation |
Lacework.Vulnerability.Container.evalCtx.vuln_batch_id | String | The vulnerability batch ID for the evaluation |
Lacework.Vulnerability.Container.evalCtx.vuln_created_time | Date | The time at which the vulnerability was created |
Lacework.Vulnerability.Container.featureKey.name | String | The name of the package identified in the evaluation |
Lacework.Vulnerability.Container.featureKey.namespace | String | The namespace of the package identified in the evaluation |
Lacework.Vulnerability.Container.featureKey.version | String | The version of the package identified in the evaluation |
Lacework.Vulnerability.Container.featureProps.feed | String | The type of data feed used in the evaluation |
Lacework.Vulnerability.Container.featureProps.introduced_in | String | The Dockerfile command which introduced the vulnerability |
Lacework.Vulnerability.Container.featureProps.layer | String | The SHA256 hash of the layer which introduced the vulnerability |
Lacework.Vulnerability.Container.featureProps.src | String | The path within the container identifying the source of the vulnerability data |
Lacework.Vulnerability.Container.featureProps.version_format | String | The format of the version data for the vulnerable package |
Lacework.Vulnerability.Container.fixInfo.fix_available | Number | An integer representing whether a fix is available for the vulnerability |
Lacework.Vulnerability.Container.fixInfo.fixed_version | String | The version in which the vulnerability is fixed for the CVE and package |
Lacework.Vulnerability.Container.imageId | String | The image ID of the container identified in the evaluation |
Lacework.Vulnerability.Container.severity | String | The severity of the vulnerability identified in the evaluation |
Lacework.Vulnerability.Container.startTime | Date | The start time for the vulnerability evaluation |
Lacework.Vulnerability.Container.status | String | The status of the vulnerability identified in the evaluation |
Lacework.Vulnerability.Container.vulnId | String | The vulnerability ID (CVE, ALAS, etc.) |
Lacework.Vulnerability.Container.vulnHash | String | A unique hash of all data contained in the vulnerability |

lw-get-host-vulnerabilities

Fetch host vulnerability information from Lacework.

Base Command

lw-get-host-vulnerabilities

Input

Argument Name | Description | Required |
---|---|---|
start_time | A "%Y-%m-%dT%H:%M:%SZ" structured timestamp to begin from. (ex. "2020-01-01T01:10:00Z"). | Optional |
end_time | A "%Y-%m-%dT%H:%M:%SZ" structured timestamp to end at. (ex. "2020-01-01T01:10:00Z"). | Optional |
filters | An array of objects to add information to refine your search results. | Optional |
returns | An array of strings to specify which top-level fields of the response schema you want to receive. | Optional |
limit | An integer representing a limit on the number of results to return. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Lacework.Vulnerability.Host.cveProps.description | String | The CVE Properties description |
Lacework.Vulnerability.Host.cveProps.link | String | The CVE Properties description URL |
Lacework.Vulnerability.Host.endTime | Date | The end time for the vulnerability evaluation period |
Lacework.Vulnerability.Host.evalCtx.exception_props.status | String | The status of any exception properties for the evaluation |
Lacework.Vulnerability.Host.evalCtx.hostname | String | The hostname of the host assessed in the evaluation |
Lacework.Vulnerability.Host.evalCtx.mc_eval_guid | String | The GUID for the evaluation |
Lacework.Vulnerability.Host.featureKey.name | String | The name of the package identified in the evaluation |
Lacework.Vulnerability.Host.featureKey.namespace | String | The namespace of the package identified in the evaluation |
Lacework.Vulnerability.Host.featureKey.package_active | Number | An integer representing whether the package is Active on the host |
Lacework.Vulnerability.Host.featureKey.version_installed | String | The version of the package identified in the evaluation |
Lacework.Vulnerability.Host.fixInfo.fix_available | String | An integer representing whether a fix is available for the vulnerability |
Lacework.Vulnerability.Host.fixInfo.fixed_version | String | The version in which the vulnerability is fixed for the CVE and package |
Lacework.Vulnerability.Host.machineTags | String | A string representing the machine tags in key/value pairs |
Lacework.Vulnerability.Host.mid | String | The machine ID for the host identified in the evaluation |
Lacework.Vulnerability.Host.severity | String | The severity of the vulnerability identified in the evaluation |
Lacework.Vulnerability.Host.startTime | Date | The start time for the vulnerability evaluation period |
Lacework.Vulnerability.Host.status | String | The status of the vulnerability identified in the evaluation |
Lacework.Vulnerability.Host.vulnId | String | The vulnerability ID (CVE, ALAS, etc.) |
Lacework.Vulnerability.Host.vulnHash | String | A unique hash of all data contained in the vulnerability |
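
A triage sketch over the `Lacework.Vulnerability.Host` context output documented above, added here as an example and not part of the integration's own code. It builds a `start_time`/`end_time` window in the documented format and groups fixable findings by host and package; the severity labels, the reading of a non-zero `fix_available` as "fix exists", the helper names and every sample value are assumptions.

```python
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # format documented for start_time / end_time
# Assumption: severity labels and their order; the page does not enumerate them.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def build_window_args(start, end, limit=None):
    """Return start_time/end_time/limit arguments for a validated UTC window."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; the trailing Z means UTC")
    start, end = start.astimezone(timezone.utc), end.astimezone(timezone.utc)
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    args = {"start_time": start.strftime(TS_FORMAT),
            "end_time": end.strftime(TS_FORMAT)}
    if limit is not None:
        if int(limit) < 1:
            raise ValueError("limit must be a positive integer")
        args["limit"] = int(limit)
    return args


def fix_is_available(value):
    """Normalise fixInfo.fix_available, typed Number for containers, String for hosts.

    Assumption: any non-zero integer means a fix exists.
    """
    if isinstance(value, (int, float)):
        return value != 0
    try:
        return int(str(value).strip()) != 0
    except ValueError:
        return False


def patch_plan(host_entries, min_severity="high"):
    """Group fixable host findings at or above min_severity by host and package."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    seen, plan = set(), {}
    for entry in host_entries:
        # vulnHash is documented as unique per finding: drop repeats in the window.
        vuln_hash = entry.get("vulnHash")
        if vuln_hash is not None:
            if vuln_hash in seen:
                continue
            seen.add(vuln_hash)
        # Unrecognised severity labels rank as most severe so they are not dropped.
        rank = SEVERITY_RANK.get(str(entry.get("severity", "")).lower(), 0)
        fix = entry.get("fixInfo") or {}
        if rank > threshold or not fix_is_available(fix.get("fix_available")):
            continue
        host = (entry.get("evalCtx") or {}).get("hostname", "unknown-host")
        feature = entry.get("featureKey") or {}
        pkg = plan.setdefault(host, {}).setdefault(
            feature.get("name", "unknown-package"),
            {"installed": feature.get("version_installed"),
             "fixed_versions": set(), "vuln_ids": set()})
        pkg["fixed_versions"].add(fix.get("fixed_version"))
        pkg["vuln_ids"].add(entry.get("vulnId"))
    return plan


def sample_finding(vuln_hash, vuln_id, severity, host, package, installed, fix, fixed):
    """Build one constructed entry shaped like Lacework.Vulnerability.Host."""
    return {"vulnHash": vuln_hash, "vulnId": vuln_id, "severity": severity,
            "evalCtx": {"hostname": host},
            "featureKey": {"name": package, "version_installed": installed},
            "fixInfo": {"fix_available": fix, "fixed_version": fixed}}


# Constructed sample data; hashes, IDs, hosts and versions are placeholders.
SAMPLE = [
    sample_finding("h1", "CVE-0000-0001", "Critical", "web-01", "openssl", "1.0", "1", "1.1"),
    sample_finding("h1", "CVE-0000-0001", "Critical", "web-01", "openssl", "1.0", "1", "1.1"),
    sample_finding("h2", "CVE-0000-0002", "High", "web-01", "openssl", "1.0", 1, "1.2"),
    sample_finding("h3", "CVE-0000-0003", "High", "db-01", "bash", "5.0", "0", ""),
    sample_finding("h4", "CVE-0000-0004", "Low", "db-01", "curl", "7.0", "1", "7.1"),
]

if __name__ == "__main__":
    print(build_window_args(datetime(2020, 1, 1, 1, 10, tzinfo=timezone.utc),
                            datetime(2020, 1, 2, 1, 10, tzinfo=timezone.utc), limit=50))
    for host, packages in patch_plan(SAMPLE).items():
        for name, info in packages.items():
            print(host, name, info["installed"], sorted(info["fixed_versions"]),
                  sorted(info["vuln_ids"]))
```

In a playbook the entries would come from the `Lacework.Vulnerability.Host` context key rather than `SAMPLE`.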