Collect Lacework Cloud Security logs

Supported in:

Google secops SIEM

Overview

This parser extracts fields from Lacework Cloud Security JSON logs, transforming them into UDM format. It maps raw log fields to UDM fields, handling various data types and enriching the event with additional context from tags, ultimately classifying the event type based on the presence of principal and target information.

Before you begin

Ensure that you have the following prerequisites:

Google Security Operations instance.
Privileged access to FortiCNAPP Lacework.

Set up feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Lacework Logs).
Select Webhookas the Source type.
Select Laceworkas the Log type.
Click Next.
Optional: Specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate log lines, such as \n .
Click Next.
Review the feed configuration in the Finalizescreen, and then click Submit.
Click Generate Secret Keyto generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
From the Detailstab, copy the feed endpoint URL from the Endpoint Informationfield. You need to specify this endpoint URL in your client application.
Click Done.

Create an API key for the webhook feed

Go to Google Cloud console > Credentials.

Go to Credentials
Click Create credentials, and then select API key.
Restrict the API key access to the Chronicle API.

Specify the endpoint URL

In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
Enable authentication by specifying the API key and secret key as part of the custom header in the following format:
```
 X-goog-api-key = API_KEY 
X-Webhook-Access-Key = SECRET 
 
```
Recommendation: Specify the API key as a header instead of specifying it in the URL.
If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:
```
  ENDPOINT_URL 
?key= API_KEY 
&secret= SECRET 
 
```
Replace the following:
- ENDPOINT_URL : the feed endpoint URL.
- API_KEY : the API key to authenticate to Google SecOps.
- SECRET : the secret key that you generated to authenticate the feed.

Configure a Lacework Webhook for Google SecOps

Sign in to the Lacework FortiCNAPP Console with administrative privileges.
Go to Settings > Notifications > Alert channels.
Click + Add new.
Select Webhook.
Click Next.
Specify a unique name to the channel (for example, Google SecOps).
Webhook URL: enter the <ENDPOINT_URL> followed by <API_KEY> and <SECRET> .
Click Save.
Select Alert rulesand configure your required alert routing details.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`AGENT_VERSION`	`metadata.product_version`	Directly mapped from the `AGENT_VERSION` field.
`CREATED_TIME`	`metadata.event_timestamp`	Directly mapped from the `CREATED_TIME` field, converted to a timestamp.
`FILEDATA_HASH`	`target.file.sha256`	Directly mapped from the `FILEDATA_HASH` field.
`FILE_PATH`	`target.file.full_path`	Directly mapped from the `FILE_PATH` field.
`IP_ADDR`	`principal.ip`	Directly mapped from the `IP_ADDR` field.
`OS`	`target.platform`	Mapped from the `OS` field. Logic converts various OS strings (Linux, Windows, Mac) to UDM enum values (LINUX, WINDOWS, MAC). Defaults to UNKNOWN_PLATFORM if no match is found.
`STATUS`	`additional.fields[].key:"STATUS", value.string_value`	Directly mapped from the `STATUS` field as an additional field.
`TAGS.Account`	`metadata.product_deployment_id`	Directly mapped from the `TAGS.Account` field.
`TAGS.AmiId`	`additional.fields[].key:"AmiId", value.string_value`	Directly mapped from the `TAGS.AmiId` field as an additional field.
`TAGS.ExternalIp`	`target.ip`	Directly mapped from the `TAGS.ExternalIp` field.
`TAGS.Hostname`	`principal.hostname`	Directly mapped from the `TAGS.Hostname` field.
`TAGS.InstanceId`	`target.asset_id`	Directly mapped from the `TAGS.InstanceId` field, prefixed with "Device Instance Id: ".
`TAGS.LwTokenShort`	`additional.fields[].key:"LwTokenShort", value.string_value`	Directly mapped from the `TAGS.LwTokenShort` field as an additional field.
`TAGS.MID`	`additional.fields[].key:"MID", value.string_value`	Directly mapped from the `MID` field as an additional field.
`TAGS.MODE`	`additional.fields[].key:"MODE", value.string_value`	Directly mapped from the `MODE` field as an additional field.
`TAGS.Name`	`additional.fields[].key:"Name", value.string_value`	Directly mapped from the `TAGS.Name` field as an additional field.
`TAGS.QSConfigName-vfzg0`	`additional.fields[].key:"QSConfigName", value.string_value`	Directly mapped from the `TAGS.QSConfigName-vfzg0` field as an additional field.
`TAGS.ResourceType`	`target.resource.resource_subtype`	Directly mapped from the `TAGS.ResourceType` field.
`TAGS.SubnetId`	`target.resource.attribute.labels[].key:"Subnet Id", value`	Directly mapped from the `TAGS.SubnetId` field as a label within target.resource.attribute.
`TAGS.VmInstanceType`	`target.resource.attribute.labels[].key:"VmInstanceType", value`	Directly mapped from the `TAGS.VmInstanceType` field as a label within target.resource.attribute.
`TAGS.VmProvider`	`target.resource.attribute.labels[].key:"VmProvider", value`	Directly mapped from the `TAGS.VmProvider` field as a label within target.resource.attribute.
`TAGS.VpcId`	`target.resource.product_object_id`	Directly mapped from the `TAGS.VpcId` field.
`TAGS.Zone`	`target.cloud.availability_zone`	Directly mapped from the `TAGS.Zone` field.
`TAGS.alpha.eksctl.io/nodegroup-name`	`additional.fields[].key:"eksctl_nodegroup_name", value.string_value`	Directly mapped from the `TAGS.alpha.eksctl.io/nodegroup-name` field as an additional field.
`TAGS.alpha.eksctl.io/nodegroup-type`	`additional.fields[].key:"eksctl_nodegroup_type", value.string_value`	Directly mapped from the `TAGS.alpha.eksctl.io/nodegroup-type` field as an additional field.
`TAGS.arch`	`principal.platform_version`	Directly mapped from the `TAGS.arch` field.
`TAGS.aws:autoscaling:groupName`	`additional.fields[].key:"autoscaling_groupName", value.string_value`	Directly mapped from the `TAGS.aws:autoscaling:groupName` field as an additional field.
`TAGS.aws:ec2:fleet-id`	`additional.fields[].key:"ec2_fleetid", value.string_value`	Directly mapped from the `TAGS.aws:ec2:fleet-id` field as an additional field.
`TAGS.aws:ec2launchtemplate:id`	`additional.fields[].key:"ec2launchtemplate_id", value.string_value`	Directly mapped from the `TAGS.aws:ec2launchtemplate:id` field as an additional field.
`TAGS.aws:ec2launchtemplate:version`	`additional.fields[].key:"ec2launchtemplate_ver", value.string_value`	Directly mapped from the `TAGS.aws:ec2launchtemplate:version` field as an additional field.
`TAGS.aws:eks:cluster-name`	`additional.fields[].key:"eks_cluster_name", value.string_value`	Directly mapped from the `TAGS.aws:eks:cluster-name` field as an additional field.
`TAGS.enableCrowdStrike`	`additional.fields[].key:"enableCrowdStrike", value.string_value`	Directly mapped from the `TAGS.enableCrowdStrike` field as an additional field.
`TAGS.falconx.io/application`	`additional.fields[].key:"io/application", value.string_value`	Directly mapped from the `TAGS.falconx.io/application` field as an additional field.
`TAGS.falconx.io/environment`	`additional.fields[].key:"io/environment", value.string_value`	Directly mapped from the `TAGS.falconx.io/environment` field as an additional field.
`TAGS.falconx.io/managedBy`	`additional.fields[].key:"io/managedBy", value.string_value`	Directly mapped from the `TAGS.falconx.io/managedBy` field as an additional field.
`TAGS.falconx.io/project`	`additional.fields[].key:"io/project", value.string_value`	Directly mapped from the `TAGS.falconx.io/project` field as an additional field.
`TAGS.falconx.io/proxy-type`	`additional.fields[].key:"io/proxy_type", value.string_value`	Directly mapped from the `TAGS.falconx.io/proxy-type` field as an additional field.
`TAGS.falconx.io/service`	`additional.fields[].key:"io/service", value.string_value`	Directly mapped from the `TAGS.falconx.io/service` field as an additional field.
`TAGS.falconx.io/team`	`additional.fields[].key:"io/team", value.string_value`	Directly mapped from the `TAGS.falconx.io/team` field as an additional field.
`TAGS.k8s.io/cluster-autoscaler/enabled`	`additional.fields[].key:"k8s_autoscaler_enabled", value.string_value`	Directly mapped from the `TAGS.k8s.io/cluster-autoscaler/enabled` field as an additional field.
`TAGS.k8s.io/cluster-autoscaler/falcon`	`additional.fields[].key:"k8s_cluster_autoscaler", value.string_value`	Directly mapped from the `TAGS.k8s.io/cluster-autoscaler/falcon` field as an additional field.
`TAGS.kubernetes.io/cluster/falcon`	`additional.fields[].key:"kubernetes_io_cluster", value.string_value`	Directly mapped from the `TAGS.kubernetes.io/cluster/falcon` field as an additional field.
`TAGS.lw_KubernetesCluster`	`additional.fields[].key:"lw_KubernetesCluster", value.string_value`	Directly mapped from the `TAGS.lw_KubernetesCluster` field as an additional field.
`LAST_UPDATE`	`additional.fields[].key:"LAST_UPDATE", value.string_value`	Directly mapped from the `LAST_UPDATE` field as an additional field. Hardcoded to "LACEWORK". Hardcoded to "Lacework Cloud Security".
`metadata.event_type`	`metadata.event_type`	Determined by logic. Set to "NETWORK_CONNECTION" if both principal.ip and target.ip are present, "STATUS_UPDATE" if only principal.ip is present, and "GENERIC_EVENT" otherwise.

Need more help? Get answers from Community members and Google SecOps professionals.