To get the most complete data out of Lacework, Red Canary makes a series of API calls to compile data for investigation.
Each Lacework Alert is centered around an Alert record containing stateful data reflecting the description, type, status, and severity of an alert.
The Alert record alone offers little to investigate beyond the type and severity of the alert; the details needed to investigate it must be retrieved separately. Lacework organizes those details as “Alert Scopes”.
Example:
Red Canary retrieves the following Alert Scopes for each Lacework alert under investigation:
- "Details"
- "Investigation"
- "Events"
- "RelatedAlerts"
- "Integrations"
- "Timeline"
After retrieving each scope, Red Canary assembles the Alert record and the scope data into a single alert, which it then processes.
Example:
Note the “scope…” keys that follow the core alert fields (this alert payload has been shortened for brevity):
{
  "alertId": 2688,
  "alertName": "New AWS User",
  "startTime": "2023-08-08T21:00:00.000Z",
  "alertType": "ServiceCalledawsApi",
  "severity": "High",
  "internetExposure": "UnknownInternetExposure",
  "reachability": "UnknownReachability",
  "derivedFields": {
    "category": "Anomaly",
    "sub_category": "Cloud Activity",
    "source": "aws"
  },
  "endTime": "2023-08-08T22:00:00.000Z",
  "lastUserUpdatedTime": "0",
  "status": "Open",
  "alertInfo": {
    "description": "For account: xxxxxxxxxxx : User johndoe accessed using AWS for the first time",
    "subject": "For account: xxxxxxxxxxx : User johndoe accessed using AWS for the first time"
  },
  "evolvingAlert": false,
  "scopeDetails": {
    "alertId": 2688,
    "alertName": "New AWS User"
  },
  "scopeInvestigation": [
    {
      "question": "Has a new user been involved in the event in the last 60 days?",
      "answer": "No"
    },
    {
      "question": "Have the users involved in the event authenticated without MFA in the last 60 days?",
      "answer": "No"
    },
    {
      "question": "Have any of the users involved in the event used the Root account in the last 60 days?",
      "answer": "No"
    }
    ...
  ],
  "scopeEvents": null,
  "scopeRelatedAlerts": [
    {
      "eventType": "awsServiceAccessedInRegion",
      "eventId": "15792",
      "severity": "4",
      "startTime": "2023-04-17T22:00:00Z",
      "endTime": "2023-04-17T23:00:00Z",
      "rank": 3,
      "eventInfo": {
        "description": "For account: xxxxxxxxxxx : User johndoe accessed using AWS for the first time",
        "subject": "For account: xxxxxxxxxxx : User johndoe accessed using AWS for the first time"
      },
      "eventName": "aws service accessed in region"
    },
    {
      "eventType": "awsServiceAccountLoggedInFromSource",
      "eventId": "14745",
      "severity": "2",
      "startTime": "2023-03-31T16:00:00Z",
      "endTime": "2023-03-31T17:00:00Z",
      "rank": 2,
      "eventInfo": {
        "description": "For account: xxxxxxxxxxx : User johndoe accessed using AWS for the first time from a new source Houston,Texas,United States of America for the first time ",
        "subject": "aws service account logged in from new source: For account: xxxxxxxxxxx : User johndoe accessed using AWS for the first time from a new source Houston,Texas,United States of America for the first time "
      },
      "eventName": "aws service account logged in from new source"
    }
    ...
  ],
  "scopeIntegrations": [
    {
      "alertChannel": {
        "INTG_GUID": "ACMECORP_0FD4C25F772C1D3A3EE50F04095CAE3B880D969",
        ...
      }
    }
  ],
  "scopeTimeline": null
}
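The assembly step described above, written out as an added example (this is not Red Canary's or Lacework's own code). The per-scope API call is abstracted into a `fetch_scope` callable fed with constructed sample responses, so it runs offline; the `/api/v2/Alerts/{alertId}?scope=...` endpoint shape named in the stub's docstring is an assumption, as is the alertId consistency check.

```python
import json
from typing import Any, Callable, Optional

ALERT_SCOPES = ("Details", "Investigation", "Events",
                "RelatedAlerts", "Integrations", "Timeline")

# Scope fetcher signature: (alertId, scope name) -> decoded JSON or None.
ScopeFetcher = Callable[[int, str], Optional[Any]]

def assemble_alert(core: dict, fetch_scope: ScopeFetcher) -> dict:
    """Return the core Alert record plus one "scope<Name>" key per Alert Scope.

    A scope that returns nothing is recorded as None (the page's payload shows
    "scopeEvents": null), so "no data" stays distinguishable from a missing key.
    """
    alert_id = core["alertId"]
    merged = dict(core)
    for scope in ALERT_SCOPES:
        data = fetch_scope(alert_id, scope)
        # Assumed integrity check: a scope response that echoes alertId (Details
        # does, as in the page's payload) must belong to the alert being built.
        if isinstance(data, dict) and data.get("alertId", alert_id) != alert_id:
            raise ValueError(f"{scope} scope returned alertId {data['alertId']}, "
                             f"expected {alert_id}")
        merged[f"scope{scope}"] = data if data else None
    return merged

# Constructed sample data standing in for Lacework API responses (values taken
# from the shortened payload above; the GUID is a placeholder).
SAMPLE_CORE = {"alertId": 2688, "alertName": "New AWS User",
               "alertType": "ServiceCalledawsApi", "severity": "High",
               "status": "Open"}
SAMPLE_SCOPES = {
    "Details": {"alertId": 2688, "alertName": "New AWS User"},
    "Investigation": [{"question": "Has a new user been involved in the event "
                                   "in the last 60 days?", "answer": "No"}],
    "Events": [],  # empty -> recorded as null, as in the page's payload
    "RelatedAlerts": [{"eventType": "awsServiceAccessedInRegion",
                       "eventId": "15792", "severity": "4"}],
    "Integrations": [{"alertChannel": {"INTG_GUID": "PLACEHOLDER_INTG_GUID"}}],
    "Timeline": None,
}

def sample_fetch(alert_id: int, scope: str):
    """Stand-in for the per-scope call (assumed: GET /api/v2/Alerts/{alertId}
    ?scope=<Scope>); swap in a real HTTP client with the same signature."""
    return SAMPLE_SCOPES.get(scope)

if __name__ == "__main__":
    print(json.dumps(assemble_alert(SAMPLE_CORE, sample_fetch), indent=2))
```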