You can create a custom webhook that receives Lacework event notifications from a Lacework integration and forwards those events to another application.
Overview
After you configure a Lacework webhook integration, Lacework automatically sends each event it generates to the URL endpoint you configured in the integration. Each event is delivered as an HTTP POST request carrying the Lacework payload shown in the following example.
{
  "event_title": "Compliance Changed",
  "event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884?startTime=1565370000000&endTime=1565373600000",
  "lacework_account": "myLacework",
  "event_source": "AzureCompliance",
  "event_summary": "Azure Account myLacework Pay-As-You-Go: Azure_CIS_2_1 Ensure that standard pricing tier is selected changed from compliant to non-compliant",
  "event_timestamp": "09 Aug 2019 17:00 GMT",
  "event_type": "Compliance",
  "event_id": "120884",
  "event_severity": "4"
}
The following table describes Lacework payload elements.
| Field Name | Description |
| --- | --- |
| event_title | The title of the Lacework event. |
| event_link | The link to the event in the Lacework Console. |
| lacework_account | The Lacework Application where the event occurred. This is the myLacework part of the Lacework Application URL: myLacework.lacework.net. |
| event_source | The source of the event or where the event occurred. |
| event_summary | A summary of the event including a description of why the event occurred. |
| event_timestamp | The timestamp of when the event occurred. |
| event_type | The type (or category) of the event. |
| event_id | The Lacework ID for the event. |
| event_severity | The severity of the event, a number from 1 to 5. The number 1 is the highest severity and 5 is the lowest severity. |
Create a webhook to receive the HTTP POST request from Lacework and then perform some action. For example, your webhook could read the payload from the Lacework HTTP POST request, parse the properties from the incoming payload, generate another event with the properties in a different format, and send that event to another application such as Opsgenie.
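The parse-and-reformat step described above, as an added example that is not Lacework's or Opsgenie's own code: it treats the POST body as untrusted input, validates every field in the payload table, and returns a dict using Opsgenie Create Alert field names. The function name, the size cap, the length limits, the 1:1 severity-to-priority mapping and the shortened sample summary are assumptions.

```python
import json
from urllib.parse import urlsplit

REQUIRED = ("event_title", "event_link", "lacework_account", "event_source",
            "event_summary", "event_timestamp", "event_type", "event_id",
            "event_severity")
MAX_BODY = 16 * 1024  # assumed size cap for one event body

# Constructed input: this page's example payload with a shortened summary.
SAMPLE = json.dumps({
    "event_title": "Compliance Changed",
    "event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884",
    "lacework_account": "myLacework", "event_source": "AzureCompliance",
    "event_summary": "Azure_CIS_2_1 changed from compliant to non-compliant",
    "event_timestamp": "09 Aug 2019 17:00 GMT", "event_type": "Compliance",
    "event_id": "120884", "event_severity": "4"}).encode()


def to_opsgenie_alert(body: bytes, expected_account: str) -> dict:
    """Validate an untrusted webhook body and map it to alert fields."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        event = json.loads(body)
    except (ValueError, RecursionError) as exc:
        raise ValueError("body is not usable JSON") from exc
    if not isinstance(event, dict):
        raise ValueError("payload must be a JSON object")
    for key in REQUIRED:
        if not isinstance(event.get(key), str) or not event[key]:
            raise ValueError(f"missing or non-string field: {key}")
    if event["lacework_account"] != expected_account:
        raise ValueError("event is for an unexpected account")
    # Forward only HTTPS links that point at the expected console host.
    link = urlsplit(event["event_link"])
    host = f"{expected_account}.lacework.net".lower()  # hostname is lowercased
    if link.scheme != "https" or link.hostname != host:
        raise ValueError("event_link does not point at the expected console")
    if event["event_severity"] not in ("1", "2", "3", "4", "5"):
        raise ValueError("event_severity must be 1 to 5")
    return {
        "message": event["event_title"][:130],  # assumed title length limit
        "alias": f"lacework-{expected_account}-{event['event_id']}"[:512],
        "description": event["event_summary"],
        "priority": "P" + event["event_severity"],  # assumed 1:1 mapping
        "source": "Lacework",
        "details": {k: event[k] for k in ("event_link", "event_source",
                                          "event_type", "event_timestamp")},
    }
```

Call `to_opsgenie_alert(request_body, "myLacework")` from your HTTP handler and return a 4xx response on `ValueError` rather than forwarding the event.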
Add a Lacework Integration
After you create a webhook to receive the HTTP POST request from Lacework, return to the Lacework Console and complete the following steps:
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Select Settings > Integrations.
- Under OUTGOING, select Webhook.
- Click + Add Integration.
- Name the integration.
- In the Webhook URL, enter the URL of your webhook that will receive the HTTP POST request from Lacework.
- From the Alert Severity Level drop-down, select an event (alert) severity level. Lacework forwards only events that meet or exceed the chosen threshold.
- Click Save.