You can create a custom webhook that receives Lacework alert notifications from a Lacework alert channel and forwards those alerts to another application.
Overview
After you configure a Lacework webhook alert channel, when Lacework generates an alert, it automatically sends that alert to the URL endpoint you configure in the webhook channel. Lacework generates a new alert by sending an HTTP POST request with the following Lacework payload as shown in the following example.
{
"event_title": "Compliance Changed",
"event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884?startTime=1565370000000&endTime=1565373600000",
"lacework_account": "myLacework",
"event_source": "AzureCompliance",
"event_description":"Azure Account myLacework Pay-As-You-Go: Azure_CIS_2_1 Ensure that standard pricing tier is selected changed from compliant to non-compliant",
"event_timestamp":"27 May 2021 17:00 GMT",
"event_type": "Compliance",
"event_id": "120884",
"event_severity": "4",
"rec_id": "Azure_CIS_2_1"
}
The following table describes Lacework payload elements.
| Field Name | Description |
|---|---|
| event_title | The title of the Lacework event. |
| event_link | The link to the event in the Lacework Console. |
| lacework_account | The Lacework application where the event occurred. The myLacework part of the Lacework application URL: myLacework.lacework.net. |
| event_source | The source of the event or where the event occurred. |
| event_description | A description of the event including a description of why the event occurred. |
| event_timestamp | The timestamp of when the event occurred. |
| event_type | The type (or category) of the event. |
| event_id | The Lacework ID for the event. |
| event_severity | The severity of the event between numbers 1 and 5. The number 1 is the highest severity and 5 is the lowest severity. |
| rec_id | The recommendation ID. Only compliance events have the recommendation ID field. |
Create a webhook to receive the HTTP POST request from Lacework and then perform some action. For example, your webhook could read the payload from the Lacework HTTP POST request, parse the properties from the incoming payload, generate another alert with the properties in a different format, and send that alert to another application such as Opsgenie.
Create a Lacework Alert Channel
After you create a webhook to receive the HTTP POST request from Lacework, return to the Lacework Console and complete the following steps:
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Routing > Alert Channels.
- Click + Create New.
- Select Webhook.
- Name the channel.
In the Webhook URL, enter the URL of your webhook that will receive the HTTP POST request from Lacework. If the third-party that is receiving the HTTP POST request requires an API token, enter the API Token as part of the URL, for example:
https://mySampleEnv.live.dynatrace.com/apiZvl/time?api-token=abcdefjhij1234567890
Click Save.
- Click Alert Rules and configure your required alert routing details/options by leveraging the alert channel you created.