- GCP Audit Log Polygraph—The GCP Audit Log dossier now includes a Lacework Polygraph to help you visualize your Audit Trail data in a streamlined way and identify any misconfigurations or events.
- Group Events by Resources in the AWS CloudWatch Alert Channel—Support for configuring the AWS CloudWatch Alert Channel to create multiple AWS CloudWatch events when multiple resources are generating the same event. For example, if three different S3 resources are generating the same event, three AWS events are created on the AWS CloudWatch event bus. For more information, see https://support.lacework.com/hc/en-us/articles/360005840174-AWS-CloudWatch.
- Updated First Seen Time for AWS CloudTrail, Azure and GCP policies—Events generated by the rules in the AWS CloudTrail, Azure and GCP policies now report a more accurate First Seen Time instead of the start timestamp of the event evaluation time period (1 hour).
- New Python Script for Creating Azure Integrations—This new app.py script has the following features:
- Supports creating a single Lacework Azure Compliance Integration and a single Lacework Azure Activity Log Integration in a single script run. In a script run, you must create a Lacework Azure Compliance Integration. You cannot create just a Lacework Azure Activity Log Integration.
- Supports entering the configuration settings interactively from prompts or by specifying a configuration YAML file.
- Supports rolling back the changes made in Azure if the script encounters a problem.
For more information, see https://support.lacework.com/hc/en-us/articles/360036688133.
Manage at Scale
Lacework manage at scale capabilities provides streamlined workflows to manage organizations, accounts, and alerts. Manage at scale introduces the following features:
- Invitation only, limited beta. Organizations—Organizations allow you to centrally manage your environment’s security, compliance, and access control by aggregating information from all your accounts. To use the organizations feature with Lacework, you must perform a one-time enrollment process using an existing account. For details, see https://support.lacework.com/hc/en-us/articles/360041727394.
- Multiple Account support—One organization can contain multiple accounts, allowing you to manage alerts, resource groups, team members, and audit logs for individual accounts and for the entire organization. A team member may have access to multiple accounts and can easily switch between them. The ability to enroll in organizations is currently in invitation only, limited beta.
- Alert channels and Alert rules—You can now separately manage alert channels (how to send alerts) and alert rules (which alert types to send). This provides the flexibility to send different alerts based on severity, resource type, and category to different alert channels. Settings are grouped under Alert Routing and available in Alert Channels (previously referred to as outgoing integrations) and Alert Rules. You can manage alerts at the account level and the organization level. For details, see https://support.lacework.com/hc/en-us/articles/360041773194 and https://support.lacework.com/hc/en-us/articles/360042236733.
- Just-in-Time User Provisioning for SAML authentication—SAML capabilities now include the Just-in-Time (JIT) User Provisioning option. Enabling the JIT option allows for on-the-fly creation of a team member the first time they try to log in. This eliminates the need to create team members in Lacework in advance. Enrolling your accounts in an organization allows you to control authentication for all accounts within the organization. For details about setting up JIT for an account or organization, see https://support.lacework.com/hc/en-us/articles/360041774034.
- Resource groups—You can categorize Lacework-identifiable assets (AWS, Azure, GCP, containers, machines) into resource groups, which you can manage at the account level. Organization-level resource groups can contain Lacework accounts. For details, see https://support.lacework.com/hc/en-us/articles/360041727354.
- Audit logs—Audit logs enable you to view the history of all actions performed within an account. Logged actions include who initiated specific alert suppression, setting modifications, logins, agent token changes, etc. For details, see https://support.lacework.com/hc/en-us/articles/360042198473.
- Report rules—You can now separately manage which account reports to send and who receives reports. Settings are grouped under Alert Routing and available in Alert Channels (previously referred to as outgoing integrations) and Report Rules. For details, see https://support.lacework.com/hc/en-us/articles/360041766754.
Manage at scale introduces the following Lacework Console changes:
- Authentication—If you enroll in an organization, authentication settings are located under organization settings. For accounts within an organization, authentication mechanisms at the account level are not available. You can set authentication only at the organization level. If you do not enroll in an organization, authentication remains under account settings.
- Integrations—The Integrations menu now contains only incoming integrations. The integrations previously categorized together as incoming integrations are now separate menus in account settings: Cloud Accounts, Container Registry, and Snowflake Data Share. The outgoing integrations are now referred to as Alert Channels, which is a separate menu item in account settings under Alert Routing.
- Team members—The Users menu is now named Team Members. Team members can belong to multiple accounts and can have a different role for each account.
- API keys—The settings page for managing and creating Lacework API keys is now named API Keys; it was previously named Access Keys. You can find API Keys under account settings. API Keys are now named and can optionally have a description. Also, to get the secret key, download the generated API key file and open it in an editor.
- Agent tokens—The settings for managing and creating Lacework agent tokens are now available in account settings under the Agents menu with the other agent-related information and settings. Agent tokens are now named and can optionally have a description. You can use the Agent token name to logically separate your deployments, for example, by environment types (QA, Dev, etc.) or system types (CentOS, RHEL, etc.).
- Usage—Usage insights are located under organization settings if you enrolled in an organization.
- Running On-demand Reports—Running a report is now available only through the compliance reports pages. The Integrations page no longer displays the button to run on-demand reports.
- Dashboard—The dashboard is now a separate top-level menu item; it is no longer nested under the Monitoring menu.
This feature is currently in invitation only, limited beta.
- Asset inventory provides the Lacework Console with comprehensive visibility into AWS assets that are integrated with Lacework. The Asset Inventory page allows you to assess in-use cloud assets, monitor their risk and compliance, and view configuration changes. The Asset Inventory page is available under the Monitor menu. This feature provides visibility to members with limited or no access to the AWS Management Console.