Integrate Lacework Polygraph with Red Canary
    • 26 Aug 2024
    Integrating Lacework Polygraph with Red Canary enhances cloud security posture by combining cloud-native threat detection with expert threat hunting. It leverages Lacework's comprehensive cloud security platform to identify vulnerabilities and suspicious activities, while Red Canary's security experts prioritize and investigate critical threats. To integrate Lacework Polygraph with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    • You must have Lacework Admin access to create the necessary API keys.

    • You must have access to create an external service in Red Canary.

    How Red Canary works with Lacework alert data

    To get the most complete data out of Lacework, Red Canary makes a series of API calls to compile data for investigation.

    Each Lacework Alert is centered around an Alert record containing stateful data reflecting the description, type, status, and severity of an alert.

    The Alert record alone offers little to investigate beyond the alert's type and severity. The details needed to investigate the Alert are organized as “Alert Scopes” in Lacework and must be collected separately.

    Red Canary retrieves the following Alert Scopes for each Lacework alert under investigation:

    • "Details"

    • "Investigation"

    • "Events"

    • "RelatedAlerts"

    • "Integrations"

    • "Timeline"

    After retrieving the information from each scope, Red Canary assembles the Alert record and all scope data into a single alert, which it then processes.
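    The assembly described above, as an added Python example (this is not Red Canary's or Lacework's code): the Alert record is fetched first, then each of the six scopes, and every scope result is merged in under a "scope<Name>" key, with null for scopes that returned nothing, which is the shape of the sample payload in this article. The Lacework endpoint path, the Bearer-token header and the {"data": ...} response shape used by lacework_scope_fetcher are assumptions about the Lacework API, not something this page states; the sample alert and scope data are constructed.

```python
"""Assemble a Lacework Alert record and its Alert Scopes into one record.

Added example, not Red Canary's or Lacework's code. The endpoint path and
response shape in lacework_scope_fetcher are assumptions about the
Lacework API, not taken from this page.
"""
import json
import urllib.request
from typing import Callable, Optional

# The six Alert Scopes this article lists, in the order they are retrieved.
ALERT_SCOPES = ("Details", "Investigation", "Events", "RelatedAlerts",
                "Integrations", "Timeline")

# A fetcher takes (alert_id, scope) and returns the decoded payload for that
# scope, or None when the tenant has nothing for that scope.
ScopeFetcher = Callable[[int, str], Optional[object]]


def scope_key(scope: str) -> str:
    """'RelatedAlerts' -> 'scopeRelatedAlerts', matching the sample payload."""
    return "scope" + scope


def assemble_alert(alert: dict, fetch_scope: ScopeFetcher) -> dict:
    """Return a copy of the Alert record with every scope merged in.

    An empty scope is recorded as None (as in "scopeEvents": null) so that
    downstream code can tell "queried, empty" from "never queried".
    """
    merged = dict(alert)
    alert_id = int(alert["alertId"])
    for scope in ALERT_SCOPES:
        payload = fetch_scope(alert_id, scope)
        merged[scope_key(scope)] = payload if payload else None
    return merged


def lacework_scope_fetcher(org_url: str, bearer_token: str) -> ScopeFetcher:
    """Build a fetcher for a Lacework tenant.

    Assumption: a scope is read with GET {org_url}/api/v2/Alerts/{id}?scope=...
    and the body is {"data": ...}. org_url must be the full https:// form the
    Step 2 note asks for (example: https://orgname.lacework.net).
    """
    if not org_url.startswith("https://"):
        raise ValueError("organization URL must begin with https://")
    base = org_url.rstrip("/")

    def fetch(alert_id: int, scope: str):
        req = urllib.request.Request(
            f"{base}/api/v2/Alerts/{alert_id}?scope={scope}",
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("data")

    return fetch


# --- Constructed sample data (not from a real tenant) -----------------------
SAMPLE_ALERT = {
    "alertId": 2688,
    "alertName": "New AWS User",
    "alertType": "ServiceCalledawsApi",
    "severity": "High",
    "status": "Open",
}

SAMPLE_SCOPES = {
    "Details": {"alertId": 2688, "alertName": "New AWS User"},
    "Investigation": [
        {"question": "Has a new user been involved in the event in the last 60 days?",
         "answer": "No"},
    ],
    "RelatedAlerts": [{"eventType": "awsServiceAccessedInRegion", "eventId": "15792"}],
    "Integrations": [{"alertChannel": {"INTG_GUID": "PLACEHOLDER_INTG_GUID"}}],
    # "Events" and "Timeline" are deliberately absent: the tenant returned nothing.
}


def sample_fetcher(alert_id: int, scope: str):
    """Offline stand-in for lacework_scope_fetcher, serving the constructed data."""
    if alert_id != 2688:
        return None
    return SAMPLE_SCOPES.get(scope)


def build_sample() -> dict:
    """Assemble the constructed alert; used by the stand-alone run and the checks."""
    return assemble_alert(SAMPLE_ALERT, sample_fetcher)


if __name__ == "__main__":
    print(json.dumps(build_sample(), indent=2))
```

    Swapping sample_fetcher for lacework_scope_fetcher(org_url, token) runs the same assembly against a live tenant; keeping the fetcher injectable is what lets the merge logic be tested offline.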

    Example:

    Note the keys beginning with “scope” that follow the alert's core fields (this alert payload has been shortened for brevity):

    {
      "alertId": 2688,
      "alertName": "New AWS User",
      "startTime": "2023-08-08T21:00:00.000Z",
      "alertType": "ServiceCalledawsApi",
      "severity": "High",
      "internetExposure": "UnknownInternetExposure",
      "reachability": "UnknownReachability",
      "derivedFields": {
        "category": "Anomaly",
        "sub_category": "Cloud Activity",
        "source": "aws"
      },
      "endTime": "2023-08-08T22:00:00.000Z",
      "lastUserUpdatedTime": "0",
      "status": "Open",
      "alertInfo": {
        "description": "For account: xxxxxxxxxxx  : User johndoe accessed using AWS for the first time",
        "subject": "For account: xxxxxxxxxxx  : User johndoe accessed using AWS for the first time"
      },
      "evolvingAlert": false,
      "scopeDetails": {
        "alertId": 2688,
        "alertName": "New AWS User",
        ...
      },
      "scopeInvestigation": [
        {
          "question": "Has a new user been involved in the event in the last 60 days?",
          "answer": "No"
        },
        {
          "question": "Have the users involved in the event authenticated without MFA in the last 60 days?",
          "answer": "No"
        },
        {
          "question": "Have any of the users involved in the event used the Root account in the last 60 days?",
          "answer": "No"
        }
        ...
      ],
      "scopeEvents": null,
      "scopeRelatedAlerts": [
        {
          "eventType": "awsServiceAccessedInRegion",
          "eventId": "15792",
          "severity": "4",
          "startTime": "2023-04-17T22:00:00Z",
          "endTime": "2023-04-17T23:00:00Z",
          "rank": 3,
          "eventInfo": {
            "description": "For account: xxxxxxxxxxx  : User johndoe accessed using AWS for the first time",
            "subject": "For account: xxxxxxxxxxx  : User johndoe accessed using AWS for the first time"
          },
          "eventName": "aws service accessed in region"
        },
        {
          "eventType": "awsServiceAccountLoggedInFromSource",
          "eventId": "14745",
          "severity": "2",
          "startTime": "2023-03-31T16:00:00Z",
          "endTime": "2023-03-31T17:00:00Z",
          "rank": 2,
          "eventInfo": {
            "description": "For account: xxxxxxxxxxx  : User johndoe accessed using AWS for the first time from a new source Houston,Texas,United States of America for the first time ",
            "subject": "aws service account logged in from new source: For account: xxxxxxxxxxx  : User johndoe accessed using AWS for the first time from a new source Houston,Texas,United States of America for the first time "
          },
          "eventName": "aws service account logged in from new source"
        },
        ...
      ],
      "scopeIntegrations": [
        {
          "alertChannel": {
            "INTG_GUID": "ACMECORP_0FD4C25F772C1D3A3EE50F04095CAE3B880D969",
        ...
      "scopeTimeline": null
    }

    Step 1: Lacework–Create your Lacework API keys

    Create your Lacework API keys to begin the alert sync between Lacework and Red Canary.

    1. From the Lacework navigation menu, click Settings.

    2. Click Users, select Account level tab, and then click +Add New.

    3. From the Choose a User type dropdown, select Service user.

    4. Enter a name for your user.

    5. Enter a description for your user.

    6. Click Next.

    7. From the select a user group for added users dropdown, select Power User.

    8. Click Save.

    9. From the Configuration section, click API keys.

    10. Click the Service user API keys tab.

    11. Click the ellipses dropdown (...), and then click Download.

    12. Copy and save the .json file containing your API keys. You will use it in a later step.

    Step 2: Red Canary–Create Integration

    Enter your Lacework API key information into Red Canary to start sending your Lacework alerts to Red Canary.

    1. From your Red Canary homepage, click Integrations.

    2. Choose See all integrations.

    3. Type and select Lacework Polygraph.

    4. Click Configure.

    5. Enter the Organization name, Secret Key ID, and Secret Key from the .json file you downloaded in Step 1.11.

      Note: The Organization field must be entered as a full URL beginning with https:// (example: https://orgname.lacework.net).

    6. Click Save.


