
monitor.lacework


Introduction

The tags beginning with monitor.lacework identify events generated by Lacework.

Valid tags and data tables 

The full tag must have at least three levels. The first two are fixed as monitor.lacework. The third level identifies the type of events sent and the fourth the subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Lacework | monitor.lacework.agent.applications | monitor.lacework.agent.applications |
| Lacework | monitor.lacework.agent.connnections | monitor.lacework.agent.connnections |
| Lacework | monitor.lacework.agent.dns_query | monitor.lacework.agent.dns_query |
| Lacework | monitor.lacework.agent.interfaces | monitor.lacework.agent.interfaces |
| Lacework | monitor.lacework.agent.machine_summary | monitor.lacework.agent.machine_summary |
| Lacework | monitor.lacework.agent.new_hashes | monitor.lacework.agent.new_hashes |
| Lacework | monitor.lacework.agent.package | monitor.lacework.agent.package |
| Lacework | monitor.lacework.agent.process_summary | monitor.lacework.agent.process_summary |
| Lacework | monitor.lacework.alerts.events | monitor.lacework.alerts.events |
| Lacework | monitor.lacework.alerts.events | monitor.lacework.alerts |
| Lacework | monitor.lacework.awscloudtrail.alert_details | monitor.lacework.awscloudtrail.alert_details |

For more information, read more about Devo tags.
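The tag rule above (at least three levels, the first two fixed as monitor.lacework, the third the event type and the fourth the subtype) and the tag-to-table list can be checked mechanically before tags are configured on a relay or sender. The following Python is added here as an example and is not Devo's or Lacework's own code: it splits a tag into levels, enforces the rule, returns the event type and subtype, and resolves the data tables from the list on this page. The tag list is copied from the table above; the names parse_tag, is_valid_tag, tables_for and LaceworkTag are the example's own.

```python
"""Validate monitor.lacework tags and resolve the Devo data tables they feed.

Added example, not Devo's or Lacework's own code. It encodes the rule stated on
the page (at least three levels, the first two fixed as monitor.lacework, third
level = event type, fourth level = subtype) and the tag -> data table list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fixed first two levels of every tag in this family.
PREFIX = ("monitor", "lacework")

# Tag -> data table(s), copied from the page's "Valid tags and data tables" list.
# monitor.lacework.alerts.events is the one tag listed against two tables.
TAG_TABLES: Dict[str, List[str]] = {
    "monitor.lacework.agent.applications": ["monitor.lacework.agent.applications"],
    "monitor.lacework.agent.connnections": ["monitor.lacework.agent.connnections"],
    "monitor.lacework.agent.dns_query": ["monitor.lacework.agent.dns_query"],
    "monitor.lacework.agent.interfaces": ["monitor.lacework.agent.interfaces"],
    "monitor.lacework.agent.machine_summary": ["monitor.lacework.agent.machine_summary"],
    "monitor.lacework.agent.new_hashes": ["monitor.lacework.agent.new_hashes"],
    "monitor.lacework.agent.package": ["monitor.lacework.agent.package"],
    "monitor.lacework.agent.process_summary": ["monitor.lacework.agent.process_summary"],
    "monitor.lacework.alerts.events": [
        "monitor.lacework.alerts.events",
        "monitor.lacework.alerts",
    ],
    "monitor.lacework.awscloudtrail.alert_details": [
        "monitor.lacework.awscloudtrail.alert_details"
    ],
}


class InvalidTag(ValueError):
    """Raised when a tag breaks the monitor.lacework structure rule or is unlisted."""


@dataclass(frozen=True)
class LaceworkTag:
    tag: str
    event_type: str            # third level
    subtype: Optional[str]     # fourth level, None for a three-level tag
    tables: List[str]          # data tables that receive the parsed events


def parse_tag(tag: str) -> LaceworkTag:
    """Split a tag into levels, apply the structure rule, and look up its tables."""
    levels = tag.split(".")
    if any(level == "" for level in levels):
        raise InvalidTag(f"{tag!r}: empty level (double or trailing dot)")
    if len(levels) < 3:
        raise InvalidTag(f"{tag!r}: a monitor.lacework tag needs at least three levels")
    if tuple(levels[:2]) != PREFIX:
        raise InvalidTag(f"{tag!r}: first two levels must be monitor.lacework")
    tables = TAG_TABLES.get(tag)
    if tables is None:
        raise InvalidTag(f"{tag!r}: well-formed but not a listed monitor.lacework tag")
    return LaceworkTag(
        tag=tag,
        event_type=levels[2],
        subtype=levels[3] if len(levels) > 3 else None,
        tables=list(tables),
    )


def is_valid_tag(tag: str) -> bool:
    """Boolean form of parse_tag, for filtering a batch of configured tags."""
    try:
        parse_tag(tag)
    except InvalidTag:
        return False
    return True


def tables_for(tags: List[str]) -> List[str]:
    """Distinct data tables fed by a list of tags, in first-seen order."""
    seen: List[str] = []
    for t in tags:
        for table in parse_tag(t).tables:
            if table not in seen:
                seen.append(table)
    return seen


if __name__ == "__main__":
    # Constructed samples: two valid tags and three that must be rejected.
    for sample in [
        "monitor.lacework.agent.dns_query",
        "monitor.lacework.alerts.events",
        "monitor.lacework",                  # too few levels
        "monitor.other.agent.dns_query",     # wrong fixed prefix
        "monitor.lacework.agent.unknown",    # well-formed, not listed
    ]:
        try:
            parsed = parse_tag(sample)
            print(f"{sample}: type={parsed.event_type} subtype={parsed.subtype} "
                  f"tables={parsed.tables}")
        except InvalidTag as exc:
            print(f"rejected: {exc}")
```

For monitor.lacework.alerts.events the parser returns event type alerts, subtype events and both tables. That matches the monitor.lacework.alerts table below, which carries a subtype column with source field name vsubtype; the example assumes that vsubtype is the fourth level of the tag.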

Table structure

These are the fields displayed in these tables:

monitor.lacework.agent.applications

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| app_name | str | |
| container_info__vm_type | str | |
| end_time | str | |
| exe_path | str | |
| mid | int4 | |
| net_stats__num_bytes_external_client | int4 | |
| net_stats__num_bytes_external_server | int4 | |
| net_stats__num_bytes_in_external_client | int4 | |
| net_stats__num_bytes_in_external_server | int4 | |
| net_stats__num_bytes_in_internal_client | int4 | |
| net_stats__num_bytes_in_internal_server | int4 | |
| net_stats__num_bytes_internal_client | int4 | |
| net_stats__num_bytes_internal_server | int4 | |
| net_stats__num_bytes_out_internal_client | int4 | |
| net_stats__num_bytes_out_internal_server | int4 | |
| net_stats__num_in_bytes | int4 | |
| net_stats__num_in_client_bytes | int4 | |
| net_stats__num_in_server_bytes | int4 | |
| net_stats__num_out_bytes | int4 | |
| net_stats__num_out_client_bytes | int4 | |
| net_stats__num_out_server_bytes | int4 | |
| net_stats__num_total_bytes | int4 | |
| props_machine__hostname | str | |
| props_machine__ip_addr | ip4 | |
| props_machine__mem_kbytes | int4 | |
| props_machine__num_users | int4 | |
| props_machine__tags__account | str | |
| props_machine__tags__ami_id | str | |
| props_machine__tags__external_ip | str | |
| props_machine__tags__hostname | str | |
| props_machine__tags__instance_id | str | |
| props_machine__tags__internal_ip | ip4 | |
| props_machine__tags__lw_token_short | str | |
| props_machine__tags__subnet_id | str | |
| props_machine__tags__vm_instance_type | str | |
| props_machine__tags__vm_provider | str | |
| props_machine__tags__vpc_id | str | |
| props_machine__tags__zone | str | |
| props_machine__tags__arch | str | |
| props_machine__tags__os | str | |
| props_machine__up_time | int4 | |
| start_time | str | |
| username__effective | str | |
| username__original | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.connnections

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| dst_entity_id__mid | int4 | |
| dst_entity_id__port | int4 | |
| dst_entity_id__protocol | str | |
| dst_entity_id__ip_addr | ip4 | |
| dst_entity_id__ip_internal | int4 | |
| dst_entity_id__hostname | str | |
| dst_entity_type | str | |
| dst_in_bytes | int4 | |
| dst_out_bytes | int4 | |
| endpoint_details | str | |
| end_time | str | |
| num_conns | int4 | |
| src_entity_id__ip_addr | ip4 | |
| src_entity_id__ip_internal | int4 | |
| src_entity_id__mid | int4 | |
| src_entity_id__pid_hash | int8 | |
| src_entity_type | str | |
| src_in_bytes | int4 | |
| src_out_bytes | int4 | |
| start_time | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.dns_query

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| created_time | str | |
| dns_server_ip | ip4 | |
| fqdn | str | |
| host_ip_addr | ip4 | |
| mid | int4 | |
| ttl | int4 | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.interfaces

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| created_time | str | |
| hw_addr | str | |
| ip_addr | str | |
| mid | int4 | |
| name | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.machine_summary

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| end_time | str | |
| entity_type | str | |
| hostname2 | str | |
| machine_tags__account | str | |
| machine_tags__ami_id | str | |
| machine_tags__external_ip | str | |
| machine_tags__hostname | str | |
| machine_tags__instance_id | str | |
| machine_tags__internal_ip | ip4 | |
| machine_tags__lw_token_short | str | |
| machine_tags__subnet_id | str | |
| machine_tags__vm_instance_type | str | |
| machine_tags__vm_provider | str | |
| machine_tags__vpc_id | str | |
| machine_tags__zone | str | |
| machine_tags__arch | str | |
| machine_tags__os | str | |
| mid | int4 | |
| primary_ip_addr | ip4 | |
| start_time | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.new_hashes

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| end_time | str | |
| filedata_hash | str | |
| start_time | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.package

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| arch | str | |
| created_time | str | |
| mid | int4 | |
| package_name | str | |
| version | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.agent.process_summary

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| cmdline_hash | str | |
| end_time | str | |
| file_path | str | |
| mid | int4 | |
| pid | int8 | |
| ppid | int8 | |
| process_start_time | str | |
| start_time | str | |
| uid | int4 | |
| username | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.alerts.events

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| event_title | str | |
| event_link | str | |
| lacework_account | str | |
| event_source | str | |
| event_description | str | |
| event_timestamp | str | |
| event_type | str | |
| event_id | str | |
| event_severity | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.lacework.alerts

| Field | Type | Extra field | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| subtype | str | | vsubtype |
| event_title | str | | |
| event_link | str | | |
| lacework_account | str | | |
| event_source | str | | |
| event_description | str | | |
| event_timestamp | str | | |
| event_type | str | | |
| event_id | str | | |
| event_severity | str | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | ✓ | |

monitor.lacework.awscloudtrail.alert_details

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| end_time | str | | | |
| entity_map_api_key__api_str | str | | join(entity_map_api_key__api, ',') | entity_map_api_key__api |
| entity_map_api_key__service_str | str | | join(entity_map_api_key__service, ',') | entity_map_api_key__service |
| entity_map_api_props__all_timestamps_str | str | | join(entity_map_api_props__all_timestamps, ',') | entity_map_api_props__all_timestamps |
| entity_map_api_props__source_ip_address_list_str | str | | | entity_map_api_props__source_ip_address_list |
| entity_map_api_props__user_list_str | str | | | entity_map_api_props__user_list |
| entity_map_ct_raw_time_key__first_time_str | str | | | entity_map_ct_raw_time_key__first_time |
| entity_map_ct_raw_time_key__last_time_str | str | | | entity_map_ct_raw_time_key__last_time |
| entity_map_ct_raw_time_props__all_timestamps_str | str | | | entity_map_ct_raw_time_props__all_timestamps |
| entity_map_ct_user_key__account_str | str | | | entity_map_ct_user_key__account |
| entity_map_ct_user_key__mfa_str | str | | | entity_map_ct_user_key__mfa |
| entity_map_ct_user_key__principal_id_str | str | | | entity_map_ct_user_key__principal_id |
| entity_map_ct_user_key__username_str | str | | | entity_map_ct_user_key__username |
| entity_map_ct_user_props__all_timestamps_str | str | | | entity_map_ct_user_props__all_timestamps |
| entity_map_ct_user_props__api_list_str | str | | | entity_map_ct_user_props__api_list |
| entity_map_ct_user_props__region_list_str | str | | | entity_map_ct_user_props__region_list |
| entity_map__region_key__region_str | str | | | entity_map__region_key__region |
| entity_map__region_props__account_list_str | str | | | entity_map__region_props__account_list |
| entity_map__rules_triggered_key__triggered_rule_id_str | str | | | entity_map__rules_triggered_key__triggered_rule_id |
| entity_map__rules_triggered_props__rule_description_str | str | | | entity_map__rules_triggered_props__rule_description |
| entity_map__rules_triggered_props__rule_id_str | str | | | entity_map__rules_triggered_props__rule_id |
| entity_map__rules_triggered_props__rule_severity_str | str | | | entity_map__rules_triggered_props__rule_severity |
| entity_map__rules_triggered_props__rule_title_str | str | | | entity_map__rules_triggered_props__rule_title |
| entity_map__source_ip_address_key__ip_addr_str | str | | | entity_map__source_ip_address_key__ip_addr |
| entity_map__source_ip_address_props__api_list_str | str | | | entity_map__source_ip_address_props__api_list |
| entity_map__resource_key__name_str | str | | | entity_map__resource_key__name |
| entity_map__resource_key__value_str | str | | | entity_map__resource_key__value |
| event_actor | str | | | |
| event_id | int4 | | | |
| event_model | str | | | |
| event_type | str | | | |
| start_time | str | | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | ✓ | | |
