Variables ¶
// LaceworkDesc is the human-readable description of the Lacework.Events
// log type; the string itself is the value shown to users unchanged.
var LaceworkDesc = `Lacework.Events represents the content of an exported Lacework Alert S3 Object.`
LaceworkDesc is the lacework description
Functions ¶
Types ¶
type Lacework ¶
// Lacework is the top-level shape of one exported Lacework alert event.
// Every named field carries validate:"required", so an event missing any
// of them is rejected at validation; the nested event details
// (LaceworkDataArray / LaceworkData) carry no validate tags and may
// therefore hold nil pointers after decoding — consumers must nil-check.
type Lacework struct {
	// EventCategory is the category the event falls into.
	EventCategory *string `json:"EVENT_CATEGORY" validate:"required" description:"The category the event falls into"`
	// EventDetails wraps the array of per-event data records.
	EventDetails *LaceworkDataArray `json:"EVENT_DETAILS" validate:"required" description:"The event details"`
	// Severity is the numeric severity level of the alert.
	Severity *numerics.Integer `json:"SEVERITY" validate:"required" description:"The severity level of the alert"`
	// StartTime uses the Lacework-specific timestamp layout rather than RFC3339.
	StartTime *timestamp.LaceworkTimestamp `json:"START_TIME" validate:"required" description:"The event start time."`
	// Summary is the alert title and quick summary.
	Summary *string `json:"SUMMARY" validate:"required" description:"The alert title and quick summary"`
	// EventType is the type of event.
	EventType *string `json:"EVENT_TYPE" validate:"required" description:"The type of event"`
	// EventName is the event name.
	EventName *string `json:"EVENT_NAME" validate:"required" description:"The event name"`
	// Link is a URL string carried in the alert payload. Only its presence is
	// validated here; NOTE(review): treat it as untrusted input when rendering
	// or following it downstream.
	Link *string `json:"LINK" validate:"required" description:"A link to the Lacework dashboard for the event"`
	// EventID is numeric at this level, whereas LaceworkData.EventID is a string.
	EventID *numerics.Integer `json:"EVENT_ID" validate:"required" description:"The eventID reference"`
	// Account is the Lacework tenant that created the event.
	// NOTE(review): the description tag spells "tenant" as "tenent"; left as-is
	// because tag text is emitted verbatim to schema consumers.
	Account *string `json:"ACCOUNT" validate:"required" description:"The Lacework tenent that created the event"`
	// Source is the data source the event triggered on.
	Source *string `json:"SOURCE" validate:"required" description:"The data source the event triggered on"`
	// NOTE: added to end of struct to allow expansion later
	parsers.PantherLog
}
Lacework struct for Events
type LaceworkAPI ¶
// LaceworkAPI identifies the AWS service and API call an alert refers to.
// Note that the Go field names and the JSON keys differ.
type LaceworkAPI struct {
	// EventSource is decoded from the SERVICE key.
	EventSource *string `json:"SERVICE,omitempty"`
	// EventName is decoded from the API key.
	EventName *string `json:"API,omitempty"`
}
LaceworkAPI contains API-based info for AWS
type LaceworkApplication ¶
// LaceworkApplication describes an application entity referenced by an alert.
type LaceworkApplication struct {
	// Application is the application name.
	Application *string `json:"APPLICATION,omitempty"`
	// HasExternalConns, IsClient and IsServer are decoded as integers;
	// presumably they act as 0/1 flags — not confirmed from this file.
	HasExternalConns *numerics.Integer `json:"HAS_EXTERNAL_CONNS,omitempty"`
	IsClient *numerics.Integer `json:"IS_CLIENT,omitempty"`
	IsServer *numerics.Integer `json:"IS_SERVER,omitempty"`
	// EarliestKnownTime is parsed as an RFC3339 timestamp.
	EarliestKnownTime *timestamp.RFC3339 `json:"EARLIEST_KNOWN_TIME,omitempty"`
}
LaceworkApplication is the app info
type LaceworkCTUser ¶
// LaceworkCTUser describes the CloudTrail user associated with an alert.
type LaceworkCTUser struct {
	// Username is the CloudTrail user name.
	Username *string `json:"USERNAME,omitempty"`
	// AccountID is the AWS account the user belongs to.
	AccountID *string `json:"ACCOUNT_ID,omitempty"`
	// MFA is decoded as an integer; presumably a 0/1 flag — TODO confirm.
	MFA *numerics.Integer `json:"MFA,omitempty"`
	// APIList and RegionList are decoded from API_LIST and REGION_LIST.
	APIList []string `json:"API_LIST,omitempty"`
	RegionList []string `json:"REGION_LIST,omitempty"`
	// AccessKeyID is decoded from PRINCIPAL_ID. The Go name and the JSON key
	// disagree, so readers should not assume the value is an access key ID.
	AccessKeyID *string `json:"PRINCIPAL_ID,omitempty"`
}
LaceworkCTUser contains user info
type LaceworkContainer ¶
// LaceworkContainer describes a container entity referenced by an alert.
type LaceworkContainer struct {
	// ImageRepo and ImageTag identify the container image.
	ImageRepo *string `json:"IMAGE_REPO,omitempty"`
	ImageTag *string `json:"IMAGE_TAG,omitempty"`
	// HasExternalConns, IsClient and IsServer are decoded as integers;
	// presumably they act as 0/1 flags — not confirmed from this file.
	HasExternalConns *numerics.Integer `json:"HAS_EXTERNAL_CONNS,omitempty"`
	IsClient *numerics.Integer `json:"IS_CLIENT,omitempty"`
	IsServer *numerics.Integer `json:"IS_SERVER,omitempty"`
	// FirstSeenTime is parsed as an RFC3339 timestamp.
	FirstSeenTime *timestamp.RFC3339 `json:"FIRST_SEEN_TIME,omitempty"`
	// PodNamespace and PodIPAddress are the Kubernetes pod namespace and
	// address; PodIPAddress is decoded from POD_IP_ADDR.
	PodNamespace *string `json:"POD_NAMESPACE,omitempty"`
	PodIPAddress *string `json:"POD_IP_ADDR,omitempty"`
}
LaceworkContainer is container info
type LaceworkCustomRule ¶
// LaceworkCustomRule describes a customer-created rule that an alert matched.
type LaceworkCustomRule struct {
	// LastUpdatedTime is parsed as an RFC3339 timestamp.
	LastUpdatedTime *timestamp.RFC3339 `json:"LAST_UPDATED_TIME,omitempty"`
	// LastUpdatedUser is the user who last changed the rule.
	LastUpdatedUser *string `json:"LAST_UPDATED_USER,omitempty"`
	// DisplayFilter is the rule's display filter, kept as an opaque string.
	DisplayFilter *string `json:"DISPLAY_FILTER,omitempty"`
	// RuleGUID is the rule identifier.
	RuleGUID *string `json:"RULE_GUID,omitempty"`
}
LaceworkCustomRule contains custom created rule info
type LaceworkDNSName ¶
// LaceworkDNSName describes a DNS name entity referenced by an alert.
type LaceworkDNSName struct {
	// Hostname is the resolved DNS name.
	Hostname *string `json:"HOSTNAME,omitempty"`
	// PortList is the list of ports seen for the name.
	PortList []int32 `json:"PORT_LIST,omitempty"`
	// Byte counts are decoded as float32; integers above 2^24 lose precision,
	// so do not rely on these for exact accounting.
	TotalINBytes *float32 `json:"TOTAL_IN_BYTES,omitempty"`
	TotalOUTBytes *float32 `json:"TOTAL_OUT_BYTES,omitempty"`
}
LaceworkDNSName is DNS info
type LaceworkData ¶
// LaceworkData is one event record inside Lacework.EventDetails. None of
// its fields carry a validate tag, so any of them may be nil after decoding.
type LaceworkData struct {
	// StartTime and EndTime are parsed as RFC3339 timestamps.
	StartTime *timestamp.RFC3339 `json:"START_TIME" description:"The event start time."`
	EndTime *timestamp.RFC3339 `json:"END_TIME" description:"The event end time."`
	// EventType is the event type description, e.g. "launched new binary".
	EventType *string `json:"EVENT_TYPE" description:"The event type description eg - launched new binary."`
	// EventID is a string here, unlike the numeric Lacework.EventID.
	EventID *string `json:"EVENT_ID" description:"The event alert ID."`
	// EventActor is the origin of the event, e.g. AWS or User.
	EventActor *string `json:"EVENT_ACTOR" description:"The origin of the event eg - AWS, User."`
	// EventModel is the model that triggered the alert.
	EventModel *string `json:"EVENT_MODEL" description:"The model that triggered an alert."`
	// EntityMap groups the entities related to the detection.
	EntityMap *LaceworkEntityMap `json:"ENTITY_MAP" description:"The map of related fields to the detection alert."`
}
LaceworkData is the main level data
type LaceworkDataArray ¶
// LaceworkDataArray wraps the array of event data records. Note the JSON key
// is lower-case "data", unlike the upper-case keys used elsewhere.
type LaceworkDataArray struct {
	Data []LaceworkData `json:"data" description:"The array of event data"`
}
LaceworkDataArray holds the array of event data
type LaceworkEntityMap ¶
// LaceworkEntityMap groups the entities related to a detection, one slice per
// entity kind. Every field is omitempty and decodes to a nil slice when the
// key is absent. JSON keys here are mixed-case (e.g. "DnsName", "CT_User"),
// unlike the upper-case keys used by the entity structs themselves.
type LaceworkEntityMap struct {
	User []LaceworkUser `json:"User,omitempty" description:"Any user based info involved in an alert."`
	Application []LaceworkApplication `json:"Application,omitempty" description:"Any application based info involved in an alert."`
	Machine []LaceworkMachine `json:"Machine,omitempty" description:"Any machine based info involved in an alert."`
	Container []LaceworkContainer `json:"Container,omitempty" description:"Any container based info involved in an alert."`
	DNSName []LaceworkDNSName `json:"DnsName,omitempty" description:"Any dns based info involved in an alert."`
	IPAddress []LaceworkIPAddress `json:"IpAddress,omitempty" description:"Any ip based info involved in an alert."`
	Process []LaceworkProcess `json:"Process,omitempty" description:"Any process based info involved in an alert."`
	FileDataHash []LaceworkFileDataHash `json:"FileDataHash,omitempty" description:"Any filehash based info involved in an alert."`
	FileExePath []LaceworkFileExePath `json:"FileExePath,omitempty" description:"Any executable filepath information."`
	SourceIPAddress []LaceworkSourceIPAddress `json:"SourceIpAddress,omitempty" description:"Source IP based information."`
	API []LaceworkAPI `json:"API,omitempty" description:"The service and endpoint."`
	Region []LaceworkRegion `json:"Region,omitempty" description:"Regional based information."`
	CTUser []LaceworkCTUser `json:"CT_User,omitempty" description:"Cloudtrail user information."`
	Resource []LaceworkResource `json:"Resource,omitempty" description:"Resource values."`
	// RecID, NewViolation and ViolationReason all carry a REC_ID; see each type.
	RecID []LaceworkRecID `json:"RecId,omitempty" description:"Receiver account info."`
	CustomRule []LaceworkCustomRule `json:"CustomRule,omitempty" description:"Custom Rule info."`
	NewViolation []LaceworkNewViolation `json:"NewViolation,omitempty" description:"Violation Ref."`
	ViolationReason []LaceworkViolationReason `json:"ViolationReason,omitempty" description:"A reason for the violation."`
}
LaceworkEntityMap is the raw event details
type LaceworkFileDataHash ¶
// LaceworkFileDataHash describes a file hash entity referenced by an alert.
type LaceworkFileDataHash struct {
	// FiledataHash is the file content hash; the hash algorithm is not
	// stated in this file.
	FiledataHash *string `json:"FILEDATA_HASH,omitempty"`
	// MachineCount is the number of machines the hash was seen on.
	MachineCount *numerics.Integer `json:"MACHINE_COUNT,omitempty"`
	// EXEPathList lists executable paths observed with this hash.
	EXEPathList []string `json:"EXE_PATH_LIST,omitempty"`
	// FirstSeenTime is parsed as an RFC3339 timestamp.
	FirstSeenTime *timestamp.RFC3339 `json:"FIRST_SEEN_TIME,omitempty"`
	// ISKnownBad is decoded as an integer; presumably a 0/1 flag — TODO confirm.
	ISKnownBad *numerics.Integer `json:"IS_KNOWN_BAD,omitempty"`
}
LaceworkFileDataHash contains hash data
type LaceworkFileExePath ¶
// LaceworkFileExePath describes an executable path entity referenced by an
// alert, with the most recently observed hash, package and owner.
type LaceworkFileExePath struct {
	// EXEPath is the executable's path on the host.
	EXEPath *string `json:"EXE_PATH,omitempty"`
	// FirstSeenTime is parsed as an RFC3339 timestamp.
	FirstSeenTime *timestamp.RFC3339 `json:"FIRST_SEEN_TIME,omitempty"`
	// LastFileDataHash is the last hash recorded for the file; the algorithm
	// is not stated in this file.
	LastFileDataHash *string `json:"LAST_FILEDATA_HASH,omitempty"`
	// LastPackageName and LastVersion describe the owning package.
	LastPackageName *string `json:"LAST_PACKAGE_NAME,omitempty"`
	LastVersion *string `json:"LAST_VERSION,omitempty"`
	// LastFileOwner is the file's owner on the host.
	LastFileOwner *string `json:"LAST_FILE_OWNER,omitempty"`
}
LaceworkFileExePath contains exe path info
type LaceworkIPAddress ¶
// LaceworkIPAddress describes an IP address entity referenced by an alert.
type LaceworkIPAddress struct {
	// SourceIPAddress is decoded from IP_ADDRESS (the Go name and key differ).
	SourceIPAddress *string `json:"IP_ADDRESS,omitempty"`
	// Byte counts are decoded as float32; integers above 2^24 lose precision.
	TotalINBytes *float32 `json:"TOTAL_IN_BYTES,omitempty"`
	TotalOUTBytes *float32 `json:"TOTAL_OUT_BYTES,omitempty"`
	// ThreatTags lists threat labels attached to the address.
	ThreatTags []string `json:"THREAT_TAGS,omitempty"`
	// ThreatSource is kept as raw, undecoded JSON; its schema is not known
	// here. NOTE(review): anything that consumes it must parse and validate
	// it itself rather than trusting its shape.
	ThreatSource *jsoniter.RawMessage `json:"THREAT_SOURCE,omitempty"`
	// Country and Region are the geolocation of the address.
	Country *string `json:"COUNTRY,omitempty"`
	Region *string `json:"REGION,omitempty"`
	// PortList is the list of ports seen for the address.
	PortList []int32 `json:"PORT_LIST,omitempty"`
	// FirstSeenTime is kept as a plain string here, unlike the
	// *timestamp.RFC3339 used by the other entity types, so it is not
	// parsed or normalised on decode.
	FirstSeenTime *string `json:"FIRST_SEEN_TIME,omitempty"`
}
LaceworkIPAddress is IP info
type LaceworkMachine ¶
// LaceworkMachine describes a host entity referenced by an alert.
type LaceworkMachine struct {
	// Hostname is the machine's host name.
	Hostname *string `json:"HOSTNAME,omitempty"`
	// ExternalIP and InternalIPAddress are kept as plain strings;
	// InternalIPAddress is decoded from INTERNAL_IP_ADDR.
	ExternalIP *string `json:"EXTERNAL_IP,omitempty"`
	// InstanceID and InstanceName identify the cloud instance.
	InstanceID *string `json:"INSTANCE_ID,omitempty"`
	InstanceName *string `json:"INSTANCE_NAME,omitempty"`
	// CPUPercentage is the reported CPU utilisation.
	CPUPercentage *float32 `json:"CPU_PERCENTAGE,omitempty"`
	InternalIPAddress *string `json:"INTERNAL_IP_ADDR,omitempty"`
	// IsExternal is decoded as an integer; presumably a 0/1 flag — TODO confirm.
	IsExternal *numerics.Integer `json:"IS_EXTERNAL,omitempty"`
}
LaceworkMachine contains machine data
type LaceworkNewViolation ¶
// LaceworkNewViolation describes a newly raised compliance violation. It
// shares the REC_ID key with LaceworkRecID and LaceworkViolationReason.
type LaceworkNewViolation struct {
	// RECID is decoded from REC_ID.
	RECID *string `json:"REC_ID,omitempty"`
	// Reason is the violation reason text.
	Reason *string `json:"REASON,omitempty"`
	// Resource names the violating resource.
	Resource *string `json:"RESOURCE,omitempty"`
}
LaceworkNewViolation contains violation info
type LaceworkParser ¶
// LaceworkParser parses Lacework Alert logs. It carries no state, so the
// zero value is ready to use.
type LaceworkParser struct{}
LaceworkParser parses Lacework Alert logs
func (*LaceworkParser) LogType ¶
func (p *LaceworkParser) LogType() string
LogType returns the log type supported by this parser
func (*LaceworkParser) New ¶
func (p *LaceworkParser) New() parsers.LogParser
New returns a LaceworkParser that parses the data
func (*LaceworkParser) Parse ¶
func (p *LaceworkParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type LaceworkProcess ¶
// LaceworkProcess describes a process entity referenced by an alert.
type LaceworkProcess struct {
	// Hostname is the host the process ran on.
	Hostname *string `json:"HOSTNAME,omitempty"`
	// ProcessID is the numeric process ID.
	ProcessID *numerics.Integer `json:"PROCESS_ID,omitempty"`
	// ProcessStartTime is parsed as an RFC3339 timestamp.
	ProcessStartTime *timestamp.RFC3339 `json:"PROCESS_START_TIME,omitempty"`
	// CommandLine is decoded verbatim from CMDLINE. NOTE(review): command
	// lines may carry credentials or tokens passed as arguments; consider
	// that when storing, forwarding or displaying this field.
	CommandLine *string `json:"CMDLINE,omitempty"`
	// CPUPercentage is the reported CPU utilisation.
	CPUPercentage *float32 `json:"CPU_PERCENTAGE,omitempty"`
}
LaceworkProcess contains process info
type LaceworkRecID ¶
// LaceworkRecID describes the recipient account of a compliance record.
type LaceworkRecID struct {
	// RECID is decoded from REC_ID.
	RECID *string `json:"REC_ID,omitempty"`
	// RecipientAccountID is decoded from ACCOUNT_ID.
	RecipientAccountID *string `json:"ACCOUNT_ID,omitempty"`
	// AccountAlias is the account's alias.
	AccountAlias *string `json:"ACCOUNT_ALIAS,omitempty"`
	// Title and Status describe the record.
	Title *string `json:"TITLE,omitempty"`
	Status *string `json:"STATUS,omitempty"`
	// EVALType and EVALGUID identify the evaluation.
	EVALType *string `json:"EVAL_TYPE,omitempty"`
	EVALGUID *string `json:"EVAL_GUID,omitempty"`
}
LaceworkRecID contains the receiver account ID info
type LaceworkRegion ¶
// LaceworkRegion describes a region entity referenced by an alert.
type LaceworkRegion struct {
	// Region is the region name.
	Region *string `json:"REGION,omitempty"`
	// RecipientAccountID is decoded from ACCOUNT_LIST and is a slice despite
	// its singular name.
	RecipientAccountID []string `json:"ACCOUNT_LIST,omitempty"`
}
LaceworkRegion contains regional info
type LaceworkResource ¶
// LaceworkResource is a name/value pair describing a resource in an alert.
type LaceworkResource struct {
	Name *string `json:"NAME,omitempty"`
	Value *string `json:"VALUE,omitempty"`
}
LaceworkResource contains resource info
type LaceworkSourceIPAddress ¶
// LaceworkSourceIPAddress describes a source IP entity referenced by an
// alert; it is a narrower view than LaceworkIPAddress.
type LaceworkSourceIPAddress struct {
	// SourceIPAddress is decoded from IP_ADDRESS.
	SourceIPAddress *string `json:"IP_ADDRESS,omitempty"`
	// Region and Country are the geolocation of the address.
	Region *string `json:"REGION,omitempty"`
	Country *string `json:"COUNTRY,omitempty"`
}
LaceworkSourceIPAddress contains IP info
type LaceworkUser ¶
// LaceworkUser describes a user entity referenced by an alert.
type LaceworkUser struct {
	// Hostname is decoded from MACHINE_HOSTNAME.
	Hostname *string `json:"MACHINE_HOSTNAME,omitempty"`
	// Username is the user name on that machine.
	Username *string `json:"USERNAME,omitempty"`
}
LaceworkUser is user info
type LaceworkViolationReason ¶
// LaceworkViolationReason gives the reason for a violation. It shares the
// REC_ID key with LaceworkRecID and LaceworkNewViolation.
type LaceworkViolationReason struct {
	// RECID is decoded from REC_ID.
	RECID *string `json:"REC_ID,omitempty"`
	// Reason is the violation reason text.
	Reason *string `json:"REASON,omitempty"`
}
LaceworkViolationReason is violation details