Lacework supports sending events to Eventarc for delivery to interested subscribers.
| The Lacework Polygraph® Data Platform delivers end-to-end visibility and automated insight on risks across multicloud environments, collecting, analyzing, and correlating data. Customers depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate security solutions into a single platform. Learn more about using Lacework. |  |
To subscribe to events from Lacework, complete the following steps:
Before you begin
Ensure that you have enabled the Eventarc and Eventarc Publishing APIs:
Console
gcloud
gcloud services enable \ eventarc.googleapis.com \ eventarcpublishing.googleapis.comIf you are enabling a customer-managed encryption key (CMEK) for a channel, enable the Cloud Key Management Service API.
Console
gcloud
gcloud services enable cloudkms.googleapis.com
Retrieve the provider name used by Lacework
The provider name is required when creating and using a channel. You can list
all Eventarc providers and retrieve their details, including
supported event types, by running gcloud commands.
For example, you can list all third-party providers in any location:
gcloud eventarc providers list --filter='eventTypes.type!~^google*' --location=-
The output includes something similar to the following:
NAME: lacework LOCATION: us-central1
For details, see List event providers.
Retrieve the events supported by Lacework
An event type is needed when creating an Eventarc
trigger. You can list Lacework's supported event
types, by running a gcloud command:
gcloud eventarc providers describe lacework \ --location=LOCATION
Replace LOCATION with a supported Eventarc
region.
For example:
gcloud eventarc providers describe lacework --location=us-central1
The output is similar to the following:
displayName: Lacework eventTypes: - type: lacework.polygraph.v1.application name: projects/project-id/locations/us-central1/providers/lacework [...]
Make note of the event type to use when creating an Eventarc trigger.
Create a channel for Lacework events
To subscribe to events from Lacework, you must create a channel:
Console
In the Google Cloud console, go to the Eventarc > Channels page.
Click Create channel.
Select a Channel type and Provider.
For example, select Third-party > Lacework.
In the Channel name field, enter a name for the channel.
In the Region list, select a supported Eventarc region.
Optionally, select the Use a customer-managed encryption key (CMEK) checkbox and, in the CMEK encryption key list, select a key ring that you have created for the region.
For more information, see Use customer-managed encryption keys.
Click Create.
gcloud
gcloud eventarc channels create CHANNEL_NAME \ --provider lacework \ --project PROJECT_ID \ --location LOCATION
Replace the following:
CHANNEL_NAME: a name for the channelPROJECT_ID: your Google Cloud project IDYou can find your project ID on the Welcome page of the Google Cloud console.
LOCATION: a supported Eventarc region
You can optionally use a --crypto-key flag to specify a fully qualified
Cloud KMS key name in the format
projects/PROJECT_NAME/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME.
For more information, see Use customer-managed encryption keys.
For details, see Create a channel.
Retrieve specific details to convey to Lacework
After creating a channel, you can retrieve specific details to convey to Lacework:
Console
In the Google Cloud console, go to the Eventarc > Channels page.
From the list of channels, click a channel to view its details.
The channel status should be
Pending.Copy the Channel full name and Activation token value. Both will be needed later to convey to Lacework and activate the channel.
gcloud
gcloud eventarc channels describe CHANNEL_NAME \ --project PROJECT_ID \ --location LOCATION
The output is similar to the following:
activationToken: aS7dXs1b79AcXsf createTime: '2021-11-15T15:20:31.582356065Z' name: projects/project-id/locations/us-central1/channels/lacework-channel provider: projects/project-id/locations/us-central1/providers/lacework pubsubTopic: projects/project-id/topics/eventarc-channel-us-central1-lacework-channel-077 state: PENDING uid: c6703a91-ccd3-4c32-a729-967393f23a29 updateTime: '2021-11-15T15:21:03.689597653Z'
Note that the channel is in a PENDING state. To activate the channel, you
must provide the activationToken value and the channel name to
Lacework.
Learn more about the channel state.
Send the channel details to Lacework
Use the form available at https://eventarc.laceworkalliances.com to convey to Lacework the following channel details.
Lacework instance: a name for the instance. This is used to name the Pub/Sub topic and is required when configuring the alert channel. We suggest using the Eventarc channel short name.
For example:
lacework-alertsChannel: the full channel name, including the Google Cloud project ID and location of the resource. For example:
projects/PROJECT_ID/locations/LOCATION/channels/CHANNEL_ID
Activation token: the token is valid for 24 hours after the channel's creation. After 24 hours, the channel becomes INACTIVE.
For example:
aS7dXs1b79AcXsf
After completing the form, submit it.
Configure the Lacework alert channel
After you have submitted the channel details, follow the Lacework instructions to configure the alert channel.
Once Lacework receives the required information, and has initialized the connection between their ecosystem and the channel, the state of the channel changes from PENDING to ACTIVE.
Lacework can now send events to your project and you can start consuming the events.
Deploy an event receiver
To test the configuration, deploy an event receiver—in this case, a Workflows workflow that logs received events—and create an Eventarc trigger that routes events from Lacework to the event receiver. You must use a service account that has been granted the appropriate roles to access your Google Cloud project resources.
Enable the Workflows and Workflow Executions APIs:
Console
gcloud
gcloud services enable \ workflows.googleapis.com \ workflowexecutions.googleapis.comCreate a service account and grant it the
roles/logging.logWriterandroles/workflows.invokerroles:Console
In the Google Cloud console, go to the Service Accounts page.
Select your project.
In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name. Optionally, add a description.
Click Create and continue.
In the Select a role list, select Logging > Logs Writer.
Click Add another role and select Workflows > Workflows Invoker.
Click Continue.
To finish creating the service account, click Done.
gcloud
gcloud iam service-accounts create MY_SERVICE_ACCOUNT gcloud projects add-iam-policy-binding PROJECT_ID \ --role="roles/workflows.invoker" \ --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" gcloud projects add-iam-policy-binding PROJECT_ID \ --role="roles/logging.logWriter" \ --member="serviceAccount:MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"Replace
MY_SERVICE_ACCOUNTwith a name for your service account.For more information about how to control access to Workflows resources, see Use IAM to control access.
Create and deploy a workflow that logs a received event:
Console
In the Google Cloud console, go to the Workflows page.
Click Create.
Name your workflow
logEventsWorkflow.Choose a supported Workflows region; for example, us-central1.
Select the Service account you previously created.
Click Next.
In the workflow editor, enter the following definition for your workflow:
main: params: [event] steps: - logStep: call: sys.log args: data: ${event}Click Deploy.
gcloud
- Open a terminal or Cloud Shell.
- In your home directory, create a new file called
logEventsWorkflow.yaml. Copy and paste the following into the new file and save it:
main: params: [event] steps: - logStep: call: sys.log args: data: ${event}Deploy the workflow:
gcloud workflows deploy logEventsWorkflow \ --source=logEventsWorkflow.yaml \ --location LOCATIONReplace
LOCATIONwith a supported Workflows region; for example,us-central1.
Create an Eventarc trigger to route events from Lacework to the target workflow:
Console
In the Google Cloud console, go to the Eventarc > Triggers page.
Click Create trigger.
Type a Trigger name.
This is the ID of the trigger and it must start with a letter. For example,
my-event-channel-trigger.Select a Trigger type and Event provider.
This is the partner service that is the source of events. For example, select Third-party > Lacework.
Select the appropriate Channel.
Select an Event.
For example: lacework.polygraph.v1.application
Optionally, in the Filters section, specify an appropriate attribute and value.
Select the Service account you previously created to invoke your workflow.
For the Event destination, select Workflows, and then select the workflow you previously created.
Click Create.
gcloud
gcloud eventarc triggers create TRIGGER \ --location=LOCATION \ --destination-workflow=logEventsWorkflow \ --event-filters=type=lacework.polygraph.v1.application \ --channel=CHANNEL_NAME \ --project=PROJECT_ID \ --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"Replace
TRIGGERwith the ID of the trigger or a fully qualified identifier. For example,my-event-channel-trigger.For more information, see Create a trigger for a third-party provider.
Test the routing of events
You can now test the entire configuration and ensure that an event from Lacework is routed to the workflow event receiver which logs the received event.
From the Lacework Console, in the list of alert channels, find your channel and, in Integration, click Test.
This triggers an execution of the workflow and you should see an
Integration test was successfulmessage.To verify that a workflow execution was triggered, list the last five executions:
gcloud workflows executions list ${MY_WORKFLOW} --limit=5The output should be similar to the following, listing a NAME and STATE equal to
SUCCEEDEDfor each workflow execution.NAME: projects/606789101455/locations/us-central1/workflows/logEventsWorkflow/executions/8c02b8f1-8836-4a6d-99d9-fc321eb9668f STATE: SUCCEEDED START_TIME: 2021-09-13T19:15:10.275677049Z END_TIME: 2021-09-13T19:15:10.963136883Z NAME: projects/606789101455/locations/us-central1/workflows/logEventsWorkflow/executions/a6319d9d-36a6-4117-904e-3d1118bdc90a STATE: SUCCEEDED START_TIME: 2021-09-13T17:28:51.492864252Z END_TIME: 2021-09-13T17:28:52.227212414ZEvery time a workflow executes a single run of the logic contained in a workflow's definition, it automatically triggers at least two execution logs: one at the start of an execution and one at the end. To view the logs do the following:
In the Google Cloud console, go to the Workflows page:
Go to WorkflowsTo access a workflow's Details page, click the workflow's name.
To view the logs, click Logs. The output should be similar to the following:
2022-06-10 13:49:50.019 BST {data: {…}, datacontenttype: application/json,[...] { "eventCategory": "TestEvent", "id": "a91ca1a5-85e7-4dad-a329-cf7deba8e14d", "severity": "0", "source": "//lacework/alertChannel/test", "type": "lacework.polygraph.v1.application", "link": "https://login.lacework.net", "eventName": "Test Event", "datacontenttype": "application/json", "resource": "TestEvent", "specversion": "1.0", "data": { "EVENT_ID": "0", "EVENT_TYPE": "TestEvent", "START_TIME": "10 Jun 2022 12:49 GMT", "LINK": "https://login.lacework.net", "EVENT_DETAILS": { "data": null }, "SEVERITY": 0, "SUMMARY": "This is a test Message.", "EVENT_CATEGORY": "TestEvent", "EVENT_NAME": "Test Event" } }
What's next
- Learn more about third-party events
- Learn more about Eventarc
- Learn more about Workflows