LaceWork API Keys

Description

General

• Documentation: https://docs.lacework.com/api/api-access-keys-and-tokens

• Summary: Lacework is a cloud security platform. It enables the automation of cloud security without the need for manual setup of rules and policies. Users can use their API access key and its associated KeyID to obtain a short-lived Access Token to interact with the API. The URL of said API reassembles the following format: https://{LaceworkInstanceName}.lacework.net. This detector aims at catching the Lacework organization URL, API access key and the KeyID.

• IPs allowlist: According to the documentation, this feature is currently not available for the API.

• Scopes: The permissions attached to the obtained access token depends on the type of the login account that created the secret key and the access key ID:

• Organization admin: access token gives organization admin privileges.
• Account admin: access token gives admin privileges for any organization sub-accounts where that admin is an account admin.
• Account user: this account does not have privileges to create access tokens. More details about this Role-Based API Authentication can be found in the official documentation.

Revoke the secret

An API access key can be either disabled or deleted. See (official documentation)[https://docs.lacework.com/api/api-access-keys-and-tokens].

Check for suspicious activity

It is possible to monitor activity performed within a lacework account either via their audit logs dashboard or dedicated API endpoint.

Details for Lacework API Keys With Account

• Family: credentials

• Category: monitoring

• Company: Lacework

• High recall: False

• Validity check available: True

• Analyzer available: False

• On-premise instances exist: False

• Only valid secrets raise an alert: False

• Minimum number of matches: 3

• Occurrences found for one million commits: 0.006

• Prefixed: False

• PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - lacework

Examples

- text: |
    lacework_account    = "safe-account"
    lacework_api_key    = "SAFEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C"
    lacework_api_secret = "_b5be5dd45b6be7492743f2f90a36dba3"
  subdomain: safe-account
  client_id: SAFEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C
  client_secret: _b5be5dd45b6be7492743f2f90a36dba3

- text: |
    lacework_account    = "s4fe-account"
    lacework_api_key    = "S4FEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C"
    lacework_api_secret = "_b5be5dd45b6be7492743f2f90a36dba3"
  subdomain: s4fe-account
  client_id: S4FEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C
  client_secret: _b5be5dd45b6be7492743f2f90a36dba3

Details for Lacework API Keys With URL

• Family: credentials

• Category: monitoring

• Company: Lacework

• High recall: False

• Validity check available: True

• Analyzer available: False

• On-premise instances exist: False

• Only valid secrets raise an alert: False

• Minimum number of matches: 3

• Occurrences found for one million commits: 0.001

• Prefixed: False

• PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - lacework

Examples

- text: |
    lacework_instance_url    = "safe-account.lacework.net"
    lacework_api_key    = "SAFEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C"
    lacework_api_secret = "_b5be5dd45b6be7492743f2f90a36dba3"
  subdomain: safe-account
  client_id: SAFEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C
  client_secret: _b5be5dd45b6be7492743f2f90a36dba3

- text: |
    lacework_instance_url    = "s4fe-account.lacework.net"
    lacework_api_key    = "S4FEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C"
    lacework_api_secret = "_b5be5dd45b6be7492743f2f90a36dba3"
  subdomain: s4fe-account
  client_id: S4FEACC_F3758175A0533880B17581CF6B4DF862A9D9A737A5CC192C
  client_secret: _b5be5dd45b6be7492743f2f90a36dba3