Retrieve the evidence or observation details.

External Documentation

To learn more, visit the Lacework documentation.

Parameters

Parameter | Description
End Time | Query for changed files until the given timestamp.
Start Time | Query for changed files since the given timestamp.

Example Output

{
	"data": [
		{
			"endTime": "2022-03-18T01:00:00.000Z",
			"eventCount": 7738,
			"eventType": "CloudTrailDefaultAlert",
			"id": 438898,
			"srcEvent": {
				"awsRegion": "us-west-2",
				"event": {
					"additionalEventData": {
						"AuthenticationMethod": "AuthHeader",
						"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
						"SignatureVersion": "SigV4",
						"bytesTransferredIn": 0,
						"bytesTransferredOut": 137,
						"x-amz-id-2": "wl+gKI0I80T1CIBzz8d96nX5XcesTU/eIeo8SwdNqmSH2ZYFZssPmlqNhJJnhvewgefx6Babcqc="
					},
					"awsRegion": "us-west-2",
					"eventCategory": "Management",
					"eventID": "1dddd61c-7608-87d8-b9f8-4a52495bdbb1",
					"eventName": "GetBucketLocation",
					"eventSource": "s3.amazonaws.com",
					"eventTime": "2022-03-18T00:04:08Z",
					"eventType": "AwsApiCall",
					"eventVersion": "1.08",
					"managementEvent": true,
					"readOnly": true,
					"recipientAccountId": "631668038012",
					"requestID": "SRZY6EVTR8Q3ADSJ",
					"requestParameters": {
						"Host": "s3.us-west-2.amazonaws.com",
						"bucketName": "redhat-k8-crio-bucket",
						"location": ""
					},
					"resources": [
						{
							"ARN": "arn:aws:s3:::redhat-k8-crio-bucket",
							"accountId": "631668038012",
							"type": "Aws::s3::bucket"
						}
					],
					"sourceIPAddress": "36.223.225.183",
					"tlsDetails": {
						"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
						"clientProvidedHostHeader": "s3.us-west-2.amazonaws.com",
						"tlsVersion": "TLSv1.2"
					},
					"userAgent": "[aws-sdk-go/1.37.0 (go1.15.8; linux; amd64)]",
					"userIdentity": {
						"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
						"accountId": "631668038012",
						"arn": "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957",
						"principalId": "ABCDEFGHIJKL123456789",
						"sessionContext": {
							"attributes": {
								"creationDate": "2022-03-17T23:58:00Z",
								"mfaAuthenticated": "false"
							},
							"ec2RoleDelivery": "2.0",
							"sessionIssuer": {
								"accountId": "631668038012",
								"arn": "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local",
								"principalId": "ABCDEFGHIJKL123456789",
								"type": "Role",
								"userName": "masters.redhatk8crio.k8s.local"
							},
							"webIdFederationData": {}
						},
						"type": "Assumedrole"
					}
				},
				"eventName": "GetBucketLocation",
				"eventSource": "s3.amazonaws.com",
				"is_assumed_role": true,
				"principalId": "ABCDEFGHIJKL123456789",
				"recipientAccountId": "631668038012",
				"sourceIPAddress": "36.223.225.183",
				"userIdentity": {
					"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
					"accountId": "631668038012",
					"arn": "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957",
					"principalId": "ABCDEFGHIJKL123456789",
					"sessionContext": {
						"attributes": {
							"creationDate": "2022-03-17T23:58:00Z",
							"mfaAuthenticated": "false"
						},
						"ec2RoleDelivery": "2.0",
						"sessionIssuer": {
							"accountId": "631668038012",
							"arn": "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local",
							"principalId": "ABCDEFGHIJKL123456789",
							"type": "Role",
							"userName": "masters.redhatk8crio.k8s.local"
						},
						"webIdFederationData": {}
					},
					"type": "Assumedrole"
				},
				"userIdentityAccount": "631668038012",
				"userIdentityName": "masters.redhatk8crio.k8s.local",
				"userIdentityType": "AssumedRole",
				"username": "AssumedRole/631668038012:masters.redhatk8crio.k8s.local"
			},
			"srcType": "AwsResource",
			"startTime": "2022-03-18T00:00:00.000Z"
		},
		{
			"endTime": "2022-03-18T01:00:00.000Z",
			"eventCount": 7738,
			"eventType": "CloudTrailDefaultAlert",
			"id": 438898,
			"srcEvent": {
				"awsRegion": "us-west-2",
				"event": {
					"additionalEventData": {
						"AuthenticationMethod": "AuthHeader",
						"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
						"SignatureVersion": "SigV4",
						"bytesTransferredIn": 0,
						"bytesTransferredOut": 137,
						"x-amz-id-2": "hhxqxS6lksuIoI/E8eZqZ1xg+yqLSVwoXBgFb3doT0+e3QJzoDyGuQ6RqVkL8zjyhVBKhbQGC9E="
					},
					"awsRegion": "us-west-2",
					"eventCategory": "Management",
					"eventID": "1338a37d-4309-44bb-9f68-30c39ce152b0",
					"eventName": "GetBucketLocation",
					"eventSource": "s3.amazonaws.com",
					"eventTime": "2022-03-18T00:17:27Z",
					"eventType": "AwsApiCall",
					"eventVersion": "1.08",
					"managementEvent": true,
					"readOnly": true,
					"recipientAccountId": "631668038012",
					"requestID": "T7SB5GS78Q8ZA4KV",
					"requestParameters": {
						"Host": "s3.us-west-2.amazonaws.com",
						"bucketName": "asset-mgt-dev-697",
						"location": ""
					},
					"resources": [
						{
							"ARN": "arn:aws:s3:::asset-mgt-dev-697",
							"accountId": "631668038012",
							"type": "Aws::s3::bucket"
						}
					],
					"sourceIPAddress": "10.0.198.115",
					"tlsDetails": {
						"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
						"clientProvidedHostHeader": "s3.us-west-2.amazonaws.com",
						"tlsVersion": "TLSv1.2"
					},
					"userAgent": "[aws-sdk-go/1.40.53 (go1.16; linux; amd64)]",
					"userIdentity": {
						"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
						"accountId": "631668038012",
						"arn": "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss",
						"principalId": "ABCDEFGHIJKL123456789",
						"type": "Iamuser",
						"userName": "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
					},
					"vpcEndpointId": "vpce-0b01b13fbbcec47fa"
				},
				"eventName": "GetBucketLocation",
				"eventSource": "s3.amazonaws.com",
				"is_assumed_role": false,
				"principalId": "ABCDEFGHIJKL123456789",
				"recipientAccountId": "631668038012",
				"sourceIPAddress": "10.0.198.115",
				"userIdentity": {
					"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
					"accountId": "631668038012",
					"arn": "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss",
					"principalId": "ABCDEFGHIJKL123456789",
					"type": "Iamuser",
					"userName": "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
				},
				"userIdentityAccount": "631668038012",
				"userIdentityType": "IAMUser",
				"username": "IAMUser/631668038012:user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
			},
			"srcType": "AwsResource",
			"startTime": "2022-03-18T00:00:00.000Z"
		}
	]
}

Workflow Library Example

Search Events with Lacework and Send Results Via Email
