Search Events
Retrieve the evidence or observation details.
External Documentation
To learn more, visit the Lacework documentation.
Parameters
| Parameter | Description |
|---|---|
| End Time | Query for changed files until given timestamp. |
| Start Time | Query for changed files since given timestamp. |
Example Output
{
"data": [
{
"endTime": "2022-03-18T01:00:00.000Z",
"eventCount": 7738,
"eventType": "CloudTrailDefaultAlert",
"id": 438898,
"srcEvent": {
"awsRegion": "us-west-2",
"event": {
"additionalEventData": {
"AuthenticationMethod": "AuthHeader",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"SignatureVersion": "SigV4",
"bytesTransferredIn": 0,
"bytesTransferredOut": 137,
"x-amz-id-2": "wl+gKI0I80T1CIBzz8d96nX5XcesTU/eIeo8SwdNqmSH2ZYFZssPmlqNhJJnhvewgefx6Babcqc="
},
"awsRegion": "us-west-2",
"eventCategory": "Management",
"eventID": "1dddd61c-7608-87d8-b9f8-4a52495bdbb1",
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"eventTime": "2022-03-18T00:04:08Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": true,
"recipientAccountId": "631668038012",
"requestID": "SRZY6EVTR8Q3ADSJ",
"requestParameters": {
"Host": "s3.us-west-2.amazonaws.com",
"bucketName": "redhat-k8-crio-bucket",
"location": ""
},
"resources": [
{
"ARN": "arn:aws:s3:::redhat-k8-crio-bucket",
"accountId": "631668038012",
"type": "Aws::s3::bucket"
}
],
"sourceIPAddress": "36.223.225.183",
"tlsDetails": {
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "s3.us-west-2.amazonaws.com",
"tlsVersion": "TLSv1.2"
},
"userAgent": "[aws-sdk-go/1.37.0 (go1.15.8; linux; amd64)]",
"userIdentity": {
"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957",
"principalId": "ABCDEFGHIJKL123456789",
"sessionContext": {
"attributes": {
"creationDate": "2022-03-17T23:58:00Z",
"mfaAuthenticated": "false"
},
"ec2RoleDelivery": "2.0",
"sessionIssuer": {
"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Role",
"userName": "masters.redhatk8crio.k8s.local"
},
"webIdFederationData": {}
},
"type": "Assumedrole"
}
},
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"is_assumed_role": true,
"principalId": "ABCDEFGHIJKL123456789",
"recipientAccountId": "631668038012",
"sourceIPAddress": "36.223.225.183",
"userIdentity": {
"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957",
"principalId": "ABCDEFGHIJKL123456789",
"sessionContext": {
"attributes": {
"creationDate": "2022-03-17T23:58:00Z",
"mfaAuthenticated": "false"
},
"ec2RoleDelivery": "2.0",
"sessionIssuer": {
"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Role",
"userName": "masters.redhatk8crio.k8s.local"
},
"webIdFederationData": {}
},
"type": "Assumedrole"
},
"userIdentityAccount": "631668038012",
"userIdentityName": "masters.redhatk8crio.k8s.local",
"userIdentityType": "AssumedRole",
"username": "AssumedRole/631668038012:masters.redhatk8crio.k8s.local"
},
"srcType": "AwsResource",
"startTime": "2022-03-18T00:00:00.000Z"
},
{
"endTime": "2022-03-18T01:00:00.000Z",
"eventCount": 7738,
"eventType": "CloudTrailDefaultAlert",
"id": 438898,
"srcEvent": {
"awsRegion": "us-west-2",
"event": {
"additionalEventData": {
"AuthenticationMethod": "AuthHeader",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"SignatureVersion": "SigV4",
"bytesTransferredIn": 0,
"bytesTransferredOut": 137,
"x-amz-id-2": "hhxqxS6lksuIoI/E8eZqZ1xg+yqLSVwoXBgFb3doT0+e3QJzoDyGuQ6RqVkL8zjyhVBKhbQGC9E="
},
"awsRegion": "us-west-2",
"eventCategory": "Management",
"eventID": "1338a37d-4309-44bb-9f68-30c39ce152b0",
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"eventTime": "2022-03-18T00:17:27Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": true,
"recipientAccountId": "631668038012",
"requestID": "T7SB5GS78Q8ZA4KV",
"requestParameters": {
"Host": "s3.us-west-2.amazonaws.com",
"bucketName": "asset-mgt-dev-697",
"location": ""
},
"resources": [
{
"ARN": "arn:aws:s3:::asset-mgt-dev-697",
"accountId": "631668038012",
"type": "Aws::s3::bucket"
}
],
"sourceIPAddress": "10.0.198.115",
"tlsDetails": {
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "s3.us-west-2.amazonaws.com",
"tlsVersion": "TLSv1.2"
},
"userAgent": "[aws-sdk-go/1.40.53 (go1.16; linux; amd64)]",
"userIdentity": {
"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Iamuser",
"userName": "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
},
"vpcEndpointId": "vpce-0b01b13fbbcec47fa"
},
"eventName": "GetBucketLocation",
"eventSource": "s3.amazonaws.com",
"is_assumed_role": false,
"principalId": "ABCDEFGHIJKL123456789",
"recipientAccountId": "631668038012",
"sourceIPAddress": "10.0.198.115",
"userIdentity": {
"accessKeyId": "ABCDEFGHIJKLMNOPQRST",
"accountId": "631668038012",
"arn": "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss",
"principalId": "ABCDEFGHIJKL123456789",
"type": "Iamuser",
"userName": "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
},
"userIdentityAccount": "631668038012",
"userIdentityType": "IAMUser",
"username": "IAMUser/631668038012:user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss"
},
"srcType": "AwsResource",
"startTime": "2022-03-18T00:00:00.000Z"
}
]
}
Workflow Library Example
Search Events with Lacework and Send Results Via Email
Preview this Workflow on desktop