`laceworksdk.api`

Lacework API wrappers.

Subpackages

laceworksdk.api.v2

Submodules

Package Contents

Classes

`ActivitiesAPI`	A class used to represent the Activities API endpoint
`AgentAccessTokensAPI`	A class used to represent the Agent Access Tokens API endpoint
`AgentInfoAPI`	A class used to represent the Agent Info API endpoint
`AlertChannelsAPI`	A class used to represent the Alert Channels API endpoint
`AlertProfilesAPI`	A class used to represent the Alert Profiles API endpoint
`AlertRulesAPI`	A class used to represent the Alert Rules API endpoint
`AlertsAPI`	A class used to represent the Alerts API endpoint
`AuditLogsAPI`	A class used to represent the Audit Log API endpoint
`CloudAccountsAPI`	A class used to represent the Cloud Accounts API endpoint
`CloudActivitiesAPI`	A class used to represent the Cloud Activities API endpoint
`ConfigsAPI`	A class used to represent the Configs API endpoint
`ContainerRegistriesAPI`	A class used to represent the Container Registries API endpoint
`ContractInfoAPI`	A class used to represent the Contract Info API endpoint
`DatasourcesAPI`	A class used to represent the Datasources API endpoint
`DataExportRulesAPI`	A class used to represent the Data Export Rules API endpoint
`EntitiesAPI`	A class used to represent the Entities API endpoint
`EventsAPI`	A class used to represent the Events API endpoint
`InventoryAPI`	A class used to represent the Inventory API endpoint
`OrganizationInfoAPI`	A class used to represent the Organization Info API endpoint
`PoliciesAPI`	A class used to represent the Policies API endpoint
`PolicyExceptionsAPI`	A class used to represent the Policies Exceptions API endpoint
`QueriesAPI`	A class used to represent the Queries API endpoint
`ReportDefinitionsAPI`	A class used to represent the Report Definition API endpoint
`ReportRulesAPI`	A class used to represent the Report Rules API endpoint
`ReportsAPI`	A class used to represent the Reports API endpoint
`ResourceGroupsAPI`	A class used to represent the Resource Groups API endpoint
`SchemasAPI`	A class used to represent the Schemas API endpoint
`TeamMembersAPI`	A class used to represent the Team Members API endpoint
`TeamUsersAPI`	A class used to represent the Team Users API endpoint .
`UserGroupsAPI`	A class used to represent the User Groups API endpoint .
`UserProfileAPI`	A class used to represent the User Profile API endpoint .
`VulnerabilitiesAPI`	A class used to represent the Vulnerabilities API endpoint .
`VulnerabilityExceptionsAPI`	A class used to represent the Vulnerabilities Exceptions API endpoint .
`VulnerabilityPoliciesAPI`	A class used to represent the Vulnerabilities Policies API endpoint .
`LaceworkClient`	Lacework API wrapper for Python.

class laceworksdk.api.ActivitiesAPI(session)[source]

A class used to represent the Activities API endpoint

Get information about network activities detected through the Lacework agent.

The Activities API endpoint is a parent for different types of activities that can be queried.

Attributes:

changed_files:: A ChangedFilesAPI instance.
connections:: A ConnectionsAPI instance.
dns:: A DnsAPI instance.
user_logins:: A UserLoginsAPI instance.

class ChangedFilesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Changed Files API endpoint

Search for changed files in your environment

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class ConnectionsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Connections API endpoint

Search for connections in your environment.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class DnsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the DNS Lookup API endpoint

Search for DNS summaries in your environment.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class UserLoginsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the UserLogins API endpoint

Search for user logins in your environment.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.AgentAccessTokensAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Agent Access Tokens API endpoint

To connect to the Lacework instance, Lacework agents require an agent access token.

property session: Get the HttpSession instance the object is using.

create(alias, enabled, props=None, **request_params)[source]

A method to create a new agent access token.

Parameters:

alias (str) – A string representing the name you wish to give to the created token.
enabled (bool|int) – A boolean/integer representing whether the token is enabled.
props (dict, optional) – A dict containing optional values for the following fields: - description(str, optional): a description of the token - os(str, optional): the operating system - subscription(str, optional): The subscription level of the token. Valid values are: “standard”, “professional”, “enterprise”
request_params (dict) – Use to pass any additional parameters the API

Returns:

The new access token

Return type:

dict

get_by_id(id)[source]

A method to get an agent access token by its ID.

Parameters:: id (str) – A string representing the object ID.
Returns:: a JSON object containing info regarding the requested access token
Return type:: dict

update(id, token_enabled=None, props=None, **request_params)[source]

A method to update an agent access token.

Parameters:

id (str) – A string representing the object ID.
token_enabled (bool|int, optional) – A boolean/integer representing whether the object is enabled.
props (dict, optional) –
A dict containing optional values for the following fields:
- description (str, optional): a description of the token
- os (str, optional): the operating system
- subscription (str, optional): The subscription level of the token. Valid values are:
”standard”, “professional”, “enterprise”
request_params (dict) – Use to pass any additional parameters the API

Returns:

The updated access token.

Return type:

dict

delete()[source]: Lacework does not currently allow for agent access tokens to be deleted.

get(id=None, resource=None, **request_params)

A method to get objects.

Parameters:

id (str) – A string representing the object ID.
resource (str) – The Lacework API resource type to get.
request_params (any) – A dictionary of parameters to add to the request.

Returns:

JSON containing the retrieved object(s)

Return type:

dict

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.AgentInfoAPI(session)[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Agent Info API endpoint

View and verify information about all agents.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.AlertChannelsAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Alert Channels API endpoint

Lacework combines alert channels with alert rules or report rules to provide a flexible method for routing alerts and reports.

property session: Get the HttpSession instance the object is using.

create(name, type, enabled, data, **request_params)[source]

A method to create a new AlertChannels object.

Parameters:

name (str) – The name of the alert channel you wish to create.
type (str) – The type of alert channel you wish to create. See the API docs for valid values.
enabled (bool|int) – A boolean/integer representing whether the object is enabled. (0 or 1)
data (dict) –
A dict matching the schema for the specified type. See the API docs for valid values.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The new alert channel

Return type:

dict

get(guid=None, type=None)[source]

A method to get all Alert Channels, optionally filtered by guid and/or type.

Parameters:

guid (str, optional) – The alert channel GUID.
type (str, optional) – A string representing the alert channel type.

Returns:

The channel(s) requested.

Return type:

dict

get_by_guid(guid)[source]

A method to get AlertChannels objects by GUID.

Parameters:: guid (str) – The alert channel GUID.
Returns:: The channel(s) requested.
Return type:: dict

get_by_type(type)[source]

A method to get AlertChannels objects by type.

Parameters:: type (str) – The alert channel type to return
Returns:: The channel(s) requested.
Return type:: dict

update(guid, name=None, type=None, enabled=None, data=None, **request_params)[source]

A method to update an AlertChannels object.

Parameters:

guid (str) – The guild of the alert channel to update.
name (str) – The name of the alert channel you wish to update.
type (str) –
The type of alert channel you wish to update. See the API docs for valid values.
enabled (bool|int) – A boolean/integer representing whether the object is enabled. (0 or 1)
data (dict) –
A dict matching the schema for the specified type. See the API docs for valid values.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated alert channel info.

Return type:

dict

delete(guid)[source]

A method to delete an AlertChannels object.

Parameters:: guid (str) – A string representing the object GUID.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

test(guid)[source]

A method to test an AlertChannels object.

Parameters:: guid (str) – A string representing the object GUID.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.AlertProfilesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Alert Profiles API endpoint

An alert profile is a set of metadata that defines how your LQL queries get consumed into events and alerts.

property session: Get the HttpSession instance the object is using.

create(alert_profile_id, alerts, extends, **request_params)[source]

A method to create a new AlertProfiles object.

Parameters:

alert_profile_id (str) – A unique ID to name the new alert profile
extends (str) – The base alert profile object.
alerts (list of dict) –
A list of dictionaries containing alert details to create. Alert fields are:
- name (str): The name of the alert.
- eventName (str): The name to show in Event Triage.
- description (str): The description to show in Event Triage.
- subject (str): The subject to show in the Event Dossier.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

A JSON object containing the created Alert Profile

Return type:

dict

get(id=None)[source]

A method to get AlertProfiles objects.

Parameters:: id (str) – A string representing the alert profile ID.
Returns:: The returned alert profile(s)
Return type:: dict

get_by_id(id)[source]

A method to get an AlertProfiles object by ID.

Parameters:: id (str) – A string representing the alert profile ID.
Returns:: The returned alert profile(s)
Return type:: dict

search(**request_params)[source]: Search functionality is not yet implemented for Alert Profiles.

update(id, alerts=None, **request_params)[source]

A method to update an AlertProfiles object.

Parameters:

id (str) – A string representing the object ID.
alerts (list of dicts) –
A list of dictionaries containing alert details to update. Alert fields are:
- name (str): The name of the alert.
- eventName (str): The name to show in Event Triage.
- description (str): The description to show in Event Triage.
- subject (str): The subject to show in the Event Dossier.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated Alert Profile

Return type:

dict

delete(id)[source]

A method to delete an AlertProfiles object.

Parameters:: id (str) – A string representing the alert profile ID.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

class laceworksdk.api.AlertRulesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Alert Rules API endpoint

Lacework combines alert channels and alert rules to provide a flexible method for routing alerts. For alert channels, you define information about where to send alerts, such as to Jira, Slack, or email. For alert rules, you define information about which alert types to send, such as critical and high severity compliance alerts.

property session: Get the HttpSession instance the object is using.

create(type, filters, intg_guid_list, **request_params)[source]

A method to create new Alert Rules.

Parameters:

type (str) – The type of the alert rule. Valid values are: “Event”
filters (dict) –
The alert rule definition. See the API docs for valid values.
intg_guid_list (list of str) – A list of GUIDs representing the alert channels to use.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The new rule.

Return type:

dict

get(guid=None)[source]

A method to get AlertRules objects.

Parameters:: guid (str) – The alert rule GUID to retrieve.
Returns:: The alert rule(s)
Return type:: dict

get_by_guid(guid)[source]

A method to get an AlertRules object by GUID.

Parameters:: guid (str) – The alert rule GUID.
Returns:: The alert rule
Return type:: dict

update(guid, filters=None, intg_guid_list=None, **request_params)[source]

A method to update an AlertRules object.

Parameters:

guid (str) – The Alert Rule GUID you wish to update.
filters (dict, optional) –
The alert rule definition. See the API docs for valid values.
intg_guid_list (list of str, optional) – A list of GUIDs representing the alert channels to use.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated alert rule

Return type:

dict

delete(guid)[source]

A method to delete an AlertRules object.

Parameters:: guid (str) – The alert rule GUID.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.AlertsAPI(session)[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Alerts API endpoint

Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.

property session: Get the HttpSession instance the object is using.

get(start_time=None, end_time=None, limit=None, **request_params)[source]

A method to get Alerts.

Parameters:

start_time (str) – A “%Y-%m-%dT%H:%M:%SZ” structured timestamp to begin from.
end_time (str) – A “%Y-%m-%dT%H:%M:%S%Z” structured timestamp to end at.
limit (int) – An integer representing the number of Alerts to return.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The requested alert(s)

Return type:

dict

get_details(id, scope, **request_params)[source]

A method to get Alerts objects by ID.

Parameters:

id (str) – The alert ID.
scope (str) – The scope of the details to return. Valid values are: “Details”, “Investigation”, “Events”, “RelatedAlerts”, “Integrations”, “Timeline”
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The requested alert details.

Return type:

dict

comment(id, comment)[source]

A method to comment on an Alerts object.

Parameters:

id (str) – The alert ID.
comment (str) – The comment to post.

Returns:

The posted comment

Return type:

dict

close(id, reason, comment=None)[source]

A method to close an Alert.

Parameters:

id (str) – The alert ID.
comment (str, option) – A comment on the reason. If 0 is chosen for the “reason” field then the “comment” field is required.
reason (int) – An number representing the close reason. Valid values are: 0: Other, 1: False positive, 2: Not enough information, 3: Malicious and have resolution in place, 4: Expected because of routine testing

Returns:

a Requests response object containing the response code

Return type:

requests.models.Response

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.AuditLogsAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Audit Log API endpoint

Get audit logs.

property session: Get the HttpSession instance the object is using.

get(start_time=None, end_time=None, **request_params)[source]

A method to get audit logs.

Parameters:

start_time (str) – A “%Y-%m-%dT%H:%M:%SZ” structured timestamp to begin from.
end_time (str) – A “%Y-%m-%dT%H:%M:%S%Z” structured timestamp to end at.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The audit logs for the requested time period.

Return type:

dict

search(json=None)[source]

A method to search audit logs.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (list of dicts) –

A list of dictionaries containing the desired search parameters:

field (str): The name of the data field to which the condition applies
expression (str): The comparison operator for the filter condition. Valid values are:

”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.CloudAccountsAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Cloud Accounts API endpoint

Cloud accounts are integrations between Lacework and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

property session: Get the HttpSession instance the object is using.

create(name, type, enabled, data, **request_params)[source]

A method to create a new cloud accounts integration.

Parameters:

name (str) – The name of the integration to create.
type (str) –
The type of the integration. See the API docs for valid values.
enabled (bool|int) – Whether the object is enabled.
data (dict) –
The definition of the new integration to create. Note this changes depending on the value of the “type” field. See the API docs for valid values.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

Details of the newly created cloud account integration.

Return type:

dict

get(guid=None, type=None)[source]

A method to get cloud account integrations. Using no args will get all integrations.

Parameters:

guid (str, optional) – The GUID of the integration to retrieve.
type (str, optional) – The type of the integration(s) to retrieve. Valid types are: “AwsCfg”, “AwsCtSqs”, “AwsEksAudit”, “AwsUsGovCfg”, “AwsUsGovCtSqs”, “AzureAlSeq”, “AzureCfg”, “GcpAtSes”, “GcpCfg”

Returns:

The details of the requested integration(s)

Return type:

dict

get_by_guid(guid)[source]

A method to get a cloud account integration by its GUID.

Parameters:: guid (str) – The GUID of the integration to retrieve.
Returns:: The details of the requested integration.
Return type:: dict

get_by_type(type)[source]

A method to get cloud account integration(s) by type.

Parameters:: type (str, optional) – The type of the integration(s) to retrieve. Valid types are: “AwsCfg”, “AwsCtSqs”, “AwsEksAudit”, “AwsUsGovCfg”, “AwsUsGovCtSqs”, “AzureAlSeq”, “AzureCfg”, “GcpAtSes”, “GcpCfg”
Returns:: The details of the requested integration(s)
Return type:: dict

update(guid, name=None, type=None, enabled=None, data=None, **request_params)[source]

A method to update an CloudAccounts object.

Parameters:

guid (str) – The GUID of the integration to update.
name (str, optional) – The integration name.
type (str) –
The type of the integration. See the API docs for valid values.
enabled (bool|int) – Whether the object is enabled.
data (dict) –
The definition of the new integration to create. Note this changes depending on the value of the “type” field. See the API docs for valid values.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated details for the integration specified.

Return type:

dict

delete(guid)[source]

A method to delete a cloud account integration.

Parameters:: guid (str) – The integration GUID to delete.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.CloudActivitiesAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Cloud Activities API endpoint

Get information about cloud activities for the integrated AWS cloud accounts in your Lacework instance.

property session: Get the HttpSession instance the object is using.

get(start_time=None, end_time=None, **request_params)[source]

A method to get cloud activities objects.

Parameters:

start_time (str) – A “%Y-%m-%dT%H:%M:%SZ” structured timestamp to begin from.
end_time (str) – A “%Y-%m-%dT%H:%M:%S%Z” structured timestamp to end at.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The requested cloud activity data.

Return type:

dict

get_pages(start_time=None, end_time=None, **request_params)[source]

A method to get an iterator of activities

A helper method that yields a generator which allows you to iterate through the resulting pages of activities. Call this instead of the “get” method if you don’t want to write your own code to get the paginated results.

Parameters:

start_time (str) – A “%Y-%m-%dT%H:%M:%SZ” structured timestamp to begin from.
end_time (str) – A “%Y-%m-%dT%H:%M:%S%Z” structured timestamp to end at.
request_params (dict, optional) – Use to pass any additional parameters the API

Yields:

dict – a generator which yields a dict of cloud activities.

get_data_items(start_time=None, end_time=None, **request_params)[source]

A method to get an iterator of activities

A helper method that yields a generator which allows you to iterate through the resulting pages of activities. Call this instead of the “get” method if you don’t want to write your own code to get the paginated results.

Parameters:

start_time (str) – A “%Y-%m-%dT%H:%M:%SZ” structured timestamp to begin from.
end_time (str) – A “%Y-%m-%dT%H:%M:%S%Z” structured timestamp to end at.
request_params (dict, optional) – Use to pass any additional parameters the API

Yields:

dict – a generator which yields multipe dicts of cloud activities.

search(json=None)[source]

A method to search cloud activities.

Parameters:

json (list of dicts) –

A list of dictionaries containing the desired search parameters:

field (str): The name of the data field to which the condition applies
expression (str): The comparison operator for the filter condition. Valid values are:

”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
value (str, optional): The value that the condition checks for in the specified field. Use this attribute

when using an operator that requires a single value.

values (list of str, optional): The values that the condition checks for in the specified field. Use this

attribute when using an operator that requires multiple values.

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.ConfigsAPI(session)[source]

A class used to represent the Configs API endpoint

Get information about compliance configurations.

The Configs API endpoint is a parent for different types of configs that can be queried.

compliance_evaluations

A ComplianceEvaluationsAPI instance.

Type:: ComplianceEvaluationsAPI

azure_subscriptions

An AzureSubscriptions instance.

Type:: AzureSubscriptions

gcp_projects

A GcpProjects instance.

Type:: GcpProjects

class AzureSubscriptions(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.read_endpoint.ReadEndpoint

A class used to represent the Azure Subscriptions API endpoint.

Get a list of Azure subscription IDs for an entire account or for a specific Azure tenant.

property session: Get the HttpSession instance the object is using.

get(id=None, resource=None, **request_params)

A method to get objects.

Parameters:

id (str) – A string representing the object ID.
resource (str) – The Lacework API resource type to get.
request_params (dict) – Use to pass any additional parameters the API

Returns:

the requested o

Return type:

dict

class GcpProjects(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.read_endpoint.ReadEndpoint

A class used to represent the GCP Projects API endpoint.

property session: Get the HttpSession instance the object is using.

get(id=None, resource=None, **request_params)

A method to get objects.

Parameters:

id (str) – A string representing the object ID.
resource (str) – The Lacework API resource type to get.
request_params (dict) – Use to pass any additional parameters the API

Returns:

the requested o

Return type:

dict

class ComplianceEvaluationsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Compliance Evaluations API endpoint.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.ContainerRegistriesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Container Registries API endpoint

Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image. After integrating a container registry in Lacework, Lacework finds all container images in the registry repositories, assesses those container images for software packages with known vulnerabilities, and reports them.

property session: Get the HttpSession instance the object is using.

create(name, type, enabled, data, **request_params)[source]

A method to create a new container registry integration.

Parameters:

name (str) – The name to use to create the container registry integration.
enabled (bool|int) – Whether the integration is enabled.
type (str) –
The type of the integration. See the API docs for valid values.
enabled – Whether the object is enabled.
data (dict) –
The definition of the new integration to create. Note this changes depending on the value of the “type” field. See the API docs for valid values.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

Details for the newly created container registry integration

Return type:

dict

get(guid=None, type=None)[source]

A method to get ContainerRegistries objects. Using no args will get all integrations.

Parameters:

guid (str, optional) – The GUID of the container registry integration to get.
type (str, optional) – The type of the container registry integration(s) to get. Valid types are: “ContVulnCfg”

Returns:

The details of the requested integration(s)

Return type:

dict

get_by_guid(guid)[source]

A method to get a container registry integration by GUID.

Parameters:: guid (str) – The GUID of the container registry integration to get
Returns:: The details of the requested integration
Return type:: dict

get_by_type(type)[source]

A method to get container registry integration(s) by type.

Parameters:: type (str) – The type of the container registry integration(s) to get. Valid types are: “ContVulnCfg”
Returns:: The details of the requested integration(s)
Return type:: dict

update(guid, name=None, type=None, enabled=None, data=None, **request_params)[source]

A method to update an ContainerRegistries object.

Parameters:

guid – A string representing the object GUID.
name (str) – The name to use to create the container registry integration.
enabled (bool|int) – Whether the integration is enabled.
type (str) –
The type of the integration. See the API docs for valid values.
enabled – Whether the object is enabled.
data (dict) –
The definition of the new integration to create. Note this changes depending on the value of the “type” field. See the API docs for valid values.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

Details for the updated container registry integration

Return type:

dict

delete(guid)[source]

A method to delete a container registry integration .

Parameters:: guid (str) – The GUID of the container registry integration to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.ContractInfoAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Contract Info API endpoint

Get Lacework contract information.

property session: Get the HttpSession instance the object is using.

get(**request_params)[source]

A method to get contract info

Returns:: Contract info for the lacework instance. request_params (dict, optional): Use to pass any additional parameters the API
Return type:: dict

class laceworksdk.api.DatasourcesAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Datasources API endpoint

Get schema details for all datasources that you can query using LQL.

property session: Get the HttpSession instance the object is using.

get()[source]

A method to get Datasources.

Returns:: All datasources
Return type:: dict

get_datasource(datasource)[source]

A method to get the schema for a particular datasource.

Parameters:: datasource (str) – The name of the datasource schema get.
Returns:: The datasource schema.
Return type:: dict

list_data_sources()[source]

A method to list the datasources that are available.

Returns:: Each tuple has two entries, source name and description.
Return type:: list of tuples

class laceworksdk.api.DataExportRulesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Data Export Rules API endpoint

S3 data export allows you to export data collected from your Lacework account and send it to an S3 bucket of your choice. You can extend Lacework processed/normalized data to report/visualize alone or combine with other business/security data to get insights and make meaningful business decisions.

property session: Get the HttpSession instance the object is using.

create(type, filters, intg_guid_list, **request_params)[source]

A method to create a new DataExportRules object.

Parameters:

type (str) – The type of data export rule to create. Valid values are: “Dataexport”
intg_guid_list (list of str) – The guids of the alert channels for the rule to use
filters (dict) –
A dict containing the fields needed to define the rule. fields are:
- name (str): The name of the alert
- enabled (bool|int): Whether the export rule is enabled
- description (str, optional): The description of the export rule
- profileVersions (list of str, optional): A list of profile versions
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The created data export rule

Return type:

dict

get(guid=None)[source]

A method to get data export rules. Using no args will get all rules.

Parameters:: guid (str, optional) – The guid of the rule to get.
Returns:: The requested data export rule(s)
Return type:: dict

get_by_guid(guid)[source]

A method to get an DataExportRules object by GUID.

Parameters:: guid (str) – The guid of the rule to get.
Returns:: The requested data export rule
Return type:: dict

update(guid, filters=None, intg_guid_list=None, **request_params)[source]

A method to update an existing DataExportRules object.

Parameters:

guid (str) – The guid of the export rule to update
intg_guid_list (list of str) – The guids of the alert channels for the rule to use
filters (dict) –
A dict containing the fields needed to define the rule. fields are:
- name (str, optional): The name of the alert
- enabled (bool|int, optional): Whether the export rule is enabled
- description (str, optional): The description of the export rule
- profileVersions (list of str, optional): A list of profile versions
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated data export rule

Return type:

dict

delete(guid)[source]

A method to delete a data export rule.

Parameters:: guid (str) – The GUID of the data export rule to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.EntitiesAPI(session)[source]

A class used to represent the Entities API endpoint

The Entities API endpoint is simply a parent for different types of entities that can be queried.

Attributes:

applications:: A ApplicationsAPI instance.
command_lines:: A CommandLinesAPI instance.
containers:: A ContainersAPI instance.
files:: A FilesAPI instance.
images:: A ImagesAPI instance.
internal_ip_addresses:: A InternalIPAddressesAPI instance.
k8s_pods:: A K8sPodsAPI instance.
machines:: A MachinesAPI instance.
machine_details:: A MachineDetailsAPI instance.
network_interfaces:: A NetworkInterfacesAPI instance.
new_file_hashes:: A NewFileHashesAPI instance.
packages:: A PackagesAPI instance.
processes:: A ProcessesAPI instance.
users:: A UsersAPI instance.

class ApplicationsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Applications API endpoint.

Methods:

search(json=None): A method to search Applications objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class CommandLinesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Command Lines API endpoint.

Methods:

search(json=None): A method to search CommandLines objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class ContainersAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Containers API endpoint.

Methods:

search(json=None): A method to search Containers objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class FilesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Files API endpoint.

Methods:

search(json=None): A method to search Files objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class ImagesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Images API endpoint.

Methods:

search(json=None): A method to search Images objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class InternalIPAddressesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Internal IP Addresses API endpoint.

Methods:

search(json=None): A method to search InternalIPAddresses objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class K8sPodsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the K8s Pods API endpoint.

Methods:

search(json=None): A method to search K8sPods objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class MachinesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Machines API endpoint.

Methods:

search(json=None): A method to search Machines objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class MachineDetailsAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Machine Details API endpoint.

Methods:

search(json=None): A method to search MachineDetails objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class NetworkInterfacesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Network Interfaces API endpoint.

Methods:

search(json=None): A method to search NetworkInterfaces objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class NewFileHashesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the New File Hashes API endpoint.

Methods:

search(json=None): A method to search NewFileHashes objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class PackagesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Packages API endpoint.

Methods:

search(json=None): A method to search Packages objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class ProcessesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Processes API endpoint.

Methods:

search(json=None): A method to search Processes objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class UsersAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Users API endpoint.

Methods:

search(json=None): A method to search Users objects.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.EventsAPI(session)[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Events API endpoint

View and verify the evidence or observation details of individual events.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.InventoryAPI(session)[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Inventory API endpoint

View and monitor in-use cloud resources’ risk, compliance, and configuration changes.

property session: Get the HttpSession instance the object is using.

scan(csp)[source]

A method to trigger a resource inventory scan.

Parameters:: csp (string) – The cloud service provider to run the scan on. Valid values are: “AWS” “Azure” “GCP”
Returns:: Status of scan
Return type:: dict

status(csp)[source]

A method to get the status of a Resource Inventory scan.

Parameters:: csp (string) – The cloud service provider to run the scan on. Valid values are: “AWS” “Azure” “GCP”
Returns:: Status of scan
Return type:: dict

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class laceworksdk.api.OrganizationInfoAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Organization Info API endpoint

Return information about whether the Lacework account is an organization account and, if it is, what the organization account URL is.

property session: Get the HttpSession instance the object is using.

get()[source]

A method to get organization info.

Returns:: Organization info
Return type:: dict

class laceworksdk.api.PoliciesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Policies API endpoint

Policies are a mechanism used to add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. You can fully customize policies.

property session: Get the HttpSession instance the object is using.

create(policy_type, query_id, enabled, title, description, remediation, severity, alert_enabled, alert_profile, limit=1000, eval_frequency=None, tags=[], **request_params)[source]

A method to create a new Policies object.

Parameters:

policy_type (str, optional) – The policy type. Valid values are: “Violation”
query_id (str) – The policy query ID.
enabled (bool) – Whether the policy is enabled.
title (str) – The policy title.
description (str) – The policy description.
remediation (str) – The remediation strategy for the object.
severity (str) – A string representing the object severity. Valid values are : “info”, “low”, “medium”, “high”, “critical”
alert_enabled (bool) – A boolean representing whether alerting is enabled.
alert_profile (str, optional) – A string representing the alert profile.
limit (int, optional) – An integer representing the number of results to return. (Default value = 1000)
tags (list of str) – A list of policy tags
eval_frequency (str, optional, deprecated) – A string representing the frequency in which to evaluate the object. Valid values are: “Hourly”, “Daily”
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created policy.

Return type:

dict

get(policy_id=None)[source]

A method to get Policies objects. Using no args will get all policies.

Parameters:: policy_id (str, optional) – A string representing the object policy ID.
Returns:: The requested policies
Return type:: dict

get_by_id(policy_id)[source]

A method to get a Policies object by policy ID.

Parameters:: policy_id (str) – A string representing the object policy ID.
Returns:: The requested policy
Return type:: dict

update(policy_id, policy_type=None, query_id=None, enabled=None, title=None, description=None, remediation=None, severity=None, alert_enabled=None, alert_profile=None, limit=None, tags=[], eval_frequency=None, **request_params)[source]

A method to update a Lacework Query Language (LQL) policy.

Parameters:

policy_id (str) – A string representing the object policy ID.
policy_type (str, optional) – The policy type. Valid values are: “Violation”
query_id (str, optional) – The policy query ID.
enabled (bool, optional) – Whether the policy is enabled.
title (str, optional) – The policy title.
description (str, optional) – The policy description.
remediation (str, optional) – The remediation strategy for the object.
severity (str, optional) – A string representing the object severity. Valid values are : “info”, “low”, “medium”, “high”, “critical”
alert_enabled (bool, optional) – A boolean representing whether alerting is enabled.
alert_profile (str, optional) – A string representing the alert profile.
limit (int, optional) – An integer representing the number of results to return. (Default value = 1000)
tags (list of str, optional) – A list of policy tags
eval_frequency (str, optional, deprecated) – A string representing the frequency in which to evaluate the object. Valid values are: “Hourly”, “Daily”
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created policy.

Return type:

dict

bulk_update(json)[source]

A method to update Policy objects in bulk.

Parameters:: json (list of dicts) – A list of dictionaries containing policy configuration. - policyId (str): The ID of the policy. - enabled (bool): The status of the policy. - severity (str): The severity of the policy. Valid values: “info”, “low”, “medium”, “high”, “critical”
Returns:: The updated policies.
Return type:: dict

delete(policy_id)[source]

A method to delete a policy.

Parameters:: policy_id (str) – A string representing the policy ID.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.PolicyExceptionsAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Policies Exceptions API endpoint

Policy exceptions are a mechanism used to maintain the policies but allow you to circumvent one or more restrictions.

property session: Get the HttpSession instance the object is using.

create(policy_id, description, constraints, **request_params)[source]

A method to create a new Exceptions object.

Parameters:

policy_id (str) – The object policy ID.
description (str, optional) – The object description.
constraints (list of dicts) – The object constraints. Dict fields are: - field_key (str): A string representing the constraint key. Values are: ‘accountIds’, ‘resourceNames’, ‘regionNames’ and ‘resourceTags’ - field_values (list of str): Constraint values
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The created policy exception

Return type:

dict

get(exception_id=None, policy_id=None)[source]

A method to get Exceptions objects.

Parameters:

exception_id (str, optional) – A string representing the exception ID. (Default value = None)
policy_id – The ID of the policy for which to get the exceptions.

Returns:

The requested exception(s)

Return type:

dict

get_by_id(exception_id, policy_id)[source]

A method to get a Exceptions object by policy ID.

Parameters:

exception_id (str) – A string representing the exception ID. (Default value = None)
policy_id – The ID of the policy for which to get the exceptions.

Returns:

The requested exception(s)

Return type:

dict

update(exception_id, policy_id, description=None, constraints=None, **request_params)[source]

A method to create a new Exceptions object.

Parameters:

exception_id (str) – The exception ID to update.
policy_id (str) – The object policy ID.
description (str, optional) – The object description.
constraints (list of dicts, optional) – The object constraints. Dict fields are: - field_key (str): A string representing the constraint key. Values are: ‘accountIds’, ‘resourceNames’, ‘regionNames’ and ‘resourceTags’ - field_values (list of str): Constraint values
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated policy exception

Return type:

dict

delete(exception_id, policy_id)[source]

A method to delete a policy xception

Parameters:

exception_id (str) – The exception ID.
policy_id (str) – The policy ID.

Returns:

a Requests response object containing the response code

Return type:

requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.QueriesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Queries API endpoint

Queries are the mechanism used to interactively request information from a specific curated datasource. Queries have a defined structure for authoring detections.

property session: Get the HttpSession instance the object is using.

create(query_id, query_text, evaluator_id=None, **request_params)[source]

A method to create a new Queries object.

Parameters:

query_id (str) – Name of the new query.
query_text (str) – The object query text.
evaluator_id (str, optional) – A string representing the evaluator in which the query is to be run.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created query

Return type:

dict

get(query_id=None)[source]

A method to get registered queries. Using no args will get all registered queries.

Parameters:: query_id (str, optional) – The query ID to get.
Returns:: The requested querie(s)
Return type:: dict

get_by_id(query_id)[source]

A method to get a Queries object by query ID.

Parameters:: query_id (str) – The query ID to get.
Returns:: The requested querie(s)
Return type:: dict

execute(evaluator_id=None, query_id=None, query_text=None, arguments={})[source]

A method to execute a Queries object.

Parameters:

evaluator_id (str, optional) – The evaluator in which the query object is to be run.
query_id (str, optional) – The query ID.
query_text (str) – The query text.
str (arguments (dict of) – str): A dictionary of key/value pairs to be used as arguments in the query object.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The query results

Return type:

dict

execute_by_id(query_id, arguments={})[source]

A method to execute a Queries object by query ID.

Parameters:

query_id (str) – The query ID to execute
str (arguments (dict of) – str): A dictionary of key/value pairs to be used as arguments in the query object.

Returns:

The query results

Return type:

dict

validate(query_text, evaluator_id=None, **request_params)[source]

A method to validate a Queries object.

Parameters:

query_text (str) – The query text to validate
evaluator_id (str, optional) – The evaluator in which the query is to be run.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

Validation Results

Return type:

dict

update(query_id, query_text, **request_params)[source]

A method to update a Queries object.

Parameters:

query_id (str) – Name of the new query.
query_text (str, optional) – The object query text.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated created query

Return type:

dict

delete(query_id)[source]

A method to delete a query.

Parameters:: query_id (str) – The ID of the query to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.ReportDefinitionsAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Report Definition API endpoint

A report definition contains data retrieval and layout information for a report. Lacework provides endpoints to create a report definition, to list all definitions, and to update or delete a definition.

property session: Get the HttpSession instance the object is using.

create(report_name, report_type, sub_report_type, report_definition, **request_params)[source]

A method to create a new report definition.

Parameters:

report_name (str) – The name of the report definition.
report_type (str) – Type of the report definition. Valid values: “COMPLIANCE”
sub_report_type (str) – The sub-type of the report definition. Valid values: “AWS”, “GCP”, “Azure”
report_definition (dict) –
A dictionary representing the report definition. Fields are:
- sections (list of dicts): A list of dictionaries representing the sections of the report definition. Fields are:
  - category (str): The section’s category.
  - title (str): The section’s title.
  - policies (list of str): A list strings representing the section’s policies.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The created report definition

Return type:

dict

get(id=None)[source]

A method to get report definitions. Using no args will get all report definitions.

Parameters:: id (str, optional) – The report definition ID to get.
Returns:: The requested report definition(s)
Return type:: dict

get_by_id(id)[source]

A method to get a report definition by ID.

Parameters:: id (str) – The report definition ID to get.
Returns:: The requested report definition
Return type:: dict

search()[source]

A method to ‘pass’ when attempting to search ReportDefinitions objects.

Search functionality is not yet implemented for Alert Profiles.

update(id, report_name, report_definition, **request_params)[source]

A method to update a report definition.

Parameters:

id – A string representing the object ID.
report_name (str) – The name of the report definition.
report_definition (dict) –
A dictionary representing the report definition. Fields are:
- sections (list of dicts): A list of dictionaries representing the sections of the report definition. Fields are:
  - category (str): The section’s category.
  - title (str): The section’s title.
  - policies (list of str): A list strings representing the section’s policies.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated report definition

Return type:

dict

delete(id)[source]

A method to delete a report definition.

Parameters:: id (str) – The ID of the report definition to delete.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

class laceworksdk.api.ReportRulesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Report Rules API endpoint

Lacework combines alert channels and report rules to provide a flexible method for routing reports. For report rules, you define information about which reports to send. For alert channels, you define where to send reports such as to Jira, Slack, or email.

property session: Get the HttpSession instance the object is using.

create(type, filters, intg_guid_list, report_notification_types, **request_params)[source]

A method to create a new report rule.

Parameters:

type (str) – The type of report rule. Valid values: ‘Report’
intg_guid_list (list of str) – A list of integration GUIDs representing the report channels to use.
filters (dict) –
A dictionary containing the definition of the new rule. Fields are:
- name (str): The report rule name
- description (str, optional): The report rule description
- enabled (bool|int): Whether the report rule is enabled
- resourceGroups (list of str): A list of resource groups to apply the rule to
- severity (list of ints): A list severities to apply the rule to. Valid values: 1=Critical 2=High 3=Medium 4=Low 5=Info
report_notification_types (dict) –
A dict of booleans for the report types that you want the rule to apply to. Fields are:

”agentEvents”, “awsCis14”, “awsCisS3”, “awsCloudtrailEvents”, “awsComplianceEvents”, “awsCis14IsoIec270022022”, “awsCyberEssentials22”, “awsCsaCcm405”, “azureActivityLogEvents”, “azureCis”, “azureCis131”, “azureComplianceEvents”, “azurePci”, “azurePciRev2”, “azureSoc”, “azureSocRev2”, “azureIso27001”, “azureHipaa”, “azureNistCsf”, “azureNist80053Rev5”, “azureNist800171Rev2”, “gcpAuditTrailEvents”, “gcpCis”, “gcpComplianceEvents”, “gcpHipaa”, “gcpHipaaRev2”, “gcpIso27001”, “gcpCis12”, “gcpCis13”, “gcpK8s”, “gcpPci”, “gcpPciRev2”, “gcpSoc”, “gcpSocRev2”, “gcpNistCsf”, “gcpNist80053Rev4”, “gcpNist800171Rev2”, “hipaa”, “iso2700”, “k8sAuditLogEvents”, “nist800”-“53Rev4”, “nist800”-“171Rev2”, “openShiftCompliance”, “openShiftComplianceEvents”, “pci”, “platformEvents”, “soc”, “awsSocRev2”, “trendReport”, “awsPciDss321”, “awsNist80053Rev5”, “awsSoc2”, “awsNist800171Rev2”, “awsNistCsf”, “awsCmmc102”, “awsHipaa”, “awsIso270012013”
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The created report rule

Return type:

dict

get(guid=None)[source]

A method to get ReportRules objects. Using no args will get all report rules.

Parameters:: guid (str, optional) – The GUID of the report rule to get
Returns:: The requested report rule(s)
Return type:: dict

get_by_guid(guid)[source]

A method to get a report rule by GUID.

Parameters:: guid (str) – The GUID of the report rule to get
Returns:: The requested report rule(s)
Return type:: dict

update(guid, filters=None, intg_guid_list=None, report_notification_types=None, **request_params)[source]

A method to update a ReportRules object.

Parameters:

guid (str) – The GUID of the report rule to update
intg_guid_list (list of str, optional) – A list of integration GUIDs representing the report channels to use
filters (dict, optional) –
A dictionary containing the definition of the new rule. Fields are:
- name (str): The report rule name
- description (str, optional): The report rule description
- enabled (bool|int, optional): Whether the report rule is enabled
- resourceGroups (list of str, optional): A list of resource groups to apply the rule to
- severity (list of ints, optional): A list severities to apply the rule to. Valid values: 1=Critical 2=High 3=Medium 4=Low 5=Info
report_notification_types (dict) –
A dict of booleans for the report types that you want the rule to apply to. Fields are:

”agentEvents”, “awsCis14”, “awsCisS3”, “awsCloudtrailEvents”, “awsComplianceEvents”, “awsCis14IsoIec270022022”, “awsCyberEssentials22”, “awsCsaCcm405”, “azureActivityLogEvents”, “azureCis”, “azureCis131”, “azureComplianceEvents”, “azurePci”, “azurePciRev2”, “azureSoc”, “azureSocRev2”, “azureIso27001”, “azureHipaa”, “azureNistCsf”, “azureNist80053Rev5”, “azureNist800171Rev2”, “gcpAuditTrailEvents”, “gcpCis”, “gcpComplianceEvents”, “gcpHipaa”, “gcpHipaaRev2”, “gcpIso27001”, “gcpCis12”, “gcpCis13”, “gcpK8s”, “gcpPci”, “gcpPciRev2”, “gcpSoc”, “gcpSocRev2”, “gcpNistCsf”, “gcpNist80053Rev4”, “gcpNist800171Rev2”, “hipaa”, “iso2700”, “k8sAuditLogEvents”, “nist800”-“53Rev4”, “nist800”-“171Rev2”, “openShiftCompliance”, “openShiftComplianceEvents”, “pci”, “platformEvents”, “soc”, “awsSocRev2”, “trendReport”, “awsPciDss321”, “awsNist80053Rev5”, “awsSoc2”, “awsNist800171Rev2”, “awsNistCsf”, “awsCmmc102”, “awsHipaa”, “awsIso270012013”
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The created report rule

Return type:

dict

delete(guid)[source]

A method to delete a report rule.

Parameters:: guid (str) – The GUID of the report rule to delete.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.ReportsAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Reports API endpoint

Lacework combines details about non-compliant resources that are in violation into reports. You must configure at least one cloud integration with AWS, Azure, or GCP to receive these reports.

property session: Get the HttpSession instance the object is using.

get(primary_query_id=None, secondary_query_id=None, format=None, report_type=None, **request_params)[source]

A method to get Reports objects.

Parameters:

primary_query_id (str) – The primary ID that is used to fetch the report. (AWS Account ID or Azure Tenant ID)
secondary_query_id (str) – The secondary ID that is used to fetch the report. (GCP Project ID or Azure Subscription ID)
format (str, optional) – The format of the report. Valid values: “csv”, “html”, “json”, “pdf”
report_type (str) – The type of the report. See available reports for a list of report types. Valid values are in the “API Format” column.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The details of the report

Return type:

dict

class laceworksdk.api.ResourceGroupsAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Resource Groups API endpoint

Resource groups provide a way to categorize Lacework-identifiable assets.

property session: Get the HttpSession instance the object is using.

create(resource_name, resource_type, enabled, props, **request_params)[source]

A method to create a new ResourceGroups object.

Parameters:

resource_name (str) – The resource group name.
resource_type (str) –
The resource group type. See the API docs for a list of types.
enabled (bool|int) – Whether the object is enabled.
props (dict) –
The new resource group’s properties. The format varies based on the value of the type arg. See the API docs for valid fields.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created resource group

Return type:

dict

get(guid=None)[source]

A method to get resource groups. Using no args will get all resource groups.

Parameters:: guid (str, optional) – The GUID of the resource group to get.
Returns:: The requested resource group(s)
Return type:: dict

get_by_guid(guid)[source]

A method to get resource groups by GUID.

Parameters:: guid (str) – The GUID of the resource group to get.
Returns:: The requested resource group(s)
Return type:: dict

update(guid, resource_name=None, resource_type=None, enabled=None, props=None, **request_params)[source]

A method to update an ResourceGroups object.

Parameters:

guid (str) – A string representing the object GUID.
resource_name (str, optional) – The resource group name.
resource_type (str, optional) –
The resource group type. See the API docs for a list of types.
enabled (bool|int, optional) – Whether the object is enabled.
props (dict, optional) –
The new resource group’s properties. The format varies based on the value of the type arg. See the API docs for valid fields.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created resource group

Return type:

dict

delete(guid)[source]

A method to delete a resource groups.

Parameters:: guid (str) – The GUID of the resource group to delete.
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.SchemasAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Schemas API endpoint

Get details about the available Lacework schemas.

property session: Get the HttpSession instance the object is using.

get(type=None, subtype=None)[source]

A method to get schema objects. Using no args will get all schemas.

Parameters:

type (str, optional) – The schema type to retrieve. Valid values are any API resource listed in the Lacework API documentation .Examples include “AlertChannels”, “CloudAccounts”, “AgentAccessTokens”, etc..
subtype (str, optional) –
The subtype to retrieve. Subtypes are only available for API resources that have “type” like fields. For instance the “AlertChannels” resource has subtypes such as “AwsS3”, “SlackChannel”, etc. See the Lacework API documentation for more info.

Returns:

The requested schema

Return type:

dict

get_by_subtype(type, subtype)[source]

A method to fetch a specific subtype schema.

Parameters:

type (str) –
The schema type to retrieve. Valid values are any API resource listed in the Lacework API documentation .Examples include “AlertChannels”, “CloudAccounts”, “AgentAccessTokens”, etc..
subtype (str) –
The subtype to retrieve. Subtypes are only available for API resources that have “type” like fields. For instance the “AlertChannels” resource has subtypes such as “AwsS3”, “SlackChannel”, etc. See the Lacework API documentation for more info.

Returns:

The requested schema

Return type:

dict

class laceworksdk.api.TeamMembersAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Team Members API endpoint

DEPRECATED. Please use the TeamUsersAPI class instead.

Team members can be granted access to multiple Lacework accounts and have different roles for each account. Team members can also be granted organization-level roles.

Note: The TeamMembers API is deprecated and is unavailable if you have migrated to the new RBAC model in your Lacework Console.

property session: Get the HttpSession instance the object is using.

create(user_name, user_enabled, props, org_admin=None, org_user=None, admin_role_accounts=None, user_role_accounts=None, **request_params)[source]

A method to create a new team member.

Parameters:

user_name (str) – The email address of the user.
user_enabled (bool|int) – Whether the object is enabled.
props (dict) – The user configuration. Fields are: - firstName (str): The first name of the team member. - lastName (str): The last name of the team member. - company (str): The company of the team member. - accountAdmin (bool, optional): A boolean representing if the team member is an account admin.
org_admin (bool, optional) – Is the user an organization admin. (Organization-level Access Required)
org_user (bool, optional) – Is the user is an organization user. (Organization-level Access Required)
admin_role_accounts (list of str) – A list accounts where the user is an admin. (Organization-level Access Required)
user_role_accounts (list of str) – A list of where the team member is a user. (Organization-level Access Required)
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created team member.

Return type:

dict

get(guid=None)[source]

A method to get team members. Using no args will get all team members.

Parameters:: guid (str, optional) – The GUID of the team member to get.
Returns:: The requested team member
Return type:: dict

get_by_guid(guid)[source]

A method to get a team member by GUID.

Parameters:: guid (str) – The GUID of the team member to get.
Returns:: The requested team member
Return type:: dict

update(guid, user_name=None, user_enabled=None, props=None, org_admin=None, org_user=None, admin_role_accounts=None, user_role_accounts=None, **request_params)[source]

A method to update a TeamMembers object.

Parameters:

guid – A string representing the object GUID.
user_name (str) – The email address of the user.
user_enabled (bool|int) – Whether the object is enabled.
props (dict) – The user configuration. Fields are: - firstName (str): The first name of the team member. - lastName (str): The last name of the team member. - company (str): The company of the team member. - accountAdmin (bool, optional): A boolean representing if the team member is an account admin.
org_admin (bool, optional) – Is the user an organization admin. (Organization-level Access Required)
org_user (bool, optional) – Is the user is an organization user. (Organization-level Access Required)
admin_role_accounts (list of str) – A list accounts where the user is an admin. (Organization-level Access Required)
user_role_accounts (list of str) – A list of where the team member is a user. (Organization-level Access Required)
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated team member.

Return type:

dict

delete(guid)[source]

A method to delete a team member.

Parameters:: guid (str) – The GUID of the team member to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.TeamUsersAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Team Users API endpoint .

The Team Users API works with the new Lacework role-based access control (RBAC) model. After you enable RBAC in the Lacework Console, the Team Users API is available and the legacy Team Members API (deprecated) is disabled.

property session: Get the HttpSession instance the object is using.

get(guid=None)[source]

(Experimental API) A method to get team users. Using no args will get all team users.

Parameters:: guid (str, optional) – The GUID of the team user to get.
Returns:: The requested team user(s)
Return type:: dict

get_by_guid(guid)[source]

(Experimental API) A method to get a TeamUsers object by GUID.

Parameters:: guid (str) – The GUID of the team user to get.
Returns:: The requested team user(s)
Return type:: dict

create(name, email=None, company=None, description=None, user_enabled=True, type='StandardUser', **request_params)[source]

A method to create a new team users standard user object.

Parameters:

name (str) – The friendly name of the user.
email (str) – The email address of the user (valid only for type=StandardUser).
company (str) – The company of the user (valid only for type=StandardUser).
description (str) – A description text for describing service accounts (valid only for ServiceUser)
user_enabled (bool|int, optional) – Whether the new team user is enabled.
type (str, optional) – The type of the user to create. Valid values: “StandardUser”, “ServiceUser” (Default value = “StandardUser”)
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created team user

Return type:

dict

update(guid, name=None, user_enabled=None, description=None, **request_params)[source]

(Experimental API) A method to update a TeamUsers object.

Parameters:

guid (str) – The GUID of the team user to update
name (str) – The friendly name of the user.
user_enabled (bool|int, optional) – Whether the new team user is enabled.
description (str) – A description text for describing service accounts (valid only for ServiceUser).
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created team user

Return type:

dict

delete(guid)[source]

A method to delete a team user.

Parameters:: guid (str) – The GUID of the team user to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.UserGroupsAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the User Groups API endpoint .

A user group associates Lacework service and standard users with specific permissions in Lacework.

property session: Get the HttpSession instance the object is using.

add_users(guid, user_guids)[source]

A method to add users to existing UserGroup object.

Parameters:

guid (str) – The GUID of the UserGroup to modify
user_guids (list of str) – An array of user guids to add to the user group

Returns:

The modified results

Return type:

dict

remove_users(guid, user_guids)[source]

A method to remove users from an existing UserGroup object.

Parameters:

guid (str) – The GUID of the UserGroup object to modify.
user_guids (list of str) – An array of user guids to remove from the user group

Returns:

The modified results

Return type:

dict

class laceworksdk.api.UserProfileAPI(session)[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the User Profile API endpoint .

An organization can contain multiple accounts so you can also manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization.

property session: Get the HttpSession instance the object is using.

get(account_name=None)[source]

A method to get Lacework sub-accounts that are managed by your organization account. Using no args will get all sub-accounts.

Parameters:: account_name (str, optional) – Specify which sub-account to list.
Returns:: Details of the requested sub-account(s)
Return type:: dict

class laceworksdk.api.VulnerabilitiesAPI(session)[source]

A class used to represent the Vulnerabilities API endpoint .

The Vulnerabilities API endpoint is a parent for different types of vulnerabilities that can be queried. Due to namespace overlap with the v1 API, this class is a subclass of VulnerabilityAPI to expose those methods and provide backwards compatibility.

Attributes:

containers:: A ContainerVulnerabilitiesAPI instance.
hosts:: A HostVulnerabilitiesAPI instance.
packages:: A SoftwarePackagesAPI instance.

class ContainerVulnerabilitiesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Container Vulnerabilities API endpoint.

property session: Get the HttpSession instance the object is using.

scan(registry, repository, tag, **request_params)[source]

A method to issue Container Vulnerability scans.

Parameters:

registry (str) – The container registry to use.
repository (str) – The container repository to use.
tag (str) – The container tag to use.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The status of the requested scan

Return type:

dict

status(request_id)[source]

A method to get the status of a Container Vulnerability scan.

Parameters:: request_id (str) – The request ID of the container scan
Returns:: The status of the requested scan
Return type:: dict

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class ImageSummaryVulnerabilitiesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the ImageSummary Vulnerabilities API endpoint.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class HostVulnerabilitiesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Host Vulnerabilities API endpoint.

property session: Get the HttpSession instance the object is using.

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –
The desired search parameters:
- timeFilter (dict, optional): A dict containing the time frame for the search:
  - startTime (str): The start time for the search
  - endTime (str): The end time for the search
- filters (list of dict, optional): Filters based on field contents:
  - field (str): The name of the data field to which the condition applies
  - expression (str): The comparison operator for the filter condition. Valid values are:
  ”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
  - value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
  - values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
- returns (list of str, optional): The fields to return
resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – returns a generator which yields a page of objects at a time as returned by the Lacework API.

class SoftwarePackagesAPI(session, object_type, endpoint_root='/api/v2')[source]

Bases: laceworksdk.api.base_endpoint.BaseEndpoint

A class used to represent the Software Packages API endpoint.

property session: Get the HttpSession instance the object is using.

scan(os_pkg_info_list, **request_params)[source]

A method to initiate a software package vulnerability scan.

Parameters:

os_pkg_info_list (list of dict) –
A list of packages to be scanned given the OS, OS version, package, and package version. Fields are:
- os (str): The name of the operating system.
- osVer (str): The version of the operating system.
- pkg (str): The name of the software package.
- pkgVer (str): The verion of the software package.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The resulting vulnerability data

Return type:

dict

class laceworksdk.api.VulnerabilityExceptionsAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Vulnerabilities Exceptions API endpoint .

Lacework provides the ability to create exceptions for certain vulnerable resources and criteria. For example, a certain CVE for a certain package or all packages can be excepted until a set expiry time.

property session: Get the HttpSession instance the object is using.

create(exception_name, exception_reason, exception_type, props, vulnerability_criteria, resource_scope=None, expiry_time=None, state=True, **request_params)[source]

A method to create a new vulnerability exception.

Parameters:

exception_name (str) – The name of the exception.
exception_reason (str) – The exception reason. Valid values: “False Positive”, “Accepted Risk”, “Compensating Controls”, “Fix Pending”, “Other”
exception_type (str) – The exception type. Valid values: “Container”, “Host”
props (dict of str) – The properties of the exception. Fields are: - description (str): The exception description - createdBy (str): The creator of the exception - updatedBy (str): The updator of the exception.
vulnerability_criteria (dic) –
The criteria for excepted vulnerabilities. Fields are:
- cve (list of str): The vulnerability (CVE) ID(s) that you want to constrain the exception to
- package (list of dict): The package name(s) (for example, an operating system or language package). This can include a version number
- severity (list of str): The severity levels of the vulnerability to constrain the exception to. Valid values: “Info”, “Low”, “Medium”, “High”, “Critical”
- fixable (list of int): The fixability status (0 or 1)
resource_scope (dict) –
The scope of resources for which to apply the exception. Fields for this dict change depending on the “exception type” field. See the API docs for field info.
expiry_time (str) – The expiration time for the exception.
state (bool|int) – Whether the exception is enabled.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created vulnerability exception

Return type:

dict

get(guid=None)[source]

A method to get vulnerability exceptions. Using no args will get all vulnerability exceptions.

Parameters:: guid (str, optional) – The GUID of the vulnerability exception to get.
Returns:: The requested vulnerability exception(s)
Return type:: dict

get_by_guid(guid)[source]

A method to get vulnerability exceptions by GUID.

Parameters:: guid (str) – The GUID of the vulnerability exception to get.
Returns:: The requested vulnerability exception(s)
Return type:: dict

update(guid, exception_name=None, exception_reason=None, props=None, vulnerability_criteria=None, resource_scope=None, expiry_time=None, state=None, **request_params)[source]

A method to update a VulnerabilityExceptions object.

Parameters:

guid – A string representing the object GUID.
exception_name (str, optional) – The name of the exception.
exception_reason (str, optional) – The exception reason. Valid values: “False Positive”, “Accepted Risk”, “Compensating Controls”, “Fix Pending”, “Other”
props (dict of str) – The properties of the exception. Fields are: - description (str, optional): The exception description - createdBy (str, optional): The creator of the exception - updatedBy (str, optional): The updator of the exception.
vulnerability_criteria (dic) –
The criteria for excepted vulnerabilities. Fields are:
- cve (list of str): The vulnerability (CVE) ID(s) that you want to constrain the exception to
- package (list of dict): The package name(s) (for example, an operating system or language package). This can include a version number
- severity (list of str): The severity levels of the vulnerability to constrain the exception to. Valid values: “Info”, “Low”, “Medium”, “High”, “Critical”
- fixable (list of int): The fixability status (0 or 1)
resource_scope (dict, optional) –
The scope of resources for which to apply the exception. Fields for this dict change depending on the “exception type” field. See the API docs for field info.
expiry_time (str, optional) – The expiration time for the exception.
state (bool|int, optional) – Whether the exception is enabled.
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The updated vulnerability exception

Return type:

dict

delete(guid)[source]

A method to delete a vulnerability exception.

Parameters:: guid (str) – The GUID of the vulnerability exception to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.VulnerabilityPoliciesAPI(session)[source]

Bases: laceworksdk.api.crud_endpoint.CrudEndpoint

A class used to represent the Vulnerabilities Policies API endpoint .

Lacework provides the ability to create container vulnerability policies to assess your container images at build and/or runtime based on your own unique requirements. For example, a policy can be created for any critical vulnerability with a fix available or a policy to target a specific CVE.

property session: Get the HttpSession instance the object is using.

create(policy_type, policy_name, severity, state, filter, props, policy_eval_type=None, fail_on_violation=False, alert_on_violation=False, **request_params)[source]

A method to create a new vulnerability policy.

Parameters:

policy_type (str) – The type of the policy. See API documentation for valid values
policy_name (str) – The name of the policy.
severity (str) – The severity of the policy. Valid values: “Info”, “Low”, “Medium”, “High”, “Critical”
state (bool|int) – A boolean representing the state of the policy.
filter (dict) –
The filter data for the policy type specified in the “policyType” field. See API documentation for fields.
props (dict) –
The vulnerability policy’s properties. Fields are:
- description (str): The property description.
- createdBy (str): The creator of the property.
- updatedBy (str): The updater of the property.
policy_eval_type (str, optional) – The policy evaluation type. Valid values: “local”
fail_on_violation (bool|int, optional) – Whether the policy should fail on violations. (Default = False)
alert_on_violation – (bool|int, optional): Whether the policy should alert on violations. (Default = False)
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The newly created vulnerability policy

Return type:

dict

get(guid=None)[source]

A method to get vulnerability policies. Using no args will get all vulnerability policies.

Parameters:: guid (str, optional) – The GUID of the vulnerability policy to get
Returns:: The requested vulnerability policie(s)
Return type:: dict

get_by_guid(guid)[source]

A method to get a vulnerability policy by GUID.

Parameters:: guid (str) – The GUID of the vulnerability policy to get
Returns:: The requested vulnerability policie(s)
Return type:: dict

update(guid, policy_type=None, policy_name=None, severity=None, state=None, filter=None, props=None, policy_eval_type=None, fail_on_violation=None, alert_on_violation=None, **request_params)[source]

A method to update a VulnerabilityPolicies object.

Parameters:

guid (str) – The GUID of the policy to update
policy_type (str, optional) –
The type of the policy. See API documentation for valid values
policy_name (str, optional) – The name of the policy.
severity (str, optional) – The severity of the policy. Valid values: “Info”, “Low”, “Medium”, “High”, “Critical”
state (bool|int, optional) – A boolean representing the state of the policy.
filter (dict, optional) –
The filter data for the policy type specified in the “policyType” field. See API documentation for fields.
props (dict) –
The vulnerability policy’s properties. Fields are:
- description (str): The property description.
- createdBy (str): The creator of the property.
- updatedBy (str): The updater of the property.
policy_eval_type (str, optional) – The policy evaluation type. Valid values: “local”
fail_on_violation (bool|int, optional) – Whether the policy should fail on violations. (Default = False)
alert_on_violation – (bool|int, optional): Whether the policy should alert on violations. (Default = False)
request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

updated vulnerability policy

Return type:

dict

delete(guid)[source]

A method to delete a vulnerability policy.

Parameters:: guid (str) – The GUID of the vulnerability policy to delete
Returns:: a Requests response object containing the response code
Return type:: requests.models.Response

search(json=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional” you must use one of them, depending on the operation you are using.

Parameters:

json (dict) –

The desired search parameters:

timeFilter (dict, optional): A dict containing the time frame for the search:
- startTime (str): The start time for the search
- endTime (str): The end time for the search
filters (list of dict, optional): Filters based on field contents:
- field (str): The name of the data field to which the condition applies
- expression (str): The comparison operator for the filter condition. Valid values are:
”eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”
- value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.
- values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.
returns (list of str, optional): The fields to return

Returns:

returns a dict containing the search results

Return type:

dict

class laceworksdk.api.LaceworkClient(account=None, subaccount=None, api_key=None, api_secret=None, api_token=None, instance=None, base_domain=None, profile=None)[source]

Lacework API wrapper for Python.

property subaccount: Returns the value of the session’s subaccount.

set_org_level_access(org_level_access)[source]: A method to set whether the client should use organization-level API calls.

set_subaccount(subaccount)[source]: A method to update the subaccount the client should use for API calls.

laceworksdk.api

Subpackages

Submodules

Package Contents

Classes

Attributes:

Attributes:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Methods:

Attributes:

`laceworksdk.api`