laceworksdk.api.v2.alerts

Lacework Alerts API wrapper.

Module Contents

Classes

AlertsAPI

A class used to represent the Alerts API endpoint

class laceworksdk.api.v2.alerts.AlertsAPI(session)

Bases: laceworksdk.api.search_endpoint.SearchEndpoint

A class used to represent the Alerts API endpoint

Lacework provides real-time alerts that are interactive and manageable. Each alert contains various metadata information, such as severity level, type, status, alert category, and associated tags.

property session

Get the HttpSession instance the object is using.

get(start_time=None, end_time=None, limit=None, **request_params)

A method to get Alerts.

Parameters:
  • start_time (str) – A “%Y-%m-%dT%H:%M:%SZ” structured timestamp to begin from.

  • end_time (str) – A “%Y-%m-%dT%H:%M:%S%Z” structured timestamp to end at.

  • limit (int) – An integer representing the number of Alerts to return.

  • request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The requested alert(s)

Return type:

dict

get_details(id, scope, **request_params)

A method to get Alerts objects by ID.

Parameters:
  • id (str) – The alert ID.

  • scope (str) – The scope of the details to return. Valid values are: “Details”, “Investigation”, “Events”, “RelatedAlerts”, “Integrations”, “Timeline”

  • request_params (dict, optional) – Use to pass any additional parameters the API

Returns:

The requested alert details.

Return type:

dict

comment(id, comment)

A method to comment on an Alerts object.

Parameters:
  • id (str) – The alert ID.

  • comment (str) – The comment to post.

Returns:

The posted comment

Return type:

dict

close(id, reason, comment=None)

A method to close an Alert.

Parameters:
  • id (str) – The alert ID.

  • reason (int) – A number representing the close reason. Valid values are: 0: Other, 1: False positive, 2: Not enough information, 3: Malicious and have resolution in place, 4: Expected because of routine testing

  • comment (str, optional) – A comment on the reason. If 0 is chosen for the “reason” field then the “comment” field is required.

Returns:

A requests Response object containing the response code

Return type:

requests.models.Response
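The documented rules for get_details() and close() (a fixed set of scope values, a fixed set of integer close reasons, and reason 0 requiring a comment) are the kind of thing a triage script should check before it makes the call rather than after the API rejects it. The following is an added example, not code from laceworksdk: it validates those arguments, shows the comment-then-close flow, and includes a constructed FakeAlertsAPI stand-in so it runs offline. The close_with_note helper and FakeAlertsAPI are hypothetical; against a real tenant you would pass LaceworkClient().alerts (credentials assumed to come from the usual environment or profile) in place of the fake.

```python
# Added example, not part of laceworksdk: argument checks in front of
# AlertsAPI.get_details(), AlertsAPI.comment() and AlertsAPI.close(), plus a
# small triage helper that records an analyst note and then closes an alert.
from typing import Optional

# Scope values documented for get_details()
VALID_SCOPES = frozenset(
    {"Details", "Investigation", "Events", "RelatedAlerts", "Integrations", "Timeline"}
)

# Close reasons documented for close(); reason 0 ("Other") additionally requires a comment
CLOSE_REASONS = {
    0: "Other",
    1: "False positive",
    2: "Not enough information",
    3: "Malicious and have resolution in place",
    4: "Expected because of routine testing",
}


def validate_scope(scope: str) -> str:
    """Return scope unchanged if it is one of the documented values, else raise."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r}; expected one of {sorted(VALID_SCOPES)}")
    return scope


def build_close_args(alert_id, reason: int, comment: Optional[str] = None) -> dict:
    """Return keyword arguments for AlertsAPI.close() after enforcing the documented rules."""
    # bool is a subclass of int, so reject True/False explicitly
    if isinstance(reason, bool) or reason not in CLOSE_REASONS:
        raise ValueError(f"invalid close reason {reason!r}; expected one of {sorted(CLOSE_REASONS)}")
    if reason == 0 and not (comment and comment.strip()):
        raise ValueError('close reason 0 ("Other") requires a non-empty comment')
    args = {"id": str(alert_id), "reason": reason}
    if comment is not None:
        args["comment"] = comment
    return args


def close_with_note(alerts_api, alert_id, reason: int, comment: Optional[str] = None,
                    note: Optional[str] = None) -> int:
    """Hypothetical triage helper: post an optional analyst note with comment(), then
    close the alert with close(). Returns the HTTP status code of the close call.
    `alerts_api` is any object exposing the AlertsAPI methods, e.g. LaceworkClient().alerts."""
    args = build_close_args(alert_id, reason, comment)
    if note:
        alerts_api.comment(id=args["id"], comment=note)
    response = alerts_api.close(**args)
    # close() returns a requests Response; surface non-2xx codes instead of ignoring them
    response.raise_for_status()
    return response.status_code


class FakeAlertsAPI:
    """Constructed offline stand-in for AlertsAPI that records the calls it receives."""

    class _Response:
        status_code = 200

        def raise_for_status(self):
            pass

    def __init__(self):
        self.calls = []

    def get_details(self, id, scope, **request_params):
        validate_scope(scope)
        self.calls.append(("get_details", id, scope))
        return {"data": {"alertId": id, "scope": scope}}  # constructed shape

    def comment(self, id, comment):
        self.calls.append(("comment", id, comment))
        return {"data": {"alertId": id, "comment": comment}}  # constructed shape

    def close(self, id, reason, comment=None):
        self.calls.append(("close", id, reason, comment))
        return self._Response()


if __name__ == "__main__":
    api = FakeAlertsAPI()  # replace with LaceworkClient().alerts for real use
    print(api.get_details(id="12345", scope="RelatedAlerts"))
    print(close_with_note(api, 12345, reason=1, note="Known internal scanner; ticket ID placeholder"))
    print(api.calls)
```

The id is coerced to str before the call because the SDK documents it as a string; keeping that coercion in one place avoids a mix of int and str IDs across a script.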

search(json=None, resource=None)

A method to search objects.

See the API documentation for this API endpoint for valid fields to search against.

NOTE: While the “value” and “values” fields are marked as “optional”, you must use one of them, depending on the operation you are using.

Parameters:
  • json (dict) –

    The desired search parameters:

    • timeFilter (dict, optional): A dict containing the time frame for the search:

      • startTime (str): The start time for the search

      • endTime (str): The end time for the search

    • filters (list of dict, optional): Filters based on field contents:

      • field (str): The name of the data field to which the condition applies

      • expression (str): The comparison operator for the filter condition. Valid values are:

      “eq”, “ne”, “in”, “not_in”, “like”, “ilike”, “not_like”, “not_ilike”, “not_rlike”, “rlike”, “gt”, “ge”, “lt”, “le”, “between”

      • value (str, optional): The value that the condition checks for in the specified field. Use this attribute when using an operator that requires a single value.

      • values (list of str, optional): The values that the condition checks for in the specified field. Use this attribute when using an operator that requires multiple values.

    • returns (list of str, optional): The fields to return

  • resource (str) – The Lacework API resource to search (Example: “AlertChannels”)

Yields:

dict – A generator that yields one page of objects at a time, as returned by the Lacework API.
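The search body above has two rules that are easy to get wrong: single-value operators take “value” while “in”, “not_in” and “between” take “values”, and the time filter must use the “%Y-%m-%dT%H:%M:%SZ” form that get() documents for start_time. The following is an added example, not code from laceworksdk: it builds and checks the json body for search(), flattens the page-at-a-time generator into individual alerts, and wraps it in a small triage query. The lacework_timestamp helper also serves get(start_time=..., end_time=...). Assumptions: each yielded page carries its alerts under a "data" key (the Lacework v2 response shape), the field names and values in the triage query (“severity”, “status”, “Open”) are illustrative and should be checked against the API documentation the page points to, and FakeAlertsAPI with its SAMPLE_PAGES is a constructed stand-in so the code runs offline.

```python
# Added example, not part of laceworksdk: build and check the JSON body that
# AlertsAPI.search() expects, then page through the results.
from datetime import datetime, timedelta, timezone
from typing import Iterable, Iterator, List, Optional

# Operators documented for the "expression" field, split by whether they take a
# single "value" or a list of "values".
SINGLE_VALUE_OPS = frozenset({"eq", "ne", "like", "ilike", "not_like", "not_ilike",
                              "rlike", "not_rlike", "gt", "ge", "lt", "le"})
MULTI_VALUE_OPS = frozenset({"in", "not_in", "between"})


def lacework_timestamp(when: datetime) -> str:
    """Format a datetime in the "%Y-%m-%dT%H:%M:%SZ" form documented for start_time."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # assumption: naive datetimes are UTC
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_filter(field: str, expression: str, value: Optional[str] = None,
                values: Optional[List[str]] = None) -> dict:
    """Return one entry for "filters", enforcing the value/values rule from the docs."""
    if expression in SINGLE_VALUE_OPS:
        if value is None or values is not None:
            raise ValueError(f'{expression!r} takes "value" only')
        return {"field": field, "expression": expression, "value": value}
    if expression in MULTI_VALUE_OPS:
        if not values or value is not None:
            raise ValueError(f'{expression!r} takes a non-empty "values" list only')
        if expression == "between" and len(values) != 2:
            raise ValueError('"between" needs exactly two values')
        return {"field": field, "expression": expression, "values": list(values)}
    raise ValueError(f"unknown expression {expression!r}")


def build_alert_search(start: datetime, end: datetime, filters: Iterable[dict] = (),
                       returns: Optional[List[str]] = None) -> dict:
    """Assemble the body for AlertsAPI.search(json=...)."""
    if end <= start:
        raise ValueError("end must be after start")
    body = {
        "timeFilter": {"startTime": lacework_timestamp(start), "endTime": lacework_timestamp(end)},
        "filters": list(filters),
    }
    if returns:
        body["returns"] = list(returns)
    return body


def iter_alerts(alerts_api, body: dict) -> Iterator[dict]:
    """Flatten the page-at-a-time generator from search() into single alert dicts.
    Assumes each page is a dict with the alerts under "data"."""
    for page in alerts_api.search(json=body):
        for alert in page.get("data", []):
            yield alert


class FakeAlertsAPI:
    """Constructed offline stand-in that yields canned pages and remembers the body."""

    def __init__(self, pages):
        self.pages = pages
        self.last_body = None

    def search(self, json=None, resource=None):
        self.last_body = json
        for page in self.pages:
            yield page


# Constructed sample pages in the shape iter_alerts() expects
SAMPLE_PAGES = [
    {"data": [{"alertId": 1, "severity": "Critical"}, {"alertId": 2, "severity": "High"}]},
    {"data": [{"alertId": 3, "severity": "Critical"}]},
]
SAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # fixed clock for tests


def open_critical_last_day(alerts_api, now: Optional[datetime] = None) -> List[int]:
    """Hypothetical triage query: IDs of open Critical/High alerts from the last 24 hours."""
    now = now or datetime.now(timezone.utc)
    body = build_alert_search(
        now - timedelta(days=1), now,
        filters=[make_filter("severity", "in", values=["Critical", "High"]),
                 make_filter("status", "eq", value="Open")],
        returns=["alertId", "severity"],
    )
    return [alert["alertId"] for alert in iter_alerts(alerts_api, body)]


if __name__ == "__main__":
    api = FakeAlertsAPI(SAMPLE_PAGES)  # replace with LaceworkClient().alerts for real use
    print(open_critical_last_day(api))
    print(api.last_body)
```

Because search() yields a page at a time, iter_alerts() lets a script stop early (for example after the first match) without fetching the remaining pages; the "returns" list keeps each page small by asking only for the fields the triage logic reads.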