Lacework Python SDK Usage
The Lacework Python SDK closely mirrors the Lacework API
in structure. The main class of the SDK is LaceworkClient
which has attributes representing
the various resources/endpoints of the Lacework API. Depending on the resource, these attributes
will have some combination of CRUD and search methods, though a few have other unique methods.
You can read about the various attributes and methods of the SDK here.
Usage Examples
Example 1: Create a New User
This example leverages the team_users
attribute
to create a new Lacework user.
from laceworksdk import LaceworkClient
lw = LaceworkClient(profile="default")
response = lw.team_users.create("testuser", "testuser@testdomain.com", "Test Company")
Example 2: Searching for an Alert
This example leverages the alerts
attribute
to find all Critical
alerts that occured in the last 24 hours.
from laceworksdk import LaceworkClient
from datetime import datetime, timedelta, timezone
lw = LaceworkClient(profile="default")
# Lacework will require us to specify a search window in a specific format
# The following will allow us to specify a window that starts 1 day ago
# and ends "now"
current_time = datetime.now(timezone.utc)
start_time = current_time - timedelta(days=1)
start_time = start_time.strftime("%Y-%m-%dT%H:%M:%S%z")
end_time = current_time.strftime("%Y-%m-%dT%H:%M:%S%z")
# We need to specify our start time, end time, and search criteria in this structure
# In this case we are specifying that the alert "severity" property should be equal
# to "Critical"
filters = {
"timeFilter": {
"startTime": start_time,
"endTime": end_time
},
"filters":
[
{
"field": "severity",
"expression": "eq",
"value": "critical"
}
]
}
# Make the API call, note that all search methods in this SDK will return
# Generators, not lists or dicts
alerts = lw.alerts.search(json=filters)
Note: This search will return a generator object, not a list or dict. If you are unfamiliar with Python generators you may want to read up on them.
Example 3: Retrieving a Compliance Report
This example leverages the cloud_accounts
attribute
first to retrieve a list of AWS account integrations, specifically those that retrieve “config”
information. It uses a python list comprehension to select the first one it finds and parses the
AWS account ID from that data.
Once it has a valid AWS account integration it uses this to pull a CIS 1.4 report using the
reports
attribute.
from laceworksdk import LaceworkClient
lw = LaceworkClient(profile="default")
# Get a list of accounts
accounts = lw.cloud_accounts.get()['data']
# List comprehension to filter out disabled or misconfigured integrations
# as well as only select for "config" type integrations
config_accounts = [account for account in accounts if ("Cfg" in account['type'] and account['enabled'] == 1 and account['state']['ok'] is True)]
# Loop through what's left and find the first AWS integration
for config_account in config_accounts:
if config_account['type'] == 'AwsCfg':
# Parse the AWS account ID from the account details
arn_elements = config_account['data']['crossAccountCredentials']['roleArn'].split(':')
primary_query_id = arn_elements[4]
break
# Leverage the retrieved account ID to pull a CIS 1.4 report for that account
# in html format
response = lw.reports.get(primary_query_id=primary_query_id,
format="html",
type="COMPLIANCE",
report_type="AWS_CIS_14")
More Examples
You can find more examples in the “examples” folder of the github repository here.