Lacework FortiCNAPP v1.1.0

About the connector

Lacework delivers end-to-end visibility into what's happening across your cloud environment, including detecting threats, vulnerabilities, misconfigurations, and unusual activity, so you can innovate with speed and safety.

This document provides information about the Lacework connector, which facilitates automated interactions with a Lacework server using FortiSOAR™ playbooks. Add the Lacework connector as a step in FortiSOAR™ playbooks and perform automated operations with Lacework.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.6.0-5012

Lacework Version Tested on: v2

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the Lacework FortiCNAPP Connector in version 1.1.0:

  • Added the following new actions:
    • Search Configuration
    • Search Container Vulnerabilities
    • Search Host Vulnerabilities
    • Run LQL Query
    • Execute an API Call

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-lacework

Prerequisites to configuring the connector

  • You must have the credentials of the Lacework server to which you will connect and perform automated operations.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Lacework server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Lacework connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Lacework server to connect and perform the automated operations.
Key ID Specify the access key ID configured for your account to access the Lacework endpoint.
Secret Key Specify the secret key configured for your account to access the Lacework endpoint.
Verify SSL Specifies whether the SSL certificate for the server is to be verified. By default, this option is selected, i.e., set to true.

Actions supported by the connector

You can use the following automated operations in playbooks and also use the annotations to access operations:

Function (annotation, category): Description

Search Alerts (search_alerts, Investigation): Retrieves a detailed list of alerts based on alert ID, start time, alert type, severity, status, and other filter criteria that you have specified.
Get Alerts Details (get_alert_details, Investigation): Retrieves details about an alert based on the alert ID and scope you have specified.
Get Alert Entities (get_alert_entities, Investigation): Retrieves a list of all entities associated with a specified alert ID for which additional context is available. The entity can be any non-compliant resource, such as a machine or IP address.
Get Alert Entity Details (get_alert_entity_details, Investigation): Retrieves details about an entity associated with the specified alert ID for which additional context is available.
Add Comment to Alert (add_comment_to_alert, Investigation): Adds a user comment on an alert's timeline based on the alert ID you have specified.
Close Alert (close_alert, Investigation): Updates the status of an alert to 'Closed'.

NOTE: A closed alert cannot be reopened.

Run LQL Query (lql_query, Investigation): Retrieves a list of results based on the LQL query, start time, and other filter criteria that you have specified.
Search Host Vulnerabilities (search_host_vulnerabilities, Investigation): Retrieves a detailed list of host vulnerability states based on start time, severity, and other filter criteria that you have specified.
Search Container Vulnerabilities (search_container_vulnerabilities, Investigation): Retrieves a detailed list of container vulnerability states based on start time, severity, and other filter criteria that you have specified.
Search Configuration (search_configuration, Investigation): Retrieves a detailed list of config states based on policy ID, start time, and other filter criteria that you have specified.
Execute an API Call (send_custom_request, Investigation): Sends a request to any Lacework API endpoint using the HTTP method, endpoint, and other input parameters that you have specified, enabling flexible API interactions tailored to user needs.

operation: Search Alerts

Input parameters

Parameter Description
Start Time (Optional) Specify the start time for the search. Supported time formats: yyyy-MM-dd, yyyy-MM-ddTHH, yyyy-MM-ddTHH:mm:ssZ, yyyy-MM-ddTHH:mm:ss.SSSZ. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be greater than 7 Days.

End Time (Optional) Specify the end time for the search. Supported time formats: yyyy-MM-dd, yyyy-MM-ddTHH, yyyy-MM-ddTHH:mm:ssZ, yyyy-MM-ddTHH:mm:ss.SSSZ. By default, the value is the current time.

NOTE: The difference between start time and end time should not be greater than 7 Days.

Alert ID (Optional) Specify an alert ID to retrieve the specified alert's details.
Alert Type (Optional) Specify the alert type to filter alerts retrieved.
Severity (Optional) Select severity to filter alerts retrieved. You can select from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Status (Optional) Select the status to filter alerts retrieved. You can select from the following options:
  • Open
  • InProgress
  • Closed
Alert Category (Optional) Select the category to filter alerts retrieved. You can select from the following options:
  • Policy
  • Anomaly
  • Composite
Alert Sub Category (Optional) Select the sub category to filter alerts retrieved. You can select from the following options:
  • Compliance
  • Application
  • Cloud Activity
  • File
  • Machine
  • User
  • Platform
  • Kubernetes Activity
  • Registry
  • SystemCall
  • Threat Intel
  • Host Vulnerability
  • Container Vulnerability
Source (Optional) Select the source to filter alerts retrieved. You can select from the following options:
  • AWS
  • Azure
  • GCP
  • Agent
  • K8s
  • OCI
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: alertId, alertName, alertType, alertInfo.

Output

The output contains the following populated JSON schema:

[
    {
        "alertId": "",
        "startTime": "",
        "alertType": "",
        "severity": "",
        "internetExposure": "",
        "reachability": "",
        "derivedFields": {
            "category": "",
            "sub_category": "",
            "source": ""
        },
        "endTime": "",
        "lastUserUpdatedTime": "",
        "status": "",
        "alertName": "",
        "alertInfo": {
            "subject": "",
            "description": ""
        },
        "policyId": ""
    }
]
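The following is an added example (not the connector's or Lacework's own code) that shows how the Search Alerts inputs above can be validated and turned into a search request body: it parses the four documented time formats, applies the documented defaults (start = 24 hours before now, end = now), enforces the 7-day window, checks the option lists, and builds the request. The body shape (timeFilter / filters / returns) and the filter field names are assumptions modelled on the output schema keys shown on the page, not taken from the connector document.

```python
"""Validate the connector's 'Search Alerts' inputs and build a request body.

Added example, not the connector's own code. Assumptions (not from the
document): the request shape {"timeFilter", "filters", "returns"} and the
filter field names, which are modelled on the page's output schema keys.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# The four time formats listed in the document, tried in this order.
_TIME_FORMATS = (
    "%Y-%m-%d",               # yyyy-MM-dd
    "%Y-%m-%dT%H",            # yyyy-MM-ddTHH
    "%Y-%m-%dT%H:%M:%SZ",     # yyyy-MM-ddTHH:mm:ssZ
    "%Y-%m-%dT%H:%M:%S.%fZ",  # yyyy-MM-ddTHH:mm:ss.SSSZ
)
MAX_WINDOW = timedelta(days=7)          # documented limit on end - start
DEFAULT_LOOKBACK = timedelta(hours=24)  # documented default for Start Time

# Option lists copied from the document.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
STATUSES = ("Open", "InProgress", "Closed")
CATEGORIES = ("Policy", "Anomaly", "Composite")
SOURCES = ("AWS", "Azure", "GCP", "Agent", "K8s", "OCI")

# Assumed mapping: connector input -> (search filter field, allowed values).
_FILTER_FIELDS = {
    "alert_id": ("alertId", None),
    "alert_type": ("alertType", None),
    "severity": ("severity", SEVERITIES),
    "status": ("status", STATUSES),
    "category": ("category", CATEGORIES),
    "source": ("source", SOURCES),
}


def parse_time(value: str) -> datetime:
    """Parse one of the documented formats into an aware UTC datetime."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported time format: {value!r}")


def _fmt(dt: datetime) -> str:
    """Render a datetime in the yyyy-MM-ddTHH:mm:ssZ form."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_search_alerts_request(params: dict, now: datetime | None = None) -> dict:
    """Translate playbook inputs into a validated search request body."""
    now = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    end = parse_time(params["end_time"]) if params.get("end_time") else now
    start = (parse_time(params["start_time"]) if params.get("start_time")
             else now - DEFAULT_LOOKBACK)
    if start >= end:
        raise ValueError("start time must be earlier than end time")
    if end - start > MAX_WINDOW:
        raise ValueError("the start/end window must not exceed 7 days")

    filters = []
    for key, (field, allowed) in _FILTER_FIELDS.items():
        value = params.get(key)
        if value in (None, ""):
            continue  # optional input left blank: no filter
        if allowed is not None and value not in allowed:
            raise ValueError(f"{key}: {value!r} is not one of {allowed}")
        filters.append({"field": field, "expression": "eq", "value": value})

    body = {"timeFilter": {"startTime": _fmt(start), "endTime": _fmt(end)}}
    if filters:
        body["filters"] = filters
    # 'Returns' is a comma-separated list of top-level response fields.
    returns = [f.strip() for f in params.get("returns", "").split(",") if f.strip()]
    if returns:
        body["returns"] = returns
    return body


if __name__ == "__main__":
    import json
    # Constructed sample inputs, as a playbook step might pass them.
    sample = {"start_time": "2024-06-05", "severity": "Critical",
              "status": "Open", "returns": "alertId, alertName, severity"}
    print(json.dumps(build_search_alerts_request(sample), indent=2))
```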

operation: Get Alerts Details

Input parameters

Parameter Description
Alert ID Specify an alert ID to retrieve the specified alert's details.
Scope Select the scope to filter and limit the response retrieved. You can select from the following options:
  • Details
  • Investigation
  • Events
  • RelatedAlerts
  • Integrations
  • Timeline

Output

The output contains the following populated JSON schema:

Output schema when you choose Scope as Details:

{
    "data": {
        "alertId": "",
        "startTime": "",
        "alertType": "",
        "severity": "",
        "endTime": "",
        "lastUserUpdatedTime": "",
        "status": "",
        "alertName": "",
        "alertInfo": {
            "subject": "",
            "description": "",
            "isExpectedLWBehavior": "",
            "customerCount": "",
            "supportingFacts": [
                {
                    "supportingFactText": "",
                    "subElements": []
                }
            ]
        },
        "entityMap": {
            "API": "",
            "CT_User": "",
            "CT_RawTime": "",
            "Region": "",
            "Resource": "",
            "RulesTriggered": "",
            "SourceIpAddress": ""
        }
    }
}

Output schema when you choose Scope as Investigation:

{
    "data": [
        {
            "question": "",
            "answer": ""
        }
    ]
}

Output schema when you choose Scope as Events:

{
    "data": [
        {
            "awsRegion": "",
            "eventName": "",
            "eventSource": "",
            "sourceIpAddress": "",
            "recipientAccountId": "",
            "mfa": "",
            "eventTime": "",
            "userIdentity": "",
            "additionalEventInfo": {
                "errorCode": "",
                "errorMessage": "",
                "eventID": "",
                "eventTime": "",
                "eventType": "",
                "eventVersion": "",
                "readOnly": "",
                "requestID": "",
                "userAgent": ""
            },
            "requestParameters": "",
            "compositeEventId": "",
            "id": "",
            "name": "",
            "descriptionText": "",
            "compositeStartTime": "",
            "compositeEndTime": "",
            "entityKeys": [],
            "tagMetadata": [
                {
                    "tagMetadata": {
                        "customerFacingId": "",
                        "id": "",
                        "name": "",
                        "orderIndex": "",
                        "parentId": "",
                        "type": "",
                        "url": "",
                        "version": ""
                    }
                }
            ]
        }
    ]
}

Output schema when you choose Scope as RelatedAlerts:

{
    "data": [
        {
            "eventType": "",
            "eventId": "",
            "severity": "",
            "startTime": "",
            "endTime": "",
            "eventModel": "",
            "eventProps": {
                "description": "",
                "dstEntities": "",
                "eventActor": "",
                "srcEntities": ""
            },
            "keys": "",
            "rank": "",
            "eventInfo": {
                "subject": "",
                "description": ""
            },
            "eventName": ""
        }
    ]
}

Output schema when you choose Scope as Integrations:

{
    "data": [
        {
            "alertChannel": "",
            "alertIntegrationId": "",
            "createdTime": "",
            "alertId": "",
            "integrationType": "",
            "integrationContext": {
                "id": "",
                "link": ""
            },
            "intgGuid": "",
            "lastSyncTime": "",
            "alertIntegrationStatus": "",
            "status": "",
            "isBidirectional": ""
        }
    ]
}

Output schema when you choose Scope as Timeline:

{
    "data": [
        {
            "alertChannel": "",
            "id": "",
            "alertId": "",
            "createdTime": "",
            "entryType": "",
            "entryAuthorType": "",
            "intgGuid": "",
            "message": {},
            "externalTime": "",
            "user": "",
            "updateContext": {
                "newIntegration": {
                    "createdTime": "",
                    "alertId": "",
                    "lastSyncTime": "",
                    "alertIntegrationStatus": "",
                    "status": "",
                    "isBidirectional": ""
                }
            },
            "alertIntegration": ""
        }
    ]
}

operation: Get Alert Entities

Input parameters

Parameter Description
Alert ID Specify an alert ID to retrieve the specified alert's entities.

Output

The output contains the following populated JSON schema:

{
    "data": [
        {
            "entities": [
                {
                    "entityValue": "",
                    "contextEntityType": ""
                }
            ],
            "countOfEntities": ""
        }
    ]
}

operation: Get Alert Entity Details

Input parameters

Parameter Description
Alert ID Specify an alert ID to retrieve the details about an entity associated with the specified alert.
Entity Type Select the type of entity. You can select from the following options:
  • IpAddress
  • Machine
Entity Value Specify the corresponding entity value such as the Machine identifier (MID) or IP address for the selected entity type.

Output

The output contains the following populated JSON schema:

Output schema when you choose Entity Type as IpAddress:

{
    "data": {
        "isAgentInstalled": "",
        "isInternalIp": "",
        "laceworkLabs": {
            "customerCount": "",
            "badIpAddress": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "virusTotal": {
            "securityVendorsCount": "",
            "source": "",
            "network": "",
            "autonomousSystemNumber": "",
            "autonomousSystemLabel": "",
            "regionalInternalRegistry": "",
            "country": "",
            "continent": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "ipAddressSummary": {
            "country": "",
            "region": "",
            "city": "",
            "countryCode": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "resolvedIpInformation": {
            "resolvedIPInfo": [
                {
                    "dnsResolverIp": "",
                    "dnsName": "",
                    "resolvedIp": ""
                }
            ],
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "uniqueProcessDetails": {
            "uniqueProcesses": [
                {
                    "cmdLine": "",
                    "launchTime": "",
                    "hostname": ""
                }
            ],
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "networkActivityOverview": {
            "externalServerConn": {
                "count": ""
            },
            "externalClientConn": {
                "count": ""
            },
            "externalInBytes": {
                "count": ""
            },
            "externalOutBytes": {
                "count": ""
            },
            "startTimeRange": "",
            "endTimeRange": ""
        }
    }
}

Output schema when you choose Entity Type as Machine:

{
    "data": {
        "criticalAndHighRisk": {
            "vulnerabilities": {
                "criticalCount": "",
                "highCount": "",
                "startTimeRange": "",
                "endTimeRange": ""
            },
            "alerts": {
                "criticalCount": "",
                "highCount": "",
                "startTimeRange": "",
                "endTimeRange": ""
            },
            "attackPaths": {
                "criticalCount": "",
                "otherCount": "",
                "startTimeRange": "",
                "endTimeRange": ""
            }
        },
        "customResourceGroups": {
            "resourceGroups": [
                {
                    "name": "",
                    "guid": ""
                }
            ],
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "cloudServiceProvider": {
            "cloudServiceProvider": "",
            "accountAlias": "",
            "accountId": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "machineProperties": {
            "name": "",
            "ipAddress": "",
            "lastBootTime": "",
            "cpu": "",
            "osType": "",
            "memoryInfo": "",
            "kernelRelease": "",
            "kernelVersion": "",
            "macAddress": "",
            "defaultRouter": "",
            "promiscuous": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "machineTagSummary": {
            "amiId": "",
            "instanceId": "",
            "subnetId": "",
            "vmInstanceType": "",
            "vmProvider": "",
            "lwTokenShort": "",
            "internalIp": "",
            "arch": "",
            "vpcId": "",
            "zone": "",
            "os": "",
            "account": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "networkActivityOverview": {
            "externalServerConn": {
                "count": ""
            },
            "externalClientConn": {
                "count": ""
            },
            "externalInBytes": {
                "count": ""
            },
            "externalOutBytes": {
                "count": ""
            },
            "startTimeRange": "",
            "endTimeRange": ""
        }
    }
}

operation: Add Comment to Alert

Input parameters

Parameter Description
Alert ID Specify an alert ID to add a user comment on the alert's timeline.
Comment Specify the comment to be added to the alert's timeline.
Format (Optional) Select the comment's format. You can select from the following options:
  • Plaintext
  • Markdown

Output

The output contains the following populated JSON schema:

{
    "data": {
        "id": "",
        "alertId": "",
        "createdTime": "",
        "entryType": "",
        "entryAuthorType": "",
        "message": {
            "format": "",
            "value": ""
        },
        "externalTime": "",
        "user": {
            "userGuid": "",
            "username": ""
        },
        "updateContext": {}
    }
}

operation: Close Alert

Input parameters

Parameter Description
Alert ID Specify an alert ID to close the specified alert.
Reason Select the reason for closing the alert. You can select from the following options:
  • False positive
  • Not enough information
  • Malicious and have a resolution in place
  • Expected because of routine testing
  • Expected behavior
  • Other: Select to enter a brief explanation, in the Comment field, as a reason for closing the alert.
Comment Specify a brief description of the selected reason.

NOTE: This field is mandatory if the Reason selected is Other.

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

operation: Run LQL Query

Input parameters

Parameter Description
LQL Query Specify the LQL (Lacework Query Language) formatted query. For example:
{source return}
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

Limit (Optional) Specify the maximum count of rows to return.

Output

The output contains a non-dictionary value.

operation: Search Host Vulnerabilities

Input parameters

Parameter Description
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

Package Status (Optional) Select the package status to filter retrieved host vulnerabilities. You can choose from the following options:
  • ACTIVE
  • INACTIVE
Kernel Status (Optional) Select the kernel status to filter retrieved host vulnerabilities. You can choose from the following options:
  • Active
  • Inactive
Internet Reachability (Optional) Select the internet reachability to filter retrieved host vulnerabilities. You can either leave it blank or select Direct.
Public Exploit Available (Optional) Select whether a public exploit is available to filter retrieved host vulnerabilities. You can choose from the following options:
  • Yes
  • No
Fix Available (Optional) Select the 'Fix Available' status to filter retrieved host vulnerabilities. You can choose from the following options:
  • Available
  • Unavailable
AWS Account ID (Optional) Specify an AWS account ID to filter retrieved host vulnerabilities.
Azure Tenant ID (Optional) Specify an Azure tenant ID to filter retrieved host vulnerabilities.
Azure Subscription ID (Optional) Specify an Azure subscription ID to filter retrieved host vulnerabilities.
GCP Project ID (Optional) Specify a GCP project ID to filter retrieved host vulnerabilities.
AWS Instance ID (Optional) Specify an AWS instance ID to filter retrieved host vulnerabilities. For example: i-11112421523.
AWS AMI ID (Optional) Specify an AWS AMI ID to filter retrieved host vulnerabilities.
Machine Hostname (Optional) Specify a machine hostname to filter retrieved host vulnerabilities.
Machine Name (Optional) Specify a machine name to filter retrieved host vulnerabilities.
Severity (Optional) Select severity to filter retrieved host vulnerabilities. You can choose from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: riskScore, riskInfo.

Output

The output contains the following populated JSON schema:

[
    {
        "cveProps": {},
        "cveRiskInfo": {},
        "cveRiskScore": {},
        "endTime": "",
        "evalCtx": {},
        "evalGuid": {},
        "featureKey": {},
        "fixInfo": {},
        "hostRiskInfo": {},
        "hostRiskScore": "",
        "machineTags": {},
        "mid": "",
        "packageStatus": "",
        "props": {},
        "region": "",
        "riskInfo": {},
        "riskScore": "",
        "severity": "",
        "startTime": "",
        "status": "",
        "vulnId": ""
    }
]

operation: Search Container Vulnerabilities

Input parameters

Parameter Description
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

Package Status (Optional) Select the package status to filter retrieved container vulnerabilities. You can choose from the following options:
  • ACTIVE
  • INACTIVE
Internet Reachability (Optional) Select the internet reachability to filter retrieved container vulnerabilities. You can either leave it blank or select Direct.
Public Exploit Available (Optional) Select whether a public exploit is available to filter retrieved container vulnerabilities. You can choose from the following options:
  • Yes
  • No
Image ID (Optional) Specify an image ID to filter retrieved container vulnerabilities.
Fix Available (Optional) Select the 'Fix Available' status to filter retrieved container vulnerabilities. You can choose from the following options:
  • Available
  • Unavailable
Severity (Optional) Select severity to filter retrieved container vulnerabilities. You can choose from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: cveRiskInfo, cveRiskScore.

Output

The output contains the following populated JSON schema:

[
    {
        "cveProps": {
            "description": "",
            "link": "",
            "source": ""
        },
        "cveRiskInfo": {
            "HOST_COUNT": "",
            "IMAGE_COUNT": "",
            "PKG_COUNT": "",
            "SEVERITY_LEVEL": "",
            "score": ""
        },
        "cveRiskScore": "",
        "evalCtx": {
            "collector_type": "",
            "cve_batch_info": [
                {
                    "cve_created_time": ""
                }
            ],
            "image_info": {
                "created_time": "",
                "digest": "",
                "id": "",
                "registry": "",
                "repo": "",
                "scan_created_time": "",
                "size": "",
                "status": "",
                "tags": [],
                "type": ""
            },
            "integration_props": {},
            "is_reeval": "",
            "request_source": "",
            "scan_batch_id": "",
            "scan_request_props": {
                "data_format_version": "",
                "props": {
                    "data_format_version": "",
                    "scanner_version": ""
                },
                "scanCompletionUtcTime": "",
                "scan_start_time": "",
                "scanner_version": ""
            },
            "vuln_batch_id": "",
            "vuln_created_time": ""
        },
        "evalGuid": "",
        "featureKey": {
            "name": "",
            "namespace": "",
            "version": ""
        },
        "featureProps": {
            "feed": "",
            "introduced_in": "",
            "layer": "",
            "src": "",
            "version_format": ""
        },
        "fixInfo": {
            "fix_available": "",
            "fixed_version": ""
        },
        "imageId": "",
        "imageRiskInfo": {
            "factors": [],
            "factors_breakdown": {
                "active_containers": "",
                "cve_counts": {
                    "Critical": "",
                    "High": "",
                    "Medium": "",
                    "Other": ""
                },
                "exploit_summary": {
                    "disclosure_in_wild": "",
                    "exploit_public": "",
                    "exploit_virus_malware": "",
                    "exploit_wormified": ""
                },
                "internet_reachability": ""
            }
        },
        "imageRiskScore": "",
        "packageStatus": "",
        "riskInfo": {
            "factors": [],
            "factors_breakdown": {
                "active_containers": "",
                "cve_counts": {
                    "Critical": "",
                    "High": "",
                    "Medium": "",
                    "Other": ""
                },
                "exploit_summary": {
                    "disclosure_in_wild": "",
                    "exploit_public": "",
                    "exploit_virus_malware": "",
                    "exploit_wormified": ""
                },
                "internet_reachability": ""
            }
        },
        "riskScore": "",
        "severity": "",
        "startTime": "",
        "status": "",
        "vulnId": ""
    }
]

operation: Search Configuration

Input parameters

Parameter Description
Dataset Select the dataset to filter retrieved configurations. You can select from the following options:
  • AWS Compliance
  • Azure Compliance
  • GCP Compliance
  • K8s Compliance
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

AWS Account ID (Optional) Specify an AWS account ID to filter retrieved configurations.
Azure Tenant ID (Optional) Specify an Azure tenant ID to filter retrieved configurations.
Azure Subscription ID (Optional) Specify an Azure subscription ID to filter retrieved configurations.
GCP Project ID (Optional) Specify a GCP project ID to filter retrieved configurations.
Policy ID (Optional) Specify a policy ID to filter retrieved configurations. For example: lacework-global-634.
Region (Optional) Specify a region to filter retrieved configurations. For example: us-east-1.
Resource ID (Optional) Specify a resource ID to filter retrieved configurations. For example: arn:aws:kms:us-east-1:111111111:key/xxxx-xxx-xxxx-xxxxx.
Severity (Optional) Select severity to filter retrieved configurations. You can choose from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Status (Optional) Select the status to filter retrieved configurations. You can choose from the following options:
  • Compliant
  • NonCompliant
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: account, severity, status.

Output

The output contains the following populated JSON schema:

[
    {
        "account": {
            "AccountId": "",
            "Account_Alias": ""
        },
        "evalType": "",
        "id": "",
        "reason": "",
        "recommendation": "",
        "region": "",
        "reportTime": "",
        "resource": "",
        "section": "",
        "severity": "",
        "status": ""
    }
]

operation: Execute an API Call

Input parameters

Parameter Description
HTTP Method Select an HTTP action for the request. You can select from the following options:
  • DELETE
  • GET
  • PATCH
  • POST
  • PUT
Endpoint Specify the target API URL path for the request.
For example, if the URL is "https://lacework.net/api/v2/Vulnerabilities/Hosts/search", the endpoint would be "Vulnerabilities/Hosts/search".
Query Parameters (Optional) Specify any optional parameters to add to the URL and refine the request.
Request Payload (Optional) Specify data, as JSON, to be sent as the request payload (typically for POST or PUT requests).

Output

The output contains a non-dictionary value.
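An added example (not the connector's own code) of the Endpoint rule stated above: it derives the endpoint path from a full Lacework URL or a path, rejects inputs that point at a host other than the configured Server URL or that step outside the API prefix, and composes the final request URL with the allowed HTTP method and query parameters. The /api/v2/ prefix is assumed from the document's own example URL.

```python
"""Derive the 'Endpoint' input for Execute an API Call and rebuild the URL.

Added example, not the connector's own code. The only rule taken from the
document is that 'https://lacework.net/api/v2/Vulnerabilities/Hosts/search'
yields the endpoint 'Vulnerabilities/Hosts/search'; the API prefix below is
assumed from that example.
"""
from __future__ import annotations

from urllib.parse import urlencode, urlsplit

ALLOWED_METHODS = ("DELETE", "GET", "PATCH", "POST", "PUT")  # from the document
API_PREFIX = "/api/v2/"  # assumed from the document's example URL


def to_endpoint(url_or_path: str, server_url: str) -> str:
    """Return the endpoint path relative to the API prefix.

    Only the configured Server URL host is accepted, and '.'/'..' segments
    are refused, so a playbook input cannot redirect the generic action to
    another server or outside the API prefix."""
    target = urlsplit(url_or_path)
    if target.scheme or target.netloc:
        server = urlsplit(server_url)
        if (target.scheme.lower(), target.netloc.lower()) != (
                server.scheme.lower(), server.netloc.lower()):
            raise ValueError(
                f"{url_or_path!r} is not on the configured server {server_url!r}")
    path = target.path
    if path.startswith(API_PREFIX):
        path = path[len(API_PREFIX):]
    path = path.lstrip("/")
    if not path or any(seg in ("", ".", "..") for seg in path.split("/")):
        raise ValueError(f"invalid endpoint path: {url_or_path!r}")
    return path


def build_request(method: str, endpoint: str, server_url: str,
                  query: dict | None = None) -> tuple[str, str]:
    """Compose (HTTP method, full URL) for the request the action sends."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported HTTP method: {method}")
    url = server_url.rstrip("/") + API_PREFIX + endpoint
    if query:
        url += "?" + urlencode(query)
    return method, url


if __name__ == "__main__":
    # The document's own example, rebuilt from a configured Server URL.
    server = "https://lacework.net"
    ep = to_endpoint("https://lacework.net/api/v2/Vulnerabilities/Hosts/search", server)
    print(ep)                                   # Vulnerabilities/Hosts/search
    print(build_request("POST", ep, server))
```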

Included playbooks

The Sample - Lacework FortiCNAPP - 1.1.0 playbook collection comes bundled with the Lacework connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Lacework connector.

  • Add Comment to Alert
  • Close Alert
  • Get Alert Entities
  • Get Alert Entity Details
  • Get Alerts Details
  • Lacework FortiCNAPP > Fetch and Create
  • Lacework FortiCNAPP > Ingest
  • Run LQL Query
  • Search Alerts
  • Search Configuration
  • Search Container Vulnerabilities
  • Search Host Vulnerabilities
  • Execute an API Call

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and deletion.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from Lacework FortiCNAPP. Currently, alerts ingested from Lacework FortiCNAPP are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Lacework FortiCNAPP alerts to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Lacework FortiCNAPP into FortiSOAR™. It also lets you pull some sample data from Lacework FortiCNAPP that you can use to define the mapping of data between Lacework FortiCNAPP and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Lacework FortiCNAPP alerts.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Lacework FortiCNAPP connector's Configurations page.

    Click Let's Start by fetching some data to open the Fetch Data screen.

    Sample data is required to create a field mapping between Lacework FortiCNAPP data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch alerts from Lacework FortiCNAPP. You can specify the Fetch Alerts Since, Alert Type, Severity, Status, etc. to fetch alerts from Lacework FortiCNAPP.

    NOTE: The Fetch Alerts Since date and time must be within the last 7 days, the same window that applies to the connector's search actions.

    The fetched data is used to create a mapping between the alerts from Lacework FortiCNAPP and FortiSOAR™ Alerts. Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the alerts ingested from Lacework FortiCNAPP to the fields of Alerts present in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the severity key of an ingested Lacework FortiCNAPP alert to the Severity field of a FortiSOAR™ Alert, click the Severity field of the FortiSOAR™ Alert and then click the severity key in the sample data to populate it.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency at which content is pulled from Lacework FortiCNAPP into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Lacework FortiCNAPP every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., alerts will be pulled from Lacework FortiCNAPP every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
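As an added example (not code from the connector), the following Python shows what the wizard's mapping and scheduling amount to for one Lacework alert: the 7-day check on Fetch Alerts Since, a severity and status translation, and de-duplication across overlapping scheduled polls. The sample alert is constructed to match the Search Alerts output schema; the FortiSOAR™ field names and severity labels on the mapped side are assumptions for illustration.

```python
"""Added example, not code from the connector: the checks and field mapping
behind the Data Ingestion Wizard for one Lacework alert. FortiSOAR-side field
names and severity labels are assumptions for illustration."""
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(days=7)   # Fetch Alerts Since must be within the last 7 days

# Lacework severities (Critical/High/Medium/Low/Info) onto an assumed
# five-level FortiSOAR scale, and Lacework statuses onto assumed FortiSOAR ones.
SEVERITY_MAP = {"Critical": "Critical", "High": "High", "Medium": "Medium",
                "Low": "Low", "Info": "Minimal"}
STATUS_MAP = {"Open": "Open", "InProgress": "In Progress", "Closed": "Closed"}

# Constructed sample alert shaped like the Search Alerts output schema.
SAMPLE_ALERT = {
    "alertId": 42,
    "alertName": "Unusual API call from a new location",   # constructed
    "alertType": "ExampleAlertType",                        # constructed
    "severity": "High",
    "status": "Open",
    "startTime": "2024-05-01T10:00:00.000Z",
    "endTime": "2024-05-01T11:00:00.000Z",
    "derivedFields": {"category": "Anomaly", "sub_category": "Cloud Activity",
                      "source": "AWS"},
    "alertInfo": {"subject": "constructed subject",
                  "description": "constructed description"},
    "policyId": "",
}


def parse_time(value: str) -> datetime:
    """Lacework timestamps look like '2024-05-01T10:00:00.000Z', sometimes
    without milliseconds; return an aware UTC datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value}")


def check_fetch_window(since: datetime, now: datetime) -> datetime:
    """Reject a start time outside the last 7 days instead of silently
    clamping it, so a misconfigured schedule fails loudly."""
    if since > now:
        raise ValueError("start time is in the future")
    if now - since > MAX_LOOKBACK:
        raise ValueError("start time must be within the last 7 days")
    return since


def map_alert(alert: dict) -> dict:
    """Translate one Lacework alert into the record a FortiSOAR Alert would
    receive (assumed field names). Unknown severities fall back to Medium and
    unknown statuses to Open rather than dropping the alert."""
    derived = alert.get("derivedFields", {})
    info = alert.get("alertInfo", {})
    return {
        "sourceId": str(alert["alertId"]),
        "name": alert.get("alertName") or alert.get("alertType", "Lacework alert"),
        "severity": SEVERITY_MAP.get(alert.get("severity"), "Medium"),
        "status": STATUS_MAP.get(alert.get("status"), "Open"),
        "source": f"Lacework FortiCNAPP/{derived.get('source', 'unknown')}",
        "category": derived.get("category"),
        "subCategory": derived.get("sub_category"),
        "description": info.get("description") or info.get("subject", ""),
        "firstSeen": alert.get("startTime"),
        "lastSeen": alert.get("endTime"),
    }


def ingest(alerts, seen_ids):
    """Scheduled polls (e.g. every 5 minutes) re-query an overlapping window,
    so de-duplicate on alertId before creating records."""
    created = []
    for alert in alerts:
        if alert["alertId"] in seen_ids:
            continue
        seen_ids.add(alert["alertId"])
        created.append(map_alert(alert))
    return created


if __name__ == "__main__":
    now = parse_time("2024-05-03T00:00:00Z")
    check_fetch_window(parse_time("2024-05-01T00:00:00Z"), now)
    print(ingest([SAMPLE_ALERT, SAMPLE_ALERT], set()))
```

If a custom field is added to the Lacework alerts, it appears as a new key in the sample data and needs its own mapping entry, which is the only part of this translation the wizard does not already perform.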


Lacework FortiCNAPP v1.1.0

About the connector

Lacework delivers end-to-end visibility into what's happening across your cloud environment, including detecting threats, vulnerabilities, misconfigurations, and unusual activity, so you can innovate with speed and safety.

This document provides information about the Lacework connector, which facilitates automated interactions, with a Lacework server using FortiSOAR™ playbooks. Add the Lacework connector as a step in FortiSOAR™ playbooks and perform automated operations with Lacework.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.6.0-5012

Lacework Version Tested on: v2

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the Lacework FortiCNAPP Connector in version 1.1.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-lacework

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Lacework connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Lacework server to connect and perform the automated operations.
Key ID Specify the access key ID configured for your account to access the Lacework endpoint.
Secret Key Specify the secret key configured for your account to access the Lacework endpoint.
Verify SSL Specifies whether the SSL certificate for the server is to be verified.
By default, this option is selected, i.e., set to true.

Actions supported by the connector

You can use the following automated operations in playbooks and also use the annotations to access operations:

Function Description Annotation and Category
Search Alerts Retrieves a detailed list of alerts based on alert ID, start time, alert type, severity, status, and other filter criteria that you have specified. search_alerts
Investigation
Get Alerts Details Retrieves details about an alert based on the alert ID and scope you have specified. get_alert_details
Investigation
Get Alert Entities Retrieves a list of all entities associated with a specified alert ID for which additional context is available. The entity can be any non-compliant resource, such as a machine or IP address. get_alert_entities
Investigation
Get Alert Entity Details Retrieves details about an entity associated with the specified alert ID for which additional context is available. get_alert_entity_details
Investigation
Add Comment to Alert Adds a user comment on an alert's timeline based on the alert ID you have specified. add_comment_to_alert
Investigation
Close Alert Updates the status of an alert to 'Closed'.

NOTE: A closed alert cannot be reopened.

close_alert
Investigation
Run LQL Query Retrieves a list of results based on the LQL query, start time, and other filter criteria that you have specified. lql_query
Investigation
Search Host Vulnerabilities Retrieves a detailed list of vulnerability states based on start time, severity, and other filter criteria that you have specified. search_host_vulnerabilities
Investigation
Search Container Vulnerabilities Retrieves a detailed list of vulnerability states based on start time, severity, and other filter criteria that you have specified. search_container_vulnerabilities
Investigation
Search Configuration Retrieves a detailed list of config states based on policy ID, start time, and other filter criteria that you have specified. search_configuration
Investigation
Execute an API Call Sends an API request to any API endpoint based on specified HTTP method, endpoint, and other input parameters that you have specified, enabling flexible API interactions tailored to user needs. send_custom_request
Investigation

operation: Search Alerts

Input parameters

Parameter Description
Start Time (Optional) Specify the start time for the search. Supported time formats: yyyy-MM-dd, yyyy-MM-ddTHH, yyyy-MM-ddTHH:mm:ssZ, yyyy-MM-ddTHH:mm:ss.SSSZ. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be greater than 7 Days.

End Time (Optional) Specify the end time for the search. Supported time formats: yyyy-MM-dd, yyyy-MM-ddTHH, yyyy-MM-ddTHH:mm:ssZ, yyyy-MM-ddTHH:mm:ss.SSSZ. By default, the value is the current time.

NOTE: The difference between start time and end time should not be greater than 7 Days.

Alert ID (Optional) Specify an alert ID to retrieve the specified alert's details.
Alert Type (Optional) Specify the alert type to filter alerts retrieved.
Severity (Optional) Select severity to filter alerts retrieved. You can select from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Status (Optional) Select the status to filter alerts retrieved. You can select from the following options:
  • Open
  • InProgress
  • Closed
Alert Category (Optional) Select the category to filter alerts retrieved. You can select from the following options:
  • Policy
  • Anomaly
  • Composite
Alert Sub Category (Optional) Select the sub category to filter alerts retrieved. You can select from the following options:
  • Compliance
  • Application
  • Cloud Activity
  • File
  • Machine
  • User
  • Platform
  • Kubernetes Activity
  • Registry
  • SystemCall
  • Threat Intel
  • Host Vulnerability
  • Container Vulnerability
Source (Optional) Select the source to filter alerts retrieved. You can select from the following options:
  • AWS
  • Azure
  • GCP
  • Agent
  • K8s
  • OCI
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: alertId, alertName, alertType, alertInfo.

Output

The output contains the following populated JSON schema:

[
    {
        "alertId": "",
        "startTime": "",
        "alertType": "",
        "severity": "",
        "internetExposure": "",
        "reachability": "",
        "derivedFields": {
            "category": "",
            "sub_category": "",
            "source": ""
        },
        "endTime": "",
        "lastUserUpdatedTime": "",
        "status": "",
        "alertName": "",
        "alertInfo": {
            "subject": "",
            "description": ""
        },
        "policyId": ""
    }
]

operation: Get Alerts Details

Input parameters

Parameter Description
Alert ID Specify an alert ID to retrieve the specified alert's details.
Scope Select the scope to filter and limit the response retrieved. You can select from the following options:
  • Details
  • Investigation
  • Events
  • RelatedAlerts
  • Integrations
  • Timeline

Output

The output contains the following populated JSON schema:

Output schema when you choose Scope as Details:

{
    "data": {
        "alertId": "",
        "startTime": "",
        "alertType": "",
        "severity": "",
        "endTime": "",
        "lastUserUpdatedTime": "",
        "status": "",
        "alertName": "",
        "alertInfo": {
            "subject": "",
            "description": "",
            "isExpectedLWBehavior": "",
            "customerCount": "",
            "supportingFacts": [
                {
                    "supportingFactText": "",
                    "subElements": []
                }
            ]
        },
        "entityMap": {
            "API": "",
            "CT_User": "",
            "CT_RawTime": "",
            "Region": "",
            "Resource": "",
            "RulesTriggered": "",
            "SourceIpAddress": ""
        }
    }
}

Output schema when you choose Scope as Investigation:

{
    "data": [
        {
            "question": "",
            "answer": ""
        }
    ]
}

Output schema when you choose Scope as Events:

{
    "data": [
        {
            "awsRegion": "",
            "eventName": "",
            "eventSource": "",
            "sourceIpAddress": "",
            "recipientAccountId": "",
            "mfa": "",
            "eventTime": "",
            "userIdentity": "",
            "additionalEventInfo": {
                "errorCode": "",
                "errorMessage": "",
                "eventID": "",
                "eventTime": "",
                "eventType": "",
                "eventVersion": "",
                "readOnly": "",
                "requestID": "",
                "userAgent": ""
            },
            "requestParameters": "",
            "compositeEventId": "",
            "id": "",
            "name": "",
            "descriptionText": "",
            "compositeStartTime": "",
            "compositeEndTime": "",
            "entityKeys": [],
            "tagMetadata": [
                {
                    "tagMetadata": {
                        "customerFacingId": "",
                        "id": "",
                        "name": "",
                        "orderIndex": "",
                        "parentId": "",
                        "type": "",
                        "url": "",
                        "version": ""
                    }
                }
            ]
        }
    ]
}

Output schema when you choose Scope as RelatedAlerts:

{
    "data": [
        {
            "eventType": "",
            "eventId": "",
            "severity": "",
            "startTime": "",
            "endTime": "",
            "eventModel": "",
            "eventProps": {
                "description": "",
                "dstEntities": "",
                "eventActor": "",
                "srcEntities": ""
            },
            "keys": "",
            "rank": "",
            "eventInfo": {
                "subject": "",
                "description": ""
            },
            "eventName": ""
        }
    ]
}

Output schema when you choose Scope as Integrations:

{
    "data": [
        {
            "alertChannel": "",
            "alertIntegrationId": "",
            "createdTime": "",
            "alertId": "",
            "integrationType": "",
            "integrationContext": {
                "id": "",
                "link": ""
            },
            "intgGuid": "",
            "lastSyncTime": "",
            "alertIntegrationStatus": "",
            "status": "",
            "isBidirectional": ""
        }
    ]
}

Output schema when you choose Scope as Timeline:

{
    "data": [
        {
            "alertChannel": "",
            "id": "",
            "alertId": "",
            "createdTime": "",
            "entryType": "",
            "entryAuthorType": "",
            "intgGuid": "",
            "message": {},
            "externalTime": "",
            "user": "",
            "updateContext": {
                "newIntegration": {
                    "createdTime": "",
                    "alertId": "",
                    "lastSyncTime": "",
                    "alertIntegrationStatus": "",
                    "status": "",
                    "isBidirectional": ""
                }
            },
            "alertIntegration": ""
        }
    ]
}

operation: Get Alert Entities

Input parameters

Parameter Description
Alert ID Specify an alert ID to retrieve the specified alert's entities.

Output

The output contains the following populated JSON schema:

{
    "data": [
        {
            "entities": [
                {
                    "entityValue": "",
                    "contextEntityType": ""
                }
            ],
            "countOfEntities": ""
        }
    ]
}

operation: Get Alert Entity Details

Input parameters

Parameter Description
Alert ID Specify an alert ID to retrieve the details about an entity associated with the specified alert.
Entity Type Select the type of entity. You can select from the following options:
  • IpAddress
  • Machine
Entity Value Specify the corresponding entity value such as the Machine identifier (MID) or IP address for the selected entity type.

Output

The output contains the following populated JSON schema:

Output schema when you choose Entity Type as IpAddress:

{
    "data": {
        "isAgentInstalled": "",
        "isInternalIp": "",
        "laceworkLabs": {
            "customerCount": "",
            "badIpAddress": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "virusTotal": {
            "securityVendorsCount": "",
            "source": "",
            "network": "",
            "autonomousSystemNumber": "",
            "autonomousSystemLabel": "",
            "regionalInternalRegistry": "",
            "country": "",
            "continent": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "ipAddressSummary": {
            "country": "",
            "region": "",
            "city": "",
            "countryCode": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "resolvedIpInformation": {
            "resolvedIPInfo": [
                {
                    "dnsResolverIp": "",
                    "dnsName": "",
                    "resolvedIp": ""
                }
            ],
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "uniqueProcessDetails": {
            "uniqueProcesses": [
                {
                    "cmdLine": "",
                    "launchTime": "",
                    "hostname": ""
                }
            ],
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "networkActivityOverview": {
            "externalServerConn": {
                "count": ""
            },
            "externalClientConn": {
                "count": ""
            },
            "externalInBytes": {
                "count": ""
            },
            "externalOutBytes": {
                "count": ""
            },
            "startTimeRange": "",
            "endTimeRange": ""
        }
    }
}

Output schema when you choose Entity Type as Machine:

{
    "data": {
        "criticalAndHighRisk": {
            "vulnerabilities": {
                "criticalCount": "",
                "highCount": "",
                "startTimeRange": "",
                "endTimeRange": ""
            },
            "alerts": {
                "criticalCount": "",
                "highCount": "",
                "startTimeRange": "",
                "endTimeRange": ""
            },
            "attackPaths": {
                "criticalCount": "",
                "otherCount": "",
                "startTimeRange": "",
                "endTimeRange": ""
            }
        },
        "customResourceGroups": {
            "resourceGroups": [
                {
                    "name": "",
                    "guid": ""
                }
            ],
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "cloudServiceProvider": {
            "cloudServiceProvider": "",
            "accountAlias": "",
            "accountId": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "machineProperties": {
            "name": "",
            "ipAddress": "",
            "lastBootTime": "",
            "cpu": "",
            "osType": "",
            "memoryInfo": "",
            "kernelRelease": "",
            "kernelVersion": "",
            "macAddress": "",
            "defaultRouter": "",
            "promiscuous": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "machineTagSummary": {
            "amiId": "",
            "instanceId": "",
            "subnetId": "",
            "vmInstanceType": "",
            "vmProvider": "",
            "lwTokenShort": "",
            "internalIp": "",
            "arch": "",
            "vpcId": "",
            "zone": "",
            "os": "",
            "account": "",
            "startTimeRange": "",
            "endTimeRange": ""
        },
        "networkActivityOverview": {
            "externalServerConn": {
                "count": ""
            },
            "externalClientConn": {
                "count": ""
            },
            "externalInBytes": {
                "count": ""
            },
            "externalOutBytes": {
                "count": ""
            },
            "startTimeRange": "",
            "endTimeRange": ""
        }
    }
}

operation: Add Comment to Alert

Input parameters

Parameter Description
Alert ID Specify an alert ID to add a user comment on the alert's timeline.
Comment Specify the comment to be added to the alert's timeline.
Format (Optional) Select the comment's format. You can select from the following options:
  • Plaintext
  • Markdown

Output

The output contains the following populated JSON schema:

{
    "data": {
        "id": "",
        "alertId": "",
        "createdTime": "",
        "entryType": "",
        "entryAuthorType": "",
        "message": {
            "format": "",
            "value": ""
        },
        "externalTime": "",
        "user": {
            "userGuid": "",
            "username": ""
        },
        "updateContext": {}
    }
}

operation: Close Alert

Input parameters

Parameter Description
Alert ID Specify an alert ID to close the specified alert.
Reason Select the reason for closing the alert. You can select from the following options:
  • False positive
  • Not enough information
  • Malicious and have a resolution in place
  • Expected because of routine testing
  • Expected behavior
  • Other: Select to enter a brief explanation, in the Comment field, as a reason for closing the alert.
Comment Specify a brief description of the selected reason.

NOTE: This field is mandatory if the Reason selected is Other.

Output

The output contains the following populated JSON schema:

{
    "message": ""
}

operation: Run LQL Query

Input parameters

Parameter Description
LQL Query Specify the LQL (Lacework Query Language) formatted query. For example:
{source return}
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

Limit (Optional) Specify the maximum count of rows to return.

Output

The output contains a non-dictionary value.

operation: Search Host Vulnerabilities

Input parameters

Parameter Description
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

Package Status (Optional) Select the package status to filter retrieved host vulnerabilities. You can choose from the following options:
  • ACTIVE
  • INACTIVE
Kernel Status (Optional) Select the kernel status to filter retrieved host vulnerabilities. You can choose from the following options:
  • Active
  • Inactive
Internet Reachability (Optional) Select the internet reachability to filter retrieved host vulnerabilities. You can either leave it blank or select Direct.
Public Exploit Available (Optional) Select the public exploit available to filter retrieved host vulnerabilities. You can choose from the following options:
  • Yes
  • No
Fix Available (Optional) Select the 'Fix Available' status to filter retrieved host vulnerabilities. You can choose from the following options:
  • Available
  • Unavailable
AWS Account ID (Optional) Specify an AWS account ID to filter retrieved host vulnerabilities.
Azure Tenant ID (Optional) Specify an Azure tenant ID to filter retrieved host vulnerabilities.
Azure Subscription ID (Optional) Specify an Azure subscription ID to filter retrieved host vulnerabilities.
GCP Project ID (Optional) Specify a GCP project ID to filter retrieved host vulnerabilities.
AWS Instance ID (Optional) Specify an AWS instance ID to filter retrieved host vulnerabilities. For example: i-11112421523.
AWS AMI ID (Optional) Specify an AWS AMI ID to filter retrieved host vulnerabilities.
Machine Hostname (Optional) Specify a machine hostname to filter retrieved host vulnerabilities.
Machine Name (Optional) Specify a machine name to filter retrieved host vulnerabilities.
Severity (Optional) Select severity to filter retrieved host vulnerabilities. You can choose from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: riskScore, riskInfo.

Output

The output contains the following populated JSON schema:

[
    {
        "cveProps": {},
        "cveRiskInfo": {},
        "cveRiskScore": {},
        "endTime": "",
        "evalCtx": {},
        "evalGuid": {},
        "featureKey": {},
        "fixInfo": {},
        "hostRiskInfo": {},
        "hostRiskScore": "",
        "machineTags": {},
        "mid": "",
        "packageStatus": "",
        "props": {},
        "region": "",
        "riskInfo": {},
        "riskScore": "",
        "severity": "",
        "startTime": "",
        "status": "",
        "vulnId": ""
    }
]

operation: Search Container Vulnerabilities

Input parameters

Parameter Description
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

Package Status (Optional) Select the package status to filter retrieved container vulnerabilities. You can choose from the following options:
  • ACTIVE
  • INACTIVE
Internet Reachability (Optional) Select the internet reachability to filter retrieved container vulnerabilities. You can either leave it blank or select Direct.
Public Exploit Available (Optional) Select the public exploit available to filter retrieved container vulnerabilities. You can choose from the following options:
  • Yes
  • No
Image ID (Optional) Specify an image ID to filter retrieved container vulnerabilities.
Fix Available (Optional) Select the 'Fix Available' status status to filter retrieved container vulnerabilities. You can choose from the following options:
  • Available
  • Unavailable
Severity (Optional) Select severity to filter retrieved container vulnerabilities. You can choose from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: cveRiskInfo, cveRiskScore.

Output

The output contains the following populated JSON schema:

[
    {
        "cveProps": {
            "description": "",
            "link": "",
            "source": ""
        },
        "cveRiskInfo": {
            "HOST_COUNT": "",
            "IMAGE_COUNT": "",
            "PKG_COUNT": "",
            "SEVERITY_LEVEL": "",
            "score": ""
        },
        "cveRiskScore": "",
        "evalCtx": {
            "collector_type": "",
            "cve_batch_info": [
                {
                    "cve_created_time": ""
                }
            ],
            "image_info": {
                "created_time": "",
                "digest": "",
                "id": "",
                "registry": "",
                "repo": "",
                "scan_created_time": "",
                "size": "",
                "status": "",
                "tags": [],
                "type": ""
            },
            "integration_props": {},
            "is_reeval": "",
            "request_source": "",
            "scan_batch_id": "",
            "scan_request_props": {
                "data_format_version": "",
                "props": {
                    "data_format_version": "",
                    "scanner_version": ""
                },
                "scanCompletionUtcTime": "",
                "scan_start_time": "",
                "scanner_version": ""
            },
            "vuln_batch_id": "",
            "vuln_created_time": ""
        },
        "evalGuid": "",
        "featureKey": {
            "name": "",
            "namespace": "",
            "version": ""
        },
        "featureProps": {
            "feed": "",
            "introduced_in": "",
            "layer": "",
            "src": "",
            "version_format": ""
        },
        "fixInfo": {
            "fix_available": "",
            "fixed_version": ""
        },
        "imageId": "",
        "imageRiskInfo": {
            "factors": [],
            "factors_breakdown": {
                "active_containers": "",
                "cve_counts": {
                    "Critical": "",
                    "High": "",
                    "Medium": "",
                    "Other": ""
                },
                "exploit_summary": {
                    "disclosure_in_wild": "",
                    "exploit_public": "",
                    "exploit_virus_malware": "",
                    "exploit_wormified": ""
                },
                "internet_reachability": ""
            }
        },
        "imageRiskScore": "",
        "packageStatus": "",
        "riskInfo": {
            "factors": [],
            "factors_breakdown": {
                "active_containers": "",
                "cve_counts": {
                    "Critical": "",
                    "High": "",
                    "Medium": "",
                    "Other": ""
                },
                "exploit_summary": {
                    "disclosure_in_wild": "",
                    "exploit_public": "",
                    "exploit_virus_malware": "",
                    "exploit_wormified": ""
                },
                "internet_reachability": ""
            }
        },
        "riskScore": "",
        "severity": "",
        "startTime": "",
        "status": "",
        "vulnId": ""
    }
]

operation: Search Configuration

Input parameters

Parameter Description
Dataset Select the dataset to filter retrieved configurations. You can select from the following options:
  • AWS Compliance
  • Azure Compliance
  • GCP Compliance
  • K8s Compliance
Start Time (Optional) Specify the start time of the duration within which to search. By default, the value is 24 hours before the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

End Time (Optional) Specify the end time of the duration within which to search. By default, the value is the current time.

NOTE: The difference between start time and end time should not be more than 7 Days.

AWS Account ID (Optional) Specify an AWS account ID to filter retrieved configurations.
Azure Tenant ID (Optional) Specify an Azure tenant ID to filter retrieved configurations.
Azure Subscription ID (Optional) Specify an Azure subscription ID to filter retrieved configurations.
GCP Project ID (Optional) Specify a GCP project ID to filter retrieved configurations.
Policy ID (Optional) Specify a policy ID to filter retrieved configurations. For example: lacework-global-634.
Region (Optional) Specify a region to filter retrieved configurations. For example: us-east-1.
Resource ID (Optional) Specify a resource ID to filter retrieved configurations. For example: arn:aws:kms:us-east-1:111111111:key/xxxx-xxx-xxxx-xxxxx.
Severity (Optional) Select severity to filter retrieved configurations. You can choose from the following options:
  • Critical
  • High
  • Medium
  • Low
  • Info
Status (Optional) Select the status to filter retrieved configurations. You can choose from the following options:
  • Compliant
  • NonCompliant
Returns (Optional) Specify a comma-separated list of top-level fields of the response schema to receive. For example: account, severity, status.

Output

The output contains the following populated JSON schema:

[
    {
        "account": {
            "AccountId": "",
            "Account_Alias": ""
        },
        "evalType": "",
        "id": "",
        "reason": "",
        "recommendation": "",
        "region": "",
        "reportTime": "",
        "resource": "",
        "section": "",
        "severity": "",
        "status": ""
    }
]

operation: Execute an API Call

Input parameters

Parameter Description
HTTP Method Select an HTTP action for the request. You can select from the following options:
  • DELETE
  • GET
  • PATCH
  • POST
  • PUT
Endpoint Specify the target API URL path for the request.
For example, if the URL is "https://lacework.net/api/v2/Vulnerabilities/Hosts/search", the endpoint would be "Vulnerabilities/Hosts/search".
Query Parameters (Optional) Specify any optional parameters to add to the URL and refine the request.
Request Payload (Optional) Specify data, as JSON, to be sent as the request payload (typically for POST or PUT requests).

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Lacework FortiCNAPP - 1.1.0 playbook collection comes bundled with the Lacework connector. These playbooks contain steps that show how to perform each supported action. After you import the Lacework connector, the bundled playbooks appear in the Automation > Playbooks section in FortiSOAR™.

Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from Lacework FortiCNAPP. Currently, alerts ingested from Lacework FortiCNAPP are mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Lacework FortiCNAPP alerts to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Lacework FortiCNAPP into FortiSOAR™. It also lets you pull some sample data from Lacework FortiCNAPP, which you use to define the mapping of data between Lacework FortiCNAPP and FortiSOAR™. The Data Ingestion Wizard generally maps the common fields for you; you usually only need to map custom fields that have been added to the Lacework FortiCNAPP alerts.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Lacework FortiCNAPP connector's Configurations page.

    Click Let's Start by fetching some data to open the Fetch Data screen.

    Sample data is required to create a field mapping between Lacework FortiCNAPP data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configuration required to fetch alerts from Lacework FortiCNAPP, for example Fetch Alerts Since, Alert Type, Severity, and Status.

    NOTE: The date and time selected for Fetch Alerts Since must be within the last 7 days.

    The fetched data is used to create a mapping between the alerts from Lacework FortiCNAPP and FortiSOAR™ Alerts. Once you have completed specifying the configuration, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the alerts ingested from Lacework FortiCNAPP to the fields of Alerts in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the severity parameter of an ingested Lacework FortiCNAPP alert to the Severity field of a FortiSOAR™ Alert, click the Severity field and then click the severity key in the sample data to populate its Jinja value.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, that is, the frequency at which FortiSOAR™ polls Lacework FortiCNAPP and pulls alerts into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, to pull data from Lacework FortiCNAPP every 5 minutes, click Every X Minute and enter */5 in the minute box. With this configuration, alerts are pulled from Lacework FortiCNAPP every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
