Lacework is a cloud security platform for DevOps, workloads, and cloud containers, and includes an agent for collecting important host-based data. Panther can collect, normalize, and monitor Lacework logs to help you identify threats or suspicious activity in real time. Your normalized data is then retained to enable future security investigations in a serverless data lake powered by Snowflake.
Use Cases for Lacework Logs
Panther supports more than 20 different types of Lacework logs. Common SIEM use cases for Lacework logs include:
- Identifying containers and hosts not running Lacework
- Monitoring for changed files in your environment
- Detecting suspicious or malicious DNS queries
- Investigating user details or login activity
Onboarding Lacework with Panther
Panther’s integration for Lacework is simple and quick to configure, allowing you to onboard your logs in just a few minutes. Simply select Lacework from the list of pre-defined log sources, select your preferred data transport method (AWS S3 or SQS), and configure Lacework to push logs to your data transport source.
For more details on onboarding Lacework logs or for supported log schema, you can view our Lacework documentation here.
Parsing, Normalizing, & Analyzing Lacework Logs
As Panther ingests your Lacework logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows your security team to build detections, identify anomalies, and conduct investigations on Lacework logs in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and allows you to correlate data across all log sources. You can use Panther’s various search tools - such as Data Explorer, Indicator Search, and Query Builder - to investigate your normalized logs for suspicious activity or vulnerabilities. For more on querying and searching normalized log data in Panther, check out our documentation on Investigations & Search.
Easily Customizable Detections
With Panther, your team won’t be confined to restrictive detection rules or proprietary languages as seen in other SIEM platforms. Panther is built around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your team.
Panther fires alerts when your detection rules or policies for Lacework are triggered, and integrates with a variety of alert destinations to allow for easy access and management of alerts for your security team. Alerts can also be enriched with alert context or sent to SOAR platforms for more remediation options.
Alerts are grouped into five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the option to dynamically designate severity based on specific log event attributes.
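The two preceding paragraphs describe detection-as-code in Python and severity that is assigned dynamically from event attributes. The block below is an added example written for this page, not code from Panther or Lacework: it follows Panther's rule convention of module-level `rule`, `title` and `severity` functions, but the event field names (`FILE_PATH`, `MACHINE_HOSTNAME`, `USERNAME`) and the sample events are constructed placeholders, not Lacework's real log schema. The `evaluate` helper and the plain-dict events stand in for Panther's runtime so the example runs offline; in a real Panther rule the event object is supplied by the platform.

```python
"""Added example: a Panther-style file-change detection with dynamic severity.

Assumptions (not from the page or the Lacework schema):
  - events are dicts with constructed keys FILE_PATH, MACHINE_HOSTNAME, USERNAME
  - Panther's convention of rule(event) / title(event) / severity(event)
"""

# Paths whose modification a defender would always want to know about.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")
SENSITIVE_DIRS = ("/etc/ssh/", "/root/.ssh/")

# Subset of the above that warrants the top severity tier.
CRITICAL_FILES = ("/etc/shadow", "/etc/sudoers")
CRITICAL_DIRS = ("/root/.ssh/",)


def rule(event):
    """Return True when the changed file is security-sensitive (alert fires)."""
    path = event.get("FILE_PATH", "")
    return path in SENSITIVE_FILES or path.startswith(SENSITIVE_DIRS)


def severity(event):
    """Dynamic severity: one of Panther's five levels, chosen from the event."""
    path = event.get("FILE_PATH", "")
    if path in CRITICAL_FILES or path.startswith(CRITICAL_DIRS):
        return "CRITICAL"
    if path.startswith("/etc/ssh/"):
        return "HIGH"
    return "MEDIUM"


def title(event):
    """Alert title shown in the destination (Slack, PagerDuty, ...)."""
    host = event.get("MACHINE_HOSTNAME", "<unknown host>")
    return f"Sensitive file modified on {host}: {event.get('FILE_PATH')}"


# Constructed sample events shaped like file-integrity records; these are
# placeholders, not real Lacework output.
SAMPLE_EVENTS = [
    {"MACHINE_HOSTNAME": "web-01", "FILE_PATH": "/etc/shadow", "USERNAME": "root"},
    {"MACHINE_HOSTNAME": "web-01", "FILE_PATH": "/etc/ssh/sshd_config", "USERNAME": "ops"},
    {"MACHINE_HOSTNAME": "web-02", "FILE_PATH": "/var/log/syslog", "USERNAME": "syslog"},
    {"MACHINE_HOSTNAME": "db-01", "FILE_PATH": "/etc/passwd", "USERNAME": "root"},
]


def evaluate(events):
    """Stand-in for the platform loop: (title, severity) for each firing event."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, level in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] {alert_title}")
```

Keeping `rule` a cheap boolean test and pushing the tiering into `severity` keeps the two concerns separate, so a change to how loud an alert should be never changes whether it fires.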
If you have any questions about ingesting or monitoring Lacework logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our detailed documentation on configuring and monitoring Lacework logs here, or customers can join the Panther Community to share best practices or custom detections for monitoring Lacework.
The Ideal SIEM for Lacework
With Panther, you don’t have to waste precious time and effort on operational overhead, struggle with restrictive detections, or pay skyrocketing costs to keep up with the growth of your data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built a scalable, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, practical, and scalable SIEM solution for Lacework, request a demo today.