Document/Data API Integration

Sync your doc metadata and/or activity logs of various SaaS platforms to Lacework Edge.

For each provider, you will need to provision and grant permissions to API credentials and provide them to Lacework Edge in our Admin UI.

Box

Create a new App, get credentials

  1. Navigate to the Box Developers Console
  2. Select Create New App
  3. Select Custom App
  4. For Authentication Method, select Server Authentication (Client Credentials Grant)
  5. Enter AppName of your choosing, for example "Lacework Edge Integration"
  6. Navigate to the Configuration page. Copy the values for Client ID and Client Secret and store them for later use.

App permissions and authorization

  1. Select App + Enterprise Access
  2. Enable the following Application Scopes:
    • Read all files and folders stored in Box (needed for folder list items)
    • Write all files and folders stored in Box (needed for Revoke access)
    • Manage users (needed for users API)
    • Manage groups (needed for groups API)
    • Manage enterprise properties (needed for event logs)
  3. Enable the following Advanced Features:
    • Make API calls using the as-user header (needed to get access to a user's file/folders)
  4. Save the changes in the App. The App should now show up in the admin console.
  5. Authorize the App.
  6. Get the Enterprise ID from the App

Provide credentials to Lacework Edge

  1. Login to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Box.
  3. Enter the previously gathered Tenant ID (Enterprise ID), Client ID, and Client Secret value strings into the form and click Save.

GitHub

Note: This integration requires a GitHub Enterprise-level account.

Create a new App

  1. Navigate to your GitHub org's apps settings as an org admin.
    • https://github.com/organizations/<your_org>/settings/apps
  2. Click New GitHub App in the upper right corner of the page
  3. Name the app laceworkedge and enter https://edge-guardian.io for the home page URL
  4. Uncheck the Webhook Active checkbox
  5. Set Permissions under Organization permissions:
    • Set Administration to Read-only
    • Set Members to Read and write. (write is required for reading SAML external identities)
  6. Click the "Create GitHub App" button at the bottom of the page.

Credentials and IP allow list

  1. After creating the app, you will be navigated to the app details page.
    • https://github.com/organizations/<your_org>/settings/apps/edgeguardian
  2. Copy the numeric App ID value shown at the top of the page; you'll need this ID later
  3. In the Private keys section click the Generate a private key button and save the file for later use.
  4. If you are using an IP allow list with your GitHub Organization, enter the following IPs in the IP allow list section of the app:
    • 3.130.51.7
    • 3.132.35.85
    • 3.135.150.112
    • 3.20.171.248
    • 3.21.108.49
    • 34.223.89.26
    • 35.155.126.182
    • 52.37.238.27
    • 54.203.120.185
    • 54.212.124.21

Install the App, get credentials

  1. Click the Install App tab on the left side at the top of the app details page
    • https://github.com/organizations/<your_org>/settings/apps/edgeguardian/installations
  2. Click the Install button to install the app on your desired org
  3. You'll be redirected to the app installation details page
    • https://github.com/organizations/<your_org>/settings/apps/edgeguardian/installations/<install_id>
  4. Copy the numeric install ID value from the end of the URL on this page; you'll need this ID later
  5. Copy the textual organization name value from the URL on this page; you'll need this name later

Provide credentials to Lacework Edge

  1. Login to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select GitHub.
  3. Enter the GitHub organization name, App ID, Install ID and Private Key into the form and click Save:
    • For the Private Key, paste the entire contents of the file, including private key header and footer.

Google Workspace

Enable APIs, create service account and credentials

Note: These steps are performed in the Google Cloud Console.

  1. Login to the Google Cloud Console as an admin user.
  2. Select the appropriate project from the drop-down list at the top-left of the page.
    • If another project needs to be created for Lacework Edge integration, a new project can be added by clicking IAM & Admin > Create a project in the left menu.
  3. Once the correct project is selected, navigate to APIs and Services > Enabled APIs & Services in the left menu.
    • Click Enable APIs and services
    • Search for Admin SDK API
    • Click on the tile in the results.
    • Click Enable in the API's details.
    • Search for Google Drive API and enable it as well.
  4. Navigate to IAM and Admin > Service Accounts in the left menu.
  5. Click Create Service Account.
    • Give your service account a name (e.g. laceworkedge) and click Create and Continue.
    • Note: You do not need to grant this Service Account any roles here.
    • Click Done.
  6. Click on the new service account. In the Details tab, copy the values for Email and Unique ID and store them for later use.
  7. Click the Keys tab, then click Add Key > Create New Key.
  8. Choose JSON key type and click Create. This will download the key file. Click Close once downloaded.

Assign Roles to service account

Note: These steps are performed in Google Workspace Admin Console

  1. Login to the Google Workspace Admin Console as an admin user.
  2. Navigate to Security > Access and data control > API Controls in the left menu.
  3. Scroll to the bottom of the page and click on Manage Domain Wide Delegation
  4. Click on Add New in the API clients menu bar.
  5. Click Authorize

Provide credentials to Lacework Edge

  1. Login to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Google Workspace.
  3. For Admin User Email, enter any Google Workspace admin user's email address.
    • The Service Account will use Domain-Wide Delegation to impersonate this admin user, in order to access the APIs permitted earlier as OAuth Scopes.
    • Ideally, create or use an admin user account which is not tied to a real user, however any admin user will work here.
  4. For Client ID and Service Account Email, provide the Unique ID and Email that you saved from the Google Cloud Admin Console.
  5. Add the private key
    • Private key is present in the JSON file downloaded earlier.
    • Copy and paste everything inside the double-quotes of the private_key value.
  6. Click Save

Microsoft Office 365

To configure the MS365/O365 integration, you'll need to register an application, grant it appropriate permissions, gather the tenant ID, client ID, and client secret values from the Azure AD portal, and enter these values into the Lacework Edge Admin Dashboard.

Register a new App

Note: If you have already created an application in Azure for the Azure Active Directory integration, you can reuse that.

  1. Login to the Azure Active Directory Admin Center as a user with the role Global Administrator, Cloud Application Administrator, Application Administrator or Owner.
  2. Navigate to Azure Active Directory > App registrations and click New registration.
    • Give it a name, e.g. Lacework Edge Integration.
    • Leave the defaults for "Supported account types" and "Redirect URI".
    • Click Register.
  3. Once created, you'll be shown the Overview section. Copy the values for Application (client) ID and Directory (tenant) ID and store them for later use.
  4. Navigate to Owners in the Manage section of the left menu.
  5. Copy the user name listed for your user and store it along with the Client and Tenant IDs.

Grant API permissions

  1. Open the API permissions section within your App registration.
  2. Remove any existing permissions (User.Read is added by default).
    • Click '...' to the right of the permission name and click Remove permission
  3. Click + Add a permission, choose the Office 365 Management APIs tile, then click Application permissions.
  4. Check the following two permissions and then click the Add permissions button at the bottom:
    • ActivityFeed.Read
    • ActivityFeed.ReadDlp
  5. Click + Add a permission again, choose the Microsoft Graph tile, then click Application permissions. Add the following permissions by searching for them, clicking the checkbox next to them, then clicking the Add permissions button at the bottom:
    • Files.Read.All
    • Sites.Read.All
    • Sites.ReadWrite.All (Optional, to allow Lacework Edge to revoke a user's access to files)
  6. Click the Grant admin consent button at the top of the permissions table and click Yes in the popup.

Generate Client Secret

Note: If you have already created a client secret in Azure for the Azure Active Directory integration, you can reuse that.

  1. Navigate to the Certificates & secrets section.
  2. Click + New client secret.
  3. Enter "Lacework Edge" for the description and select "24 months" for the expiration. Click Add.
  4. Click the Copy icon in the Value column of the client secret and store it for later use where you stored the Client and Tenant IDs.
    • Important: you want the Value and not the "Secret ID".

Provide credentials to Lacework Edge

  1. Login to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Office 365.
  3. Enter the previously gathered Tenant ID, Client ID, and Client Secret Value strings into the form and click Save.

Salesforce

Configure App, get credentials

  1. In Salesforce, under Apps > App Manager, click New Connected App. App details:
    • Name the app Lacework Edge
    • Enter all other required information, such as contact name and email address.
    • Check the box for Enable OAuth settings
    • Set callback url to https://localhost
    • Choose the following OAuth scopes:
      • Manage User data via APIs (api)
      • Perform requests at any time (refresh_token, offline_access)
    • Click Save
  2. Click the Manage button in the App you created.
  3. Under OAuth policies, make sure Refresh Token Policy is set to Refresh token is valid until revoked.
  4. Return to the App and click Manage Consumer Details
  5. Copy the Consumer Key and Consumer Secret and store them for later use.
  6. Obtain a request code by browsing to a URL of this form (the request code will be present in the address bar of the response): https://<salesforce_url>/services/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Flocalhost&client_id=<consumer_key>
  7. When asked to authorize access to Lacework Edge, click Allow.
  8. Using curl or Postman, send a POST to the following URL, replacing <request_code>, <consumer_key> and <consumer_secret> with the values you saved earlier (example is for curl; the URL is quoted so the shell does not treat the & characters as command separators):
        curl -X POST 'https://<salesforce_url>/services/oauth2/token?grant_type=authorization_code&redirect_uri=https%3A%2F%2Flocalhost&code=<request_code>&client_id=<consumer_key>&client_secret=<consumer_secret>'
  9. The response will contain a refresh_token. Copy and save it to the same place where you stored the Consumer Key and Consumer Secret.
  10. Get your Salesforce Tenant from your URL, in the form https://<salesforce_tenant>.my.salesforce.com

Provide credentials to Lacework Edge

  1. Login to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Salesforce.
  3. Enter your Salesforce Tenant and the 3 credentials you copied earlier into the form and click Save.

Snowflake

Get subdomain ID

Your Snowflake subdomain ID is found in your Snowflake URL in the form: https://<snowflake_subdomain>.snowflakecomputing.com

Create certificate pair

  1. Run the following commands in a shell (assumes openssl is installed on this host):
        # generate a 2048-bit RSA private key, PKCS#8 encoded and unencrypted (-nocrypt)
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 | openssl pkcs8 -topk8 -nocrypt > private_key.p8
        # extract the PEM-encoded RSA public key from the private key
        openssl pkey -pubout -in private_key.p8 -out public_key.pub

Provision role and user, get credentials

  1. Identify a warehouse (or create new) to be used for integration.
  2. Create a new role or identify an existing one to use.
        USE ROLE ACCOUNTADMIN;
        CREATE ROLE <integration role>; -- e.g. EG_SNOWFLAKE_INTEGRATION_ROLE
  3. Grant privileges for querying the SNOWFLAKE database:
        GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE "<integration role>";
        GRANT MONITOR ON ACCOUNT TO ROLE "<integration role>";
        GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE "<integration role>";
  4. Create a new user or identify an existing one to use.
        USE ROLE USERADMIN;
        CREATE USER <integration user> PASSWORD='Redacted!';
  5. Grant the aforementioned role to the user which will be used for the integration:
        GRANT ROLE <integration role> TO USER <integration user>;
        ALTER USER <integration user> SET DEFAULT_ROLE = <integration role>;
  6. Add the public key you created earlier to the integration user
    • Note: Exclude the PEM header and footer (the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines) and any line breaks when copying and pasting the public key.
        ALTER USER <integration user> SET RSA_PUBLIC_KEY='<public_key>';
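As an added example (not part of the original page or of Lacework's own tooling), a small Python helper that turns the files produced by the openssl steps above into the two values the Snowflake and Lacework Edge steps ask for: the bare base64 body for RSA_PUBLIC_KEY, and the whole unencrypted PKCS#8 .p8 file for the form. The sample PEM strings are constructed placeholders, not real keys.

```python
import base64
import re

# Constructed sample PEM files (not real keys): the body is a tiny DER SEQUENCE
# (bytes 30 03 02 01 05) so the wrapping/unwrapping logic can be checked offline.
SAMPLE_PUBLIC_PEM = "-----BEGIN PUBLIC KEY-----\nMAMCAQU=\n-----END PUBLIC KEY-----\n"
SAMPLE_PRIVATE_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)

def parse_pem(pem_text):
    """Return (label, base64 body with all whitespace removed) or raise ValueError."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", match.group("body"))
    # validate=True rejects stray characters; DER always starts with a SEQUENCE tag (0x30)
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return match.group("label"), body

def snowflake_public_key_value(pem_text):
    """Value for ALTER USER ... SET RSA_PUBLIC_KEY: base64 only, no header, footer or newlines."""
    label, body = parse_pem(pem_text)
    if label != "PUBLIC KEY":
        raise ValueError(f"expected a PUBLIC KEY block, got {label!r}")
    return body

def private_key_for_form(pem_text):
    """The form wants the whole .p8 file, which must be an unencrypted PKCS#8 key (-nocrypt)."""
    label, _ = parse_pem(pem_text)
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("key is encrypted; re-run 'openssl pkcs8 -topk8 -nocrypt'")
    if label == "RSA PRIVATE KEY":
        raise ValueError("key is PKCS#1; convert it with 'openssl pkcs8 -topk8 -nocrypt'")
    if label != "PRIVATE KEY":
        raise ValueError(f"expected a PRIVATE KEY block, got {label!r}")
    return pem_text.strip() + "\n"

if __name__ == "__main__":
    # With real files: open("public_key.pub").read() and open("private_key.p8").read()
    print(snowflake_public_key_value(SAMPLE_PUBLIC_PEM))
    print(private_key_for_form(SAMPLE_PRIVATE_PEM), end="")
```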

Provide credentials to Lacework Edge

  1. Login to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Snowflake.
  3. Enter your Snowflake subdomain ID and the credentials you created earlier into the form and click Save.
    • Private Key should be the whole .p8 file you generated, including the PEM header and footer.