# Lacework MCP

> Lacework (Cloud Security & CNAPP) connects your AI agent to Lacework's cloud security data. You can search behavioral alerts for anomalies such as AWS IAM brute-forcing or Kubernetes container breakouts, audit cloud assets, scan container images, and check live hosts for critical vulnerabilities, including custom queries written in Lacework Query Language (LQL).

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** cnapp, threat-detection, vulnerability-scanning, cloud-security, kubernetes-security, iam-auditing

## Description

Connecting Lacework's security data directly to your AI client changes how you hunt threats in the cloud. Instead of clicking through dashboards trying to piece together what went wrong, you ask your agent, and it runs the queries across your whole infrastructure footprint. You can ask it to find running instances that may be exposed, or to check whether a container image has a known weakness before deployment. When a question is tedious to answer by hand, such as mapping every unrestricted S3 bucket, the Vinkius connection lets you work through the inventory and alert data conversationally. The point is immediate, actionable answers about your cloud security posture without manual dashboard filtering.

## Tools

### list_container_vulnerabilities
Lists the vulnerabilities found by static scans of container images in your integrated registries, so an image can be reviewed before it is promoted to a running cluster.

### get_alert
Retrieves the detailed data payload for an alert, showing exactly what behavior deviated from the norm and which accounts were involved.

### list_host_vulnerabilities
Identifies critical or high-severity vulnerabilities in the packages installed on specific cloud hosts or virtual machines.

### search_cloud_inventory
Queries the current cloud asset inventory to list active instances, networking perimeters, and unrestricted S3 buckets.

### search_alerts
Fetches security events related to anomalous Kubernetes activity, AWS IAM brute force attempts, or massive data transfers within a time frame.

### search_cve_exposure
Filters the monitored hosts across your cloud estate to show precisely which machines are currently vulnerable to a given CVE identifier.

### list_security_policies
Lists the security policies enforced in Lacework, so you can see which checks are in force before you rely on them.

### list_lql_queries
Lists the LQL queries saved in the account, so you can see which compliance checks already exist before writing a custom one.

### list_resource_groups
Lists logical groups (like 'Production' or 'Staging') that help organize and evaluate security policies across your cloud architecture.

### execute_query
Runs a custom Lacework Query Language request to analyze large datasets for specific patterns, such as anomalous login sequences.

## Prompt Examples

**Prompt:** 
```
Search for all Critical alerts from the last 24 hours
```

**Response:** 
```
Searching alerts… I've identified 3 Critical alerts in your Lacework account: 1) Anomalous Kubernetes Process, 2) AWS Root Account Access from new IP, 3) Massive Data Exfiltration detected. Which one would you like to investigate first?
```

**Prompt:** 
```
List all host vulnerabilities for our Production resource group
```

**Response:** 
```
Retrieving host vulnerabilities… Found 12 active CVEs across 4 instances in the Production group. Highlights: 2 Critical (Log4j related) and 5 High impact. I can provide the Machine IDs and remediation steps for the critical ones.
```

**Prompt:** 
```
Are there any unrestricted S3 buckets currently visible in our inventory?
```

**Response:** 
```
Auditing cloud inventory… I've discovered 2 unrestricted S3 buckets (AWS:S3:Bucket): 'public-assets-prod' and 'temp-data-dump'. Both allow world-readable access. Would you like to see the associated security policies for these assets?
```

## Capabilities

### Search Behavioral Security Alerts
Find deep telemetry data related to anomalous activity, such as unusual Kubernetes processes or AWS access attempts.

### Audit Cloud Asset Inventory
Get a real-time list of every running instance and any unrestricted cloud resources across your accounts.

### Identify Host Vulnerabilities
Check live VMs (like EC2 or GCE) to see which critical vulnerabilities are present in the packages installed on the machine.

### Scan Container Image Flaws
Examine images stored in registries like ECR or DockerHub for known CVEs before they get promoted into production.

### Check for Specific Vulnerability Exposure
Pinpoint exactly which nodes across your entire cloud setup are exposed to a specific flaw, like Log4j.

### Run Advanced Threat Queries
Execute custom queries using Lacework Query Language (LQL) to analyze vast datasets for patterns of abuse or unusual activity.

## Use Cases

### Finding the Source of an Outage
An engineer notices service degradation and needs to know if a recent change introduced a vulnerability. They ask their agent to run `list_host_vulnerabilities` on the affected cluster, quickly identifying two high-impact CVEs that need patching.

### Pre-Deployment Security Check
A DevOps team is ready to push a new microservice. Instead of reading scan reports by hand, they have the agent call `list_container_vulnerabilities` against the image in the registry and confirm there are no critical flaws before it ships.
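A concrete form of that gate, added here as an example (it is not code from the page, from Vinkius or from Lacework): the scan findings and waivers below are constructed sample data in a shape chosen for this example, not the response schema of `list_container_vulnerabilities`, and the policy (block at High and above, honour a waiver until it expires, report but do not block findings that have no fixed version yet) is one reasonable choice rather than a Lacework default. Waivers with a malformed CVE ID or no recorded reason are rejected outright, so a typo cannot quietly excuse a real finding.

```python
"""Deployment gate over container-scan findings (added example, not from the page)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    severity: str
    package: str
    fix_version: str | None  # None: no fixed package version exists yet


@dataclass(frozen=True)
class Waiver:
    cve_id: str
    expires: date  # last day the exception is honoured
    reason: str


def validate_waivers(waivers: list[Waiver]) -> dict[str, Waiver]:
    """Index waivers by CVE ID, rejecting malformed IDs and empty reasons."""
    index: dict[str, Waiver] = {}
    for w in waivers:
        if not CVE_ID.match(w.cve_id):
            raise ValueError(f"malformed CVE ID in waiver: {w.cve_id!r}")
        if not w.reason.strip():
            raise ValueError(f"waiver for {w.cve_id} needs a recorded reason")
        index[w.cve_id] = w
    return index


def evaluate_gate(findings, waivers, today, block_at="High", block_unfixed=False):
    """Classify findings and decide whether the image may ship.

    A finding blocks when its severity is at or above block_at, it has no
    unexpired waiver, and (unless block_unfixed) a fixed version exists.
    Unknown severity strings fail closed and are treated as Critical.
    """
    threshold = SEVERITY_RANK[block_at]
    active = validate_waivers(waivers)
    result = {"blocking": [], "waived": [], "unfixed": [], "below_threshold": []}
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity, SEVERITY_RANK["Critical"])
        if rank < threshold:
            result["below_threshold"].append(f)
            continue
        w = active.get(f.cve_id)
        if w is not None and today <= w.expires:
            result["waived"].append(f)
            continue
        if f.fix_version is None and not block_unfixed:
            result["unfixed"].append(f)  # nothing to upgrade to: surface it, don't block
            continue
        result["blocking"].append(f)
    result["passed"] = not result["blocking"]
    return result


# Constructed sample input: one real CVE ID (Log4Shell, mentioned on the page)
# plus synthetic IDs; package names and versions are made up for the example.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", "Critical", "log4j-core", "2.17.1"),
    Finding("CVE-2024-10001", "High", "libexample", "1.4.2"),
    Finding("CVE-2024-10002", "High", "libother", None),
    Finding("CVE-2024-10003", "Medium", "libminor", "0.9.1"),
]
SAMPLE_WAIVERS = [
    Waiver("CVE-2021-44228", date(2024, 5, 31), "patched build in progress"),
    Waiver("CVE-2024-10001", date(2024, 6, 30), "not reachable: feature disabled"),
]


def run_sample(today_iso="2024-06-01", **policy):
    """Evaluate the constructed sample as of the given day."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, date.fromisoformat(today_iso), **policy)


if __name__ == "__main__":
    verdict = run_sample()
    print("passed:", verdict["passed"])
    for f in verdict["blocking"]:
        print("BLOCK", f.cve_id, f.severity, f.package, "fix:", f.fix_version)
```

Run as of 2024-06-01 the Log4Shell waiver has lapsed, so the image is blocked; a day earlier it would pass, and `block_unfixed=True` turns the no-fix High finding into a blocker as well.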

### Compliance Audit for Public Data
A compliance officer needs proof that no sensitive data is publicly exposed. They ask the agent to run `search_cloud_inventory`, which immediately flags two unrestricted S3 buckets requiring policy lockdown.

### Investigating a Suspicious Login Spike
The security team detects an unusual login pattern. Instead of manually sifting through logs, they use the agent to `search_alerts` for suspicious activity and then run `execute_query` for behavioral confirmation.
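The "behavioral confirmation" step is the kind of check an `execute_query` run, or a script over its results, would perform. The detector below is an added example, not code from the page or from Lacework; the login events it runs over are constructed to resemble console-login records (timestamp, principal, source IP, outcome) and are not Lacework's alert or event schema. It flags any source address with at least `threshold` failed logins inside a sliding window, and separately marks the case a responder cares about most: a failure burst followed by a success from the same address.

```python
"""Failed-login burst detector over constructed login events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that produced >= threshold failed
    logins within any span of length `window`. A later success from the same
    IP within `window` of the last counted failure is recorded under
    followed_by_success: the strongest sign that the guessing worked."""
    by_time = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still in the window
    tried = defaultdict(set)              # ip -> principals it attempted
    findings = {}                         # ip -> finding
    for e in by_time:
        ip = e["source_ip"]
        if e["outcome"] == "Failure":
            q = recent_failures[ip]
            q.append(e["time"])
            tried[ip].add(e["principal"])
            while q and e["time"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {
                    "source_ip": ip, "first": q[0], "last": e["time"],
                    "failures": 0, "principals": tried[ip], "followed_by_success": None,
                })
                f["last"] = e["time"]
                f["failures"] = max(f["failures"], len(q))
        elif e["outcome"] == "Success":
            f = findings.get(ip)
            if f is not None and e["time"] - f["last"] <= window:
                f["followed_by_success"] = {"principal": e["principal"], "time": e["time"]}
    return list(findings.values())


def _t(hhmmss):
    return datetime.fromisoformat(f"2024-06-01T{hhmmss}")


# Constructed sample: six failures in under four minutes from one address
# (five against alice, one against bob) followed by a success for alice;
# two failures from a second address (below threshold); one unrelated
# success; and a stale failure hours earlier that must not be counted.
SAMPLE_EVENTS = [
    {"time": _t("09:00:05"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Failure"},
    {"time": _t("09:00:40"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Failure"},
    {"time": _t("09:01:15"), "principal": "bob", "source_ip": "198.51.100.7", "outcome": "Failure"},
    {"time": _t("09:01:50"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Failure"},
    {"time": _t("09:02:25"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Failure"},
    {"time": _t("09:03:40"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Failure"},
    {"time": _t("09:04:10"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Success"},
    {"time": _t("09:01:00"), "principal": "carol", "source_ip": "203.0.113.9", "outcome": "Failure"},
    {"time": _t("09:02:00"), "principal": "carol", "source_ip": "203.0.113.9", "outcome": "Failure"},
    {"time": _t("09:05:00"), "principal": "dave", "source_ip": "192.0.2.5", "outcome": "Success"},
    {"time": _t("03:00:00"), "principal": "alice", "source_ip": "198.51.100.7", "outcome": "Failure"},
]


def run_sample(threshold=5, window_minutes=10):
    return detect_bruteforce(SAMPLE_EVENTS, threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for f in run_sample():
        print(f["source_ip"], f["failures"], "failures", f["first"].time(), "->", f["last"].time(),
              "principals:", sorted(f["principals"]), "then success:", f["followed_by_success"])
```

The window is what keeps the stale 03:00 failure out of the count, and the threshold is what keeps the second address out of the findings; lowering the window to a minute makes the burst disappear, which is the usual tuning trade-off for this kind of rule.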

## Benefits

- Stop manually searching dashboards. Use the agent to run an `execute_query` for complex threat hunting, finding anomalies like API key abuse in seconds.
- Don't wait for incidents. Run a vulnerability check using `list_host_vulnerabilities` or `list_container_vulnerabilities` to proactively find weaknesses before they are exploited.
- Eliminate blind spots. Use `search_cloud_inventory` to discover every single running asset, especially those unrestricted S3 buckets that should be locked down.
- Respond faster during an emergency. With `search_cve_exposure`, you can map every affected machine as soon as a newly disclosed vulnerability has a CVE identifier.
- Keep your infrastructure clean. Use the agent to review all security policies via `list_security_policies` and ensure continuous compliance auditing.

## How It Works

The bottom line is you get immediate visibility into complex cloud risks without ever having to navigate a dashboard or write a query yourself.

1. Subscribe to this MCP and provide your Lacework API Key ID and Secret. Create a dedicated key for the agent with no more privilege than the tools need (every tool listed above reads data; none changes configuration), because whoever holds that key can read your whole security dataset through the connection.
2. Point your AI client, such as Claude or Cursor, at the connection. The agent now has access to your live cloud security data.
3. Ask a direct question, for example: 'Show me all unrestricted S3 buckets.' Your agent runs the necessary query and returns a clean list of assets. Treat that summary as a lead and confirm the underlying alert or asset in Lacework before remediating.
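What step 1 hands over is a long-lived credential, so it is worth seeing how a client of the Lacework API is expected to use it. The code below is an added example, not code from the page, from Vinkius or from Lacework: the key ID and secret are exchanged once for a short-lived bearer token, the secret itself is sent only to the token endpoint and kept out of `repr` output, and the token is cached and re-minted shortly before it expires. The endpoint path, `X-LW-UAKS` header and request body follow the Lacework API v2 token exchange as documented (confirm against your account's API documentation); the environment variable names are an assumption taken from the Lacework CLI, and the `FakeTokenEndpoint` stands in for the real endpoint so the flow runs offline.

```python
"""Exchanging a Lacework API key for a short-lived bearer token (added example)."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_PATH = "/api/v2/access/tokens"  # Lacework API v2 token endpoint


def load_credentials(env=None):
    """Read account, key ID and secret from the environment (variable names
    as used by the Lacework CLI; adapt if your tooling differs) and refuse to
    start with any of them missing rather than send a half-formed request."""
    env = os.environ if env is None else env
    wanted = ("LW_ACCOUNT", "LW_API_KEY", "LW_API_SECRET")
    missing = [k for k in wanted if not env.get(k)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return env["LW_ACCOUNT"], env["LW_API_KEY"], env["LW_API_SECRET"]


def http_post_json(url, headers, body):
    """Real transport: POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


class TokenSource:
    """Mints and caches a bearer token. The key secret travels only to the
    token endpoint (X-LW-UAKS header); every other call carries the
    short-lived token, so a leaked request log exposes far less."""

    def __init__(self, account, key_id, secret, post=http_post_json, ttl_seconds=3600):
        self._url = f"https://{account}.lacework.net{TOKEN_PATH}"
        self._key_id, self._secret = key_id, secret
        self._post, self._ttl = post, ttl_seconds
        self._token, self._expires = None, None
        self.mints = 0  # how many times a token was actually requested

    def __repr__(self):  # keep the secret out of tracebacks and logs
        return f"TokenSource(key_id={self._key_id!r}, secret=***)"

    def token(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._token and now < self._expires - timedelta(seconds=60):
            return self._token  # reuse until shortly before expiry
        resp = self._post(
            self._url,
            {"X-LW-UAKS": self._secret, "Content-Type": "application/json"},
            {"keyId": self._key_id, "expiryTime": self._ttl},
        )
        self._token = resp["token"]
        self._expires = datetime.fromisoformat(resp["expiresAt"].replace("Z", "+00:00"))
        self.mints += 1
        return self._token

    def auth_headers(self, now=None):
        return {"Authorization": f"Bearer {self.token(now)}"}


class FakeTokenEndpoint:
    """Offline stand-in for the token endpoint: records what it was sent and
    answers in the documented {"token", "expiresAt"} shape."""

    def __init__(self, issued_at):
        self.calls = []
        self.issued_at = issued_at

    def __call__(self, url, headers, body):
        self.calls.append((url, headers, body))
        expires = self.issued_at + timedelta(seconds=body["expiryTime"])
        return {"token": f"tok-{len(self.calls)}", "expiresAt": expires.strftime("%Y-%m-%dT%H:%M:%S.000Z")}


def demo():
    """Exercise the flow against the fake endpoint with a fixed clock."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    endpoint = FakeTokenEndpoint(t0)
    src = TokenSource("example-account", "EXAMPLE_KEY_ID", "example-secret", post=endpoint)
    h1 = src.auth_headers(now=t0)
    h2 = src.auth_headers(now=t0 + timedelta(minutes=30))               # served from cache
    h3 = src.auth_headers(now=t0 + timedelta(minutes=59, seconds=30))   # inside the 60 s margin: re-mint
    return endpoint, src, (h1, h2, h3)


if __name__ == "__main__":
    endpoint, src, headers = demo()
    print(src, "minted", src.mints, "tokens;", [h["Authorization"] for h in headers])
```

For real use, swap `FakeTokenEndpoint` for the default `http_post_json` and feed `TokenSource` the tuple from `load_credentials()`; the same caching logic then keeps the number of secret-bearing requests to one per token lifetime.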

## Frequently Asked Questions

**How does Lacework (Cloud Security & CNAPP) MCP find unrestricted S3 buckets?**
It uses the `search_cloud_inventory` tool to query Lacework's cloud asset inventory, which is built from the cloud accounts you have integrated. This finds any bucket that is publicly readable or writable, in any of those accounts, regardless of where it sits in your account structure.

**What if I want to check for a specific vulnerability like Log4j?**
You use `search_cve_exposure`. You provide the CVE ID, and this MCP filters all integrated machines across your cloud estate to tell you exactly which nodes are impacted.

**Can I find evidence of a brute force attempt using Lacework (Cloud Security & CNAPP) MCP?**
Yes. Running `search_alerts` will fetch events related to AWS IAM brute-forcing attempts, giving you the specific time window and accounts involved in the attack.

**Does this MCP only check my live VMs?**
No. It checks both running hosts using `list_host_vulnerabilities` AND it scans container images in registries like ECR/DockerHub using `list_container_vulnerabilities`.

**What is the best way to use Lacework (Cloud Security & CNAPP) MCP for compliance?**
First, run `list_security_policies` to understand your ruleset. Then, use a custom query via `execute_query` to test specific compliance checks against your actual data.