Linking Lacework FortiCNAPP as a source

Alpha release

This source is currently in alpha. The interface and available tables may change.

The Lacework FortiCNAPP (Fortinet) connector syncs your cloud security data – alerts, host and container vulnerabilities, compliance evaluations, machines, agents, and console audit logs – into PostHog, so you can trend cloud risk, audit control coverage, and correlate security findings with the rest of your data.

Prerequisites

You need a Lacework FortiCNAPP account and an API key. Creating API keys requires an account admin role. In the FortiCNAPP Console, go to Settings > Configuration > API keys, click Add New, then download the generated key file to get the key ID and secret key.

Adding a data source

  1. In PostHog, go to the Sources tab of the data pipeline section.
  2. Click + New source and click Link next to this source.
  3. Enter your credentials (see Configuration below) and click Next.
  4. Select the tables you want to sync, choose a sync method and frequency, then click Import.

Once the syncs are complete, you can start querying this data in PostHog.

When linking Lacework FortiCNAPP, you'll need:

  • Account name – the first part of your FortiCNAPP URL: https://<account name>.lacework.net.
  • API key ID – the keyId value from the downloaded API key file.
  • Secret key – the secret value from the downloaded API key file.

Sync modes

Each table can be synced in one of several modes, depending on what the source supports:

  • Webhook (when available) – the source pushes changes to PostHog in real time. Fastest freshness, lowest ongoing cost, and the only mode that reliably captures updates and deletes.
  • Incremental – only new or updated rows are synced on each run, using a cursor field (such as an updated_at timestamp). Cheaper than a full refresh, but deletes aren't captured.
  • Append only – new rows are appended using a cursor field; existing rows are never updated. Ideal for immutable, append-only tables like event logs.
  • Full refresh – the whole table is reloaded on every sync. Use it when a table has no reliable cursor or when you need deletions reflected.

See sync methods for a full explanation of how each mode works and how to choose between them.

Most tables (vulnerabilities, compliance evaluations, machines, audit logs) are append-only histories of time-windowed records without a unique row id, so they support append and full refresh syncs. The alerts table also supports incremental sync on startTime; note that incremental syncs filter by when an alert started, so status changes on older alerts are only picked up by a full refresh.

The Lacework API only serves recent history, so the first sync (and any full refresh) reaches back a bounded window: 90 days for alerts, audit logs, and compliance evaluations, 30 days for vulnerabilities and machines, and 7 days for the agent inventory.

Lacework rate-limits API access to 480 requests per hour. Large environments may need more than one sync run to complete the initial backfill; syncs pick up where they left off.

Configuration

OptionTypeRequired
Account nametextYes
API key IDtextYes
Secret keypasswordYes

Supported tables

TableDescriptionSync methodIncremental fieldPrimary key
alerts

Alerts raised by Lacework, filtered by the time the potential threat started. Status changes on alerts older than the last synced window are only picked up on a full refresh

Incremental, Full refreshstartTime
audit_logs

Lacework console audit log entries. Syncs the last 90 days on first sync or full refresh

Append only, Full refreshcreatedTime
agent_info

Inventory of Lacework agents active in the last 7 days. Full refresh only

Full refresh
vulnerabilities_hosts

Host vulnerability assessment results (one row per CVE per machine per assessment). Syncs the last 30 days on first sync or full refresh

Append only, Full refreshstartTime
vulnerabilities_containers

Container image vulnerability assessment results (one row per CVE per image per assessment). Syncs the last 30 days on first sync or full refresh

Append only, Full refreshstartTime
compliance_evaluations_aws

AWS compliance evaluations. Syncs the last 90 days on first sync or full refresh

Append only, Full refreshreportTime
compliance_evaluations_azure

Azure compliance evaluations. Syncs the last 90 days on first sync or full refresh

Append only, Full refreshreportTime
compliance_evaluations_gcp

GCP compliance evaluations. Syncs the last 90 days on first sync or full refresh

Append only, Full refreshreportTime
compliance_evaluations_k8s

Kubernetes compliance evaluations. Syncs the last 90 days on first sync or full refresh

Append only, Full refreshreportTime
entities_machines

Machines observed online, one row per machine per activity segment. Syncs the last 30 days on first sync or full refresh

Append only, Full refreshstartTime

Troubleshooting

If your sync is failing or data looks wrong, see the Data warehouse troubleshooting guide. If that doesn't help, contact support – we're happy to help.

Community questions

Was this page useful?