Linking Lacework FortiCNAPP as a source
This source is currently in alpha. The interface and available tables may change.
The Lacework FortiCNAPP (Fortinet) connector syncs your cloud security data – alerts, host and container vulnerabilities, compliance evaluations, machines, agents, and console audit logs – into PostHog, so you can trend cloud risk, audit control coverage, and correlate security findings with the rest of your data.
Prerequisites
You need a Lacework FortiCNAPP account and an API key. Creating API keys requires an account admin role. In the FortiCNAPP Console, go to Settings > Configuration > API keys, click Add New, then download the generated key file to get the key ID and secret key.
Adding a data source
- In PostHog, go to the Sources tab of the data pipeline section.
- Click + New source and click Link next to this source.
- Enter your credentials (see Configuration below) and click Next.
- Select the tables you want to sync, choose a sync method and frequency, then click Import.
Once the syncs are complete, you can start querying this data in PostHog.
When linking Lacework FortiCNAPP, you'll need:
- Account name – the first part of your FortiCNAPP URL:
https://<account name>.lacework.net. - API key ID – the
keyIdvalue from the downloaded API key file. - Secret key – the
secretvalue from the downloaded API key file.
Sync modes
Each table can be synced in one of several modes, depending on what the source supports:
- Webhook (when available) – the source pushes changes to PostHog in real time. Fastest freshness, lowest ongoing cost, and the only mode that reliably captures updates and deletes.
- Incremental – only new or updated rows are synced on each run, using a cursor field (such as an
updated_attimestamp). Cheaper than a full refresh, but deletes aren't captured. - Append only – new rows are appended using a cursor field; existing rows are never updated. Ideal for immutable, append-only tables like event logs.
- Full refresh – the whole table is reloaded on every sync. Use it when a table has no reliable cursor or when you need deletions reflected.
See sync methods for a full explanation of how each mode works and how to choose between them.
Most tables (vulnerabilities, compliance evaluations, machines, audit logs) are append-only histories of time-windowed records without a unique row id, so they support append and full refresh syncs. The alerts table also supports incremental sync on startTime; note that incremental syncs filter by when an alert started, so status changes on older alerts are only picked up by a full refresh.
The Lacework API only serves recent history, so the first sync (and any full refresh) reaches back a bounded window: 90 days for alerts, audit logs, and compliance evaluations, 30 days for vulnerabilities and machines, and 7 days for the agent inventory.
Lacework rate-limits API access to 480 requests per hour. Large environments may need more than one sync run to complete the initial backfill; syncs pick up where they left off.
Configuration
| Option | Type | Required |
|---|---|---|
Account name | text | Yes |
API key ID | text | Yes |
Secret key | password | Yes |
Supported tables
| Table | Description | Sync method | Incremental field | Primary key |
|---|---|---|---|---|
alerts | Alerts raised by Lacework, filtered by the time the potential threat started. Status changes on alerts older than the last synced window are only picked up on a full refresh | Incremental, Full refresh | startTime | — |
audit_logs | Lacework console audit log entries. Syncs the last 90 days on first sync or full refresh | Append only, Full refresh | createdTime | — |
agent_info | Inventory of Lacework agents active in the last 7 days. Full refresh only | Full refresh | — | — |
vulnerabilities_hosts | Host vulnerability assessment results (one row per CVE per machine per assessment). Syncs the last 30 days on first sync or full refresh | Append only, Full refresh | startTime | — |
vulnerabilities_containers | Container image vulnerability assessment results (one row per CVE per image per assessment). Syncs the last 30 days on first sync or full refresh | Append only, Full refresh | startTime | — |
compliance_evaluations_aws | AWS compliance evaluations. Syncs the last 90 days on first sync or full refresh | Append only, Full refresh | reportTime | — |
compliance_evaluations_azure | Azure compliance evaluations. Syncs the last 90 days on first sync or full refresh | Append only, Full refresh | reportTime | — |
compliance_evaluations_gcp | GCP compliance evaluations. Syncs the last 90 days on first sync or full refresh | Append only, Full refresh | reportTime | — |
compliance_evaluations_k8s | Kubernetes compliance evaluations. Syncs the last 90 days on first sync or full refresh | Append only, Full refresh | reportTime | — |
entities_machines | Machines observed online, one row per machine per activity segment. Syncs the last 30 days on first sync or full refresh | Append only, Full refresh | startTime | — |
Troubleshooting
If your sync is failing or data looks wrong, see the Data warehouse troubleshooting guide. If that doesn't help, contact support – we're happy to help.