Getting Started with LQL (Lacework Query Language): Explore the existing LQL Queries

  • 13 September 2023
  • 0 replies
  • 371 views


If you and your team want to explore the existing LQL (Lacework Query Language) queries, the output of lacework query list --json can be processed with a combination of grep and sed into a single file that lists all of the Out-Of-The-Box LQL queries, with the LQL properly formatted.

 

A single file will enable you to

  • Copy and Paste specific LQL queries into a file to run with lacework query run -f <FILENAME>.lql.
  • Search across ALL examples by
    • Data Source
    • Functions
    • Keywords
    • Operators 

 

% lacework query list --json | grep "queryId\|queryText" | sed 's/\\n}",/\n  }\n/g; s/\\n/\n/g; s/",$//g; s/^    "queryId": "/\n---\nqueryId: /; s/^    "queryText": "/queryText: |-\n  /g;' | less -O lacework.query.list.lql

---
queryId: LW_Global_AWS_CTA_AccessKeyDeleted
queryText: |-
  {
    source {
      CloudTrailRawEvents
    }
    filter {
      EVENT_SOURCE = 'iam.amazonaws.com'
      and EVENT_NAME = 'DeleteAccessKey'
      and ERROR_CODE is null
    }
    return distinct {
      INSERT_ID,
      INSERT_TIME,
      EVENT_TIME,
      EVENT
    }
  }

. . .

 

Save a query in a separate file in order to run it locally.

% cat LW_Global_AWS_CTA_AccessKeyDeleted.lql 
---
queryId: LW_Global_AWS_CTA_AccessKeyDeleted
queryText: |-
  {
    source {
      CloudTrailRawEvents
    }
    filter {
      EVENT_SOURCE = 'iam.amazonaws.com'
      and EVENT_NAME = 'DeleteAccessKey'
      and ERROR_CODE is null
    }
    return distinct {
      INSERT_ID,
      INSERT_TIME,
      EVENT_TIME,
      EVENT
    }
  }
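A more robust way to build the same single file, and to split it into the per-query .lql files used in the save step, as an added example that is not part of the original post: it parses the JSON instead of grepping it, so quotes or braces inside a query cannot derail the output. The JSON shape (a list of objects with queryId and queryText) is assumed from the fields the grep matches, and the sample input is constructed.

```python
"""Build one searchable file of Out-Of-The-Box LQL queries from
`lacework query list --json`, in the layout the post's grep/sed pipeline
produces, but by parsing the JSON so quotes or braces inside a query
cannot derail the output. Added example, not part of the original post."""
import json
import sys
# Constructed sample in the assumed shape of `lacework query list --json`:
# a list of objects carrying the "queryId" and "queryText" fields the post greps.
SAMPLE_JSON = json.dumps([{
    "queryId": "LW_Global_AWS_CTA_AccessKeyDeleted",
    "queryText": "{\n  source {\n    CloudTrailRawEvents\n  }\n"
                 "  filter {\n    EVENT_SOURCE = 'iam.amazonaws.com'\n"
                 "    and EVENT_NAME = 'DeleteAccessKey'\n"
                 "    and ERROR_CODE is null\n  }\n"
                 "  return distinct {\n    INSERT_ID,\n    EVENT\n  }\n}",
}])


def query_to_yaml(query: dict, indent: str = "  ") -> str:
    """One query as a YAML document: '---', queryId, queryText as a '|-' block.
    Every LQL line is indented so the block scalar stays valid YAML."""
    body = "\n".join(indent + line for line in query["queryText"].splitlines())
    return f"---\nqueryId: {query['queryId']}\nqueryText: |-\n{body}\n"


def lql_list_to_yaml(json_text: str) -> str:
    """Whole list -> one multi-document file, sorted by queryId for stable grepping."""
    queries = sorted(json.loads(json_text), key=lambda q: q["queryId"])
    return "".join(query_to_yaml(q) for q in queries)


def split_queries(yaml_text: str) -> dict:
    """queryId -> its standalone document, i.e. what you save as <queryId>.lql
    and pass to `lacework query run -f <queryId>.lql`."""
    out = {}
    for doc in yaml_text.split("---\n"):
        if doc.strip():
            out[doc.splitlines()[0].split(": ", 1)[1]] = "---\n" + doc
    return out


def query_text_of(doc: str, indent: str = "  ") -> str:
    """Recover the raw LQL from a document (inverse of query_to_yaml)."""
    body = doc.split("queryText: |-\n", 1)[1].rstrip("\n")
    return "\n".join(line[len(indent):] for line in body.split("\n"))


if __name__ == "__main__":
    # Usage: lacework query list --json | python lql_dump.py > lacework.query.list.lql
    sys.stdout.write(lql_list_to_yaml(sys.stdin.read()))
```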

 

Run the query with lacework query run -f <FILENAME>.lql.

% lacework --profile tudor query run -f LW_Global_AWS_CTA_AccessKeyDeleted.lql | less -O LW_Global_AWS_CTA_AccessKeyDeleted.json

[
  {
    "EVENT": {
      "awsRegion": "us-east-1",
      "eventCategory": "Management",
      "eventID": "123ab456-7c89-12de-3f45-ab6cde7fa89b",
      "eventName": "DeleteAccessKey",
      "eventSource": "iam.amazonaws.com",
      "eventTime": "2023-09-13T08:23:54Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": false,

. . .

 

Documentation

Lacework CLI Reference : lacework policy list
https://docs.lacework.net/cli/commands/lacework_policy_list

Lacework CLI Reference : lacework query list
https://docs.lacework.net/cli/commands/lacework_query_list

Lacework CLI Reference : lacework query run
https://docs.lacework.net/cli/commands/lacework_query_run

Agent

N/A

Platform

Using Lacework/Operationalizing

Cloud

N/A

