Getting Started with LQL (Lacework Query Language): LQL Overview (Documentation Highlights)

  • 13 September 2023
  • 1 reply


LQL Overview

The Lacework Query Language (LQL) is an SQL-like query language for specifying the selection, filtering, and manipulation of data. Queries let you interactively request information from curated datasources. Queries have a defined structure for authoring detections.

LQL enables you to find non-compliant resources or suspicious activity by querying data ingested from cloud providers, Kubernetes, CloudTrail activity logs, and the Lacework agent. Then you can associate queries with policies, which contain rich reporting metadata.


LQL Operators

LQL uses conventional SQL notation for arithmetic, comparisons, and logical operations.


LQL Functions

This topic lists all Lacework Query Language functions alphabetically.


Datasource Metadata

This topic lists the datasources and metadata supported by the Lacework Policy Platform.


Relative Time Specifiers for LQL Queries

Relative times allow you to represent time values dynamically, using specifiers that represent an offset from the current time. For instance, a relative time of -24h produces a date/time that is 24 hours less the current time. Relative times can also snap to a particular time. For instance, a relative time of @d would represent the start of the current day.




Using Lacework/Operationalizing



1 reply

Userlevel 3
Badge +1

To learn more about LQL, check out our Best Practice Guide on the Lacework Practitioner Tools: