Create a Query

This topic describes how to create a query to use with the Lacework Console.

Configure the Query

This example query checks for unrestricted ingress to TCP port 445.

{
    source {
        LW_CFG_AWS_EC2_SECURITY_GROUPS a,
        array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
        array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
    }
    filter {
        ip_permissions:IpProtocol = 'tcp'
        and ip_permissions:FromPort = 445
        and ip_permissions:ToPort = 445
        and ip_ranges:CidrIp = '0.0.0.0/0'
    }
    return distinct {
        ACCOUNT_ALIAS,
        ACCOUNT_ID,
        ARN as RESOURCE_KEY,
        RESOURCE_REGION,
        RESOURCE_TYPE,
        SERVICE
    }
}

Query Clauses

Configure the example using the following guidelines:

  • source: Specify the datasource or datasources the query reads from. The example specifies LW_CFG_AWS_EC2_SECURITY_GROUPS and uses array_to_rows twice to expand each security group's IpPermissions array, and then each permission's IpRanges array, into one row per CIDR rule. To get a list of all available datasources, use the GET /api/v2/Datasources endpoint.
  • filter: Specify the records of interest. The example keeps only the rows from LW_CFG_AWS_EC2_SECURITY_GROUPS whose rule is TCP, whose port range is exactly 445 to 445, and whose source CIDR is 0.0.0.0/0.
  • return: List the fields the query exposes. The example adds the distinct modifier, which deduplicates result rows: because the returned fields identify the security group but not the individual rule, a group with several matching rules would otherwise appear once per rule.
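The example above matches only rules that open exactly port 445 over TCP from an IPv4 wildcard; a rule that opens a wider range containing 445 (for instance 0 to 65535) or that allows all protocols (which AWS encodes as IpProtocol -1 with no port fields) is not reported. The following query is an added illustration of the same three clauses, not code from the Lacework documentation, and widens the filter to those cases while keeping the page's datasource and return fields; it assumes the AWS security-group schema for IpProtocol, FromPort and ToPort, and LQL's -- comment syntax. IPv6 sources (Ipv6Ranges) are still out of scope because the query only expands IpRanges.

```lql
{
    source {
        LW_CFG_AWS_EC2_SECURITY_GROUPS a,
        array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
        array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
    }
    filter {
        -- same world-reachable IPv4 source as the page's query
        ip_ranges:CidrIp = '0.0.0.0/0'
        and (
            -- AWS encodes "all traffic" as protocol -1 and omits FromPort/ToPort,
            -- so the exact-port comparison in the original query never matches it
            ip_permissions:IpProtocol = '-1'
            -- otherwise accept any TCP range that contains 445, not just 445-445
            or (
                ip_permissions:IpProtocol = 'tcp'
                and ip_permissions:FromPort <= 445
                and ip_permissions:ToPort >= 445
            )
        )
    }
    return distinct {
        ACCOUNT_ALIAS,
        ACCOUNT_ID,
        ARN as RESOURCE_KEY,
        RESOURCE_REGION,
        RESOURCE_TYPE,
        SERVICE,
        -- expose the matching rule so an analyst can see why the group was flagged
        ip_permissions:IpProtocol as PROTOCOL,
        ip_permissions:FromPort as FROM_PORT,
        ip_permissions:ToPort as TO_PORT
    }
}
```

Because the rule's protocol and ports are now part of the returned fields, distinct no longer collapses a group with several matching rules into one row; drop the three extra fields if you want one row per security group as in the original example.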

Next Steps

Create a new custom policy in the Lacework Console. See Create a Custom Policy with the Lacework Console.