Create a Query
This topic describes how to create a query to use with the Lacework Console.
Configure the Query
This example query checks for unrestricted ingress to TCP port 445.
{
    source {
        LW_CFG_AWS_EC2_SECURITY_GROUPS a,
        array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
        array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
    }
    filter {
        ip_permissions:IpProtocol = 'tcp'
        and ip_permissions:FromPort = 445
        and ip_permissions:ToPort = 445
        and ip_ranges:CidrIp = '0.0.0.0/0'
    }
    return distinct {
        ACCOUNT_ALIAS,
        ACCOUNT_ID,
        ARN as RESOURCE_KEY,
        RESOURCE_REGION,
        RESOURCE_TYPE,
        SERVICE
    }
}
Query Clauses
Configure the example using the following guidelines:
source
: Specify the datasource(s) where the query looks for data. The example specifies LW_CFG_AWS_EC2_SECURITY_GROUPS. To get a list of all available datasources, use the GET /api/v2/Datasources endpoint.
filter
: Specify the query's records of interest. The example filters the records available in LW_CFG_AWS_EC2_SECURITY_GROUPS.
return
: List the fields the query exposes. The example adds the distinct modifier, which returns deduplicated event details because there may be unwanted duplicates among result records.
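To make the three clauses concrete, the following added Python (not Lacework code) emulates what the example query does over constructed records shaped like LW_CFG_AWS_EC2_SECURITY_GROUPS rows: the two array_to_rows calls flatten each group into one row per IP range, the filter keeps exact tcp/445 rules open to 0.0.0.0/0, and return distinct projects the listed fields and deduplicates. The account IDs, ARNs and rules are invented sample data.

```python
"""Emulation of the example query: source -> filter -> return distinct."""

# Constructed sample records; RESOURCE_CONFIG mimics the DescribeSecurityGroups
# shape that the datasource exposes (IpPermissions -> IpRanges -> CidrIp).
SECURITY_GROUPS = [
    {
        "ACCOUNT_ALIAS": "prod", "ACCOUNT_ID": "111111111111",
        "ARN": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-open",
        "RESOURCE_REGION": "us-east-1", "RESOURCE_TYPE": "ec2:security-group",
        "SERVICE": "ec2",
        "RESOURCE_CONFIG": {"IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
    },
    {
        "ACCOUNT_ALIAS": "prod", "ACCOUNT_ID": "111111111111",
        "ARN": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-internal",
        "RESOURCE_REGION": "us-east-1", "RESOURCE_TYPE": "ec2:security-group",
        "SERVICE": "ec2",
        "RESOURCE_CONFIG": {"IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ]},
    },
]

RETURN_FIELDS = ("ACCOUNT_ALIAS", "ACCOUNT_ID", "RESOURCE_REGION",
                 "RESOURCE_TYPE", "SERVICE")

def source_rows(groups):
    """source clause: the two array_to_rows calls yield one row per IP range."""
    for group in groups:
        for perm in group["RESOURCE_CONFIG"].get("IpPermissions", []):
            for ip_range in perm.get("IpRanges", []):
                yield group, perm, ip_range

def keep_row(perm, ip_range, port):
    """filter clause: exact tcp port match reachable from anywhere (IPv4)."""
    return (perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port
            and perm.get("ToPort") == port and ip_range.get("CidrIp") == "0.0.0.0/0")

def run_query(groups, port=445):
    """return distinct clause: project the fields (ARN as RESOURCE_KEY), dedupe."""
    distinct = set()
    for group, perm, ip_range in source_rows(groups):
        if keep_row(perm, ip_range, port):
            row = tuple((f, group[f]) for f in RETURN_FIELDS) + (("RESOURCE_KEY", group["ARN"]),)
            distinct.add(row)
    return [dict(row) for row in sorted(distinct)]
```

Note that, like the query's filter, this is an exact match on FromPort/ToPort and the IPv4 CIDR, so a rule spanning a port range that includes 445, using protocol -1, or using an Ipv6Ranges entry of ::/0 is not reported.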
Next Steps
Create a new custom policy in the Lacework Console. See Create a Custom Policy with the Lacework Console.