Create a Query

This topic describes how to create a query to use with the Lacework Console.

Configure the Query

This example query checks for unrestricted ingress to TCP port 445.

{
   source {
       LW_CFG_AWS_EC2_SECURITY_GROUPS a,
       array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
       array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
   }
   filter {
       ip_permissions:IpProtocol = 'tcp'
       and ip_permissions:FromPort = 445
       and ip_permissions:ToPort = 445
       and ip_ranges:CidrIp = '0.0.0.0/0'
   }
   return distinct {
       ACCOUNT_ALIAS,
       ACCOUNT_ID,
       ARN as RESOURCE_KEY,
       RESOURCE_REGION,
       RESOURCE_TYPE,
       SERVICE
   }
}

Query Clauses

Configure the example using the following guidelines:

source: Specify the datasource(s) where the query looks for data. The example specifies LW_CFG_AWS_EC2_SECURITY_GROUPS. To get a list of all available datasources, use the GET /api/v2/Datasources endpoint.
filter: Specify the query's records of interest. The example filters the records available in LW_CFG_AWS_EC2_SECURITY_GROUPS.
return: List the fields the query exposes. The example adds the distinct modifier, which returns deduplicated event details because there may be unwanted duplicates among result records.

Next Steps

Create a new custom policy in the Lacework Console. See Create a Custom Policy with the Lacework Console.

Configure the Query​

Query Clauses​

Next Steps​

Configure the Query

Query Clauses

Next Steps