Execute a Query by ID

This topic describes how to execute a query by ID. Execution by ID differs from on-demand execution in that the query you want to execute must already exist in your Lacework instance. Because the query already exists, you do not have to provide queryText to execute it.

All Lacework endpoints require an API access (bearer) token to be specified when you invoke the endpoint. If you already have a secret key, you can use the POST /api/v2/access/tokens endpoint to generate an access token. For details, see API Access Keys and Tokens.

Get the Query ID

To find the query you want to execute, use the following endpoint to list all registered queries in your Lacework instance:

GET https://YourLacework.lacework.net/api/v2/Queries

Execute the Query

When you know the query ID for the query you want to execute, use the following endpoint and replace {queryId} with the query ID:

POST https://YourLacework.lacework.net/api/v2/Queries/{queryId}/execute

Pass in the LQL query arguments (StartTimeRange and EndTimeRange) using the arguments JSON field of the body input parameter.

The request body would be similar to the following:

{
  "arguments": [
    {"name": "StartTimeRange", "value": "2022-07-10T00:00:00.000Z"},
    {"name": "EndTimeRange", "value": "2022-07-11T00:00:00.000Z"}
  ]
}

Here is some sample data that the query could return.

{
  "data": [
    {
      "ACCOUNT_ALIAS": "aaa-bb",
      "ACCOUNT_ID": "111",
      "RESOURCE_KEY": "arn:aws:ec2:sa-east-1:111:security-group/sg-222",
      "RESOURCE_REGION": "sa-east-1",
      "RESOURCE_TYPE": "ec2:security-group",
      "SERVICE": "ec2"
    }
  ]
}

You can use the information to refine the query to look for different behavior if necessary.
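The execute call described above, assembled in Python as an added example (not Lacework's own code). It builds the request without sending it, validates the time range, and percent-encodes the query ID before it goes into the URL path. The query ID, token, and helper names are hypothetical, and the token is assumed to be sent in a standard `Authorization: Bearer` header.

```python
import json
from datetime import datetime
from urllib.parse import quote
from urllib.request import Request

# Assumption: placeholder host taken from the page's example URLs.
BASE_URL = "https://YourLacework.lacework.net"


def _parse_utc(ts):
    """Parse a timestamp in the page's format, e.g. 2022-07-10T00:00:00.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def build_execute_request(query_id, start, end, token, base_url=BASE_URL):
    """Build (without sending) the POST for /api/v2/Queries/{queryId}/execute."""
    if not query_id or not token:
        raise ValueError("query_id and token are required")
    if _parse_utc(start) >= _parse_utc(end):
        raise ValueError("StartTimeRange must be earlier than EndTimeRange")
    body = {"arguments": [
        {"name": "StartTimeRange", "value": start},
        {"name": "EndTimeRange", "value": end},
    ]}
    # Percent-encode the ID so a value containing "/" cannot add path segments.
    url = f"{base_url}/api/v2/Queries/{quote(query_id, safe='')}/execute"
    return Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def resource_keys(response_text):
    """Return the RESOURCE_KEY of each row in an execute response."""
    rows = json.loads(response_text).get("data", [])
    return [row["RESOURCE_KEY"] for row in rows if "RESOURCE_KEY" in row]


# Constructed inputs: hypothetical query ID and token; response trimmed from the page's sample.
SAMPLE_RESPONSE = ('{"data": [{"ACCOUNT_ID": "111", "RESOURCE_KEY": '
                   '"arn:aws:ec2:sa-east-1:111:security-group/sg-222", "SERVICE": "ec2"}]}')

if __name__ == "__main__":
    req = build_execute_request("Example_Query_ID", "2022-07-10T00:00:00.000Z",
                                "2022-07-11T00:00:00.000Z", "EXAMPLE_TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(resource_keys(SAMPLE_RESPONSE))
```

To send the request, pass the returned object to `urllib.request.urlopen` and give the response text to `resource_keys`.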

Next Steps

After you refine and execute the query to get the desired results, update the query in your Lacework instance. Use the PATCH https://YourLacework.lacework.net/api/v2/Queries/{queryId} endpoint to update the query.