Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiCNAPP CLI Reference

    lacework query create

    lacework query create

    Create a query

    Synopsis

    There are multiple ways you can create a query:

    • Typing the query into your default editor (via $EDITOR)

    • Piping a query to the Lacework CLI command (via $STDIN)

    • From a local file on disk using the flag '--file'

    • From a URL using the flag '--url'

    There are also multiple formats you can use to define a query:

    • Javascript Object Notation (JSON)

    • YAML Ain't Markup Language (YAML)

    To launch your default editor and create a new query.

    lacework lql create

    The following example checks for unrestricted ingress to TCP port 445:

    A query is represented using JSON or YAML markup and must specify both 'queryId' and 'queryText' keys. The above query uses YAML, specifies an identifier of 'LW_Custom_UnrestrictedIngressToTCP445', and identifies AWS EC2 security groups with unrestricted access to TCP port 445. The queryText is expressed in Lacework Query Language (LQL) syntax which is delimited by '{ }' and contains three sections:

    • Source data is specified in the 'source' clause. The source of data is the 'LW_CFG_AWS_EC2_SECURITY_GROUPS' datasource. LQL queries generally refer to other datasources, and customizable policies always target a suitable datasource.

    • Records of interest are specified by the 'filter' clause. In the example, the records available in 'LW_CFG_AWS_EC2_SECURITY_GROUPS' are filtered for those whose IP protocol is 'tcp', whose from and to port is '445', and CidrIP is '0.0.0.0/0'. The syntax for this filtering expression strongly resembles SQL.

    • The fields this query exposes are listed in the 'return' clause. Because there may be unwanted duplicates among result records when Lacework composes them from just these four columns, the distinct modifier is added. This behaves like a SQL 'SELECT DISTINCT'. Each returned column in this case is just a field that is present in 'LW_CFG_AWS_EC2_SECURITY_GROUPS', but you can compose results by manipulating strings, dates, JSON and numbers as well.

    The resulting dataset is shaped like a table. The table's columns are named with the names of the columns selected. If desired, you could alias them to other names as well.

    For more information about LQL, visit:

    https://docs.lacework.com/lql-overview

    lacework query create [flags]

    Options

      -f, --file string   path to a query to create
  -h, --help          help for create
  -u, --url string    url to a query to create

    Options inherited from parent commands

      -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
  -k, --api_key string      access key id
  -s, --api_secret string   secret access key
      --api_token string    access token (replaces the use of api_key and api_secret)
      --debug               turn on debug logging
      --json                switch commands output from human-readable to json format
      --nocache             turn off caching
      --nocolor             turn off colors
      --noninteractive      turn off interactive mode (disable spinners, prompts, etc.)
      --organization        access organization level data sets (org admins only)
  -p, --profile string      switch between profiles configured at ~/.lacework.toml
      --subaccount string   sub-account name inside your organization (org admins only)

    See also

    Previous
    Next

    lacework query create

    lacework query create

    Create a query

    Synopsis

    There are multiple ways you can create a query:

    • Typing the query into your default editor (via $EDITOR)

    • Piping a query to the Lacework CLI command (via $STDIN)

    • From a local file on disk using the flag '--file'

    • From a URL using the flag '--url'

    There are also multiple formats you can use to define a query:

    • Javascript Object Notation (JSON)

    • YAML Ain't Markup Language (YAML)

    To launch your default editor and create a new query.

    lacework lql create

    The following example checks for unrestricted ingress to TCP port 445:

    A query is represented using JSON or YAML markup and must specify both 'queryId' and 'queryText' keys. The above query uses YAML, specifies an identifier of 'LW_Custom_UnrestrictedIngressToTCP445', and identifies AWS EC2 security groups with unrestricted access to TCP port 445. The queryText is expressed in Lacework Query Language (LQL) syntax which is delimited by '{ }' and contains three sections:

    • Source data is specified in the 'source' clause. The source of data is the 'LW_CFG_AWS_EC2_SECURITY_GROUPS' datasource. LQL queries generally refer to other datasources, and customizable policies always target a suitable datasource.

    • Records of interest are specified by the 'filter' clause. In the example, the records available in 'LW_CFG_AWS_EC2_SECURITY_GROUPS' are filtered for those whose IP protocol is 'tcp', whose from and to port is '445', and CidrIP is '0.0.0.0/0'. The syntax for this filtering expression strongly resembles SQL.

    • The fields this query exposes are listed in the 'return' clause. Because there may be unwanted duplicates among result records when Lacework composes them from just these four columns, the distinct modifier is added. This behaves like a SQL 'SELECT DISTINCT'. Each returned column in this case is just a field that is present in 'LW_CFG_AWS_EC2_SECURITY_GROUPS', but you can compose results by manipulating strings, dates, JSON and numbers as well.

    The resulting dataset is shaped like a table. The table's columns are named with the names of the columns selected. If desired, you could alias them to other names as well.

    For more information about LQL, visit:

    https://docs.lacework.com/lql-overview

    lacework query create [flags]

    Options

      -f, --file string   path to a query to create
  -h, --help          help for create
  -u, --url string    url to a query to create

    Options inherited from parent commands

      -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
  -k, --api_key string      access key id
  -s, --api_secret string   secret access key
      --api_token string    access token (replaces the use of api_key and api_secret)
      --debug               turn on debug logging
      --json                switch commands output from human-readable to json format
      --nocache             turn off caching
      --nocolor             turn off colors
      --noninteractive      turn off interactive mode (disable spinners, prompts, etc.)
      --organization        access organization level data sets (org admins only)
  -p, --profile string      switch between profiles configured at ~/.lacework.toml
      --subaccount string   sub-account name inside your organization (org admins only)

    See also

    Previous
    Next