Datasource Information

This topic describes how to use the Lacework CLI and API to get information about datasources that you can access through LQL. Then you can use the datasource information to configure queries.

Note

For information on available datasources, see Datasource Metadata.

Use the Lacework CLI

If you are new to the Lacework CLI, see Get Started to learn about installing and configuring the CLI.

List All Datasources

The easiest way to learn about the LQL datasources is to discover the names of the datasources and then get details about the one you are interested in.

To list all datasources, run this command:

lacework query list-sources

To list only the datasources for a specific cloud provider, filter the output with the grep command that corresponds to your provider:

lacework query list-sources | grep AWS
lacework query list-sources | grep GCP
lacework query list-sources | grep AZURE
lacework query list-sources | grep OCI

List Datasource Details

To list the details for a specific datasource, run this command:

lacework query show-source <datasource>

The following command shows the details for the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource.

lacework query show-source LW_CFG_AWS_EC2_SECURITY_GROUPS
           DATASOURCE            
----------------------------------
  LW_CFG_AWS_EC2_SECURITY_GROUPS  

                              DESCRIPTION                               
------------------------------------------------------------------------
  Results from Amazon Elastic Compute Cloud 'describe-security-groups'  

     FIELD NAME      DATA TYPE            DESCRIPTION            
-------------------+-----------+---------------------------------
  BATCH_START_TIME   Timestamp   Beginning of time interval      
  BATCH_END_TIME     Timestamp   End of time interval            
  QUERY_START_TIME   Timestamp   Start time of query for this    
                                 resource                        
  QUERY_END_TIME     Timestamp   End time of query for this      
                                 resource                        
  ARN                String      ARN for the resource            
  RESOURCE_KEY       String      Unique identifier for the       
                                 resource                        
  API_KEY            String      Key describing the API used to  
                                 fetch data for this resource    
  SERVICE            String      Service this resource belongs   
                                 to                              
  ACCOUNT_ID         String      AWS Account ID                  
  ACCOUNT_ALIAS      String      User friendly alias for AWS     
                                 Account                         
  RESOURCE_TYPE      String      Type of this resource           
  RESOURCE_ID        String      Identifier for this resource    
  RESOURCE_REGION    String      Region this resource belongs    
                                 to                              
  RESOURCE_CONFIG    JSON        JSON Definition of this         
                                 resource                        
  RESOURCE_TAGS      JSON        Tags associated with this       
                                 resource                        
  URN                String      Lacework URN for this resource  
  ORGANIZATION_ID    String      Organization id associated      
                                 with this resource              

  RELATIONSHIP NAME                FROM                        TO            CARDINALITY            DESCRIPTION            
--------------------+--------------------------------+---------------------+-------------+---------------------------------
  (default)           LW_CFG_AWS_EC2_SECURITY_GROUPS   LW_CFG_AWS_EC2_VPCS   1             VPC for the EC2 Security Group  

Use 'lacework query preview-source LW_CFG_AWS_EC2_SECURITY_GROUPS' to see an actual result from the datasource.

The RESOURCE_CONFIG field is frequently used in LQL. Because its data type is JSON, the LQL query must first convert the field using the array_to_rows() function. To know exactly which JSON fields you need, you can either read the cloud provider's API documentation or write an LQL query to explore the full content before writing the actual policy.

The output also shows relationships between this datasource and any others and the cardinality of those relationships. In this case, LW_CFG_AWS_EC2_SECURITY_GROUPS relates to LW_CFG_AWS_EC2_VPCS. Specifically, a security group includes the ID of a VPC (VpcId) to which it belongs.
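
The following added example (not part of the Lacework documentation or CLI) parses the plain-text show-source output above into records, joins wrapped description cells, and lists the JSON-typed fields and the datasource relationships. The names parse_table, json_fields, CELL_GAP and SAMPLE are hypothetical, and the parser assumes cells are separated by at least two spaces and that only the last column wraps, as in the output shown.

```python
import re

# Rows copied from the show-source output above (trimmed to five fields).
SAMPLE = """\
     FIELD NAME      DATA TYPE            DESCRIPTION
-------------------+-----------+---------------------------------
  BATCH_START_TIME   Timestamp   Beginning of time interval
  QUERY_START_TIME   Timestamp   Start time of query for this
                                 resource
  ARN                String      ARN for the resource
  RESOURCE_CONFIG    JSON        JSON Definition of this
                                 resource
  RESOURCE_TAGS      JSON        Tags associated with this
                                 resource

  RELATIONSHIP NAME                FROM                        TO            CARDINALITY            DESCRIPTION
--------------------+--------------------------------+---------------------+-------------+---------------------------------
  (default)           LW_CFG_AWS_EC2_SECURITY_GROUPS   LW_CFG_AWS_EC2_VPCS   1             VPC for the EC2 Security Group
"""

CELL_GAP = re.compile(r"\s{2,}")  # assumption: cells are separated by 2+ spaces


def parse_table(text, first_header):
    """Return the rows of the table whose header row starts with first_header."""
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if header is None:
            cells = CELL_GAP.split(line)
            if cells[0] == first_header:
                header = cells
            continue
        if not line:
            break  # a blank line ends the table
        if set(line) <= {"-", "+"}:
            continue  # rule line under the header
        cells = CELL_GAP.split(line)
        if len(cells) == 1 and rows:
            # Wrapped cell: the last column continues on the next line.
            rows[-1][header[-1]] += " " + cells[0]
        else:
            cells += [""] * (len(header) - len(cells))
            rows.append(dict(zip(header, cells)))
    return rows


def json_fields(text):
    """Names of the fields whose data type is JSON."""
    return [r["FIELD NAME"] for r in parse_table(text, "FIELD NAME")
            if r["DATA TYPE"] == "JSON"]
```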

Preview a Datasource Result

For some datasources, you can run the following command to preview an instance of the datasource.

lacework query preview-source <datasource>

Use the Lacework API

All Lacework endpoints require an API access (bearer) token to be specified when you invoke the endpoint. If you already have a secret key, you can use the POST /api/v2/access/tokens endpoint to generate an access token. For details, see API Access Keys and Tokens.

List All Datasources

To list all available datasources and their metadata, use the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Datasources

List Datasource Details

To list the metadata for a specific datasource based on the datasource name, use the following endpoint:

GET https://YourLacework.lacework.net/api/v2/Datasources/{datasource}
