Datasource Information
This topic describes how to use the Lacework CLI and API to get information about datasources that you can access through LQL. Then you can use the datasource information to configure queries.
For information on available datasources, see Datasource Metadata (login required).
Use the Lacework CLI
If you are new to the Lacework CLI, see Get Started to learn about installing and configuring the CLI.
List All Datasources
The easiest way to learn about the LQL datasources is to discover the names of the datasources and then get details about the one you are interested in.
To list all datasources, run this command:
lacework query list-sources
For a specific cloud provider, run the command that corresponds to your cloud provider:
lacework query list-sources | grep AWS
lacework query list-sources | grep GCP
lacework query list-sources | grep AZURE
List Datasource Details
To list the details for a specific datasource, run this command:
lacework query show-source <datasource>
The following command shows the details for the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource.
lacework query show-source LW_CFG_AWS_EC2_SECURITY_GROUPS
DATASOURCE DESCRIPTION
---------------------------------+---------------------------------
LW_CFG_AWS_EC2_SECURITY_GROUPS Results from AWS EC2
'describe-security-groups'
FIELD NAME DATA TYPE DESCRIPTION
-------------------+-----------+---------------------------------
BATCH_START_TIME Timestamp Beginning of time interval
BATCH_END_TIME Timestamp End of time interval
QUERY_START_TIME Timestamp Start time of query for this
resource
QUERY_END_TIME Timestamp End time of query for this
resource
ARN String ARN for the resource
RESOURCE_KEY String Unique identifier for the
resource
API_KEY String Key describing the API used to
fetch data for this resource
SERVICE String Service this resource belongs
to
ACCOUNT_ID String AWS Account ID
ACCOUNT_ALIAS String User friendly alias for AWS
Account
RESOURCE_TYPE String Type of this resource
RESOURCE_ID String Identifier for this resource
RESOURCE_REGION String Region this resource belongs
to
RESOURCE_CONFIG JSON JSON Definition of this
resource
RESOURCE_TAGS JSON Tags associated with this
resource
URN JSON Lacework URN for this resource
ORGANIZATION_ID String Organization ID associated
with this resource
The RESOURCE_CONFIG field is frequently used in LQL. Because it is a JSON datasource, the LQL query must first convert the field using the array_to_rows() function. To know exactly which JSON fields you need, you can either read the cloud provider's API documentation, or write an LQL query to explore the full content before writing the actual policy.
Preview Events for a Datasource
For some datasources, you can run the following command to show a preview of a sample event for the datasource.
lacework query preview-source <datasource>
Use the Lacework API
All Lacework endpoints require an API access (bearer) token to be specified when you invoke the endpoint. If you already have a secret key, you can use the POST /api/v2/access/tokens endpoint to generate an access token. For details, see API Access Keys and Tokens.
List All Datasources
To list all available datasources and their metadata, use the following endpoint:
GET https://YourLacework.lacework.net/api/v2/Datasources
List Datasource Details
To list the metadata for a specific datasource based on the datasource name, use the following endpoint:
GET https://YourLacework.lacework.net/api/v2/Datasources/{datasource}