Query Console¶
Query and analyze your security telemetry using LimaCharlie Query Language (LCQL).
Documentation¶
- LCQL Examples - Example queries for common use cases
- Query Console UI - Using the web-based query interface
- Query with CLI - Running queries from the command line
Running Queries Programmatically¶
Prerequisites
All API examples require an API key with the insight permission. See API Keys for setup.
Run an LCQL Query¶
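# Start and end times are unix epoch seconds.
# `date -d` is GNU date; on BSD/macOS use `date -v-1H +%s` for the start time.
START=$(date -d '1 hour ago' +%s)
END=$(date +%s)

# Refuse to send a request with an empty bearer token instead of letting the
# API answer 401 for a silently-missing variable.
: "${LC_JWT:?set LC_JWT to a LimaCharlie JWT before running this example}"

# --fail makes curl exit non-zero on HTTP 4xx/5xx so callers in scripts notice
# a rejected query instead of reading the error body as a result.
curl -s --fail -X POST \
  "https://search.limacharlie.io/v1/search" \
  -H "Authorization: Bearer $LC_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "oid": "YOUR_OID",
    "query": "event.FILE_PATH ends with .exe",
    "startTime": "'"$START"'",
    "endTime": "'"$END"'",
    "stream": "event"
  }'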
import time
from limacharlie.client import Client
from limacharlie.sdk.organization import Organization
from limacharlie.sdk.search import Search

# Placeholder credentials; real scripts should load these from the environment
# or a secret store rather than embedding them in source.
client = Client(oid="YOUR_OID", api_key="YOUR_API_KEY")
org = Organization(client)

# Query window: the last hour, expressed as unix epoch seconds.
WINDOW_SECONDS = 3600
end = int(time.time())
start = end - WINDOW_SECONDS

search = Search(org)
hits = search.execute(
    query="event.FILE_PATH ends with .exe",
    start_time=start,
    end_time=end,
    stream="event",
    limit=100,
)
for hit in hits:
    print(hit)
package main
import (
"fmt"
limacharlie "github.com/refractionPOINT/go-limacharlie/limacharlie"
)
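// main runs an LCQL query over the "event" stream for the last hour and prints
// every result. The credentials are placeholders; a real program should read
// them from the environment or a secret store rather than embedding them.
func main() {
	client, err := limacharlie.NewClient(limacharlie.ClientOptions{
		OID:    "YOUR_OID",
		APIKey: "YOUR_API_KEY",
	})
	if err != nil {
		// Example code: a real program would log the error and exit non-zero.
		panic(err)
	}
	org := limacharlie.NewOrganization(client)

	// The "-1h | * | *" prefix presumably scopes the query to the last hour
	// across all sensors and event types; confirm against the LCQL reference.
	resp, err := org.Query(limacharlie.QueryRequest{
		Query:      "-1h | * | * | event.FILE_PATH ends with '.exe'",
		Stream:     "event",
		LimitEvent: 1000,
	})
	if err != nil {
		panic(err)
	}
	for _, r := range resp.Results {
		fmt.Println(r)
	}
}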
Validate Query Syntax¶
There is no dedicated Go SDK method for query validation. Use the REST API directly.
Estimate Query Cost¶
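# Start and end times are unix epoch seconds.
# `date -d` is GNU date; on BSD/macOS use `date -v-1H +%s` for the start time.
START=$(date -d '1 hour ago' +%s)
END=$(date +%s)

# Refuse to send a request with an empty bearer token.
: "${LC_JWT:?set LC_JWT to a LimaCharlie JWT before running this example}"

# --fail makes curl exit non-zero on HTTP 4xx/5xx so a rejected query is not
# mistaken for a validation result.
curl -s --fail -X POST \
  "https://search.limacharlie.io/v1/search/validate" \
  -H "Authorization: Bearer $LC_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "oid": "YOUR_OID",
    "query": "event.FILE_PATH ends with .exe",
    "startTime": "'"$START"'",
    "endTime": "'"$END"'"
  }'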
import time
from limacharlie.client import Client
from limacharlie.sdk.organization import Organization
from limacharlie.sdk.search import Search

# Placeholder credentials; load real ones from the environment or a secret store.
client = Client(oid="YOUR_OID", api_key="YOUR_API_KEY")
org = Organization(client)

# Estimate over the last hour (unix epoch seconds).
WINDOW_SECONDS = 3600
end = int(time.time())
start = end - WINDOW_SECONDS

estimate = Search(org).estimate(
    query="event.FILE_PATH ends with .exe",
    start_time=start,
    end_time=end,
)
print(estimate)
There is no dedicated Go SDK method for query cost estimation. Use the REST API directly.
Saved Queries¶
List Saved Queries¶
package main
import (
"fmt"
limacharlie "github.com/refractionPOINT/go-limacharlie/limacharlie"
)
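// main lists the saved queries stored in the organization's "query" hive.
// The credentials are placeholders; a real program should read them from the
// environment or a secret store rather than embedding them.
func main() {
	client, err := limacharlie.NewClient(limacharlie.ClientOptions{
		OID:    "YOUR_OID",
		APIKey: "YOUR_API_KEY",
	})
	if err != nil {
		// Example code: a real program would log the error and exit non-zero.
		panic(err)
	}
	org := limacharlie.NewOrganization(client)
	hive := limacharlie.NewHiveClient(org)

	// Saved queries live in the "query" hive, partitioned by organization ID.
	queries, err := hive.List(limacharlie.HiveArgs{
		HiveName:     "query",
		PartitionKey: "YOUR_OID",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(queries)
}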
Create Saved Query¶
from limacharlie.client import Client
from limacharlie.sdk.organization import Organization
from limacharlie.sdk.hive import Hive, HiveRecord

# Placeholder credentials; load real ones from the environment or a secret store.
client = Client(oid="YOUR_OID", api_key="YOUR_API_KEY")
org = Organization(client)

# A saved query is a record in the "query" hive: the record name is the
# query's identifier and its data holds the LCQL text plus the stream it runs on.
record = HiveRecord(
    name="my-saved-query",
    data={
        "query": "event.FILE_PATH ends with .exe",
        "stream": "event",
    },
    enabled=True,
)
Hive(org, "query").set(record)
package main
import (
limacharlie "github.com/refractionPOINT/go-limacharlie/limacharlie"
)
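// main stores a saved query named "my-saved-query" in the organization's
// "query" hive. The credentials are placeholders; a real program should read
// them from the environment or a secret store rather than embedding them.
func main() {
	client, err := limacharlie.NewClient(limacharlie.ClientOptions{
		OID:    "YOUR_OID",
		APIKey: "YOUR_API_KEY",
	})
	if err != nil {
		// Example code: a real program would log the error and exit non-zero.
		panic(err)
	}
	org := limacharlie.NewOrganization(client)
	hive := limacharlie.NewHiveClient(org)

	// Enabled is a pointer so that "unset" is distinguishable from false.
	enabled := true
	if _, err := hive.Add(limacharlie.HiveArgs{
		HiveName:     "query",
		PartitionKey: "YOUR_OID",
		Key:          "my-saved-query",
		Data: limacharlie.Dict{
			"query":  "event.FILE_PATH ends with .exe",
			"stream": "event",
		},
		Enabled: &enabled,
	}); err != nil {
		// Without this check a rejected write (bad key, missing permission)
		// would go unnoticed and the query would silently not be saved.
		panic(err)
	}
}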
Run Saved Query¶
import time
from limacharlie.client import Client
from limacharlie.sdk.organization import Organization
from limacharlie.sdk.hive import Hive
from limacharlie.sdk.search import Search

# Placeholder credentials; load real ones from the environment or a secret store.
client = Client(oid="YOUR_OID", api_key="YOUR_API_KEY")
org = Organization(client)

# Fetch the saved record, then run its LCQL text over the last hour.
saved = Hive(org, "query").get("my-saved-query")
WINDOW_SECONDS = 3600
end = int(time.time())
start = end - WINDOW_SECONDS

# The stream is taken from the record when present, otherwise "event".
hits = Search(org).execute(
    query=saved.data["query"],
    start_time=start,
    end_time=end,
    stream=saved.data.get("stream", "event"),
)
for hit in hits:
    print(hit)
package main
import (
"fmt"
limacharlie "github.com/refractionPOINT/go-limacharlie/limacharlie"
)
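// main loads the saved query "my-saved-query" from the "query" hive and runs it,
// printing every result. The credentials are placeholders; a real program should
// read them from the environment or a secret store rather than embedding them.
func main() {
	client, err := limacharlie.NewClient(limacharlie.ClientOptions{
		OID:    "YOUR_OID",
		APIKey: "YOUR_API_KEY",
	})
	if err != nil {
		// Example code: a real program would log the error and exit non-zero.
		panic(err)
	}
	org := limacharlie.NewOrganization(client)
	hive := limacharlie.NewHiveClient(org)

	saved, err := hive.Get(limacharlie.HiveArgs{
		HiveName:     "query",
		PartitionKey: "YOUR_OID",
		Key:          "my-saved-query",
	})
	if err != nil {
		panic(err)
	}

	// Use the checked form of the type assertion: a record with no "query"
	// field, or one that is not a string, would otherwise panic with an
	// unhelpful interface-conversion message.
	query, ok := saved.Data["query"].(string)
	if !ok || query == "" {
		panic(`saved record has no "query" string`)
	}

	// Honor the stream stored with the saved query and fall back to "event",
	// mirroring the Python example rather than hard-coding the stream.
	stream := "event"
	if s, ok := saved.Data["stream"].(string); ok && s != "" {
		stream = s
	}

	resp, err := org.Query(limacharlie.QueryRequest{
		Query:  query,
		Stream: stream,
	})
	if err != nil {
		panic(err)
	}
	for _, r := range resp.Results {
		fmt.Println(r)
	}
}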
Delete Saved Query¶
package main
import (
limacharlie "github.com/refractionPOINT/go-limacharlie/limacharlie"
)
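// main deletes the saved query "my-saved-query" from the organization's
// "query" hive. The credentials are placeholders; a real program should read
// them from the environment or a secret store rather than embedding them.
func main() {
	client, err := limacharlie.NewClient(limacharlie.ClientOptions{
		OID:    "YOUR_OID",
		APIKey: "YOUR_API_KEY",
	})
	if err != nil {
		// Example code: a real program would log the error and exit non-zero.
		panic(err)
	}
	org := limacharlie.NewOrganization(client)
	hive := limacharlie.NewHiveClient(org)

	if _, err := hive.Remove(limacharlie.HiveArgs{
		HiveName:     "query",
		PartitionKey: "YOUR_OID",
		Key:          "my-saved-query",
	}); err != nil {
		// A failed delete (missing key, insufficient permission) must not be
		// silently dropped, or the caller will believe the record is gone.
		panic(err)
	}
}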