User Guide
Developer Documentation
Integrations
Release Notes

Veza Query Language

Early Access: VQL is currently provided in Early Access, and we're excited for your feedback on what we hope will be a major stride forward for ease of use and flexibility for Veza search. Please contact our support team to enable the feature, and reach out with your input and questions.

Overview

Veza Query Language (VQL) is a powerful and flexible language designed for querying Veza's Identity Graph. It supplements the original Query Builder interface and Assessment Query API, and implements familiar SQL-like conventions for specifying source and destination entities, filters, and other query parameters.

VQL expressions aim to be intuitive and close to natural language, providing a bridge between everyday speech and the full functionality of Veza graph search. With VQL, you can construct complex queries to explore relationships, filter entities based on attributes, and analyze permissions within your identity and access data.

You can use VQL to:

  • Apply filters using a range of operators to refine your search results.

  • Query relationships between entities, including intermediate node requirements.

  • Customize how results appear by including destination nodes and path summaries.

  • Search by system permissions and effective permissions for full visibility into access and entitlements.

VQL queries follow consistent patterns for different types of operations:

-- Basic entity query
SHOW <entity_type>;

-- Query with filters
SHOW <entity_type>
WHERE <property>[operator]<value>;

-- Relationship query
SHOW <entity_type>
RELATED TO <entity_type>;

-- Complex query with multiple conditions
SHOW <entity_type>
WHERE <condition1> AND <condition2>
RELATED TO <entity_type>
WITH PATH <entity_type>
RESULT INCLUDE DESTINATION NODES;

Getting Started

To begin using VQL, first familiarize yourself with its basic syntax and components. A VQL query starts with a SHOW statement specifying the source entities.

Example:

SHOW S3Bucket;

This query retrieves all AWS S3 Buckets discovered by Veza.

You can then extend your queries by adding filters, relationships, and other options.

Example with Filters and Relationships:

SHOW AwsIamUser
WHERE is_active = true
RELATED TO S3Bucket
RESULT INCLUDE DESTINATION NODES;

This query retrieves all active AWS IAM Users and shows the S3 Buckets they are related to.

To learn more about how Veza search concepts can be expressed with VQL, see the examples queries below and the Quick Start Guide.

Concepts and Syntax

VQL queries are composed of several key elements:

  • Source Nodes: The entities you want to retrieve (e.g., AwsIamUser, S3Bucket).

  • Filters: Conditions applied to source or destination nodes in the WHERE clause.

  • Relationships: Related entity requirements, specified in the RELATED TO clause.

  • Intermediate Nodes: Include or exclude results with certain nodes in the path using WITH PATH or NOT WITH PATH.

  • Result Options: Customize the output to INCLUDE DESTINATION NODES or INCLUDE PATH SUMMARY.

  • Query Options: Additional options for query execution, such as filtering by over-provisioned score.

Basic query structure:

SHOW [SourceNodeSpec]
[ [NOT] RELATED TO [DestinationNodeSpec]]
[WHERE (filter conditions)]
[WITH | NOT WITH] PATH [IntermediateNodeSpec]
HAVING [ ENTITY_RESULT_COUNT | PERCENTAGE_OF_TOTAL_COUNT] [>|>=<|<=|!=] <numeric_value> ]
[RESULT INCLUDE [DESTINATION NODES | DESTINATION NODE COUNT | PATH SUMMARY]]
[WITH QUERY OPTIONS (options)];

VQL supports a variety of operators for filters, including:

  • Comparison Operators: =, !=, <, >, <=, >=

  • String Operators: STARTS_WITH, ENDS_WITH, CONTAINS, REGEX

  • List Operators: IN, LIST_CONTAINS, LIST_ANY_ELEMENT_EQ

  • Logical Operators: AND, OR

  • Date/Time Operators: created_at < CURRENT_DATE - 30, created_at < 2023-10-05 14:30:00.123

For details on operators and their usage, see VQL Syntax.

Example Queries

Query All S3 Buckets

Retrieve all AWS S3 Buckets:

SHOW S3Bucket;

Query IAM Users Related to S3 Buckets

List all AWS IAM Users who have access to S3 Buckets:

SHOW AwsIamUser
RELATED TO S3Bucket;

Apply Attribute Filters

List active AWS IAM Users in the Engineering department:

SHOW OktaUser
WHERE is_active = true AND department = 'Engineering';

Include Destination Nodes

Show AWS IAM Users and the S3 Buckets they can access:

SHOW AwsIamUser
RELATED TO S3Bucket
RESULT INCLUDE DESTINATION NODES;

Use Path Requirements

Find AWS IAM Users connected to S3 Buckets via an IAM Role:

SHOW AwsIamUser
RELATED TO S3Bucket
WITH PATH AwsIamRole;

Exclude Specific Paths

Find AWS IAM Users related to S3 Buckets but not through an IAM Group:

SHOW AwsIamUser
RELATED TO S3Bucket
NOT WITH PATH AwsIamRole;

Filter by Over-Provisioned Score

Retrieve AWS IAM Roles with an over-provisioned score greater than 85:

SHOW AwsIamRole
RELATED TO S3Bucket
WITH query options (over_provisioned_score > 85);

Filter by Related Entity Count

Find AWS IAM Users who have access to more than 10 S3 Buckets:

SHOW AwsIamUser
RELATED TO S3Bucket
HAVING entity_result_count > 10;

Query Using Time Functions

Retrieve users who have logged in within the last 30 days:

SHOW OktaUser
WHERE last_login_at >= CURRENT_DATE - 30;

Resources

To learn more about VQL capabilities, see the following resources:

PreviousAssumed AWS IAM RolesNextQuick Start

Last updated