VQL API

Overview

You can programmatically execute Veza Query Language (VQL) queries through Veza's Assessment Query API. This interface allows you to run VQL queries against Veza's Access Graph and retrieve results using standard REST API calls.

VQL vs. Traditional Approaches

VQL offers a simplified way to interact with Veza's Assessment Query APIs, enabling:

• Automated compliance monitoring

• Cross-platform integration

• Custom investigation and reporting tools built on top of the Veza graph

While Veza's traditional JSON-based interfaces provide robust programmatic functionality, they are developer-focused and require detailed specification of all query components. VQL, with its SQL-like syntax, is more accessible to security practitioners who may already be familiar with similar query languages.

Example Comparison

Here's how the same query appears in both formats:

Traditional JSON Format:

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AwsIamUser",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "is_active",
              "value": true
            }
          ]
        }
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "S3Bucket"
      }
    ]
  }
}

Equivalent VQL:

SHOW AwsIamUser WHERE is_active = true RELATED_TO S3Bucket

VQL's concise syntax makes queries easier to write, review, and troubleshoot while maintaining the power of Veza's assessment capabilities.

Requirements

To use the VQL API, you will need:

• A valid API token. For details on obtaining and using API tokens, see Authentication.

• Basic understanding of VQL syntax (see VQL Syntax)

• VQL features enabled in your Veza instance

API Endpoints

The VQL API provides two primary endpoints for retrieving query results: Get Query Results (Count) and Get Query Results (Nodes).

Get Query Results (Count)

This endpoint retrieves result counts for a VQL query. These queries can execute faster and are optimal for metrics, reporting, and dashboard use cases where you need the total count rather than detailed node information.

Get Query Results (Nodes)

The vql:nodes endpoint retrieves detailed results for VQL queries, showing source nodes, their properties, and access relationship information. This format is useful for security analysis, access reviews, and permission auditing.

Example Request

POST /api/v1/assessments/vql:nodes
{
  "query": "SHOW OktaUser WHERE is_active = true RELATED TO S3Bucket RESULT INCLUDE DESTINATION NODES LIMIT 50;"
}

This example asks: "Show me all active Okta users who have access to AWS S3 buckets, include details about those buckets, and limit results to 50 entries."

Understanding the API Response

When you send a VQL query, Veza returns a structured JSON response with results based on the latest graph data. The response contains:

• Path Values: Each entry represents a connection between a source and destination node

• Source: Details about the source node, including properties and risk level

• Permissions: Both high-level ("abstract") permissions and specific ("concrete") permissions

• Destination: Information about the destination node the source can access

Example Response

{
  "path_values": [
    {
      "source": {
        "id": "00u5pqrs7xyP9uvw30z9",
        "type": "OktaUser",
        "properties": {
          "email": "[email protected]",
          "name": "[email protected]",
          "first_name": "John",
          "last_name": "Smith",
          "is_active": true,
          "identity_type": "HUMAN"
        },
        "risk_level": "CRITICAL"
      },
      "abstract_permissions": [
        "MetadataRead"
      ],
      "concrete_permissions": [
        "s3:ListBucket"
      ],
      "destination": {
        "id": "arn:aws:s3:::aws-cloudtrail-logs-123456789012-abcdef12",
        "type": "S3Bucket",
        "properties": {
          "name": "aws-cloudtrail-logs-123456789012-abcdef12",
          "region": "us-east-1",
          "block_public_access_enabled": true
        },
        "risk_level": "LOW"
      }
    }
  ],
  "cursor": "eyJsaW1pdCI6NTAsInN0YXJ0IjpbInNlcV9pZP...",
  "has_more": true
}

Pagination

For queries that return large result sets, use pagination to retrieve results in manageable chunks using the LIMIT and AFTER CURSOR keywords in your VQL query:

1. Make an initial request with a specified limit (e.g., LIMIT 50)

2. Check if has_more is true in the response

3. If more results exist, make subsequent requests using the cursor token from the previous response with AFTER CURSOR 'token'

Example initial request:

{
  "query": "SHOW SnowflakeUser RELATED TO SnowflakeTable WITH EFFECTIVE PERMISSIONS = ANY ('DATA_DELETE') LIMIT 50;"
}

For subsequent requests, use the cursor token from the previous response:

{
  "query": "SHOW SnowflakeUser RELATED TO SnowflakeTable WITH EFFECTIVE PERMISSIONS = ANY ('DATA_DELETE') AFTER CURSOR 'elcl9uYW1lIjoicjJkMiJ9fQ==' LIMIT 50;"
}

Related Documentation

• VQL Syntax Reference - Complete documentation of VQL query syntax

• VQL Quick Start Guide - Examples and usage patterns

• Assessment Query API Overview - General information about the Assessment Query API