Explore & VSS Query Language

Last updated on August 06, 2020

General Overview

VMware Secure State provides a state-of-the-art cloud security evaluation capability – Explore – that enables effective contextual search, visualization, and investigation of hidden cloud security risks. Combined with an expressive cloud-specific language called VMware Secure State Query Language (VQL) that models multi-cloud architecture, Explore can be used to clearly visualize and understand even the most topologically complex cloud environments. Users can now discover previously invisible security insights about their connected cloud assets. Furthermore, users can harness this incredible power of Explore to create their own custom rules suitable for their business needs. This document provides a walkthrough of the Explore UI, an introduction to the query language with example use cases, and best practices for using Explore to define Custom Rules.

Explore Walkthrough

The Explore page in the Secure State portal provides users the ability to easily search for cloud assets and metadata, investigate relationships between these configured resources, correlate security findings, and search for suspicious activity. Here’s how to get started with using Explore:

  1. First, logon to Secure State and choose Explore from the main navigation in the UI.

  2. Next, choose a Cloud Account that you’d like to start exploring the architecture for. Disabled and draft accounts will not be available in this list.

  3. Next, create an Explore query using VQL. Once you begin typing, an auto-complete dropdown will appear displaying all the supported values. A green tick box will appear to indicate the validity of the query. Try the below query example db_instance that returns all the database instances in the selected account.

  4. Next, view the results of the exploration query. On the righthand pane, you can find metadata and activity logs of the assets in the Graph view. You can click and inspect different assets to better understand your cloud environment.

  5. Finally, you can use your query to create a custom rule. By clicking on the options icon to the right of Run, you can begin converting your Explore query into a custom rule. For example, the query below can be used for a rule to find all database instances within the “us-east-1” region.

VMware Secure State Query Language

Overview

The VMware Secure State Query Language (VQL) expresses the multi-cloud asset relationships as a graph model, enabling retrieval of connected topological configurations through simple queries.

Terminology & Syntax

The VQL represents each asset in your multi-cloud infrastructure as a node type, and each node type is made up of a set of properties that represent the asset’s settings.

The following operators are supported for a node type:

A Property Statement is comprised of a node property, a relational operator, and a node property value.  The following operators are supported for node properties.

Examples

Even some of the most complex questions about your cloud configuration can be easily answered through the Explore VQL. For example, to find all the EC2 instances that can be accessed through a specific key-pair, you can quickly search like below.

Some other useful examples that you can use to get started are the following:

Best Practices

We recommend that you follow some of these best practices to extract the most value out of Explore, VQL, and custom rules.

  • No circular referencing: In certain cases, the VQL auto-complete might suggest users to reference back one of the nodes previously used in the query, but those queries are invalid and unsupported.

  • Avoid open-ended Custom Rules: When describing custom rules as queries, it is recommended to scope queries as much as possible with the use of HAS operators, especially in the case of a large environment, in order to generate only relevant violations and avoid noise. The added computation load to evaluate open-ended queries might slow down the VSS experience for the organization.

Conclusion

The Explore VQL provides a revolutionary way to effectively search, visualize, and investigate cloud security vulnerabilities in an increasingly complex multi-cloud world.