Smart Classes
Smart Classes are a mechanism to annotate assets with additional business and technical context, enabling you to enhance your IT management and security use cases. Some intended use cases for Smart Classes include annotating assets with:
- Criticality levels and business impact
- Accessibility information, such as whether they are publicly accessible
- SLAs, RPO, RTO, and other risk tracking metrics
Once assets have been assigned to a Smart Class, you can update your queries to filter on Smart Classes. This allows you to be more granular with the assets that form part of your posture management program, apply compliance control tests to a subset of all organizational assets, or use Smart Classes to inform your risk-based vulnerability management program.
Defining Smart Classes
Smart Classes are queryable by the name you provide them, which means you cannot change the name once set.
Smart Classes are evaluated when their configuration changes and then daily thereafter. You can manually click the Evaluate Now button under the Smart Class page if you need a one-off evaluation.
To access Smart Classes, navigate to the Assets application within JupiterOne. In the left-hand navbar you will find a Smart Classes sub-menu. Click on All Smart Classes and then click on New Smart Class. Give the Smart Class a name and detailed description. The choice of name is important as it defines how you refer to the Smart Class and you won't be able to change it. Once set, click Create.
Next you will need to add the queries that power the Smart Class. Click New query and then provide a description as well as the query for the Smart Class. Click Run Query and confirm the query is returning the results you expect before clicking Create. You can add up to 5 queries per Smart Class, if you need to annotate more data, it is suggested to write broader queries that cover multiple subsets.
Finally, add any other tags to power the use cases you are interested in. Examples of tags that could be useful could be businessImpact, RPO, owner, SLAs. Special tags that unlock further JupiterOne functionality are:
businessImpact- used to prioritise findings as part of our CTEM offeringattackPathTarget- used to build attack paths as part of our CTEM offeringowner- used to build relationships to the owner entities
Querying Smart Classes
Smart classes should be considered as a subgraph of your entire graph that only contains entities with additional context captured in the smart class. The additional context can be business-related, like asset criticality or owner group, or technical, like whether the assets are EOL or publicly accessible. When building your posture management, vulnerability management, or compliance use cases, you can use the following query patterns to only query for assets that are in your smart class.
Using Smart Class Instance
The first way to query smart classes is by directly referring to the smart class. Smart classes are queryable by using the hash character before the name of the smart class. Some example queries that follow this pattern include:
FIND #Sev1FIND Finding THAT HAS #Sev1
Using Smart Classes as a Filter
Beyond directly referencing the smart class as in the above example, it is also possible to use the smart class as a filter. For example, if you are only interested in your DataStores with a certain criticality, you could use the following queries:
FIND #Sev1 DataStoreFIND AccessRole THAT ALLOWS #Sev1 aws_s3_bucket
Using Smart Class Tags
Finally, smart classes can also be referenced by using tags. This is helpful if you want to find entities that belong to multiple smart classes. For example, if you want to find public entities that belong to a certain severity level, you can run the following queries:
FIND DataStore WITH tag.Sev1=true AND tag.Public=true