These examples, and same with all packaged queries provided in the JupiterOne web apps, are constructed in a way to de-emphasize the query keywords (they are case insensitive) but rather to highlight the relationships—the operational context and significance of each query.
Find any entity that is unencrypted
Find * with encrypted = false
Find all entities of class DataStore that are unencrypted
Find DataStore with encrypted = false
Find all entities of type aws_ebs_volume that are unencrypted
Find aws_ebs_volume with encrypted = false
Query with relationships
Return just the Firewall entities that protects public-facing hosts
Find Firewall that PROTECTS Host with public = true
Return Firewall and Host entities that matched query
Find Firewall as f that PROTECTS Host with public = true as h RETURN f, h
Return all the entities and relationships that were traversed as a tree
Find Firewall that PROTECTS Host with public = true RETURN tree
Find any and all entities with "127.0.0.1" in some property value
The FIND keyword is optional
Find all hosts that have "127.0.0.1" in some property value
Find "127.0.0.1" with _class='Host'
More complex queries
Find critical data stored outside of production environments.
This assumes you have the appropriate tags (Classification and Production) on your entities.
Find DataStore with tag.Classification='critical'
that HAS * with tag.Production='false'
Find all users and their devices without the required endpoint protection agent installed:
Find Person that has Device that !protects HostAgent
Find incorrectly tagged resources in AWS:
Find * as r
that RELATES TO Service
that RELATES TO aws_account
where r.tag.AccountName != r.tag.Environment
If your users sign on to AWS via single sign on, you can find out who has access to those AWS accounts via SSO:
Find User as U
that ASSIGNED Application as App
that CONNECTS aws_account as AWS
U.displayName as User,
App.tag.AccountName as IdP,
App.displayName as ssoApplication,
App.signOnMode as signOnMode,
AWS.name as awsAccount