Basic queries
These examples, like all packaged queries provided in the JupiterOne web apps, are written to de-emphasize the query keywords (which are case insensitive) and to highlight the relationships instead: the operational context and significance of each query.
Simple Examples
Find any entity that is unencrypted
FIND * WITH encrypted = false
Find all entities of class DataStore that are unencrypted
FIND DataStore WITH encrypted = false
Find all entities of type aws_ebs_volume that are unencrypted
FIND aws_ebs_volume WITH encrypted = false
Query with relationships
Return just the Firewall entities that protect public-facing hosts
FIND Firewall
THAT PROTECTS Host WITH public = true
Return the Firewall and Host entities that matched the query
FIND Firewall AS f
THAT PROTECTS Host WITH public = true AS h
RETURN f, h
Return all the entities and relationships that were traversed as a tree
FIND Firewall
THAT PROTECTS Host WITH public = true
RETURN tree
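The three queries above match the same traversal and differ only in what they return. The Python sketch below is an added example, not JupiterOne code or part of the original page: it models that one-hop traversal over a constructed in-memory graph to show the shape of each result. All entity names and the helper functions are hypothetical.

```python
# Constructed sample graph: entity names and properties are made up for illustration.
ENTITIES = {
    "fw-edge": {"_class": "Firewall"},
    "fw-internal": {"_class": "Firewall"},
    "web-1": {"_class": "Host", "public": True},
    "web-2": {"_class": "Host", "public": True},
    "db-1": {"_class": "Host", "public": False},
}
# Relationships as (from, verb, to) triples.
RELATIONSHIPS = [
    ("fw-edge", "PROTECTS", "web-1"),
    ("fw-edge", "PROTECTS", "web-2"),
    ("fw-internal", "PROTECTS", "db-1"),
]


def traverse(src_class, verb, dst_class, **dst_filter):
    """Yield (source, edge, target) for every matching one-hop traversal."""
    for edge in RELATIONSHIPS:
        src, rel, dst = edge
        if rel != verb:
            continue
        if ENTITIES[src]["_class"] != src_class or ENTITIES[dst]["_class"] != dst_class:
            continue
        if all(ENTITIES[dst].get(k) == v for k, v in dst_filter.items()):
            yield src, edge, dst


def find_root_only(*args, **kw):
    """Models FIND Firewall THAT PROTECTS Host WITH public = true: root entities only."""
    return sorted({src for src, _, _ in traverse(*args, **kw)})


def return_aliases(*args, **kw):
    """Models ... AS f ... AS h RETURN f, h: one row per matched (f, h) pair."""
    return sorted((src, dst) for src, _, dst in traverse(*args, **kw))


def return_tree(*args, **kw):
    """Models ... RETURN tree: every entity and relationship that was traversed."""
    hits = list(traverse(*args, **kw))
    vertices = sorted({n for src, _, dst in hits for n in (src, dst)})
    return {"vertices": vertices, "edges": sorted(edge for _, edge, _ in hits)}


QUERY = ("Firewall", "PROTECTS", "Host")
print(find_root_only(*QUERY, public=True))
print(return_aliases(*QUERY, public=True))
print(return_tree(*QUERY, public=True))
```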
Full-text search
Find any and all entities with "127.0.0.1" in some property value
FIND "127.0.0.1"
The FIND keyword is optional
"127.0.0.1"
Find all hosts that have "127.0.0.1" in some property value
FIND "127.0.0.1" WITH _class='Host'
More complex queries
Find critical data stored outside of production environments.
This assumes you have the appropriate tags (Classification and Production) on your entities.
FIND DataStore WITH tag.Classification = "critical"
THAT HAS * WITH tag.Production = "false"
Find all users and their devices without the required endpoint protection agent installed:
FIND Person
THAT HAS Device
THAT !PROTECTS HostAgent
Find incorrectly tagged resources in AWS:
FIND * AS r
THAT RELATES TO Service
THAT RELATES TO aws_account
WHERE r.tag.AccountName != r.tag.Environment
If your users sign on to AWS via single sign on, you can find out who has access to those AWS accounts via SSO:
FIND User AS u
THAT ASSIGNED Application AS app
THAT CONNECTS aws_account AS aws
RETURN u.displayName as User, app.tag.AccountName as IdP, app.displayName as ssoApplication,
app.signOnMode as signOnMode, aws.name as awsAccount