Query Resources Without Specific Tags - AskJ1 Community
<main> <article class="userContent"> <p>Tagging is highly recommended for resources in cloud environments such as AWS, Azure, and GCP. For example, it is common to use tags to track <code class="code codeInline" spellcheck="false" tabindex="0">cost-center</code> or <code class="code codeInline" spellcheck="false" tabindex="0">project</code>. It is also recommended to assign a <code class="code codeInline" spellcheck="false" tabindex="0">classification</code> tag to all databases and data stores (e.g. buckets, blobs, disks).</p> <h2 data-id="tl-dr">TL;DR</h2> <p>Use this example query:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Host|Function|DataStore) with [tag.cost-center] = undefined </pre> <h2 data-id="more-detailed-walk-through">More detailed walk-through</h2> <p><strong>To find resources that do <em>not</em> have a certain tag, do the following:</strong></p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find * with _integrationType = 'aws' and tag.project = undefined </pre> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">In the query above, <code class="code codeInline" spellcheck="false" tabindex="0">undefined</code> means the property does not exist on the entity, and <code class="code codeInline" spellcheck="false" tabindex="0">_integrationType = 'aws'</code> restricts the results to resources from AWS.
Change it to <code class="code codeInline" spellcheck="false" tabindex="0">azure</code> or something else as appropriate.</p> </div></blockquote> <p><strong>For tags with special characters such as <code class="code codeInline" spellcheck="false" tabindex="0">-</code>, use <code class="code codeInline" spellcheck="false" tabindex="0">[ ]</code> around the tag property:</strong></p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find * with _integrationType = 'aws' and [tag.cost-center] = undefined </pre> <p><strong>Why not just use <code class="code codeInline" spellcheck="false" tabindex="0">Find *</code> to cover everything?</strong></p> <p><code class="code codeInline" spellcheck="false" tabindex="0">Find *</code> searches across all resources, including all integrations, mapped entities, and those pushed via API or created via the UI. This returns <em>many</em> false positives and makes the query slow.</p> <p><strong>More fine-tuning to reduce noise:</strong></p> <p>Many entities such as <code class="code codeInline" spellcheck="false" tabindex="0">Account</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Service</code>, <code class="code codeInline" spellcheck="false" tabindex="0">AccessPolicy</code> (e.g. <code class="code codeInline" spellcheck="false" tabindex="0">aws_iam_policy</code>) etc. will likely not have these custom tags applied, so even querying with <code class="code codeInline" spellcheck="false" tabindex="0">_integrationType = 'aws'</code> will generate some noise. However, it would be painful to write a query for each resource type, since there could be 100 of them!</p> <p>This is where the <code class="code codeInline" spellcheck="false" tabindex="0">class</code> and combination syntax in the query becomes extremely helpful.
For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Host|Function|DataStore) with [tag.cost-center] = undefined </pre> <p>Still a single query, without the noise. The three classes <code class="code codeInline" spellcheck="false" tabindex="0">Host</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Function</code>, and <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code> include a couple dozen types and also cover resources of those classes that you are not using today but may start using in the future. You can add additional classes to the query as needed.</p> </article> </main>
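Added example (not part of the original post and not JupiterOne code): a Python helper that generates one missing-tag query per required tag, applying the `[ ]` rule and the class-combination syntax from the walk-through, and rejecting names that could alter the query. The `POLICY` mapping, the function names, and the rule for which tag keys can be written without brackets are assumptions made for this example.

```python
import re

# Assumption: keys made of letters, digits and underscores can be written
# bare (tag.project); any other character, such as "-", needs the [ ] form.
_BARE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_CLASS = re.compile(r"[A-Z][A-Za-z0-9]*")          # Host, Function, DataStore
_INTEGRATION = re.compile(r"[a-z][a-z0-9_-]*")     # 'aws', 'azure'
_UNSAFE = re.compile(r"[\[\]'\"\s]")               # would break out of [tag.x]


def tag_property(key):
    """Return the J1QL property reference for a tag key."""
    if not key or _UNSAFE.search(key):
        raise ValueError(f"unsupported tag key: {key!r}")
    return f"tag.{key}" if _BARE_KEY.fullmatch(key) else f"[tag.{key}]"


def missing_tag_query(classes, tag_key, integration_type=None):
    """Build one 'Find ... with <tag> = undefined' query."""
    classes = list(classes)
    if not classes:
        raise ValueError("name at least one class instead of using Find *")
    for name in classes:
        if not _CLASS.fullmatch(name):
            raise ValueError(f"not a class name: {name!r}")
    target = classes[0] if len(classes) == 1 else "(" + "|".join(classes) + ")"
    filters = []
    if integration_type is not None:
        if not _INTEGRATION.fullmatch(integration_type):
            raise ValueError(f"bad integration type: {integration_type!r}")
        filters.append(f"_integrationType = '{integration_type}'")
    filters.append(f"{tag_property(tag_key)} = undefined")
    return f"Find {target} with " + " and ".join(filters)


# Constructed tag policy for this example: required tag -> classes it applies to.
POLICY = {
    "cost-center": ["Host", "Function", "DataStore"],
    "project": ["Host", "Function", "DataStore"],
    "classification": ["DataStore"],
}


def policy_queries(policy=POLICY, integration_type=None):
    """Return {tag: query}, one query per required tag."""
    return {tag: missing_tag_query(classes, tag, integration_type)
            for tag, classes in policy.items()}
```

Each returned string can be pasted into the query bar or saved as a recurring check, so every required tag gets its own result set.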