Get Started with the J1 Dashboard - AskJ1 Community
<main> <article class="userContent"> <p>From the J1 Dashboard, you can quickly search and gain insight across your entire digital environment integrated with JupiterOne. There are three modes of search:</p> <ul><li><strong>Ask questions</strong> - you can enter any keywords to search across all packaged and saved questions.</li> <li><strong>Full-text search</strong> - an easy way to search across all assets based on their property values.</li> <li><strong>JupiterOne query language (J1QL)</strong> is best for detailed querying of assets and relationships.</li> </ul><p><strong>Note</strong>: For performance reasons, search results are limited to a maximum of 250 items. If you believe something is missing from a large result set, try fine-tuning the query to generate more precise results.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/6MH08CE1YEJ6/search-home.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <h2 data-id="ask-questions">Ask Questions</h2> <p>Enter any keyword or combination of keywords such as these (without quotation marks):</p> <ul><li>compliance</li> <li>access</li> <li>traffic</li> <li>ssh</li> <li>data encrypted</li> <li>production</li> </ul><p>Or ask a question like:</p> <ul><li>Who are my vendors?</li> <li>What lambda functions do I have in AWS?</li> <li>What is connected to the Internet?</li> <li>Who has access to ...?</li> </ul><h2 data-id="question-results">Question Results</h2> <p>After you enter your question, a data table displays the results. Click any of the assets in the _displayName column to open the detailed properties side panel. 
You can toggle results in four different display modes: <strong>Table</strong>, <strong>Graph</strong>, <strong>Raw JSON</strong>, or <strong>Pretty JSON</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/B64D5DO28L5J/questions-data-table.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>Use the icons in the top right of the data table to save the question, add the results to a <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/812-getting-started-with-insights-dashboards">J1 Insights dashboard</a>, create an alert based on the results, share the results, copy the query to the clipboard, and download the results.</p> <h2 data-id="j1-questions-library">J1 Questions Library</h2> <p>The J1 Questions Library contains managed, prebuilt questions. You can duplicate any of these questions to customize it to your specific requirements. Click any question and the detailed properties side panel opens. Click the <img src="https://us.v-cdn.net/6035534/uploads/2Z0XGKISQO3Z/assets-more.png" alt="" class="embedImage-img importedEmbed-img"></img> menu and select <strong>Duplicate</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/V467UY4DHXGS/questions-library-duplicate.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>In the Duplicate Question window, edit any of the fields, add tags, or modify the query. In addition, you can edit the compliance mappings. 
When you map a framework and compliance requirement to a question, the next time that framework is imported, the question is added to the requirement.</p> <p>By default, J1 adds <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1154-adding-compliance-frameworks">compliance frameworks</a> to which your question is mapped.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/3A4ROWVCZ6RL/questions-duplicate.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>For each of the mapped frameworks, you can add compliance requirement and control mappings. Click the <strong>Propagate changes to existing compliance frameworks</strong> checkbox if you want to apply your edits to existing frameworks.</p> <p>You can edit any question to enable daily polling on this question and see a trend chart in the results the next time you run the question. If you duplicate a question that has the option selected to enable daily trend collection, the historical data that populated the existing question is not removed. However, going forward, all the new data is populated by the new or modified query.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/M9BTJKPLPBKX/time-trend-chart.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p><strong>Note</strong>: If you are editing the query, do not use <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">count()</code> because the daily polling counts the number of results (rows). Using <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">count()</code> results in a single count of 1.</p> <h2 data-id="full-text-search">Full-Text Search</h2> <p>Put your keywords in quotation marks (for example, "keyword") to start a full-text search. Or simply enter your keywords and press <strong>Enter</strong>. 
For example:</p> <ul><li>"sg-123ab45c" finds an AWS EC2 security group with that group ID.</li> <li>"Charlie" finds a person and/or user with that first name, and potentially other resources related to that person/user.</li> <li>"jupiterone database" finds database entities with property values that include the keyword "jupiterone".</li> </ul><h2 data-id="jupiterone-query-language-j1ql">JupiterOne Query Language (J1QL)</h2> <p>You can use the JupiterOne Query Language (J1QL) to search for anything across all of your entities and relationships.</p> <p>The basic query structure is:</p> <ul><li><p>Start with an asset:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">FIND {class or type of an asset}</code></p></li> <li><p>Optionally, add some property filters:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WITH {property}={value} AND|OR {property}={value}</code></p></li> <li><p>Get its relationships:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">THAT {relationship_verb}|RELATES TO {class/type of another asset}</code></p></li> </ul><p>For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND * WITH tag.Production='true' </pre> <p>The wildcard <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">*</code> includes everything.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND User THAT IS Person </pre> <p>If you do not know the exact relationship, you can just use the keyword <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RELATES TO</code> to cover any or all relationships:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND User THAT RELATES TO Person </pre> <p>You can give an asset or relationship an alias with <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">AS {something}</code>. 
You can then use the alias in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WHERE</code> for additional filtering or comparison, or in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RETURN</code> for returning specific properties.</p> <p>For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND Firewall AS fw
  THAT ALLOWS AS rule (Network|Host) AS n
WHERE rule.ingress=true and rule.fromPort=22
RETURN
  fw._type, fw.displayName, fw.tag.AccountName,
  n._type, n.displayName, n.tag.AccountName
</pre> <p>The query language is case-insensitive except for the following:</p> <ul><li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">TitleCase</code> asset keywords after <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find</code> and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{relationship verb}</code> search for entities of that class (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CodeRepo</code>).</li> <li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">lowercase</code> asset keywords after <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find</code> and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{relationship verb}</code> search for assets of that type. 
An asset type with more than one word is generally in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">snake_case</code> (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">github_repo</code>).</li> <li>Asset property names and values, and alias names defined as part of the query, are case-sensitive.</li> </ul><p>Read the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/844-jupiterone-query-language-tutorial">J1QL query tutorial</a> and the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/980-introduction-to-jupiterone-query-language-j1ql">complete J1QL documentation</a> for more advanced examples.</p> <h2 data-id="combining-full-text-search-with-j1ql">Combining Full-Text Search with J1QL</h2> <p>You can also start with a full text search and then use J1QL to further filter the results from the initial search. For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find "Administrator" with _class='AccessPolicy' that ASSIGNED (User|AccessRole) </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'security officer' with _type='employee' </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'roles responsibilities' with _class=('Policy' or 'Procedure') </pre> <p><strong>Note</strong>: Either single quotes (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">'</code>) or double quotes (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">"</code>) work for both full-text search keywords and property string values.</p> </article> </main>
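The case rules in the J1QL section above, as an added example (not JupiterOne code and not part of the original page): a small Python check that lists every asset reference in a query and labels it as a class search, a type search, a full-text term, or unclear, so a saved question does not silently search by type when a class was intended. The function names and the regex-based parsing are assumptions for illustration and cover only the query forms shown on this page.

```python
import re

# One asset reference: wildcard, quoted full-text term, (A|B) group, or keyword.
_TARGET = r"""(\*|"[^"]*"|'[^']*'|\([^)]*\)|[A-Za-z_]\w*)"""
# Quoted property values are consumed first so words inside them are ignored.
# Asset references follow FIND, or THAT {verb} with an optional AS alias.
_REFS = re.compile(
    r"""'[^']*'|"[^"]*"|\bfind\s+""" + _TARGET
    + r"|\bthat\s+(?:relates\s+to|\w+)\s+(?:as\s+\w+\s+)?" + _TARGET,
    re.IGNORECASE,
)


def _kind(word):
    """Label one reference using the case rules stated on the page."""
    if word == "*":
        return "all"
    if word[0] in "'\"":
        return "full-text"
    if re.fullmatch(r"[a-z][a-z0-9]*(_[a-z0-9]+)*", word):
        return "type"    # lowercase / snake_case, e.g. github_repo
    if re.fullmatch(r"([A-Z][a-z0-9]+)+", word):
        return "class"   # TitleCase, e.g. CodeRepo
    return "unclear"     # matches neither convention; review by hand


def asset_references(query):
    """Return (reference, kind) pairs for every asset reference in a query."""
    refs = []
    for m in _REFS.finditer(query):
        target = m.group(1) or m.group(2)
        if not target:
            continue  # quoted property value, not an asset reference
        words = target[1:-1].split("|") if target[0] == "(" else [target]
        refs += [(w.strip(), _kind(w.strip())) for w in words if w.strip()]
    return refs


if __name__ == "__main__":
    # The first two queries are from this page; the third is constructed.
    for q in (
        "FIND Firewall AS fw THAT ALLOWS AS rule (Network|Host) AS n",
        "Find \"Administrator\" with _class='AccessPolicy' that ASSIGNED (User|AccessRole)",
        "find github_repo that relates to CODEREPO",
    ):
        print(q, "->", asset_references(q))
```
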