Identity, People and Privileged access - AskJ1 Community
<main> <article class="userContent">
<p><em>Most of these queries depend on proper mapping of custom properties or profile attributes from your HR system or identity provider to the Person/employee entities.</em></p>
<h2 data-id="who-are-the-new-hires-within-the-last-12-months">Who are the new hires within the last 12 months?</h2>
<p>If you have been using JupiterOne for more than a year:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with _createdOn > date.now-12months</pre>
<p>If your employee data source / user identity provider is Okta:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find okta_user with created > date.now-12months</pre>
<h2 data-id="who-are-the-contractors">Who are the contractors?</h2>
<p><em>Requires mapping from your HR system or IdP to capture the employment type.</em></p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with employment = 'contractor'</pre>
<p>If you have a user group called 'Contractors':</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find User that (has|assigned) UserGroup with displayName='Contractors' or name='Contractors'</pre>
<h2 data-id="who-are-remote-workers">Who are remote workers?</h2>
<p>If the user or employee entity has a remote flag:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find (User|employee) with remote=true</pre>
<p>If you have a user group called 'Remote':</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find User that (has|assigned) UserGroup with displayName='Remote' or name='Remote'</pre>
<h2 data-id="who-are-the-employees-missing-metadata-about-role">Who are the employees missing metadata about role?</h2>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with role=undefined</pre>
<h2 data-id="who-are-the-employees-missing-metadata-about-team-or-department">Who are the employees missing metadata about team or department?</h2>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with department=undefined</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee that !relates to Team</pre>
<h2 data-id="who-are-the-employees-missing-metadata-about-team-or-department-with-access-to-environment">Who are the employees missing metadata about team or department with access to an environment?</h2>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with department=undefined that is User that relates to (Account|AccessRole|UserGroup|Service) with tag.AccountName = '{accountName}'</pre>
<h2 data-id="who-are-the-employees-missing-metadata-about-team-or-department-with-privileged-access">Who are the employees missing metadata about team or department with privileged access?</h2>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with department=undefined that is User that assigned (AccessPolicy|AccessRole) with admin=true</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find employee with department=undefined that is User that assigned AccessRole that assigned AccessPolicy with admin=true</pre>
<h2 data-id="who-or-what-service-has-been-assigned-permissions-with-administrator-privileged-access">Who or what service has been assigned permissions with administrator/privileged access?</h2>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find AccessPolicy with admin=true as policy that ASSIGNED * as e return policy.displayName, policy.webLink, e._type, e.displayName, e.webLink</pre>
<h2 data-id="who-is-able-to-make-changes-in-a-production-data-connected-environment-and-what-changes-can-they-make">Who is able to make changes in a production data connected environment, and what changes can they make?</h2>
<p><em>We plan to do more in-depth analysis of AWS IAM policies to determine access. In the meantime, admin access is determined from the policy name, and the following query finds those policies together with the roles and users they are assigned to (the <code>admin</code> filter and the alias are applied before <code>that</code>; the original had the alias placed between the two filters):</em></p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find AccessPolicy with admin=true and tag.AccountName='{accountName}' as policy that ASSIGNED (AccessRole|User) as e return policy.displayName, policy.webLink, e._type, e.displayName, e.webLink</pre>
<h2 data-id="what-groups-are-an-employee-or-contractor-a-member-of">What groups are an employee or contractor a member of?</h2>
<p>Full-text search on the person's name (replace 'Joe Adams' with the employee in question):</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'Joe Adams' as employee that relates to (Team|Group) as group return employee._type, employee.displayName, employee.email, group._type, group.displayName</pre>
<h2 data-id="what-service-accounts-have-been-granted-access-to-production-data-services-or-sources">What service accounts have been granted access to production data services or sources?</h2>
<p><em>To be added.</em></p>
<h2 data-id="what-uses-static-authentication-credentials-people-services-vs-grant-type-credentials-saml-oidc">What uses static authentication credentials (people, services) vs grant type credentials (saml, oidc)?</h2>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find (User|UserGroup) that assigned AccessPolicy</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find AccessRole that assigned AccessPolicy</pre>
</article> </main>
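<p>As an added example (not code from the original page or from JupiterOne), the following Python helper runs a few of the hygiene queries above through JupiterOne's GraphQL API on a schedule and groups the admin-policy rows by policy so a reviewer sees which principals hold each one. The endpoint URL, the header names, the <code>queryV1 { data }</code> field, the shape of <code>return</code> rows (keys like <code>policy.displayName</code>) and the account name are assumptions; the HTTP opener is injectable so the logic can be exercised offline.</p>

```python
"""Added example: run this page's identity-hygiene J1QL queries and summarise admin grants.
Assumed (not from the page): the US endpoint, header names, the queryV1 field,
and that `return` rows come back as dicts keyed 'alias.property'."""
import json
import urllib.request

J1_GRAPHQL_URL = "https://graphql.us.jupiterone.io"  # assumed; your region may differ
GRAPHQL = "query J1QL($query: String!) { queryV1(query: $query) { data } }"
ACCOUNT_NAME = "prod-account"  # constructed stand-in for the page's '{accountName}'

# Queries taken from the page; the names are labels for the report only.
CHECKS = {
    "employees_missing_role": "Find employee with role=undefined",
    "employees_missing_department": "Find employee with department=undefined",
    "unmapped_employees_with_admin": (
        "Find employee with department=undefined that is User "
        "that assigned (AccessPolicy|AccessRole) with admin=true"),
    "admin_policy_assignments": (
        f"Find AccessPolicy with admin=true and tag.AccountName='{ACCOUNT_NAME}' "
        "as policy that ASSIGNED (AccessRole|User) as e "
        "return policy.displayName, e._type, e.displayName"),
}

def j1_query(query, token, account_id, opener=urllib.request.urlopen):
    """POST one J1QL query and return its rows. `opener` is injectable for offline use;
    large result sets would need J1's deferred-response flow, omitted here."""
    body = json.dumps({"query": GRAPHQL, "variables": {"query": query}}).encode()
    req = urllib.request.Request(J1_GRAPHQL_URL, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
        "JupiterOne-Account": account_id,
    })
    with opener(req) as resp:
        payload = json.load(resp)
    if payload.get("errors"):  # GraphQL reports failures in-band with HTTP 200
        raise RuntimeError(payload["errors"])
    return payload["data"]["queryV1"]["data"]

def summarize_admin_assignments(rows):
    """Group admin-policy rows by policy name, listing each (type, name) principal."""
    by_policy = {}
    for row in rows:
        policy = row.get("policy.displayName") or "<unnamed policy>"
        by_policy.setdefault(policy, []).append((row.get("e._type"), row.get("e.displayName")))
    return by_policy

def run_checks(token, account_id, opener=urllib.request.urlopen):
    """Row count per check; non-zero 'missing' counts mean the HR/IdP mapping is incomplete."""
    return {name: len(j1_query(q, token, account_id, opener)) for name, q in CHECKS.items()}
```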