Community
Questions Library
Docs
Blog
Events
Swag
Github
Slack
JupiterOne
Discussions
Release Notes
Get Started with Search - AskJ1 Community
<main> <article class="userContent"> <p>You can quickly search and get insight across your entire digital environment integrated with JupiterOne, from the Search for Anything landing page. There are three modes of search:</p> <ul><li><strong>Ask questions</strong> - you can enter any keywords to search across all packaged and saved questions.</li> <li><strong>Full-text search</strong> - an easy way to search across all assets based on their property values.</li> <li><strong>JupiterOne query language (J1QL)</strong> is best for detailed querying of assets and relationships.</li> </ul><p>You can toggle results in four different display modes: <strong>Table</strong>, <strong>Graph</strong>, <strong>Raw JSON</strong>, or <strong>Pretty JSON</strong>.</p> <p><strong>Note</strong>: For performance reasons, search results are limited to return a maximum 250 items. If you believe something is missing from a large result set, try fine-tuning the query to generate more precise results.</p> <h2 data-id="ask-questions">Ask Questions</h2> <p>Enter any keyword or combination of keywords such as these (without quotations):</p> <ul><li>compliance</li> <li>access</li> <li>traffic</li> <li>ssh</li> <li>data encrypted</li> <li>production</li> </ul><p>Or ask a question like:</p> <ul><li>Who are my vendors?</li> <li>What lambda functions do I have in AWS?</li> <li>What is connected to the Internet?</li> <li>Who has access to ...?</li> </ul><h2 data-id="full-text-search">Full-Text Search</h2> <p>Put your keywords in quotations (for example, "keyword") to start a full text search. Or simply enter your keywords and click <strong>Enter</strong>. For example:</p> <ul><li>"sg-123ab45c" finds an AWS EC2 security group with that group ID.</li> <li>"Charlie" finds a person and/or user with that first name, and potentially other resources related to that person/user.</li> <li>"jupiterone database" finds database entities with property values that include the keyword jupiterone".</li> </ul><h2 data-id="jupiterone-query-language-j1ql">JupiterOne Query Language (J1QL)</h2> <p>You can use the JupiterOne Query Language (J1QL) for searching for anything across all of your entities and relationships.</p> <p>The basic query structure is:</p> <ul><li><p>Start with an asset:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">FIND {class or type of an asset}</code></p></li> <li><p>Optionally, add some property filters:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WITH {property}={value} AND|OR {property}={value}</code></p></li> <li><p>Get its relationships:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">THAT {relationship_verb}|RELATES TO {class/type of another asset}</code></p></li> </ul><p>For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND * WITH tag.Production='true' </pre> <p>The wildcard <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">*</code> includes everything.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND User THAT IS Person </pre> <p>If you do not know the exact relationship, you can just use the keyword <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RELATES TO</code> to cover any or all relationships:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND User THAT RELATES TO Person </pre> <p>You can name an asset or relationship with an alias with the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">AS {something}</code>. You can then use the alias in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WHERE</code> for additional filtering or comparison, or in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RETURN</code> for returning specific properties.</p> <p>For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">FIND Firewall AS fw THAT ALLOWS AS rule (Network|Host) AS n WHERE rule.ingress=true and rule.fromPort=22 RETURN fw._type, fw.displayName, fw.tag.AccountName, n._type, n.displayName, n.tag.AccountName </pre> <p>The query language is case-insensitive except for the following:</p> <ul><li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">TitleCase</code> asset keywords after <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find</code> and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{relationship verb}</code> search for entities of that class. (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CodeRepo</code>).</li> <li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">lowercase</code> asset keywords after <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find</code> and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{relationship verb}</code> search for assets of that type. An asset type with more than one word is generally in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">snake_case</code> (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">github_repo</code>).</li> <li>Asset property names and values, and alias names defined as part of the query, are case-sensitive.</li> </ul><p>Read the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/844-jupiterone-query-language-tutorial">J1QL query tutorial</a> and the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/980-introduction-to-jupiterone-query-language-j1ql">complete J1QL documentation</a> for more advanced examples.</p> <h2 data-id="combining-full-text-search-with-j1ql">Combining Full-Text Search with J1QL</h2> <p>You can also start with a full text search and then use J1QL to further filter the results from the initial search. For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find "Administrator" with _class='AccessPolicy' that ASSIGNED (User|AccessRole) </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'security officer' with _type='employee' </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'roles responsibilities' with _class=('Policy' or 'Procedure') </pre> <p><strong>Note</strong>: Either single quotes (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">'</code>) or double quotes (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">"</code>) work for both full-text search keywords and property string values.</p> </article> </main>