Get Started with Search - AskJ1 Community
<main> <article class="userContent">
<p>From the Search for Anything landing page, you can quickly search and gain insight across your entire digital environment integrated with JupiterOne. There are three modes of search:</p>
<ul><li><strong>Ask questions</strong> - you can enter any keywords to search across all packaged and saved questions.</li>
<li><strong>Full-text search</strong> - an easy way to search across all assets based on their property values.</li>
<li><strong>JupiterOne query language (J1QL)</strong> - best for detailed querying of assets and relationships.</li> </ul>
<p>You can toggle results in four different display modes: <strong>Table</strong>, <strong>Graph</strong>, <strong>Raw JSON</strong>, or <strong>Pretty JSON</strong>.</p>
<p><strong>Note</strong>: For performance reasons, search results are limited to a maximum of 250 items. If you believe something is missing from a large result set, try fine-tuning the query to generate more precise results.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/Y5IIJCGAY13H/search-home.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<h2 data-id="ask-questions">Ask Questions</h2>
<p>Enter any keyword or combination of keywords such as these (without quotation marks):</p>
<ul><li>compliance</li> <li>access</li> <li>traffic</li> <li>ssh</li> <li>data encrypted</li> <li>production</li> </ul>
<p>Or ask a question like:</p>
<ul><li>Who are my vendors?</li> <li>What lambda functions do I have in AWS?</li> <li>What is connected to the Internet?</li> <li>Who has access to ...?</li> </ul>
<h2 data-id="edit-questions">Edit Questions</h2>
<p>You can edit any of the questions in the J1 Questions Library to customize the question to your specific requirements. Click the pencil icon.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/WLECJMH8AGXC/questions-edit.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<p>Edit any of the fields, add tags, or modify the query.
In addition, you can edit the compliance mappings. When you map a framework and compliance requirement to a question, the next time that framework is imported, the question is added to the requirement.</p>
<p>By default, J1 adds <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1154-adding-compliance-frameworks">compliance frameworks</a> to which your question is mapped.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/VBZZDWR2WDNZ/questions-edit-compliance.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<p>For each of the mapped frameworks, you can add compliance requirement and control mappings. Click the <strong>Propagate changes to existing compliance frameworks</strong> checkbox if you want to apply your edits to existing frameworks.</p>
<p>You can edit any question to enable daily polling on it. The next time you run the question, the results include a trend chart.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/YWDC1073R6VE/polling-data.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<p><img src="https://us.v-cdn.net/6035534/uploads/C16YOPENOE5C/time-trend-chart.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<p><strong>Note</strong>: If you are editing the query, do not use <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">count()</code> because the daily polling counts the number of results (rows). Using <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">count()</code> results in a single count of 1.</p>
<h2 data-id="full-text-search">Full-Text Search</h2>
<p>Put your keywords in quotation marks (for example, "keyword") to start a full-text search. Or simply enter your keywords and click <strong>Enter</strong>.
For example:</p>
<ul><li>"sg-123ab45c" finds an AWS EC2 security group with that group ID.</li>
<li>"Charlie" finds a person and/or user with that first name, and potentially other resources related to that person/user.</li>
<li>"jupiterone database" finds database entities with property values that include the keyword "jupiterone".</li> </ul>
<h2 data-id="jupiterone-query-language-j1ql">JupiterOne Query Language (J1QL)</h2>
<p>You can use the JupiterOne Query Language (J1QL) to search for anything across all of your entities and relationships.</p>
<p>The basic query structure is:</p>
<ul><li><p>Start with an asset:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">FIND {class or type of an asset}</code></p></li>
<li><p>Optionally, add some property filters:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WITH {property}={value} AND|OR {property}={value}</code></p></li>
<li><p>Get its relationships:</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">THAT {relationship_verb}|RELATES TO {class/type of another asset}</code></p></li> </ul>
<p>For example:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">FIND * WITH tag.Production='true' </pre>
<p>The wildcard <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">*</code> includes everything.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">FIND User THAT IS Person </pre>
<p>If you do not know the exact relationship, you can just use the keyword <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RELATES TO</code> to cover any or all relationships:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">FIND User THAT RELATES TO Person </pre>
<p>You can give an asset or relationship an alias with <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">AS {something}</code>.
You can then use the alias in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WHERE</code> for additional filtering or comparison, or in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RETURN</code> for returning specific properties.</p>
<p>For example:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">FIND Firewall AS fw THAT ALLOWS AS rule (Network|Host) AS n WHERE rule.ingress=true and rule.fromPort=22 RETURN fw._type, fw.displayName, fw.tag.AccountName, n._type, n.displayName, n.tag.AccountName </pre>
<p>The query language is case-insensitive except for the following:</p>
<ul><li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">TitleCase</code> asset keywords after <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find</code> and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{relationship verb}</code> search for entities of that class (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CodeRepo</code>).</li>
<li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">lowercase</code> asset keywords after <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find</code> and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{relationship verb}</code> search for assets of that type.
An asset type with more than one word is generally in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">snake_case</code> (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">github_repo</code>).</li>
<li>Asset property names and values, and alias names defined as part of the query, are case-sensitive.</li> </ul>
<p>Read the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/844-jupiterone-query-language-tutorial">J1QL query tutorial</a> and the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/980-introduction-to-jupiterone-query-language-j1ql">complete J1QL documentation</a> for more advanced examples.</p>
<h2 data-id="combining-full-text-search-with-j1ql">Combining Full-Text Search with J1QL</h2>
<p>You can also start with a full-text search and then use J1QL to further filter the results from the initial search. For example:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find "Administrator" with _class='AccessPolicy' that ASSIGNED (User|AccessRole) </pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'security officer' with _type='employee' </pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find 'roles responsibilities' with _class=('Policy' or 'Procedure') </pre>
<p><strong>Note</strong>: Either single quotes (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">'</code>) or double quotes (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">"</code>) work for both full-text search keywords and property string values.</p>
</article> </main>
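<p>Added example (not part of the JupiterOne documentation or product): a small pre-save check for question queries that applies two rules from this page, the case rules that decide whether an asset keyword is read as a class, a type, or a full-text term, and the warning against <code>count()</code> in questions with daily polling. The function names and the simplified regular expressions are assumptions that cover only the query forms shown above.</p>

```python
import re

# Simplified J1QL patterns (assumption: only the query forms shown on this page).
_STR = r"""(?:"[^"]*"|'[^']*')"""                  # quoted string
_SEL = "(" + _STR + r"|\*|\([^)]*\)|\w+)"          # asset selector
_FIND = re.compile(r"^\s*find\s+" + _SEL, re.I)
# THAT <verb> or THAT RELATES TO, an optional AS alias, then the next selector.
_THAT = re.compile(r"\bthat\s+(?:relates\s+to|\w+)(?:\s+as\s+\w+)?\s+" + _SEL, re.I)
_COUNT = re.compile(r"\bcount\s*\(", re.I)


def selector_kind(token):
    """Classify one asset keyword by the page's case rules."""
    if token == "*":
        return "wildcard"
    if token[:1] in ("'", '"'):
        return "full-text"
    if token[:1].isupper():
        return "class"      # TitleCase, e.g. CodeRepo
    if token and token == token.lower():
        return "type"       # lowercase / snake_case, e.g. github_repo
    return "unknown"        # e.g. codeRepo matches neither convention


def lint_question(query, polling=False):
    """Return (selector kinds in query order, warnings) for one question query."""
    head = _FIND.match(query)
    if not head:
        return [], ["query does not start with FIND"]
    # Blank out string literals so keywords inside values are not misread.
    bare = re.sub(_STR, "''", query[head.end():])
    kinds = []
    for raw in [head.group(1)] + _THAT.findall(bare):
        tokens = raw[1:-1].split("|") if raw.startswith("(") else [raw]
        kinds += [selector_kind(t.strip()) for t in tokens]
    warnings = []
    if "unknown" in kinds:
        warnings.append("asset keyword is neither TitleCase nor lowercase")
    if polling and _COUNT.search(bare):
        warnings.append("count() with daily polling records a single count of 1")
    return kinds, warnings
```

<p>Run it over a question's query before enabling daily polling; an empty warnings list means neither rule was tripped.</p>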