JupiterOne Query Language Tutorial - AskJ1 Community
<main> <article class="userContent"> <p>Querying can be the most challenging yet the most rewarding part of the JupiterOne experience. After you become familiar with the query language, you will uncover numerous previously undiscovered insights into your data.</p> <p>The JupiterOne Query Language (J1QL) is a query language for finding the assets and relationships within your digital environment. J1QL blends together the capabilities of asking questions, performing full text search, and querying the complex entity-relationship graph.</p> <p>There are several prepackaged queries you can use in the <strong>Search</strong> app or browse for in <strong>Query Library</strong>. This tutorial focuses on helping you construct custom queries yourself.</p> <p>This tutorial builds on the <a href="../j1ql-doc.md">full J1QL documentation</a> using some common use cases.</p> <p>The queries in this tutorial and other JupiterOne documentation are examples that work in most cases, but may require fine-tuning based on the specific structure of your data sources.</p> <h2 data-id="part-1-simple-root-query">Part 1: Simple Root Query</h2> <p>Try this query:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Account that relates to Root return tree </pre> <p>The noun that immediately follows the verb is case-sensitive:</p> <ul><li>A <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">TitleCase</code> word tells the query to search for assets of that <strong>class</strong> (such as <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Account</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Firewall</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Gateway</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Host</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">User</code>, <code class="code 
codeInline code codeInline" spellcheck="false" tabindex="0">Root</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Internet</code>).</li> <li>A <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">snake_case</code> word tells the query to search for assets of that <strong>type</strong> (such as <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_account</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_security_group</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_internet_gateway</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_instance</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_iam_user</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">okta_user</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">user_endpoint</code>)</li> </ul><p>You get a result similar to this (the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">return tree</code> part of the query tells it to show the graph view by default):</p> <p><img src="https://us.v-cdn.net/6035534/uploads/PXJNXIC3U686/j1ql-tutorial-root-accounts-graph.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>The selected asset in the above example is the special <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Root</code> asset node, which represents your organization. 
Depending on the number of integration configurations you have, you see a different number of connected accounts, showing that the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Root</code> entity <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">OWNS</code> these <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Account</code> assets.</p> <p>There are three sets of controls in the result panel. Starting from top-right to bottom-left of the graph:</p> <p>The first set of controls (next to the query) allows you to:</p> <ul><li><p>Switch views between <strong>Table</strong>, <strong>Graph</strong>, <strong>Raw JSON</strong>, and <strong>Pretty JSON</strong>.</p></li> <li><p>Share the query, using a provided weblink to copy and share.</p></li> <li><p>Save the query, where you give it a title, description and, optionally, some tags to save it to your own query library.</p></li> <li><p>Close or remove this results panel from the page.</p></li> </ul><p>The second set of controls (above the selected asset node) allows you to:</p> <ul><li><p>Show the detailed properties, tags, and metadata of the selected asset.</p></li> <li><p>Expand the asset to see more of its connected neighbors, which shows additional data that the original query may not have returned, allowing you to further the search and analysis.</p></li> <li><p>Hide the selected asset node from the graph view. 
After you have hidden an asset, an unhide button appears in the third set of controls at the bottom-left of the graph, allowing you to unhide all currently hidden assets.</p></li> </ul><p>The last set of controls (in the bottom-left corner) allows you to:</p> <ul><li><p>Toggle the full screen mode.</p></li> <li><p>Open the filter panel to show or hide assets in the graph by account or asset type.</p></li> <li><p>Unhide all currently hidden assets (not shown in the above image, as it only appears when there is at least one hidden asset).</p></li> </ul><p>See more details on the graph controls in this <a href="../quickstart-graph.md">documentation</a>.</p> <h2 data-id="part-2-infrastructure-analysis">Part 2: Infrastructure Analysis</h2> <p><em>Examples in this section require at least one AWS integration configuration.</em></p> <p>If you have configured an AWS integration, you are now ready to try something more advanced.</p> <h3 data-id="ssh-key-usage-examples">SSH Key Usage Examples</h3> <p>Enter this query:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find AccessKey with usage='ssh' </pre> <p>This query finds a set of <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_access_key</code> assets used for SSH access into your EC2 instances, assuming you have some of those and they are configured to allow SSH access.</p> <p>You can also query by the asset type instead of its class. 
The following query returns the same result unless you also have SSH keys you have added from other non-AWS integrations or from the UI or API.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_key_pair </pre> <p>You can expand the search using the following:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Host as h that uses AccessKey with usage='ssh' as k return h.tag.AccountName, h._type, h.displayName, h.instanceId, h.region, h.availabilityZone, h.publicIpAddress, h.privateIpAddress, h.platform, h.instanceType, h.state, k._type, k.displayName </pre> <p>This query finds the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Host</code> asset that <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">USES</code> each <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">AccessKey</code> and returns a set of specific properties. You can add or remove the returned properties, if necessary. The keyword <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">that</code> is what tells the query to traverse the graph to find connections/relationships between assets, followed by a <em>verb</em> that represents the relationship class. Also, you can switch to the <strong>Graph</strong> view to get a more visual result, and continue to drill down interactively.</p> <p>Again, you can query using the more specific asset types. 
For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_instance that uses aws_key_pair </pre> <p>Or mix and match them:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Host that uses aws_key_pair </pre> <p>The relationship keyword/verb is <em>not</em> case-sensitive.</p> <h3 data-id="ebs-volume-examples">EBS Volume Examples</h3> <p>First, to see if there are any unencrypted EBS volumes, use this query:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_ebs_volume with encrypted != true </pre> <p>In the above query the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">with</code> keyword binds to the asset noun immediately to its left, and allows you to filter results on the property values of that entity.</p> <p>If the above query finds some unencrypted EBS volumes, you can see what is using them by entering:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Host that uses aws_ebs_volume with encrypted != true </pre> <p>You can view the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_ebs_volume</code> assets and their relationships in the <strong>Graph</strong> mode, and further inspect the properties on each asset node or relationship edge. 
You can also expand to see more connected assets and relationships.</p> <p>To see which volumes are active and in production, enter:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Host with active = true and tag.Production = true that uses aws_ebs_volume with encrypted != true </pre> <p>To determine which subnets these instances are in and to return only a few key properties from each type of asset related to this search, enter:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Network as n that has Host as h that uses aws_ebs_volume with encrypted != true and tag.Production = true as e return n.displayName, h._type, h.displayName, e.displayName, e.encrypted </pre> <p>To find any unused EBS volumes (candidates for removal), enter:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_ebs_volume that !uses Host </pre> <p>The above query may seem backwards. The query works the same way regardless of the direction of the relationship. Because the query, by default, returns all properties from the initial set of assets, it is sometimes easier to reverse the query direction so that you can more easily get the data you are searching for.</p> <p>Technically, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Find Host that !uses aws_ebs_volume as v return v.*</code> may seem more correct, but it is a lengthier query to enter.</p> <h3 data-id="unencrypted-data">Unencrypted Data</h3> <p>There are many types of data stores you can have in AWS, such as EBS Volumes, S3 Buckets, RDS Clusters and Instances, DynamoDB Tables, and Redshift Clusters. You should ensure they are encrypted if they store confidential data.</p> <p>To know if the data stores are encrypted, enter:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find (aws_s3_bucket|aws_rds_cluster|aws_db_instance|aws_dynamodb_table|aws_redshift_cluster) with encrypted!=true </pre> <p>The above query is complex. 
The abstract class labels that J1 assigns automatically let you simplify this by querying by class:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find DataStore with encrypted != true </pre> <p>Add a few property filters to make the results more focused, to help reduce the noise, or to prioritize remediation:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find DataStore with encrypted != true and tag.Production = true and (classification = 'confidential' or classification = 'restricted') </pre> <h3 data-id="tagging-resources">Tagging Resources</h3> <p>As shown in the earlier examples, tagging resources is useful. It is recommended that you tag your resources at the source. J1 ingests these tags and you can use them in custom queries.</p> <p>By default, the packaged queries provided by J1, as seen in the Query Library from the Search app and used in the Compliance app, rely on the following tags:</p> <ul><li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Classification</code></li> <li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Owner</code></li> <li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PII</code> or <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PHI</code> or <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PCI</code> (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">boolean</code> tags to indicate data type)</li> <li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">AccountName</code></li> <li><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Production</code></li> </ul><p>All custom tags ingested by J1 integrations are prefixed with <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">tag.&lt;TagName&gt;</code>; therefore, you must reference the tags this way in the query.</p> <p>The <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Classification</code> and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Owner</code> tags are automatically captured as properties, so J1 can use them directly in the query without the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">tag.</code> prefix, in all lower case: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">classification = '...'</code> or <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">owner = '...'</code>.</p> <p>J1 can add the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">tag.AccountName</code> (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code>) and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">tag.Production</code> (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">boolean</code>) tags as part of the advanced options in each integration configuration.</p> <p>More information about tagging resources is in:</p> <ul><li><a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1039-add-enriched-or-modified-properties">Add Enriched or Modified Properties</a></li> <li><a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1038-query-for-enriched-and-modified-properties">Query for Enriched or Modified Properties</a></li> <li><a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1040-query-resources-without-specific-tags">Query Resources Without Specific Tags</a></li> </ul><h3 data-id="network-resources-and-configurations">Network Resources and Configurations</h3> <p>You can use queries to ask questions or confirm information about your network resources and their configurations.</p> <p>For example, to find 
network resources and their connections:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Gateway|Firewall) with category='network' that relates to * return tree </pre> <p>Remember that you can toggle the result back to <strong>Table</strong> view.</p> <p>To find networks and subnets:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Network that contains Network return tree </pre> <p>Or resources in a VPC:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Network that has (Host|Cluster|Database) return tree </pre> <p>This is a basic result. Your environment may look more complex:</p> <p><img src="https://us.v-cdn.net/6035534/uploads/7EP0STAF0VDG/j1ql-tutorial-network-has-resources.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>The properties side panel for the selected <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_subnet</code> has a <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">webLink</code> that enables you to quickly get to the source directly in the AWS web console.</p> <p>In AWS, you may have set up CloudFront distributions to distribute traffic to your API gateways or static websites hosted in S3, such as this example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_cloudfront_distribution that relates to * return tree </pre> <p>The following is a J1 account with multiple AWS integration configurations and several <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_cloudfront_distribution</code> assets and relationships.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/8URCXX6HG1T4/j1ql-tutorial-cloudfront.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>This graph shows you the origins connected to the distributions: both S3 buckets (for static website/contents) and API gateways. 
Additionally, the graph shows you the ACM certificate they use and the WAF ACL, if any, configured to protect them.</p> <p>You can select any asset node in the graph to inspect its detailed properties, or find a web link to get to the source in the AWS web console.</p> <p>If you use AWS Transfer for SFTP, you can find the transfer servers, users, which IAM roles are assigned to them, and to which S3 buckets the users have access.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_account that HAS aws_transfer that HAS Host that HAS User that RELATES TO * return tree </pre> <p>You get a visual similar to this:</p> <p><img src="https://us.v-cdn.net/6035534/uploads/Q2X9CECW9MNB/j1ql-aws-transfer-servers-users.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <h3 data-id="serverless-functions">Serverless Functions</h3> <p>If you are using serverless (Lambda) functions, there are a few queries to help you see how they are configured.</p> <p>To see a listing of your Lambda functions:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_lambda_function </pre> <p>To see what triggers each function:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">find aws_lambda_function as function that TRIGGERS * as trigger return trigger._type, trigger.displayName, trigger.arn, trigger.webLink, function.functionName, function.arn, function.webLink </pre> <p>To see if there are Lambda functions with access to resources in a VPC:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_lambda_function that has aws_vpc return tree </pre> <p>The above query gives you a visual graph of the Lambda functions and the VPC they are configured to run inside.</p> <p>It is a best practice <strong>not</strong> to run Lambda functions inside a VPC unless they need direct access to resources within one, such as EC2 instances, RDS databases, or ElasticSearch/ElastiCache.</p> <p>To see if inbound SSH is 
allowed directly from an external host or network:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Firewall as fw that ALLOWS as rule (Host|Network) with internal=false or internal=undefined as src where rule.ingress=true and (rule.fromPort<=22 and rule.toPort>=22) return fw._type, fw.displayName, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR </pre> <p>The above query uses <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">where</code> to filter the property values of the relationship. You can use both <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">with</code> and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">where</code> to filter property values of assets. See the <a href="../j1ql-doc.md">full J1QL documentation</a> for more details.</p> <p>Also, you can toggle to the <strong>Graph</strong> view to see the above results more visually and interactively.</p> <p>To see which production resources are directly connected/exposed to the internet/everyone:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Internet|Everyone) that relates to * with tag.Production=true and _class!='Firewall' and _class!='Gateway' return tree </pre> <p>To see your network layer resources:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Firewall | Gateway) with category='network' </pre> <p>To learn about security group protection:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_security_group that PROTECTS aws_instance return tree </pre> <p><strong>TIP</strong>: Select a relationship edge in the graph to see the security group rule details, such as the properties on the relationship edge.</p> <h2 data-id="part-3-user-and-access-analysis">Part 3: User and Access Analysis</h2> <p>After you have configured an Okta or OneLogin integration, you can use these queries.</p> <h3 data-id="idp-users-and-access">IdP 
users and access</h3> <p><em>Examples in this section require an identity provider integration (Okta or OneLogin).</em></p> <p>To find out if there are system accounts that do not belong to an individual employee/user:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find User that !is Person </pre> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">User</code> entities in J1 are automatically mapped to a corresponding <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Person</code> (<code class="code codeInline code codeInline" spellcheck="false" tabindex="0">_type: 'employee'</code>) asset when there is at least one Identity Provider (IdP) integration configuration such as Okta or OneLogin.</p> <p><strong>TIP</strong>: Set the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">userType</code> property of the user profile in your IdP account to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">'system' or 'generic' or 'bot'</code> to prevent J1 from creating a <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Person</code> entity for that user.</p> <p><strong>TIP</strong>: Setting the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">username</code> of your <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_iam_user</code> or other non-IdP users to be the email address of a person/employee enables J1 to automatically map that user to its corresponding person. 
Alternatively, you can add an <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">email</code> tag to your <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">aws_iam_user</code> for the mapping to work.</p> <p>To see which active user accounts do not have multi-factor authentication enabled:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find User with active = true and mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device </pre> <p>Depending on the specific IdP integration, a <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">User</code> asset may have a relationship mapping to an <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mfa_device</code> instead of the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mfaEnabled</code> flag directly as a property. Therefore, the above query finds all <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">User</code> assets with the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">active</code> flag set to true but not the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mfaEnabled</code> flag, and additionally checks that there is no relationship between that <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">User</code> and any <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mfa_device</code> assigned or in use.</p> <p>To find out if there are users accessing your AWS application without using MFA:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find User with active = true and mfaEnabled != true that ASSIGNED Application with displayName = 'Amazon Web Services' </pre> <p>Replace the string value of the <code class="code codeInline code codeInline" spellcheck="false" 
tabindex="0">displayName</code> to check for another application.</p> <p>You can also use <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">shortName = 'aws'</code>, which checks for all AWS application instances, if you have more than one AWS SAML app configured with your IdP.</p> <p><strong>Find all contractors and external users in the environment.</strong></p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find User that IS Person that !EMPLOYS Root </pre> <p>The above query finds user accounts belonging to any individual not directly employed by your organization (the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Root</code> entity).</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find User as u that IS Person as p where u.userType='contractor' or p.employeeType='contractor' </pre> <p>The above query finds contractor users.</p> <h3 data-id="cloud-users-and-access">Cloud users and access</h3> <p><em>Examples in this section require at least one AWS integration configuration.</em></p> <p>To see who has been assigned full administrator access in AWS:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">find (aws_iam_role|aws_iam_user|aws_iam_group) that ASSIGNED AccessPolicy with policyName='AdministratorAccess' </pre> <p>To find which IAM roles are assigned which IAM policies:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">find aws_iam_role as role that ASSIGNED AccessPolicy as policy return role._type as RoleType, role.roleName as RoleName, policy._type as PolicyType, policy.policyName as PolicyName </pre> <h3 data-id="combined-users-and-access-across-all-environments">Combined users and access across all environments</h3> <p><em>Examples in this section work best when there are both IdP and AWS integration configurations enabled in JupiterOne.</em></p> <p>To see who has access to what systems/resources:</p> <pre class="code codeBlock" 
spellcheck="false" tabindex="0">Find (User|Person) as u that (ASSIGNED|TRUSTS|HAS|OWNS) (Application|AccessPolicy|AccessRole|Account|Device|Host) as a return u.displayName, u._type, u.username, u.email, a._type, a.displayName, a.tag.AccountName order by u.displayName </pre> <h2 data-id="part-4-cross-account-analysis">Part 4: Cross-Account Analysis</h2> <p><em>Many examples in this section require both Okta and AWS integration configurations in JupiterOne, as well as an AWS SAML app configured in your Okta account. Some queries work best when you have multiple AWS configurations.</em></p> <p>To see who has access to your AWS accounts via single sign-on (SSO):</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find User as U that ASSIGNED Application as App that CONNECTS aws_account as AWS return U.displayName as User, App.tag.AccountName as IdP, App.displayName as ssoApplication, App.signOnMode as signOnMode, AWS.name as awsAccount </pre> <p>To know if there are assume role trusts from one AWS account to other external entities:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_account that HAS aws_iam that HAS aws_iam_role that TRUSTS (Account|AccessRole|User|UserGroup) with _source='system-mapper' return tree </pre> <p>In the above query, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">_source='system-mapper'</code> indicates that the trusted asset is not one ingested by an integration configuration. Instead, it is mapped and created by J1 during the analysis of the Assume Role policies of the IAM roles in your accounts. 
Therefore, these entities are most likely external.</p> <p>For example, you can see the JupiterOne integration IAM role with a <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">TRUSTS</code> relationship to the JupiterOne AWS account.</p> <h2 data-id="part-5-endpoint-compliance">Part 5: Endpoint Compliance</h2> <p><em>Examples in this section require the activation of at least one JupiterOne Endpoint Compliance Agent (powered by the Stethoscope app).</em></p> <p>To see if the local firewall is enabled on end-user devices:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find HostAgent as agent that MONITORS user_endpoint as device return device.displayName, device.platform, device.osVersion, device.hardwareModel, device.owner, agent.firewall, agent.compliant, agent._type, agent.displayName </pre> <p>To see which endpoints are non-compliant:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find Person as person that OWNS (Host|Device) as device that MONITORS HostAgent with compliant!=true as agent return person.displayName, person.email, device.displayName, device.platform, device.osVersion, device.hardwareModel, device.owner, agent.compliant, agent._type, agent.displayName </pre> <p>To know which applications those users have access to:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find HostAgent with compliant!=true that MONITORS (Host|Device) that OWNS Person that IS User that Assigned Application return tree </pre> <p>To see if any of those above have access to AWS:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Find HostAgent with compliant!=true that MONITORS (Host|Device) that OWNS Person that IS User that (ASSIGNED|HAS) (aws_iam_role|aws_iam_policy|aws_iam_user_policy|aws_iam_group) return tree </pre> <p>The resulting graph looks similar to this:</p> <p><img src="https://us.v-cdn.net/6035534/uploads/28O0WU8AGCNV/graph-noncompliant-user-endpoint-aws-access.png" 
alt="noncompliance-device-aws-access" class="embedImage-img importedEmbed-img"></img></p> </article> </main>
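The filtering and traversal rules this tutorial relies on (a `with` filter binding to the noun to its left, `!= true` also matching assets where the property is undefined, `!VERB` excluding assets that have the relationship in either direction, and `where` filtering properties on the relationship edge), modelled on a small constructed graph so the unencrypted-EBS, unused-volume, MFA and inbound-SSH queries above can be traced by hand. This is an added illustration, not JupiterOne's query engine or SDK; the entities, relationships and identifiers are constructed samples.

```python
# Tiny in-memory model of the J1QL behaviours this tutorial relies on. Added
# illustration only: not JupiterOne's engine or SDK; the graph is a constructed
# sample and the semantics follow the tutorial's descriptions of its queries.
UNDEFINED = object()  # stands for "property not present on the asset"

# Assets carry _class (TitleCase) and _type (snake_case), like J1 entities.
ENTITIES = [
    {"_id": "vol-1", "_class": "DataStore", "_type": "aws_ebs_volume", "encrypted": True},
    {"_id": "vol-2", "_class": "DataStore", "_type": "aws_ebs_volume", "encrypted": False},
    {"_id": "vol-3", "_class": "DataStore", "_type": "aws_ebs_volume"},  # encrypted undefined
    {"_id": "i-1", "_class": "Host", "_type": "aws_instance", "displayName": "web-1"},
    {"_id": "u-1", "_class": "User", "_type": "okta_user", "active": True, "mfaEnabled": True},
    {"_id": "u-2", "_class": "User", "_type": "okta_user", "active": True},  # mfaEnabled undefined
    {"_id": "u-3", "_class": "User", "_type": "okta_user", "active": True, "mfaEnabled": False},
    {"_id": "u-4", "_class": "User", "_type": "okta_user", "active": False},
    {"_id": "mfa-1", "_class": "Device", "_type": "mfa_device"},
    {"_id": "sg-1", "_class": "Firewall", "_type": "aws_security_group", "displayName": "web-sg"},
    {"_id": "net-1", "_class": "Network", "_type": "aws_subnet", "internal": True, "CIDR": "10.0.1.0/24"},
    {"_id": "net-2", "_class": "Network", "_type": "internet", "CIDR": "0.0.0.0/0"},  # internal undefined
    {"_id": "net-3", "_class": "Network", "_type": "network", "internal": False, "CIDR": "203.0.113.0/24"},
]
# Relationships: verb class plus endpoints; security group rule fields sit on the edge.
RELS = [
    {"_class": "USES", "from": "i-1", "to": "vol-1"},
    {"_class": "USES", "from": "i-1", "to": "vol-2"},
    {"_class": "ASSIGNED", "from": "u-3", "to": "mfa-1"},
    {"_class": "ALLOWS", "from": "sg-1", "to": "net-1", "ingress": True, "fromPort": 22, "toPort": 22},
    {"_class": "ALLOWS", "from": "sg-1", "to": "net-2", "ingress": True, "fromPort": 443, "toPort": 443},
    {"_class": "ALLOWS", "from": "sg-1", "to": "net-3", "ingress": True, "fromPort": 0, "toPort": 65535},
    {"_class": "ALLOWS", "from": "sg-1", "to": "net-2", "ingress": False, "fromPort": 22, "toPort": 22},
]
BY_ID = {e["_id"]: e for e in ENTITIES}

def noun_matches(e, noun):
    # A TitleCase noun selects by class, a snake_case noun by type; both are case-sensitive.
    return e["_class"] == noun if noun[:1].isupper() else e["_type"] == noun

def not_equal(e, name, value):
    # `with prop != value` also keeps assets on which prop is undefined.
    return e.get(name, UNDEFINED) is UNDEFINED or e[name] != value

def find(nouns, pred=lambda e: True):
    # `Find (A|B) with ...`: the `with` filter binds to the noun(s) immediately to its left.
    return [e for e in ENTITIES if any(noun_matches(e, n) for n in nouns) and pred(e)]

def traverse(start, verbs, nouns, pred=lambda e: True, negate=False):
    """`that VERB Noun` (or `that !VERB Noun` when negate=True). Edge direction is
    ignored, as the tutorial notes. Yields (start, rel, other) triples; with
    negate=True yields (start, None, None) for start assets with no matching edge."""
    verbs = {v.upper() for v in verbs}  # the relationship verb is not case-sensitive
    for s in start:
        hits = []
        for r in RELS:
            if r["_class"].upper() not in verbs:
                continue
            other = r["to"] if r["from"] == s["_id"] else r["from"] if r["to"] == s["_id"] else None
            if other is not None and any(noun_matches(BY_ID[other], n) for n in nouns) and pred(BY_ID[other]):
                hits.append((s, r, BY_ID[other]))
        if negate and not hits:
            yield s, None, None
        elif not negate:
            yield from hits

def unencrypted_volumes():
    # Find aws_ebs_volume with encrypted != true
    # Also returns vol-3, where the property is absent; `encrypted = false` alone would miss it.
    return sorted(e["_id"] for e in find(["aws_ebs_volume"], lambda e: not_equal(e, "encrypted", True)))

def unused_volumes():
    # Find aws_ebs_volume that !uses Host   (edges are stored Host -> volume; direction is ignored)
    return sorted(s["_id"] for s, _, _ in traverse(find(["aws_ebs_volume"]), ["uses"], ["Host"], negate=True))

def users_without_mfa():
    # Find User with active = true and mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device
    users = find(["User"], lambda e: e.get("active") is True and not_equal(e, "mfaEnabled", True))
    return sorted(s["_id"] for s, _, _ in
                  traverse(users, ["ASSIGNED", "USES", "HAS"], ["mfa_device"], negate=True))

def external_ssh_exposure():
    # Find Firewall as fw that ALLOWS as rule (Host|Network) with internal=false or internal=undefined as src
    #   where rule.ingress=true and (rule.fromPort<=22 and rule.toPort>=22)
    #   return fw.displayName, src.CIDR
    def is_external(e):
        return e.get("internal", UNDEFINED) in (False, UNDEFINED)
    rows = []
    for fw, rule, src in traverse(find(["Firewall"]), ["ALLOWS"], ["Host", "Network"], is_external):
        # `where` filters on properties stored on the relationship edge itself.
        if rule["ingress"] is True and rule["fromPort"] <= 22 <= rule["toPort"]:
            rows.append((fw["displayName"], src["CIDR"]))
    return sorted(rows)
```

Each function returns the ids or rows the corresponding tutorial query would list for this sample graph; the rule that only opens 443 and the egress rule on port 22 are correctly left out of the SSH result.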