AMA: Search for security groups by tag


AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack.

"How could I change the following query to only search for security groups which are applied to instances that have a specific tag?"

FIND Firewall AS row
THAT allows AS rel
Network with public!=true AS col
RETURN
row.displayName AS x,
col.displayName AS y,
rel.egress AS egress,
rel.ingress AS ingress,
rel.fromPort as fromPort,
rel.toPort as toPort,
rel.ipProtocol AS label

--Question from Jason on the J1 Community Slack

 

Answer from J1 Community Member,
Adam Youngberg

Something like the following will work (in this example, I'm using tag.AccountName, but you can use any tag(s) - if you want just the presence of a tag you can use tag.name_of_tag != undefined):

FIND aws_instance
WITH tag.AccountName = "some-account-tag"
THAT HAS aws_security_group AS row
THAT ALLOWS AS rel aws_vpc
WITH public != true AS col
RETURN
row.displayName AS x,
col.displayName AS y,
rel.egress AS egress,
rel.ingress AS ingress,
rel.fromPort as fromPort,
rel.toPort as toPort,
rel.ipProtocol AS label

 

If you prefer the more generalized version using classes instead of types, you can use:
 
FIND Host
WITH tag.AccountName = "some-account-tag"
THAT HAS Firewall AS row
THAT ALLOWS AS rel Network
WITH public != true AS col
RETURN
row.displayName AS x,
col.displayName AS y,
rel.egress AS egress,
rel.ingress AS ingress,
rel.fromPort as fromPort,
rel.toPort as toPort,
rel.ipProtocol AS label

 

Generically, you can add a WITH condition to any of the classes/types in your query. So, for example, if you want to find only instances tagged a certain way on security groups tagged a certain way, you could add a WITH condition to the THAT HAS aws_security_group before the AS row alias.

Response from Jason: "Thank you! That worked."
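
The combined filter described in the answer above, written out as an added example that is not part of the original Slack thread: instances must carry a specific tag value, and the security groups attached to them must carry a given tag at all (the presence check from the answer). The tag name `tag.Environment` is a hypothetical placeholder; the types and returned properties are the ones used in the answer.

```j1ql
/* Added example: tag.Environment is a hypothetical tag name, not from the thread */
FIND aws_instance
  WITH tag.AccountName = "some-account-tag"
THAT HAS aws_security_group
  WITH tag.Environment != undefined AS row
THAT ALLOWS AS rel aws_vpc
  WITH public != true AS col
RETURN
  row.displayName AS x,
  col.displayName AS y,
  rel.egress AS egress,
  rel.ingress AS ingress,
  rel.fromPort AS fromPort,
  rel.toPort AS toPort,
  rel.ipProtocol AS label
```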


Resources for this AMA

 

Modern Visibility in Cybersecurity

 

 


Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
