Workspace and Queries
The Workspace is used for building queries, which can then be used to create widgets and dashboards and power insights into your Attack Surface. Queries can also interact with Reference Lists.
Building queries
Queries can be built using the interface (Query Builder) or using Cypher, a complex, powerful query language. You can add queries to your Workspace indefinitely and they will never be deleted until you remove the query or clear your Workspace. However, if you don't use the Workspace page for a while, you may need to re-execute your queries upon return.
Using Query Builder
Query Builder is a graphical tool that you use to build queries which require the most common Cypher capabilities. You can build a query for ad-hoc exploration or save the query for reuse, to generate widgets for dashboards, or even to schedule to automate some action. When you build a query, you start by choosing the primary asset type you’re interested in and then specify the search pattern, which can consist of property filters and relationships to other asset types.
Understand the unified asset model first
Before you build a query, you should understand the unified model and the difference between unified asset types and the asset types from information sources. Visit Assets for details.
To use the Query Builder (basic query example):
- Log in to the Command Platform.
- Navigate Surface Command > Workspace. Any recently-used queries are displayed.
- Click + Query. The Query Builder opens within the Workspace page.
- Optionally, to see all asset types (including source-specific types), toggle on Show all types. By default, only the unified asset types are available to be selected.
- Select an asset type you’re interested in querying for. You can scroll through the asset types listed in the Query Builder or use the search field to find a specific type.
- Click Execute query. All assets of the selected type are returned.
By default, the whole asset objects are returned, including all of their properties, although column settings for the table determine which properties are displayed in the results table. This is configurable by clicking Manage table columns. You can continue to build your query by specifying which properties to return, adding relationships to other asset types, filtering on property values, and saving the query as described in the following sections.
Add or edit query results
The Return section of the Query Builder lists what is returned by your query. By default, entire asset objects, such as an Asset, User, or Vulnerability, are returned. When entire assets objects are returned, you can inspect all of the contained properties by clicking an asset in the results.
However, sometimes you have a very specific intention and are only interested in specific properties. Rather than returning the entire object and having to drill into them or adjust the columns of the results table to show specific properties, you can simply return individual properties explicitly. When you do this the returned properties are displayed as columns in the results table.
You can return any combination of specific properties and entire objects which is helpful when you want to focus on specific properties but still want to be able to drill into the corresponding asset objects to examine all properties and relationships.
Returning specific properties?
If you are only returning specific properties, you won’t be able see all of the other properties and relationships and you won’t be able to generate a graph.
To change what is returned by a query:
- Click the query name to open the Query Builder interface.
- Click Edit return properties or Edit for an item in the Return section.
- Select or de-select any asset types using the checkboxes.
- Expand the Add properties drop-down menu and select or de-select any checkboxes.
- Optionally, provide an alias for each property you added.
- Click Apply.
- Click Execute query.
If you've added multiple asset types to the Query Builder using relationships, you can also add the type or property to the Return list using the Menu next to the desired type or property.
Order query results
You can control the ordering of returned query results using the Sort control within the Return section of the query builder. Alternatively, you can click the Set sort order button if an order is not yet specified and provide an order using the asset type and property drop-down menus.
Add relationships to a query
Cybersecurity posture is a matter of how various entities relate to each other across your cyber estate. For example, which compute devices (Assets) are subject to which vulnerabilities or other exposures and how do those devices relate to your critical business services or network topology. Surface Command models all of these relationships in a graph. This helps organizations understand the state of their posture and be able to assess where their most significant risk exists.
An asset can have several relationships to another asset type through different properties. For example, an Asset might have several relationships to a User asset, such as Business Owners and Technical Owners. You can have the query match on any relationship or you can limit it to a specific relationship between two asset types.
You can leverage relationships in a query to look for undesirable conditions such as Machines which have relationships to Vulnerabilities with certain characteristics or to users without MFA enabled.
To add a relationship to a query:
- Click Add relationship on the asset type.
- Select an asset type from the Relationship to dropdown menu. The Query Builder displays all possible asset types to which the current asset might have a relationship based on the unified model.
- Optionally, select a path for the relationship. By default, the first and most direct path is selected.
- Optionally, specify the relationship of interest and condition.
- In the first field, select any or a supported property name. The property name specifies the type of relationship.
- Choose any to get matches for any relationship between the asset types, regardless of the type of relationship. For example, the any setting would match any relationship between a Machine and User, regardless of whether the relationship is business owner, technical owner, or last logged in user, etc.
- Choose a relationship property to specify the specific relationship you’re interested in. For example, where there is a relationship between Asset and User, you can select Business Owner to match only where the User asset is related through the Business Owner property/relationship.
- In the second field, select the relationship condition. Choose exists (default) to match only when the specified relationship is present. Choose optional to not require that a relationship exists but to be able to reference the related asset when it does exist.
- In the first field, select any or a supported property name. The property name specifies the type of relationship.
- Click Apply to add the relationship constraint to the query.
- Repeat these steps as necessary to add more relationships to the query.
- Click Execute query.
You can also adjust the relationship and condition or remove the relationship at any time from the Query Builder.
Filter query results
You can limit your results to specific properties and values. For example, you might want to see all Assets with a Windows operating system.
To add a filter:
- Next to any asset or property in the Query Builder, click the Filter result. The Filter asset type window opens.
- Select whether you want filter on properties of the Unified model or on properties from a specific Connector that has been correlated with the asset.
- Select the property you want to filter on.
- Select the condition and if required, a value. For example, an
is equal to
condition requires a value while anis true
condition does not. Only assets that meet the specified conditions will match the query. - Optionally, click + to add additional filters.
If you have multiple filters, you can also decide on the logic for the filters:
- All (default) - matches assets that meet every filter (an AND)
- Any - matches assets that meet any one of the filters (an OR).
- Advanced - allows you to construct arbitrary Boolean logic across any number of filter conditions.
To construct Advanced filter expressions, start by clicking on the Advanced tab of the filter dialog, which shows the Advanced condition field. Provide your filter expression using the numbers that correspond to the added filters, parentheses, and Boolean operators (AND
, OR
, and NOT
). The field will inform you if your expression is invalid for some reason.
Filters can be edited at any time by clicking the Filter result next to the respective asset type.
Remove duplicate results
When you query in Surface Command, the system search for a graph pattern not individual graph nodes. For example, if you query for all Asset and Vulnerabilities relationships, the results contain all unique combinations of Asset-to-Vulnerability relationships. This means if there was only 1 Asset but it had relationships to 10 vulnerabilities, the results would contain 10 rows. If your query only returned Assets, all 10 rows would be identical. If your query returned Assets and Vulnerabilities, each row would contain the same Asset but a different Vulnerability, which can create confusion. Because of this, you may want to ensure distinct results.
To remove duplicate results from a query:
- In the Query Builder, toggle on Distinct.
- Click Execute query.
Save a query
You can save a query to reuse it or allow other users to use it.
To save a query:
- In the Query Builder, click Execute query.
- In the results table, click Save query.
- Provide a name and description for the query.
- Optionally, add tags.
- Optionally, toggle on Create widgets. This allows the query to be used for Widgets. You can always turn this off or on later.
- Click Save.
Using Cypher (Advanced Query)
Surface Command is built on a graph database and supports the standards-based openCypher query language, including a majority of its expressions, clauses, and functions. These include scalar functions, like size()
and length()
, and aggregating functions, like avg()
and collect()
. Surface Command, however, does not support using queries to update or modify data.
Understand the unified asset model first
Before you build a query, you should understand the unified model and the difference between unified asset types and the asset types from information sources. Visit Assets for details.
To use Advanced Query (basic query example):
Log in to the Command Platform.
Navigate Surface Command > Workspace. Any recently-used queries are displayed.
Click + Query. The Query Builder opens within the Workspace page.
Click Advanced Query. After switching to Advanced Query, you cannot switch back. You must remove the query and start over in Query Builder if you need to switch back.
Begin typing a Cypher query. The basic structure of the most common Cypher queries in Surface Command take the form of:
sql1MATCH <relationship_pattern> WHERE <property_filter_conditions> RETURN <return_values>Click Execute query.
Detailed Cypher information
For details on openCypher and Cypher syntax, visit the openCypher website or the Cypher documentation.
Example Cypher queries
A simple example when looking for Assets running Windows would look like this:
sql
1MATCH (m:Machine)2WHERE m.os_family ICONTAINS 'Windows'3RETURN m
You can also incorporate relationships between assets. For example, a query for Assets running Windows with Vulnerabilities exceeding a CVSS score of 7.0 would look like this:
sql
1MATCH (m:Machine)--(v:Vulnerability)2WHERE m.os_family ICONTAINS 'Windows' AND v.cvss > 73RETURN m
Finding a property name
When want to know the technical name of a property so you can add it to your Cypher query’s WHERE or RETURN clause, you can find it in a couple ways:
- If it’s a column being displayed in the query results table, you can hover on the column header and click Copy.
- If it’s not being displayed as a column in the results table, you can either add it as a column or access it from the associated object’s details page.
To find the technical name of a property from the details view of the associated object:
- Click a row in the query results table to display the asset properties panel.
- Next to a property's name, hover on the Information to display details about the property.
- Click Copy next to the technical property name.
Tips for using Cypher
Auto-complete relationships:
As you start to type out a query, the editor uses its understanding of asset types and the relationship model to offer auto-complete options. For example, if you start your query by typing MATCH (m:Machine)—(vuln
the editor knows that the Machine type has a relationship to the Vulnerability type and offers an auto-complete option. Click the relationship you want and then keep typing. The editor provides auto-complete options for property names and when specifying a WHERE
clause filter or RETURN
value.
Case sensitivity:
Some things in Cypher are case sensitive, including asset types, relationship labels, and property names. Cypher keywords and functions, like MATCH
and COUNT()
are case insensitive but it improves readability to provide them in uppercase.
Comments:
Adding comments helps document the intent of the query and lessens maintenance. You can add comments on a single line using //
. Multi-line or inline comments start with /*
and end with */
.
New lines:
When using the Advanced Query editor, use Shift + Enter to add a new line without submitting the query. Adding new lines improves readability.
Quoting strings containing spaces:
Use single or double quotes for strings containing spaces. In this example, the operating_system
value is a string. However, the encrypted
property is a Boolean, which does not require quotes:
sql
1MATCH (m:Machine)--(s:Storage)2WHERE m.operating_system = 'Ubuntu Linux 18.04'3AND NOT s.encrypted = true4RETURN m
Previous queries:
When starting a new Cypher query, use the up and down arrow keys to step through recent Cypher queries.
Working with queries
Any queries that have been saved are viewable from Saved Queries in the Surface Command navigation menu. From this page, you can edit the query, execute the query with or without actions (Workflows), copy the query, or delete the query.
Edit a saved query
You can edit the following things for a saved query:
- The query itself using the Query Builder or the Advanced Query editor
- Saved query details, for example, its name and description
- Actions (Workflows) associated with the query
- You can only add Workflows that already exist. You can also schedule the workflow to run at a specified frequency.
- Widgets
- You can toggle on or off the ability to use the query for widgets as well as create widgets. Visit Dashboards and Widgets for details.
Working with reference lists
A reference list is data loaded from a Microsoft Excel (.xlsx
) or .csv
file instead of a Connector and used as lookup data in queries. To view all reference lists, click Reference Lists in the Surface Command navigation menu. From this page, you can:
- Upload a new reference list
- View the contents of a reference list
- Edit the reference list configuration (tags and a description)
- Upload new data to an existing reference list
- Delete a reference list
To upload a reference list:
- Click + List.
- Provide a name and type. The type is used in queries and cannot be changed once the reference list is created.
- Optionally, provide a description and tags.
- Optionally, toggle off Use first row as column header.
- Provide the field separator for the list.
- Upload the file.
- Click Submit.