De Morgan's Law in JupiterOne

by

If you recently read about the breaking fix JupiterOne introduced to maintain J1QL language correctness as defined by De Morgan's Law you may have found yourself in need of a refresher of the operations available in J1QL queries. The JupiterOne platform has several methods available to leverage operators to filter your query results.

Selecting multiple entities or relationships:
( class/type_1 | class/type_2 ) 

Comparing properties:
AND OR  

Why did JupiterOne introduce this change?

JupiterOne strives to align with standard mathematical theory in our query language. J1 has updated J1QL to adhere to De Morgan's Law, which explains that the complement of the product of all the terms is equal to the sum of the complement of each term. The laws are named after Augustus De Morgan who formally defined the law.

How does this change impact J1QL?

This update to J1QL means customers may notice a difference in their query results when using a != followed by a set of arguments offset by parenthesis. 

Prior behavior:

`!= (A and B and C)` is equivalent to `!= A and !=B and != C`

Updated behavior following De Morgan's Law

`!= (A and B and C)` is equivalent to the expression`!= A or != B or != C'

Examples for string, boolean, number, and date operations"

~=  : Contains
Snyk findings with titles containing "Code Execution" (Remote Code Execution, Arbitrary Code Execution, etc.)

FIND snyk_finding WITH displayName~="Code Execution"

 

^=  : Starts with
Endpoints or instances with IPs in the 10.15.0.0/16 range

FIND (Host|Device) WITH ipAddress^='10.50'

 

$=  : Ends with
Certificates that have a SAN with the "jupiterone.com" domain

FIND Certificate with subject$="jupiterone.com"

 

!=  : Does not equal
Data Storage entities without data-at-rest encryption enabled

FIND DataStore WITH encrypted!=true

 

!~= : Does not contain
Hosts without demo in their AccountName Tag

FIND Host WITH tag.AccountName!~='demo'

 

!^= : Does not start with
Lambda functions not use "nodejs" runtimes  

FIND aws_lambda_function WITH runtime!^="nodejs"

 

!$= : Does not end with
Employees with emails not using the jupiterone.com domain

€‹ €‹FIND employee WITH email!$="jupiterone.com"

 

Examples for number and date operations:

> < >= <=

Date Comparison:

date.now : today
Date Units:

  • hour, hr, hours, hrs
  • day, days
  • month, mo, months, mos
  • year, yr, years, yrs
  • + or - for date comparison 

Example: New hires over the last 12 months

FIND employee WITH _createdOn > date.now-12months

 

Conclusion

There are many to precisely filter within your query, so be sure your query leverages the right operation for the right question. If you have any questions, please feel free to pose them in the J1 Community Slack or reach out to your CSM directly.

Tony Ramirez and Jayson Jensen
CSM Team, JupiterOne

Tony Ramirez
Tony Ramirez

Tony is a Senior Customer Success Engineer at JupiterOne. Prior to joining JupiterOne, Tony consulted in the AppSec space, pentesting and training security practitioners in how to perform security assessments. He regularly attends and speaks at OWASP, DevSecOps and other security events across the country. He is also the creator of Cybrary’s “Mobile Application Security” series.

Keep Reading

‘Type and go’ - New JupiterOne search bar enhancements
October 30, 2023
Blog
‘Type and go’ - New JupiterOne search bar enhancements

JupiterOne aggregates and normalizes data from hundreds of different sources so you can identify and triage security risks easily.

Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix
October 6, 2023
Blog
Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix

It seems like a simple question. “Are any of our deployed user endpoint devices missing an endpoint detection and response agent?”

Why Better Asset Visibility Matters in Cybersecurity | JupiterOne
August 30, 2023
Blog
Back to basics: Why better asset visibility matters in your security program

At the most basic level of the Incident Response Hierarchy, security teams must know the assets they are defending.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.