De Morgan's Law in JupiterOne


If you recently read about the breaking fix JupiterOne introduced to keep the J1QL language correct as defined by De Morgan's Law, you may find yourself in need of a refresher on the operations available in J1QL queries. The JupiterOne platform provides several operators you can use to filter your query results.

Selecting multiple entities or relationships:
( class/type_1 | class/type_2 ) 

Comparing properties:
AND OR  

Why did JupiterOne introduce this change?

JupiterOne strives to align with standard mathematical theory in our query language. J1 has updated J1QL to adhere to De Morgan's Law, which states that the complement of the product of all the terms is equal to the sum of the complement of each term. The laws are named after Augustus De Morgan, who formally defined the law.

How does this change impact J1QL?

This update to J1QL means customers may notice a difference in their query results when using a != followed by a set of arguments enclosed in parentheses.

Prior behavior:

`!= (A and B and C)` is equivalent to `!= A and != B and != C`

Updated behavior following De Morgan's Law:

`!= (A and B and C)` is equivalent to the expression `!= A or != B or != C`
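
To see what the change does to a result set, the following added example (not JupiterOne code) models the prior and updated readings of `!= (A and B and C)` in Python and applies them to the same data. The entity names, the `env` property and its values are constructed, and each property is assumed to hold a single scalar value.

```python
# Added illustration: two readings of `prop != (A and B and C)`.
# Entities and terms below are constructed sample data, not J1 output.

ENTITIES = [
    {"name": "host-1", "env": "prod"},
    {"name": "host-2", "env": "staging"},
    {"name": "host-3", "env": "dev"},
    {"name": "host-4", "env": "sandbox"},
]
TERMS = ("prod", "staging", "dev")


def prior(value, terms):
    """Pre-fix reading: != A and != B and != C."""
    return all(value != t for t in terms)


def updated(value, terms):
    """Post-fix reading: the negation of (== A and == B and == C)."""
    return not all(value == t for t in terms)


def expanded(value, terms):
    """De Morgan expansion of the post-fix reading: != A or != B or != C."""
    return any(value != t for t in terms)


def select(predicate, prop="env", entities=ENTITIES, terms=TERMS):
    """Names of entities whose property satisfies the predicate."""
    return [e["name"] for e in entities if predicate(e[prop], terms)]


def changed(prop="env", entities=ENTITIES, terms=TERMS):
    """Entities returned after the fix that were not returned before it."""
    before = set(select(prior, prop, entities, terms))
    return [n for n in select(updated, prop, entities, terms) if n not in before]


if __name__ == "__main__":
    print("prior:        ", select(prior))
    print("updated:      ", select(updated))
    print("newly matched:", changed())
```

A scalar value can never equal three distinct terms at once, so under the updated reading the grouped filter no longer excludes anything. A saved query or alert rule that relied on the prior reading to exclude every listed value needs the comparisons written out and joined with AND.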

Examples for string, boolean, number, and date operations:

~=  : Contains
Snyk findings with titles containing "Code Execution" (Remote Code Execution, Arbitrary Code Execution, etc.)

FIND snyk_finding WITH displayName~="Code Execution"

 

^=  : Starts with
Endpoints or instances with IPs in the 10.15.0.0/16 range

FIND (Host|Device) WITH ipAddress^='10.50'

 

$=  : Ends with
Certificates that have a SAN with the "jupiterone.com" domain

FIND Certificate with subject$="jupiterone.com"

 

!=  : Does not equal
Data Storage entities without data-at-rest encryption enabled

FIND DataStore WITH encrypted!=true

 

!~= : Does not contain
Hosts without demo in their AccountName Tag

FIND Host WITH tag.AccountName!~='demo'

 

!^= : Does not start with
Lambda functions not using "nodejs" runtimes

FIND aws_lambda_function WITH runtime!^="nodejs"

 

!$= : Does not end with
Employees with emails not using the jupiterone.com domain

FIND employee WITH email!$="jupiterone.com"

 

Examples for number and date operations:

> < >= <=

Date Comparison:

date.now : today
Date Units:

  • hour, hr, hours, hrs
  • day, days
  • month, mo, months, mos
  • year, yr, years, yrs
  • + or - for date comparison 

Example: New hires over the last 12 months

FIND employee WITH _createdOn > date.now-12months

 

Conclusion

There are many ways to precisely filter within your query, so be sure your query leverages the right operation for the right question. If you have any questions, please feel free to pose them in the J1 Community Slack or reach out to your CSM directly.

Tony Ramirez and Jayson Jensen
CSM Team, JupiterOne

Tony Ramirez

Tony is a Senior Customer Success Engineer at JupiterOne. Prior to joining JupiterOne, Tony consulted in the AppSec space, pentesting and training security practitioners in how to perform security assessments. He regularly attends and speaks at OWASP, DevSecOps and other security events across the country. He is also the creator of Cybrary’s “Mobile Application Security” series.
