If you recently read about the breaking fix JupiterOne introduced to maintain J1QL language correctness as defined by De Morgan's Law you may have found yourself in need of a refresher of the operations available in J1QL queries. The JupiterOne platform has several methods available to leverage operators to filter your query results.
Selecting multiple entities or relationships:
( class/type_1 | class/type_2 )
Comparing properties:
AND OR
Why did JupiterOne introduce this change?
JupiterOne strives to align with standard mathematical theory in our query language. J1 has updated J1QL to adhere to De Morgan's Law, which explains that the complement of the product of all the terms is equal to the sum of the complement of each term. The laws are named after Augustus De Morgan who formally defined the law.
How does this change impact J1QL?
This update to J1QL means customers may notice a difference in their query results when using a != followed by a set of arguments offset by parenthesis.
Prior behavior:
`!= (A and B and C)` is equivalent to `!= A and !=B and != C`
Updated behavior following De Morgan's Law
`!= (A and B and C)` is equivalent to the expression`!= A or != B or != C'
Examples for string, boolean, number, and date operations"
~= : Contains
Snyk findings with titles containing "Code Execution" (Remote Code Execution, Arbitrary Code Execution, etc.)
FIND snyk_finding WITH displayName~="Code Execution"
^= : Starts with
Endpoints or instances with IPs in the 10.15.0.0/16 range
FIND (Host|Device) WITH ipAddress^='10.50'
$= : Ends with
Certificates that have a SAN with the "jupiterone.com" domain
FIND Certificate with subject$="jupiterone.com"
!= : Does not equal
Data Storage entities without data-at-rest encryption enabled
FIND DataStore WITH encrypted!=true
!~= : Does not contain
Hosts without demo in their AccountName Tag
FIND Host WITH tag.AccountName!~='demo'
!^= : Does not start with
Lambda functions not use "nodejs" runtimes
FIND aws_lambda_function WITH runtime!^="nodejs"
!$= : Does not end with
Employees with emails not using the jupiterone.com domain
€‹ €‹FIND employee WITH email!$="jupiterone.com"
Examples for number and date operations:
> < >= <=
Date Comparison:
date.now : today
Date Units:
- hour, hr, hours, hrs
- day, days
- month, mo, months, mos
- year, yr, years, yrs
- + or - for date comparison
Example: New hires over the last 12 months
FIND employee WITH _createdOn > date.now-12months
Conclusion
There are many to precisely filter within your query, so be sure your query leverages the right operation for the right question. If you have any questions, please feel free to pose them in the J1 Community Slack or reach out to your CSM directly.
Tony Ramirez and Jayson Jensen
CSM Team, JupiterOne
