-
-
Save chppppp/577779b688cb3fc77e818556de7d44ed to your computer and use it in GitHub Desktop.
bloodhound custom queries - there may be dupes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "queries": [ | |
| { | |
| "name": "Find all Domain Admins", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:Group) WHERE n.objectsid =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p", | |
| "props": { | |
| "name": "(?i)S-1-5-.*-512" | |
| }, | |
| "allowCollapse": false | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find Shortest Paths to Domain Admins", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "title": "Select a Domain Admin group...", | |
| "query": | |
| "MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC", | |
| "props": { | |
| "name": "(?i)S-1-5-.*-512" | |
| } | |
| }, | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM*1..]->(m)) RETURN p", | |
| "allowCollapse": true, | |
| "endNode": "{}" | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find DCSyncers", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "title": "Select a Domain...", | |
| "query": | |
| "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
| }, | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH p=(n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name: {result}}) WITH p,n1 MATCH p2=(n1)-[:MemberOf|GetChangesAll*1..]->(u:Domain {name: {result}}) WITH p,p2 MATCH p3=(n2)-[:MemberOf|GenericAll|AllExtendedRights*1..]->(u:Domain {name: {result}}) RETURN p,p2,p3", | |
| "allowCollapse": true, | |
| "endNode": "{}" | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find logged in Admins", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Users with Most Sessions", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Computers with Most Sessions", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Users with Most Local Admin Rights", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Computers with Most Admins", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Users with Foreign Domain Group Membership", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "title": "Select source domain...", | |
| "query": | |
| "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
| }, | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User) WITH n MATCH (m:Group) WITH n,m MATCH p=(n)-[r:MemberOf]->(m) WHERE n.domain={result} AND NOT m.domain=n.domain RETURN p", | |
| "startNode": "{}", | |
| "allowCollapse": false | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Groups with Foreign Domain Group Membership", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "title": "Select source domain...", | |
| "query": | |
| "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
| }, | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:Group) WITH n MATCH (m:Group) WITH n,m MATCH p=(n)-[r:MemberOf]->(m) WHERE n.domain={result} AND NOT m.domain=n.domain AND NOT n.name=m.name RETURN p", | |
| "startNode": "{}", | |
| "allowCollapse": false | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Map Domain Trusts", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": "MATCH p=(n:Domain)-[r]-(m:Domain) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Shortest Path from SPN User", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "title": "Select a domain...", | |
| "query": | |
| "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
| }, | |
| { | |
| "final": false, | |
| "title": "Select a user", | |
| "query": | |
| "MATCH (n:User) WHERE n.domain={result} AND n.HasSPN=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC" | |
| }, | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH n=shortestPath((a:User {name:{result}})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(b:Computer)) RETURN n", | |
| "startNode": "{}", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Shortest Paths to Domain Admins from SPN Users", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "title": "Select a Domain Admin group...", | |
| "query": | |
| "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name ORDER BY n.name DESC", | |
| "props": { | |
| "name": "(?i).*DOMAIN ADMINS.*" | |
| } | |
| }, | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) WHERE n.HasSPN=true RETURN p", | |
| "allowCollapse": true, | |
| "endNode": "{}" | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find all owned Domain Admins", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n:Group) WHERE n.name =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) WHERE exists(m.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN nodes(p),relationships(p)", | |
| "allowCollapse": false, | |
| "props": {"name": "(?i).*DOMAIN ADMINS.*"} | |
| }, | |
| { | |
| "name": "Find Shortest Paths from owned node to Domain Admins", | |
| "requireNodeSelect": true, | |
| "nodeSelectQuery": { | |
| "query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name", | |
| "queryProps": {"name":"(?i).*DOMAIN ADMINS.*"}, | |
| "onFinish": "MATCH (n),(m:Group {name:{result}}),p=shortestPath((n)-[*1..12]->(m)) WHERE exists(n.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN p", | |
| "start":"", | |
| "end": "{}", | |
| "allowCollapse": true, | |
| "boxTitle": "Select domain to map..." | |
| } | |
| }, | |
| { | |
| "name": "Show Wave", | |
| "requireNodeSelect": true, | |
| "nodeSelectQuery": { | |
| "query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d", | |
| "queryProps": {}, | |
| "onFinish": "OPTIONAL MATCH (n1:User {wave:toInt({result})}) WITH collect(distinct n1) as c1 OPTIONAL MATCH (n2:Computer {wave:toInt({result})}) WITH collect(distinct n2) + c1 as c2 OPTIONAL MATCH (n3:Group {wave:toInt({result})}) WITH c2, collect(distinct n3) + c2 as c3 UNWIND c2 as n UNWIND c3 as m MATCH (n)-[r]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m", | |
| "start": "", | |
| "end": "", | |
| "allowCollapse": true, | |
| "boxTitle": "Select wave..." | |
| } | |
| }, | |
| { | |
| "name": "Highlight Delta for Wave", | |
| "requireNodeSelect": true, | |
| "nodeSelectQuery": { | |
| "query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d", | |
| "queryProps": {}, | |
| "onFinish": "MATCH (n)-[r]->(m) WHERE n.wave<=toInt({result}) AND not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m", | |
| "start": "", | |
| "end": "", | |
| "allowCollapse": true, | |
| "boxTitle": "Select wave to show deltas..." | |
| } | |
| }, | |
| { | |
| "name": "Find Clusters of Password Reuse", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=(n)-[r:SharesPasswordWith]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Blacklisted Nodes", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n) WHERE exists(n.blacklist) RETURN n", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Blacklisted Relationships", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n)-[r]->(m) WHERE exists(r.blacklist) RETURN n,r,m", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Blacklist", | |
| "requireNodeSelect": false, | |
| "query": "OPTIONAL MATCH (n {blacklist:true}) WITH n OPTIONAL MATCH p=(()-[{blacklist:true}]->()) RETURN n,p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show owned Nodes", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n) WHERE exists(n.owned) RETURN n", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Find Shortest Paths to DA Equivalency", | |
| "requireNodeSelect": true, | |
| "nodeSelectQuery": { | |
| "query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name", | |
| "queryProps": {"name":"(?i).*DOMAIN CONTROLLERS.*"}, | |
| "onFinish": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[*1..]->(m)) RETURN p", | |
| "start":"", | |
| "end": "{}", | |
| "allowCollapse": true, | |
| "boxTitle": "Select domain to map..." | |
| } | |
| }, | |
| { | |
| "name": "Find Shortest Paths to Domain Admins from Foreign User", | |
| "requireNodeSelect": true, | |
| "nodeSelectQuery": { | |
| "query": "MATCH (n:Domain) RETURN n.name", | |
| "queryProps":{}, | |
| "onFinish": "MATCH (n:User) WHERE NOT n.name ENDS WITH ('@' + {result}) WITH n MATCH (m:Group {name:('DOMAIN ADMINS@' + {result})}) WITH n,m MATCH p=shortestPath((n)-[*1..]->(m)) RETURN p", | |
| "start": "{}", | |
| "end": "", | |
| "allowCollapse": true, | |
| "boxTitle": "Select target domain..." | |
| } | |
| }, | |
| { | |
| "name": "Show Connections over 22/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_22]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 80/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_80]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 135/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_135]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 139/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_139]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 389/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_389]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 443/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_443]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 445/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_445]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 1433/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_1433]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 1521/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_1521]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 3306/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_3306]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 3389/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_3389]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Connections over 5432/tcp", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_5432]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Database Connections", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_1433|Connected_1521|Connected_3306|Connected_5432]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Show Web App Connections", | |
| "requireNodeSelect": false, | |
| "query": "MATCH p=((s:Computer)-[:Connected_80|Connected_443]->(d:Computer)) RETURN p", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Find Top 10 RDP Servers", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n:Computer)-[r:Connected_3389]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_3389]->(m) RETURN n,r,m", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Find Top 10 SSH Servers", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n:Computer)-[r:Connected_22]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_22]->(m) RETURN n,r,m", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "Find Top 10 Web Apps with most Connections", | |
| "requireNodeSelect": false, | |
| "query": "MATCH (n:Computer)-[r:Connected_80|Connected_443]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_80|Connected_443]->(m) RETURN n,r,m", | |
| "allowCollapse": true, | |
| "props": {} | |
| }, | |
| { | |
| "name": "List Computers where DOMAIN USERS are Local Admin", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Shortest Path from DOMAIN USERS to High Value Targets", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (g:Group),(n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) WHERE g.name STARTS WITH 'DOMAIN USERS' return p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "ALL Path from DOMAIN USERS to High Value Targets", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find Workstations where DOMAIN USERS can RDP To", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find Servers where DOMAIN USERS can RDP To", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Find all other Rights DOMAIN USERS shouldn’t have", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Kerberoastable Accounts member of High Value Group", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "List all Kerberoastable Accounts", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Users with Most Sessions", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Computers with Most Admins", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, { | |
| "name": "Top Ten Computers with Most Sessions", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Top Ten Users with Most Local Admin Rights", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "All Shortest Path - Owned to HighValue", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH p=allShortestPaths((O {owned: True})-[r:{}*1..]->(H {highvalue: True})) RETURN p", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "All Shortest Path - Owned to HighValue - Exclude Blacklist", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH p=allShortestPaths((O {owned: True})-[r:{}*1..]->(H {highvalue: True})) WHERE NONE(x IN NODES(p) WHERE x:Blacklist) RETURN p", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Owned - View All", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (x {owned: True}) RETURN x", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Owned - Clear All", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (x {owned: True}) SET x.owned=False", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "HighValue - View All", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (x {highvalue: True}) RETURN x", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "HighValue - Clear All", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (x {highvalue: True}) SET x.highvalue=False", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - View All", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (x:Blacklist) RETURN x", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Add User", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "query": | |
| "MATCH (x:User) RETURN x.name ORDER BY x.name", | |
| "props": {}, | |
| "allowCollapse": true | |
| }, | |
| { | |
| "final": true, | |
| "query": "MATCH (x:User) WHERE x.name={result} SET x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Add Group", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "query": | |
| "MATCH (x:Group) RETURN x.name ORDER BY x.name", | |
| "props": {}, | |
| "allowCollapse": true | |
| }, | |
| { | |
| "final": true, | |
| "query": "MATCH (x:Group) WHERE x.name={result} SET x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Add Computer", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "query": | |
| "MATCH (x:Computer) RETURN x.name ORDER BY x.name", | |
| "props": {}, | |
| "allowCollapse": true | |
| }, | |
| { | |
| "final": true, | |
| "query": "MATCH (x:Computer) WHERE x.name={result} SET x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Remove User", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "query": | |
| "MATCH (x:User:Blacklist) RETURN x.name ORDER BY x.name", | |
| "props": {}, | |
| "allowCollapse": true | |
| }, | |
| { | |
| "final": true, | |
| "query": "MATCH (x:User) WHERE x.name={result} REMOVE x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Remove Group", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "query": | |
| "MATCH (x:Group:Blacklist) RETURN x.name ORDER BY x.name", | |
| "props": {}, | |
| "allowCollapse": true | |
| }, | |
| { | |
| "final": true, | |
| "query": "MATCH (x:Group) WHERE x.name={result} REMOVE x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Remove Computer", | |
| "queryList": [ | |
| { | |
| "final": false, | |
| "query": | |
| "MATCH (x:Computer:Blacklist) RETURN x.name ORDER BY x.name", | |
| "props": {}, | |
| "allowCollapse": true | |
| }, | |
| { | |
| "final": true, | |
| "query": "MATCH (x:Computer) WHERE x.name={result} REMOVE x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| }, | |
| { | |
| "name": "Blacklist - Clear All", | |
| "queryList": [ | |
| { | |
| "final": true, | |
| "query": | |
| "MATCH (x:Blacklist) REMOVE x:Blacklist", | |
| "props": {}, | |
| "allowCollapse": true | |
| } | |
| ] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment