From a4ea6f1aadee05df9df1272247a3a9b80a2e4399 Mon Sep 17 00:00:00 2001
From: Stephen Hinck
Date: Fri, 27 Oct 2023 00:19:24 -0700
Subject: [PATCH] BED-3845 - Improve and fix Azure saved queries (#169)

* Update default queries for accuracy
* Update saved searches for accuracy
* fix: remove NOT from pre-defined query
---------
Co-authored-by: jknudsen
---
 .../javascript/bh-shared-ui/src/commonSearches.tsx | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/javascript/bh-shared-ui/src/commonSearches.tsx b/packages/javascript/bh-shared-ui/src/commonSearches.tsx
index 365d810d9e..b51c0a3743 100644
--- a/packages/javascript/bh-shared-ui/src/commonSearches.tsx
+++ b/packages/javascript/bh-shared-ui/src/commonSearches.tsx
@@ -25,8 +25,8 @@ const azureTransitEdgeTypes = AzurePathfindingEdges().slice(0, -1).join('|') + A
 const adTransitEdgeTypes = ActiveDirectoryPathfindingEdges().slice(0, -1).join('|') + '|' + ActiveDirectoryPathfindingEdges().slice(-1);
-const highPrivilegedRoleDisplayNames =
-    'Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR';
+const highPrivilegedRoleDisplayNameRegex =
+    'Global Administrator.*|User Administrator.*|Cloud Application Administrator.*|Authentication Policy Administrator.*|Exchange Administrator.*|Helpdesk Administrator.*|Privileged Authentication Administrator.*';
 export type CommonSearchType = {
 subheader: string;
@@ -168,7 +168,7 @@ export const CommonSearches: CommonSearchType[] = [
 },
 {
 description: 'All members of high privileged roles',
-cypher: `MATCH p=(n)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole)\nWHERE r.name =~ '(?i)${highPrivilegedRoleDisplayNames}'\nRETURN p`,
+cypher: `MATCH p=(n)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole)\nWHERE r.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}'\nRETURN p`,
 },
 ],
 },
@@ -178,11 +178,11 @@ export const CommonSearches: CommonSearchType[] = [
 queries: [
 {
 description: 'Shortest paths to high value/Tier Zero targets',
-cypher: `MATCH p=shortestPath((m:AZUser)-[r:${azureTransitEdgeTypes}*1..]->(n))\nWHERE n.system_tags = "admin_tier_0" AND n.name =~ '(?i)${highPrivilegedRoleDisplayNames}' AND NOT m=n\nRETURN p`,
+cypher: `MATCH p=shortestPath((m:AZUser)-[r:${azureTransitEdgeTypes}*1..]->(n))\nWHERE n.system_tags = "admin_tier_0" AND n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}' AND m<>n\nRETURN p`,
 },
 {
 description: 'Shortest paths to privileged roles',
-cypher: `MATCH p=shortestPath((m)-[r:${azureTransitEdgeTypes}*1..]->(n:AZRole))\nWHERE n.name =~ '(?i)${highPrivilegedRoleDisplayNames}' AND NOT m=n\nRETURN p`,
+cypher: `MATCH p=shortestPath((m)-[r:${azureTransitEdgeTypes}*1..]->(n:AZRole))\nWHERE n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}' AND m<>n\nRETURN p`,
 },
 {
 description: 'Shortest paths from Azure Applications to high value/Tier Zero targets',
@@ -190,7 +190,7 @@ export const CommonSearches: CommonSearchType[] = [
 },
 {
 description: 'Shortest paths to Azure Subscriptions',
-cypher: `MATCH p=shortestPath((m)-[r:${azureTransitEdgeTypes}*1..]->(n:AZSubscription))\nWHERE NOT m<>>n\nRETURN p`,
+cypher: `MATCH p=shortestPath((m)-[r:${azureTransitEdgeTypes}*1..]->(n:AZSubscription))\nWHERE m<>n\nRETURN p`,
 },
 ],
 },
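Review bot: The `.*` appended to every alternative in `highPrivilegedRoleDisplayNameRegex` is undocumented; nothing in the hunk says why the former exact display-name list became a prefix match, and a later edit could tighten it back without knowing what breaks. Presumably AZRole `name` values carry a suffix after the display name (Cypher `=~` matches the whole string, so a bare display name would never match) — if so, a comment above the constant such as `// Prefix match: AZRole names carry a suffix after the display name, and =~ matches the whole string` would capture that, and if the suffix begins with a known delimiter, anchoring on it would narrow the match further. Since this constant is spliced into Cypher via template literals as a raw regex fragment, any future role name containing regex metacharacters (`.`, `(`, `+`) would need escaping before it is added to the list.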
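Review bot: In the rewritten 'Shortest paths to high value/Tier Zero targets' cypher, `n.system_tags = "admin_tier_0"` is still ANDed with `n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}'`, so only Tier Zero nodes whose name looks like a privileged role are returned and Tier Zero users, groups, service principals or other tagged targets are silently excluded, which the description does not suggest. If the intent is all Tier Zero targets, the name predicate should go: `WHERE n.system_tags = "admin_tier_0" AND m<>n`; if the intent really is Tier Zero roles only, the description should say so. The `NOT m=n` to `m<>n` rewrite itself is equivalent and fine, as is the same change on the 'Shortest paths to privileged roles' query in this hunk.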