Cybersecurity Cookbook

Secure your infrastructure with graph-powered threat hunting.

1. Network Intrusion

Lateral Movement Detection

gsqlterminal
Copy
// Find RDP or SSH connections moving from a compromised host through multiple internal servers
CREATE QUERY lateral_movement(VERTEX<Host> source_host, DATETIME compromise_time) FOR GRAPH SecurityGraph {
  OrAccum @is_compromised = false;
  SumAccum<INT> @depth;

  Start = {source_host};
  Start = SELECT s FROM Start:s ACCUM s.@is_compromised = true;
  
  FOR i IN 1..5 DO
    Start = SELECT t FROM Start:s -(CONNECTION:e)-> Host:t
            WHERE e.timestamp > compromise_time AND t.@is_compromised == false
            ACCUM t.@is_compromised = true, t.@depth = i;
  END;
  
  PRINT Start;
}

Beaconing Behavior

gsqlterminal
Copy
// Detect hosts communicating with an external IP at regular intervals (e.g., every 60s +/- 5s)
CREATE QUERY detect_beaconing(VERTEX<Host> h, VERTEX<IP> external_ip) FOR GRAPH SecurityGraph {
  ListAccum<DATETIME> @@timestamps;
  SumAccum<INT> @@consistent_intervals;

  Start = {h};
  
  Events = SELECT t FROM Start:s -(COMMUNICATED_WITH:e)-> IP:t
           WHERE t == external_ip
           ACCUM @@timestamps += e.timestamp;
           
  // Analyze timing between consecutive events
  // (Pseudo-code logic for snippet)
  // iterate through @@timestamps, calculate diff, check variance < 5s
  
  PRINT "Beaconing analysis for", h.id, "to", external_ip.id;
}

2. Identity & Access (IAM)

Privileged Account Path

gsqlterminal
Copy
// Find the shortest path from a regular user to a Domain Admin group
CREATE QUERY user_to_admin_path(VERTEX<User> u) FOR GRAPH SecurityGraph {
  MinAccum<INT> @dist = 999;
  ListAccum<VERTEX> @path;
  
  Start = {u};
  Start = SELECT s FROM Start:s ACCUM s.@dist = 0;
  
  WHILE Start.size() > 0 DO
    Start = SELECT t FROM Start:s -(MEMBER_OF|HAS_PERMISSION:e)-> :t
            WHERE s.@dist + 1 < t.@dist
            ACCUM t.@dist = s.@dist + 1, t.@path = s.@path + [s];
            
    Admins = SELECT s FROM Start:s WHERE s.is_admin == true;
    IF Admins.size() > 0 THEN
      PRINT Admins;
      BREAK;
    END;
  END;
}

3. Attack Surface Mapping

Internet-Facing Exposed Services

gsqlterminal
Copy
// Find all sensitive databases accessible from an Internet-facing web server
CREATE QUERY exposed_databases() FOR GRAPH SecurityGraph {
  SetAccum<VERTEX<Database>> @@exposed_db;
  
  WebServers = {Host.*};
  WebServers = SELECT s FROM WebServers:s WHERE s.is_internet_facing == true;
  
  WHILE WebServers.size() > 0 DO
    WebServers = SELECT t FROM WebServers:s -(ACCESSES|TALKS_TO:e)-> :t;
    IF t.type == "Database" THEN
      Result = SELECT s FROM WebServers:s ACCUM @@exposed_db += s;
    END;
  END;
  
  PRINT @@exposed_db;
}

4. Email Analysis

Phishing Spreader

gsqlterminal
Copy
// Find users who received an email with a specific malicious attachment and forwarded it
CREATE QUERY phishing_propagation(VERTEX<Attachment> malicious_file) FOR GRAPH SecurityGraph {
  SetAccum<VERTEX<User>> @@recipients;
  
  Start = {malicious_file};
  
  Emails = SELECT t FROM Start:s -(ATTACHED_TO:e)- Email:t;
  
  Recipients = SELECT t FROM Emails:s -(RECEIVED_BY:e)- User:t
               ACCUM @@recipients += t;
               
  // Find those who then sent the same attachment
  Forwarders = SELECT t FROM Recipients:s -(SENT:e)- Email:em -(ATTACHED_TO:e)- Attachment:at
               WHERE at == malicious_file;
               
  PRINT Forwarders;
}

[!IMPORTANT] Cybersecurity graphs often involve millions of small events. Use Time-based Filtering on your edges to keep traversals focused and performant.