Search

Search lets you explore and access data in GraphDB by querying entities and relationships with SysQL. You can build and save your own queries or use the out-of-the-box queries provided by Sysdig.

Search provides a powerful, in-depth view of your cloud and container environments. This holistic approach helps security teams gain visibility into how connected cloud resources can be impacted during an attack by identifying potential security risks, such as attack paths, hidden threats, and vulnerabilities. With Search, teams can uncover these threats and respond faster.

Choose Inventory > Search to access the Search feature.

Use the Search query window to create custom queries that look for security risks in your environment. Queries are grouped by Risk, Posture, and Vulnerabilities and are built from entity fields and relationships using the following:

Form-Based Query Builder

Lets you define an initial simplified SysQL query by selecting the primary entity and a set of relationships or conditions for it.

The form-based query builder organizes entities by category.

The left window contains:

  • Entity selector
  • Suggestions library
  • Favorite queries

Entity Selector

Use the search interface to set the primary entity to search and select a set of fields or relationship conditions for it. From left to right, displayed as three columns, you select a category, the entity, and optionally a set of entity conditions.

  • Categories: The first column shows a list of categories. Categories group the following entities:

    • Application: User-facing software components and services
    • Compute: Virtual machines, containers, and other resources that provide processing power to run workloads and applications.
    • Environment: Cloud accounts, regions, zones, and other cloud-environment related entities.
    • Findings: Security issues that have been identified, such as a misconfiguration or a vulnerability.
    • Identity: Entities such as Users, Roles, Service Accounts, or Access Policies.
    • Kubernetes: Kubernetes-specific entities, such as Cluster, Node, or Deployment.
    • Secrets: Entities such as Encryption Keys or Managed Certificates.
    • Storage: Storage-related entities such as databases or buckets.
  • Entities: The second column shows the entities that are grouped by the selected category.

  • Entity Conditions: This third column lets you select the fields associated with the chosen entity, or relationships from the selected entity to another entity. For instance, you can select the Name field of an entity or the relationship “With Zone”.

Suggestions Library

The Suggestions Library contains a list of suggested Search queries.

Favorite Queries

You can favorite a query to use later. Once you have created a simplified SysQL string, click the library icon. Your list of favorite queries is available in the query builder window under the Favorite queries tab.

Building a Search Query

To build a search query using the form-based query builder:

  1. Click the Start building your query… box.
    A form-based query builder window appears.

  2. Click the library icon and select a category. A second column appears showing the list of entities for that category.

  3. Select the entity that you want to search.

    Another column appears showing the available field and relationship conditions for the entity.

  4. In the third column, click a single or multiple checkboxes to select relationships or field conditions.

  5. Select Go.

The search query is created.

Editing a Query

Once you create a query, you can add or remove parameters, or mark certain conditions as optional. For every query you build, hover over each line of the query to see the following options:

  • Delete: Remove the entity or condition.
  • Optional: Mark the condition as optional. For example, marking the condition THAT IS AFFECTED BY Vulnerability as optional also returns the results that do not match that condition.

    You cannot mark the primary entity or a field condition (WHERE clause) as optional.
  • Hide: Hide the entity so that it does not appear in the results.
  • Add: Add a condition to this entity. You can add nested conditions to the entity defined in that row.

Saving the Query as Custom Risk

When creating custom risks from queries, consider the following:

Risks on Resources

Resource entities represent the foundational nodes of your infrastructure and how they interconnect, and Finding entities represent security-related detections on those resources, such as events or vulnerabilities. To save a query as a Risk, its primary entity must be a Resource.

Risks with Query Conditions

The query must include at least one filter to be considered a risk query. You can apply a filter in either of the following two ways:

  • A WHERE clause that refines the resource selection.
  • A relation that matches entities connected to the primary resource.

This ensures the query yields meaningful results, rather than a plain list of resources, by applying logical filtering.

From Resources to Findings

The query should only use outgoing relationships from resource entities. For example, the following query cannot be considered a valid risk query because it uses a vulnerability as a “bridge” to connect unrelated workloads:

MATCH (EC2Instance)
  -[:AFFECTED_BY]->(Vulnerability)
  -[:THAT_AFFECTS]->(KubeWorkload)

This constraint ensures that the identified risks represent valid attack surfaces, not accidental relationships between unconnected resources.

For more information, see Custom Risks.

Restricted Outgoing Connections

To prevent invalid queries, the following entities cannot have outgoing connections:

  • Metadata
    • Label
    • Zone
    • Region
  • Policy
    • Policy
  • Vuln
    • Vulnerability
    • CriticalVulnerability
  • Controls
    • Control
    • PrivilegedControl
    • S3AcceptsHTTP
    • S3VersioningDisabled
    • ContainsAIPackage
  • IAM Findings
    • RiskFinding
    • CompromisedState
  • Runtime Events
    • RuntimeEvent
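The three rules above (primary entity must be a Resource, at least one WHERE clause or relationship, and no outgoing relationship from a restricted entity) can be checked before you try to save a query as a Risk. The following validator is an added example, not Sysdig's code or any part of the SysQL grammar: it parses only the simplified MATCH (Entity) -[:REL]->(Entity) notation used in the example on this page plus an optional textual WHERE clause, treats the restricted entities listed above as Findings and every other entity as a Resource (an assumption), and reports which rule a query breaks.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Restricted entities copied from the list on this page. They are Findings or
# metadata: they may not be the source of an outgoing relationship, and a
# query whose primary entity is one of them cannot be saved as a Risk.
RESTRICTED_ENTITIES = {
    "Label", "Zone", "Region",                      # Metadata
    "Policy",                                       # Policy
    "Vulnerability", "CriticalVulnerability",       # Vuln
    "Control", "PrivilegedControl", "S3AcceptsHTTP",
    "S3VersioningDisabled", "ContainsAIPackage",    # Controls
    "RiskFinding", "CompromisedState",              # IAM Findings
    "RuntimeEvent",                                 # Runtime Events
}

# Assumed, simplified grammar: "(Entity)" nodes joined by "-[:REL]->" (outgoing)
# or "<-[:REL]-" (incoming) edges, mirroring the notation of the page's example.
TOKEN_RE = re.compile(r"\((?P<node>\w+)\)|(?P<lhead><?)-\[:(?P<rel>\w+)\]-(?P<rhead>>?)")


@dataclass
class ParsedQuery:
    primary: str
    edges: List[Tuple[str, str, str]]  # (source entity, relationship, target entity)
    has_where: bool


def parse_query(text: str) -> ParsedQuery:
    """Parse a MATCH pattern with an optional WHERE clause into nodes and directed edges."""
    body = text.strip()
    if not body.upper().startswith("MATCH"):
        raise ValueError("query must start with MATCH")
    body = body[len("MATCH"):]
    where = re.search(r"\bWHERE\b", body, re.IGNORECASE)
    has_where = where is not None
    if has_where:
        body = body[:where.start()]  # only the pattern is parsed; the WHERE text is not

    nodes: List[str] = []
    edges: List[Tuple[str, str, str]] = []
    pending = None  # edge waiting for its target node: (lhead, rel, rhead)
    for tok in TOKEN_RE.finditer(body):
        if tok.group("node"):
            name = tok.group("node")
            if pending is not None:
                lhead, rel, rhead = pending
                prev = nodes[-1]
                if rhead == ">" and lhead == "":
                    edges.append((prev, rel, name))   # prev -[:rel]-> name
                elif lhead == "<" and rhead == "":
                    edges.append((name, rel, prev))   # prev <-[:rel]- name
                else:
                    raise ValueError(f"relationship {rel} must have exactly one direction")
                pending = None
            nodes.append(name)
        else:
            if not nodes or pending is not None:
                raise ValueError("relationship without a source node")
            pending = (tok.group("lhead"), tok.group("rel"), tok.group("rhead"))
    if pending is not None:
        raise ValueError("relationship without a target node")
    if not nodes:
        raise ValueError("no primary entity")
    return ParsedQuery(primary=nodes[0], edges=edges, has_where=has_where)


def validate_risk_query(text: str) -> List[str]:
    """Return the rule violations; an empty list means the query can be saved as a Risk."""
    q = parse_query(text)
    problems: List[str] = []
    if q.primary in RESTRICTED_ENTITIES:
        problems.append(f"primary entity {q.primary} is a Finding, not a Resource")
    if not q.edges and not q.has_where:
        problems.append("no WHERE clause and no relationship: the query only lists resources")
    for src, rel, dst in q.edges:
        if src in RESTRICTED_ENTITIES:
            problems.append(f"{src} cannot have the outgoing relationship {rel} (to {dst})")
    return problems


if __name__ == "__main__":
    # The invalid query from this page: a Vulnerability used as a bridge.
    bridge = """MATCH (EC2Instance)
      -[:AFFECTED_BY]->(Vulnerability)
      -[:THAT_AFFECTS]->(KubeWorkload)"""
    for p in validate_risk_query(bridge):
        print("invalid:", p)
```

Queries that only list a resource, or that start from a Finding, are rejected for the reasons the page gives; a query such as MATCH (EC2Instance) -[:AFFECTED_BY]->(Vulnerability) passes because the only outgoing edge leaves a Resource.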

Resource Details

When you click a resource in the search results, a resource drawer displays. To learn more about the resource drawer, see Resource Details.