Search

The Search feature lets you explore and access data on GraphDB, by querying entities and relationships with SysQL. You can build and save your own queries or use the out-of-the-box queries provided by Sysdig.

Search provides a powerful, in-depth view of your cloud and container environments. This holistic approach helps security teams gain visibility into how connected cloud resources can be impacted during an attack by identifying potential security risks, such as attack paths, hidden threats, and vulnerabilities. With the Search feature, teams can uncover these threats and respond faster.

Choose Inventory > Search to access the Search feature.

Use the Search query window to create custom queries that look for security risks in your environment. Queries are built from entity fields and the relationships between entities, and results are grouped into Risk, Posture, and Vulnerabilities. You can build a query with the following:

Form-Based Query Builder

This lets you define an initial simplified SysQL query by selecting the primary entity and a set of relationships or conditions for it.

The form-based query builder organizes entities by category.

The left window contains:

  • Entity selector
  • Suggestions library
  • Favorite queries

Entity Selector

Use the search interface to set the primary entity to search for and to select a set of field or relationship conditions for it. The interface is laid out as three columns; from left to right, you select a category, the entity, and optionally a set of entity conditions.

  • Categories: The first column shows a list of categories. Categories group the following entities:

    • Application: User-facing software components and services
    • Compute: Virtual machines, containers, and other resources that provide processing power to run workloads and applications.
    • Environment: Cloud accounts, regions, zones, and other cloud-environment related entities.
    • Findings: Security issues that have been identified, such as a misconfiguration or a vulnerability.
    • Identity: Entities such as Users, Roles, Service Accounts, or Access Policies.
    • Kubernetes: Kubernetes-specific entities, such as Cluster, Node, or Deployment.
    • Secrets: Entities such as Encryption Keys or Managed Certificates.
    • Storage: Storage-related entities such as databases or buckets.
  • Entities: The second column shows the entities that are grouped by the selected category.

  • Entity Conditions: The third column lets you select the fields associated with the chosen entity, or relationships from the selected entity to another entity. For instance, you can select the Name field of an entity, or the relationship “With Zone”.

Suggestions Library

The Suggestions Library contains a list of suggested Search queries.

Favorite Queries

You can add a query as a favorite to use later. Once you have created a simplified SysQL string, click the Library icon. Your list of favorite queries is available in the query builder window under the Favorite queries tab.

Build a Search Query

To build a search query using the form-based query builder:

  1. Click the Start building your query… box.
    A form-based query builder window appears.

  2. Click the Library icon and select a category. A second column appears showing the list of entities for that category.

  3. Select the entity that you want to search.

    Another column appears showing the available field and relationship conditions for the entity.

  4. In the third column, select one or more checkboxes to add relationship or field conditions.

  5. Select Go.

The search query is created.

Search Query Examples

  • To find all S3 buckets in EU regions: Resource Type contains S3 AND Region startsWith eu

  • To search for all Workloads of type host with names starting with prod: Resource Type is host AND Name startsWith prod

  • To view all resources that are not labeled: Labels not exists
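To make the semantics of those three conditions concrete, the following is an added example, not Sysdig code: it evaluates the same condition strings against a small constructed inventory. The records, the field names, and the operator semantics (case-insensitive matching; "not exists" covering absent, null, and empty values) are assumptions made for illustration, not a statement of how Sysdig evaluates them.

```python
# Constructed sample inventory for the examples above; one dict per resource.
# Field names mirror the form-builder labels; the values are illustrative only.
INVENTORY = [
    {"Name": "prod-web-01", "Resource Type": "host", "Region": "eu-west-1", "Labels": {"team": "web"}},
    {"Name": "logs-archive", "Resource Type": "S3 Bucket", "Region": "eu-central-1", "Labels": {}},
    {"Name": "staging-db", "Resource Type": "S3 Bucket", "Region": "us-east-1"},
    {"Name": "prod-batch", "Resource Type": "host", "Region": "us-east-2", "Labels": {"team": "data"}},
]

# Assumed operator semantics: case-insensitive string matching.
OPERATORS = {
    "contains": lambda value, arg: arg.lower() in str(value).lower(),
    "startsWith": lambda value, arg: str(value).lower().startswith(arg.lower()),
    "is": lambda value, arg: str(value).lower() == arg.lower(),
}


def parse_condition(text):
    """Split 'Field op Value' or 'Field not exists' into (field, op, arg)."""
    text = text.strip()
    if text.endswith(" not exists"):
        return text[: -len(" not exists")].strip(), "not exists", None
    for op in OPERATORS:
        field, sep, arg = text.partition(f" {op} ")
        if sep:
            return field.strip(), op, arg.strip()
    raise ValueError(f"unsupported condition: {text!r}")


def matches(record, condition):
    """True when the record satisfies one condition. 'not exists' is assumed to
    cover absent, null and empty values, so an empty label map also matches."""
    field, op, arg = parse_condition(condition)
    value = record.get(field)
    if op == "not exists":
        return value in (None, "", {}, [])
    if value is None:
        return False
    return OPERATORS[op](value, arg)


def search(query, inventory=INVENTORY):
    """Names of the records that satisfy every AND-joined condition in the query."""
    conditions = query.split(" AND ")
    return [r["Name"] for r in inventory if all(matches(r, c) for c in conditions)]


if __name__ == "__main__":
    for q in (
        "Resource Type contains S3 AND Region startsWith eu",
        "Resource Type is host AND Name startsWith prod",
        "Labels not exists",
    ):
        print(q, "->", search(q))
```

Note the caveat the last query exposes: a resource with an empty label map and a resource with no Labels field at all both come back for "Labels not exists" under this evaluator; when you write an unlabeled-resource query in the product, check a known empty-label resource to confirm which of the two it returns.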

Edit a Query

After you create a query, you can add or remove parameters, or mark certain parameters as optional. Hover over each line of the query to reveal the following options:

  • Delete icon: Removes the entity or condition on that line.
  • Optional icon: Marks the condition as optional. For example, marking the condition THAT IS AFFECTED BY Vulnerability as optional also returns results that do not match that condition, so the relationship no longer filters the primary entity.

    You cannot mark the primary entity or a field condition (WHERE clause) as optional.
  • Hide icon: Hides the entity so that it does not appear in the results.
  • Add icon: Adds a nested condition to the entity defined on that line.

Write Your Query with SysQL Editor

To write your own SysQL query, use the SysQL editor. To access it, do one of the following:

  • SysQL Editor icon on the Search page.

    1. Navigate to Inventory > Search.

    2. Click the SysQL Editor icon.

    3. Enter your query and click Run.

  • Edit in Code Editor option on the Query builder.

    1. Select the three-dot menu on the query builder, then Edit in Code Editor, to open the SysQL Editor.

    2. Edit the query and click Run.

Save the Query as Custom Risk

When creating custom risks from queries, consider the following:

Risks on Resources

Resource entities represent the foundational nodes that are interconnected in your infrastructure, and Finding entities represent security-related detections on those resources, such as events or vulnerabilities. To save a query as a Risk, its primary entity must be a Resource.

Risks with Query Conditions

The query must include at least one filter to be considered a risk query. You can apply a filter in either of the following two ways:

  • A WHERE clause that refines the resource selection.
  • A relation that matches entities connected to the primary resource.

This ensures the query yields meaningful results, rather than a plain list of resources, by applying logical filtering.

From Resources to Findings

The query should only use outgoing relationships from resource entities. For example, the following query is not a valid risk query because it follows an outgoing relationship from a Vulnerability, using the finding as a “bridge” between an EC2 instance and a Kubernetes workload that are otherwise unconnected:

MATCH (EC2Instance)
  -[:AFFECTED_BY]->(Vulnerability)
  -[:THAT_AFFECTS]->(KubeWorkload)

This constraint ensures that the identified risks represent valid attack surfaces, not accidental relationships between unconnected resources.

For more information, see Custom Risks.

Restricted Outgoing Connections

To prevent invalid risk queries, the following entities cannot be the source of an outgoing relationship:

  • Metadata
    • Label
    • Zone
    • Region
  • Policy
    • Policy
  • Vuln
    • Vulnerability
    • CriticalVulnerability
  • Controls
    • Control
    • PrivilegedControl
    • S3AcceptsHTTP
    • S3VersioningDisabled
    • ContainsAIPackage
  • IAM Findings
    • RiskFinding
    • CompromisedState
  • Runtime Events
    • RuntimeEvent
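The three rules above (the primary entity must be a Resource, the query needs a WHERE clause or a relationship, and only resource entities may have outgoing relationships) together with the restricted-entity list can be checked before you try to save a query. The following is an added example, not Sysdig code: a small pre-check that parses a MATCH pattern in the rendering this page uses (entities in parentheses, directed relationships as -[:NAME]->) and reports which rule a query breaks. The restricted set is copied from the list above; RESOURCE_ENTITIES is a constructed stand-in containing only the two resource types named on this page, and the text after WHERE is not parsed, only detected. SysQL's real grammar is not defined on this page, so treat the parser as an illustration of the rules, not as a SysQL implementation.

```python
import re

# Entities the page lists as unable to have outgoing connections (grouped there
# under Metadata, Policy, Vuln, Controls, IAM Findings and Runtime Events).
NO_OUTGOING = {
    "Label", "Zone", "Region",
    "Policy",
    "Vulnerability", "CriticalVulnerability",
    "Control", "PrivilegedControl", "S3AcceptsHTTP",
    "S3VersioningDisabled", "ContainsAIPackage",
    "RiskFinding", "CompromisedState",
    "RuntimeEvent",
}

# Constructed stand-in for the Resource entities shown in the entity selector;
# only the two resource types named on this page are included.
RESOURCE_ENTITIES = {"EC2Instance", "KubeWorkload"}

# One token per entity "(Name)" or per directed relationship "-[:NAME]->".
TOKEN_RE = re.compile(r"\(\s*(?P<node>\w+)\s*\)|-\[\s*:(?P<rel>\w+)\s*\]->")
# Splits the pattern body from an optional WHERE clause; the WHERE text is not parsed.
CLAUSE_RE = re.compile(r"\bMATCH\b(.*?)(?:\bWHERE\b(.*))?$", re.S | re.I)


def parse_match(query):
    """Return (primary entity, [(src, rel, dst), ...], has_where) for a rendered MATCH pattern."""
    m = CLAUSE_RE.search(query)
    if not m:
        raise ValueError("query has no MATCH clause")
    body, where = m.group(1), m.group(2)
    nodes, edges, pending = [], [], None
    for tok in TOKEN_RE.finditer(body):
        if tok.group("node"):
            node = tok.group("node")
            if pending is not None:
                edges.append((nodes[-1], pending, node))  # close the edge started by the last -[:REL]->
                pending = None
            elif nodes:
                raise ValueError(f"entities {nodes[-1]} and {node} are not joined by a relationship")
            nodes.append(node)
        else:
            if not nodes or pending is not None:
                raise ValueError("relationship without a source entity")
            pending = tok.group("rel")
    if pending is not None or not nodes:
        raise ValueError("incomplete MATCH pattern")
    return nodes[0], edges, bool(where and where.strip())


def risk_query_problems(query, resources=RESOURCE_ENTITIES):
    """List the custom-risk rules the query breaks; an empty list means it can be saved as a risk."""
    primary, edges, has_where = parse_match(query)
    problems = []
    if primary not in resources:
        problems.append(f"primary entity {primary} is not a Resource")
    if not edges and not has_where:
        problems.append("no WHERE clause and no relationship: this is a plain list of resources")
    for src, rel, dst in edges:
        if src in NO_OUTGOING:
            problems.append(f"{src} cannot have outgoing connections: {src} -[:{rel}]-> {dst}")
    return problems


# The invalid example from this page: the Vulnerability is used as a bridge.
BRIDGE_QUERY = """MATCH (EC2Instance)
  -[:AFFECTED_BY]->(Vulnerability)
  -[:THAT_AFFECTS]->(KubeWorkload)"""

if __name__ == "__main__":
    for q in (
        BRIDGE_QUERY,
        "MATCH (KubeWorkload) -[:AFFECTED_BY]->(Vulnerability)",
        "MATCH (EC2Instance)",
    ):
        print(q.replace("\n", " "), "->", risk_query_problems(q) or "ok")
```

Running the check on the page's bridge query reports exactly one problem, the outgoing THAT_AFFECTS edge from Vulnerability; dropping that second hop leaves a query that passes all three rules. A bare MATCH on a resource with no WHERE and no relationship is reported as a plain resource list, which is the case the "Risks with Query Conditions" rule exists to reject.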

Resource Details

When you click a row in the search results, the Resource Details drawer appears. To learn more about the resource drawer, see View Resource Details.

Download Search Data

You can download the results of a Search query as a file in CSV format from the Search table. To download:

  1. Run a Search query or navigate to the Search result.

  2. On the Search results page, click the three-dot menu at the top-right corner of the search results table.

  3. Click Download CSV.

    The CSV is limited to 10,000 rows by default; results beyond that limit are cut off. If the downloaded file contains exactly 10,000 rows, assume the results were truncated and narrow the query before relying on the export.

  4. To view the Download history, click Download History.

    You can view the name of the file, completion status, and the date when the CSV file is generated.

    Hover over any of the rows in the table to reveal a Download button that you can use to download the file.