Create `FirewallRule` entity class
Historically, Firewall Rules have been created as edges between Firewalls and "The Internet". Properties such as Allow/Deny, startIp/endIp, protocol, etc. have been properties on these edges, and to query in J1QL, one must build a query like `FIND Firewall THAT (ALLOWS|DENIES) as firewallRule * return firewallRule.*`.
Firewall rules aren't always related to Firewalls, though, as is the case with Azure SQL Servers (which have firewall rules with fewer properties, omitting Allows/Denies, Protocol, and other typical properties). I think it would be best to create a `FirewallRule` entity class.
@ndowmon I'd like to clarify goals and non-goals:
- Non-goal: Avoid relationships for obtaining properties in a query/question.
- Goal: Support ingesting rules for host-based firewalls, where there is no entity to represent the Firewall. That is, there is only the entity representing the host/service where the rules are evaluated, but it doesn't make sense to add the class `Firewall` to that entity.
- Goal: Support a J1 query that shows which cloud services, hosts, or the Internet can access the protected host/service.
Do you think we could accomplish this by expanding or changing Rules and RuleSets instead?
Those do seem like they could be a good fit for 2 above. What would the J1QL look like, do you think @ndowmon, to accomplish 3 (assuming that is a goal)?
I want to bump this one again. Lots of entities in Azure support host-based firewall rules, and a lot of queries of security importance rely on being able to ID these firewall rules.