
Common Query Examples

By leveraging Cypher queries on SlashID’s graph database, security and identity teams can analyze, detect, and respond to identity-related risks efficiently. Below are 10 common use cases that can be solved by querying nodes (entities) and edges (relationships).


1. Identify overprivileged identities

Use Case: Find users or non-human identities (NHIs) with excessive permissions.
Why? Helps enforce least privilege and reduce attack surfaces.

MATCH (i:Identity)-[:CAN_ACCESS]->(r:Resource)
WITH i, COUNT(r) AS accessCount
WHERE accessCount > 10 // Adjust based on security policy
RETURN i.name, accessCount
ORDER BY accessCount DESC;

2. Detect privilege escalation attempts

Use Case: Identify users who recently gained highly privileged roles.
Why? Spot unauthorized role changes that may indicate an insider threat or compromise.

MATCH (i:Identity)-[r:IS_ASSIGNED]->(p:Policy)
WHERE p.name CONTAINS "admin" // Detect assignments of admin-like policies
AND r.timestamp > timestamp() - 86400000 // Changes in the last 24 hours
RETURN i.name, p.name, r.timestamp;

3. Find identities with stale or unused credentials

Use Case: List identities with credentials that haven't been used for 90+ days.
Why? Helps clean up unused access and prevent credential-based attacks.

MATCH (c:Credential)-[:IS_CREDENTIAL_OF]->(i:Identity)
WHERE c.last_used < timestamp() - (90 * 24 * 60 * 60 * 1000) // 90 days
RETURN i.name, c.identifier_from_source, c.last_used;

4. Discover NHIs with unrestricted access to resources

Use Case: Find NHIs that have direct admin access to multiple resources.
Why? Unmonitored NHIs can be exploited for lateral movement.

MATCH (nhi:Identity {entity_type: "NHI"})-[:ALLOWS_ACCESS_TO]->(r:Resource)
WITH nhi, COUNT(r) AS accessCount
WHERE accessCount > 5 // Adjust based on security policy
RETURN nhi.name, accessCount;

5. Identify federated access risks

Use Case: Detect external identities (from Okta, Google, etc.) with sensitive access.
Why? External identities may be harder to monitor, and their access harder to revoke.

MATCH (i:Identity)-[:FEDERATES_TO]->(e:Identity)
RETURN i.name, e.source_identifier, e.entity_type;

6. Track new high-privilege identities

Use Case: Identify new admin identities created in the last 7 days.
Why? Attackers often create new privileged accounts for privilege escalation and persistence.

MATCH (i:Identity)-[:CREATED]->(newIdentity:Identity)
WHERE newIdentity.status = "active"
AND newIdentity.created_at > timestamp() - (7 * 24 * 60 * 60 * 1000) // Last 7 days
RETURN i.name AS creator, newIdentity.name AS newAdmin;

7. Find resources exposed to too many identities

Use Case: List resources that have excessive access permissions.
Why? Helps identify high-risk assets with overly broad access.

MATCH (r:Resource)<-[:ALLOWS_ACCESS_TO]-(i:Identity)
WITH r, COUNT(i) AS userCount
WHERE userCount > 50 // Adjust based on security policy
RETURN r.name, userCount
ORDER BY userCount DESC;

8. Detect orphaned credentials

Use Case: Find credentials that belong to inactive accounts.
Why? Credentials left behind by inactive accounts are easy for attackers to exploit; finding them lets you revoke them.

MATCH (c:Credential)-[:IS_CREDENTIAL_OF]->(i:Identity)
WHERE i.status = "inactive"
RETURN c.identifier_from_source, i.name;

9. Investigate potential insider threats

Use Case: Track identities that suddenly access new critical resources.
Why? Detect suspicious role changes or data access spikes.

MATCH (i:Identity)-[a:ALLOWS_ACCESS_TO]->(r:Resource)
WHERE r.sensitivity_level = "high"
AND a.timestamp > timestamp() - (7 * 24 * 60 * 60 * 1000) // Last 7 days
RETURN i.name, r.name, a.timestamp;

10. Audit group membership for compliance

Use Case: List all users assigned to sensitive groups (e.g., admins, finance).
Why? Ensures compliance with access governance policies.

MATCH (i:Identity)-[:IS_MEMBER_OF]->(g:Identity {entity_type: "Group"})
WHERE g.name CONTAINS "admin" OR g.name CONTAINS "finance"
RETURN i.name, g.name;
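The patterns above can be combined into a single triage query. The following is an added example, not part of SlashID's own documentation; it assumes only the labels, relationships and property names used in the queries on this page, and the score weights are an assumption to adjust to your own policy.

```cypher
// Rank active identities by a simple risk score built from three of the
// patterns above: admin-like policy assignment (query 2), stale credentials
// (query 3) and reach into high-sensitivity resources (query 9).
// Labels, relationships and properties are those used on this page;
// the weights (3, 2, 1) are assumptions.
MATCH (i:Identity)
WHERE i.status = "active"
OPTIONAL MATCH (i)-[:IS_ASSIGNED]->(p:Policy)
WHERE p.name CONTAINS "admin"
WITH i, COUNT(DISTINCT p) AS adminPolicies
OPTIONAL MATCH (c:Credential)-[:IS_CREDENTIAL_OF]->(i)
WHERE c.last_used < timestamp() - (90 * 24 * 60 * 60 * 1000) // 90 days
WITH i, adminPolicies, COUNT(DISTINCT c) AS staleCredentials
OPTIONAL MATCH (i)-[:ALLOWS_ACCESS_TO]->(r:Resource)
WHERE r.sensitivity_level = "high"
WITH i, adminPolicies, staleCredentials, COUNT(DISTINCT r) AS sensitiveResources
// Weighted score: any admin policy counts 3, each stale credential 2,
// each high-sensitivity resource 1.
WITH i, adminPolicies, staleCredentials, sensitiveResources,
     (CASE WHEN adminPolicies > 0 THEN 3 ELSE 0 END
      + staleCredentials * 2
      + sensitiveResources) AS riskScore
WHERE riskScore > 0
RETURN i.name AS identity, i.entity_type AS type,
       adminPolicies, staleCredentials, sensitiveResources, riskScore
ORDER BY riskScore DESC
LIMIT 25;
```

Identities that score on more than one pattern (for example an NHI holding an admin policy with a credential unused for 90 days) surface first, which is usually where review time is best spent.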