cyberdyne-ventures / skynet-web

Skynet Web User Interface

Queries: Everything View #1

Open randomuserid opened 2 months ago

randomuserid commented 2 months ago

The everything view is an optional sort of hello world view where we show all the detections with little or no prioritization. The original query was this:

MATCH (n:ENTITY)-[r]->(m) where n.view = 1 and m.view = 1 return n,r,m

Somewhere around 6k alerts and 100 entities this stops working. It returns in neo4j but not in the web ui.

For now I changed it to this: MATCH (h:ENTITY)-[r]->() WHERE NOT type(r) IN ['AS_SOURCE', 'AS_DEST'] WITH h MATCH p=(h)-[r]->() RETURN p

Questions

  1. Why does it work in neo but not in our web ui?
  2. While this works, it is not making use of the views, and so may not be optimal.
  3. For some reason the source / dest relations are still there and I'm not sure if we need them or can prune them. We are precomputing entities prior to ingest now because this is hard in neo and simpler in Python
  4. With around 300 entities and 6k alerts the page is too crowded to read
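The interim query above filters on relationship type only when selecting `h`; after `WITH h` the second `MATCH` binds a fresh `r` with no type constraint, so every outgoing edge of each selected entity, AS_SOURCE and AS_DEST included, is returned. The following is an added example, not a query from the skynet-web issue or project: it keeps the `view` property from the original query, applies the type filter to the path that is actually returned, and bounds the result size so the browser receives one page of edges at a time. The labels, the `view` property and the relationship types come from the issue; the `$offset` and `$page_size` parameters are assumptions for this example.

```cypher
// Added example (not from the skynet-web project).
// Assumes: nodes labelled ENTITY with a `view` property, and relationship
// types AS_SOURCE / AS_DEST, as named in the issue. The parameters
// $offset and $page_size are assumptions introduced here for paging.

// Step 1: count what the everything view would draw before rendering it.
// Running this first shows how many edges the web UI is asked to handle.
MATCH (n:ENTITY)-[r]->(m)
WHERE n.view = 1
  AND m.view = 1
  AND NOT type(r) IN ['AS_SOURCE', 'AS_DEST']
RETURN count(r) AS edges_in_view;

// Step 2: fetch the view one page at a time.
// The type filter is applied to the same pattern that is returned, so the
// AS_SOURCE / AS_DEST edges never reach the client. ORDER BY makes the
// paging stable across requests; LIMIT keeps each response small enough to
// render with ~6k alerts in the graph.
MATCH p = (n:ENTITY)-[r]->(m)
WHERE n.view = 1
  AND m.view = 1
  AND NOT type(r) IN ['AS_SOURCE', 'AS_DEST']
RETURN p
ORDER BY id(n), id(m)
SKIP $offset
LIMIT $page_size;
```

Run the count query once with the same WHERE clause as the page query; if the count is in the thousands, the everything view should page or aggregate rather than return every path in one response, whichever renderer the web UI uses.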
randomuserid commented 2 months ago

After some R&D we're using this query: MATCH p=(h:SEVERITY_CLUSTER)-[r]->() RETURN p