This is a living document that captures notes on any and all Neo4j and Cypher queries.

Below is a sample CSV file with 3 columns that represents Windows authentication events between endpoints (think lateral movement detection, investigation and threat hunting): each row is one logon from SourceComputer to DestinationComputer with the account DestinationUserName.
lateral-movement.csv:

```csv
"SourceComputer","DestinationComputer","DestinationUserName"
"WS01","WS02","administrator"
"WS01","WS03","administrator"
"WS02","WS03","administrator"
"WS03","WS04","administrator"
"WS04","WS05","administrator"
"WS05","WS06","administrator"
"WS06","WS07","administrator"
"WS07","DB01","administrator"
"DB01","FS05","administrator"
"FS05","DC01","da-james"
"WS01","WS04","billy"
"WS02","WS04","sally"
"WS03","WS02","fred"
"WS03","WS02","james"
"WS01","WS02","james"
```
Load the CSV into the graph: one Computer node per host (MERGE avoids duplicates) and one LOGGED_IN relationship per source/destination/account combination. The file must be readable from Neo4j's import directory for the file:/// URL to resolve.

```cypher
LOAD CSV WITH HEADERS FROM 'file:///lateral-movement.csv' AS line
MERGE (a:Computer {Computer: line.SourceComputer})
MERGE (b:Computer {Computer: line.DestinationComputer})
MERGE (a)-[:LOGGED_IN {loggedAs: line.DestinationUserName}]->(b)
```
Wipe the graph before reloading. The first statement deletes every relationship together with its source node; the second removes the nodes that had no outgoing logons (leaf hosts such as DC01).

```cypher
MATCH (a)-[r]->() DELETE a, r;
MATCH (a) DELETE a
```
Logons whose destination is a workstation (hostname contains "WS"):

```cypher
MATCH p=()-[r:LOGGED_IN]->(m:Computer)
WHERE m.Computer CONTAINS "WS"
RETURN p LIMIT 25
```
Logons by an account whose name contains "james" (this matches both james and da-james):

```cypher
MATCH p=()-[r:LOGGED_IN]->()
WHERE r.loggedAs CONTAINS "james"
RETURN p LIMIT 25
```
Chains of exactly three consecutive logons (host A to B to C to D), which is where a single hop starts to look like a path:

```cypher
MATCH p=()-[r:LOGGED_IN*3]->()
RETURN p LIMIT 25
```
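As an added example that is not part of the original notes, two queries over the same graph that take the fixed-length chain idea further: the first lists every logon chain of any length from a workstation to the domain controller, with the account used on each hop side by side with the hosts, and the second returns only the shortest such chain from one workstation. The labels, property names and hostnames (Computer, LOGGED_IN, loggedAs, WS01, DC01) are the ones created by the LOAD CSV statement above.

```cypher
// Every logon chain of 1 to 10 hops that starts on a workstation and ends on the DC.
// hosts and accounts are aligned hop by hop, so an account switch along the
// chain (administrator on every hop, then da-james on FS05 -> DC01) is visible
// in the result table without rendering the graph.
MATCH p = (src:Computer)-[:LOGGED_IN*1..10]->(dc:Computer {Computer: "DC01"})
WHERE src.Computer STARTS WITH "WS"
RETURN src.Computer AS origin,
       [n IN nodes(p) | n.Computer] AS hosts,
       [r IN relationships(p) | r.loggedAs] AS accounts,
       length(p) AS hops
ORDER BY hops, origin;

// Shortest logon chain from one suspected starting point to the DC.
// shortestPath follows LOGGED_IN edges in their direction only, and
// variable-length matching never reuses a relationship, so the WS02 <-> WS03
// cycle in the sample data does not cause the query to loop.
MATCH (src:Computer {Computer: "WS01"}), (dc:Computer {Computer: "DC01"})
MATCH p = shortestPath((src)-[:LOGGED_IN*]->(dc))
RETURN [n IN nodes(p) | n.Computer] AS hosts,
       [r IN relationships(p) | r.loggedAs] AS accounts,
       length(p) AS hops
```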