Security Analysis with JupiterOne’s Starbase and Memgraph
Matea Pesic
Posted on August 22, 2023
Starbase is an open-source graph-based security analysis tool that unifies all of JupiterOne’s integrations into one. It collects assets and relationships from services and systems, including cloud infrastructure, SaaS applications, security controls, and more, into an intuitive graph visualization. With over 115 open-source graph integrations, Starbase collaborates with your existing toolkit enabling easy and insightful cyber security analysis.
In this article, we’ll dig into Starbase, guiding you through the setup of two example integrations and enabling Starbase to work with Memgraph for easy ingestion and visualization of your graph data.
Prerequisites
- Installed Yarn package manager.
- Installed Node.js.
- A running Memgraph instance—visit Memgraph’s docs for instructions on how to install and connect to Memgraph.
Setting up Starbase
- To kick-start your Starbase setup, first, you need to clone the JupiterOne/Starbase repo into your local directory and ensure you have Yarn and Node.js installed.
- Once you’ve successfully cloned the repository and installed the prerequisites, place yourself in the terminal in the directory where you cloned the repo and run the
yarn
command. The command installs all of the necessary project dependencies. - The next step is setting up configurations for your integration of choice. You can find a list of all integrations on JupiterOne’s GitHub repo. Moving forward, we are going to explore two options for possible integration, Zoom, and GitHub.
Setting up integrations
In order to set up an integration, you need to register an account in the system the integration targets for ingestion and obtain the necessary API credentials. Starbase leverages credentials from external services to authenticate and collect data. When Starbase is started, it reads configuration data from a single configuration file named config.yaml
at the root of the project.
Zoom integration
In order to configure the Zoom integration, we need to create a Zoom app to retrieve the needed credentials:
- Go to the Zoom App Marketplace and sign into your Zoom account.
- In the top right corner, go to the Develop dropdown menu and select Build App.
- Choose to create an OAuth type of app.
- Take note of your Account ID, Client ID, and Client secret which we’ll need for the configuration file later on.
- In the Scopes section, add
group:read:admin
,role:read:admin
,user:read:admin
, andaccount:read:admin
.
After you’ve successfully created your Zoom App, open up the starbase repo in your editor of choice and create your config.yaml
file. This is an example of a config.yaml
file for Zoom integration:
integrations:
-
name: graph-zoom
instanceId: testInstanceId
directory: ./.integrations/graph-zoom
gitRemoteUrl: <https://github.com/JupiterOne/graph-zoom.git>
config:
ACCOUNT_ID: <ACCOUNT_ID>
CLIENT_ID: <CLIENT_ID>
CLIENT_SECRET: <CLIENT_SECRET>
SCOPES: 'read:admin role:read:admin user:read:admin account:read:admin'
GitHub integration
In order to configure GitHub integration, we need to create a GitHub app to retrieve the needed credentials:
- Go to the GitHub Apps and select to create a new GitHub App
- Name your app, and enter a homepage URL (in this case, you can use the JupiterOne’s Starbase repo URL), uncheck the webhook and adjust the repository permissions. The following permissions need to be set to read-only: -Repository Permissions: Actions, Environments, Issues, Pull Requests and Secrets -Organization Permissions: Administration, Members, Secrets. The rest of the permissions are No access by default.
Read-only access for secrets repo doesn’t give read-only access to actual secret content, it only gives read-only info to the existence of the metadata about the secrets.
- Select Any account and create your GitHub App.
After you’ve successfully created your GitHub App, open up the cloned Starbase repository in your editor of choice and create your config.yaml
file. Generate your private key and retrieve other needed credentials from the GitHub App you previously created. Below is an example of a config.yaml
file for a GitHub integration:
integrations:
-
name: graph-github
instanceId: testInstanceId
directory: ./.integrations/graph-github
gitRemoteUrl: <https://github.com/JupiterOne/graph-github.git>
config:
GITHUB_APP_ID = <GITHUB_APP_ID>
GITHUB_APP_LOCAL_PRIVATE_KEY_PATH={YOURPATH}/{YOURFILENAME}.private-key.pem
INSTALLATION_ID=<INSTALLATION_ID>
GITHUB_API_BASE_URL=https://api.github.com
Use Starbase with Memgraph
After you’ve successfully created your config.yaml
file, the last step is to adjust your queries to work with Memgraph. In order to do that, run the following steps:
- First, you need to place yourself in the terminal in the folder you cloned your Starbase repo and run yarn starbase setup command to clone or update all integrations listed in the config.yaml file, as well as install all dependencies for each integration.
Run your Memgraph instance. Follow the instructions from Memgraph’s docs on how to connect to Memgraph, or if you are using Docker, simply run the following command:
docker run -it -p 3000:3000 -p 7444:7444 -p 7687:7687 memgraph/memgraph-platform
By modifying just a single line of code, you are ready to use Starbase with Memgraph. Inside the neo4jGraphStore.js file, locate the addEntities() function. To enable compatibility with Memgraph, simply update the following line:
await this.runCypherCommand(`CREATE INDEX index_${entity._type} IF NOT EXISTS FOR (n:${entity._type}) ON (n._key, n._integrationInstanceID);`);
With:
await this.runCypherCommand(`CREATE INDEX index_${entity._type} IF NOT EXISTS FOR (n:${entity._type}) ON (n._key, n._integrationInstanceID);`);
await this.runCypherCommand
- You are all set to utilize Starbase with Memgraph. The instance is actively listening to port 7687, as defined in the code.
The final step is to run the yarn starbase run
command. Afterward, launch your browser and go to localhost:3000
to access Memgraph Lab or open your desktop version to explore and visualize your graph data.
Explore your dataset
Below, we’ve provided a few query examples that demonstrate how you can dig into your dataset and extract valuable insights. The following examples assume the use of GitHub integration.
With the following query, you are retrieving the information of all of the extracted GitHub users from a certain organization:
MATCH (n:github_user) RETURN n LIMIT 3;
If you also want to determine which code owners of organization repositories grant access to outside contributors, execute the following query:
MATCH (account:github_account) - [e:OWNS] -> (repo:github_repo) -> [f:ALLOWS] -> (user:github_user {role: ‘OUTSIDE’})
RETURN account, repo, user, e, f;
Takeaways
Starbase is a powerful tool that simplifies security analysis by unifying integrations into a user-friendly graph view, enhancing cybersecurity insights. Incorporating Memgraph for data ingestion adds another dimension by enhancing its capabilities and visualizing your data. If you are curious about graphs and would like to learn more, make sure to check out our blog and join our community on Discord.
Posted on August 22, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.