cartography 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography/config.py

@@ -31,6 +31,8 @@ class Config:
     :type aws_best_effort_mode: bool
     :param aws_best_effort_mode: If True, AWS sync will not raise any exceptions, just log. If False (default),
         exceptions will be raised.
+    :type aws_cloudtrail_management_events_lookback_hours: int
+    :param aws_cloudtrail_management_events_lookback_hours: Number of hours back to retrieve CloudTrail management events from. Optional.
     :type azure_sync_all_subscriptions: bool
     :param azure_sync_all_subscriptions: If True, Azure sync will run for all profiles in azureProfile.json. If
         False (default), Azure sync will run using current user session via CLI credentials. Optional.
@@ -43,6 +45,8 @@ class Config:
     :param azure_client_id: Client Id for connecting in a Service Principal Authentication approach. Optional.
     :type azure_client_secret: str
     :param azure_client_secret: Client Secret for connecting in a Service Principal Authentication approach. Optional.
+    :type azure_subscription_id: str | None
+    :param azure_subscription_id: The Azure Subscription ID to sync.
     :type entra_tenant_id: str
     :param entra_tenant_id: Tenant Id for connecting in a Service Principal Authentication approach. Optional.
     :type entra_client_id: str
@@ -51,6 +55,12 @@ class Config:
     :param entra_client_secret: Client Secret for connecting in a Service Principal Authentication approach. Optional.
     :type aws_requested_syncs: str
     :param aws_requested_syncs: Comma-separated list of AWS resources to sync. Optional.
+    :type aws_guardduty_severity_threshold: str
+    :param aws_guardduty_severity_threshold: GuardDuty severity threshold filter. Only findings at or above this
+        severity level will be synced. Valid values: LOW, MEDIUM, HIGH, CRITICAL. Optional.
+    :type experimental_aws_inspector_batch: int
+    :param experimental_aws_inspector_batch: EXPERIMENTAL: Batch size for AWS Inspector findings sync. Controls how
+        many findings are fetched, processed and cleaned up at a time. Default is 1000. Optional.
     :type analysis_job_directory: str
     :param analysis_job_directory: Path to a directory tree containing analysis jobs to run. Optional.
     :type oci_sync_all_profiles: bool
@@ -63,10 +73,16 @@ class Config:
     :param okta_saml_role_regex: The regex used to map okta groups to AWS roles. Optional.
     :type github_config: str
     :param github_config: Base64 encoded config object for GitHub ingestion. Optional.
+    :type github_commit_lookback_days: int
+    :param github_commit_lookback_days: Number of days to look back for GitHub commit tracking. Optional.
     :type digitalocean_token: str
     :param digitalocean_token: DigitalOcean access token. Optional.
     :type permission_relationships_file: str
     :param permission_relationships_file: File path for the resource permission relationships file. Optional.
+    :type azure_permission_relationships_file: str
+    :param azure_permission_relationships_file: File path for the Azure permission relationships file. Optional.
+    :type gcp_permission_relationships_file: str
+    :param gcp_permission_relationships_file: File path for the GCP resource permission relationships file. Optional.
     :type jamf_base_uri: string
     :param jamf_base_uri: Jamf data provider base URI, e.g. https://example.com/JSSResource. Optional.
     :type jamf_user: string
@@ -87,6 +103,8 @@ class Config:
     :param statsd_port: If statsd_enabled is True, send metrics to this port on statsd_host. Optional.
     :type: k8s_kubeconfig: str
     :param k8s_kubeconfig: Path to kubeconfig file for kubernetes cluster(s). Optional
+    :type: managed_kubernetes: str
+    :param managed_kubernetes: Type of managed Kubernetes service (e.g., "eks"). Optional.
     :type: pagerduty_api_key: str
     :param pagerduty_api_key: API authentication key for pagerduty. Optional.
     :type: pagerduty_request_timeout: int
@@ -97,6 +115,10 @@ class Config:
     :param gsuite_auth_method: Auth method (delegated, oauth) used for Google Workspace. Optional.
     :type gsuite_config: str
     :param gsuite_config: Base64 encoded config object or config file path for Google Workspace. Optional.
+    :type googleworkspace_auth_method: str
+    :param googleworkspace_auth_method: Auth method (delegated, oauth, default) used for Google Workspace. Optional.
+    :type googleworkspace_config: str
+    :param googleworkspace_config: Base64 encoded config object or config file path for Google Workspace. Optional.
     :type lastpass_cid: str
     :param lastpass_cid: Lastpass account ID. Optional.
     :type lastpass_provhash: str
@@ -137,6 +159,61 @@ class Config:
     :param openai_org_id: OpenAI organization id. Optional.
     :type anthropic_apikey: string
     :param anthropic_apikey: Anthropic API key. Optional.
+    :type airbyte_client_id: str
+    :param airbyte_client_id: Airbyte client ID for API authentication. Optional.
+    :type airbyte_client_secret: str
+    :param airbyte_client_secret: Airbyte client secret for API authentication. Optional.
+    :type airbyte_api_url: str
+    :param airbyte_api_url: Airbyte API base URL, e.g. https://api.airbyte.com/v1. Optional.
+    :type trivy_s3_bucket: str
+    :param trivy_s3_bucket: The S3 bucket name containing Trivy scan results. Optional.
+    :type trivy_s3_prefix: str
+    :param trivy_s3_prefix: The S3 prefix path containing Trivy scan results. Optional.
+    :type ontology_users_source: str
+    :param ontology_users_source: Comma-separated list of sources of truth for user data in the ontology. Optional.
+    :type ontology_devices_source: str
+    :param ontology_devices_source: Comma-separated list of sources of truth for client computers data in the ontology.
+        Optional.
+    :type trivy_results_dir: str
+    :param trivy_results_dir: Local directory containing Trivy scan results. Optional.
+    :type scaleway_access_key: str
+    :param scaleway_access_key: Scaleway access key. Optional.
+    :type scaleway_secret_key: str
+    :param scaleway_secret_key: Scaleway secret key. Optional.
+    :type scaleway_org: str
+    :param scaleway_org: Scaleway organization id. Optional.
+    :type sentinelone_api_url: string
+    :param sentinelone_api_url: SentinelOne API URL. Optional.
+    :type sentinelone_api_token: string
+    :param sentinelone_api_token: SentinelOne API token for authentication. Optional.
+    :type sentinelone_account_ids: list[str]
+    :param sentinelone_account_ids: List of SentinelOne account IDs to sync. Optional.
+    :type spacelift_api_endpoint: string
+    :param spacelift_api_endpoint: Spacelift GraphQL API endpoint. Optional.
+    :type spacelift_api_token: string
+    :param spacelift_api_token: Spacelift API token for authentication. Optional (can use API key instead).
+    :type spacelift_api_key_id: string
+    :param spacelift_api_key_id: Spacelift API key ID for token exchange authentication. Optional (alternative to token).
+    :type spacelift_api_key_secret: string
+    :param spacelift_api_key_secret: Spacelift API key secret for token exchange authentication. Optional (alternative to token).
+    :type spacelift_ec2_ownership_s3_bucket: string
+    :param spacelift_ec2_ownership_s3_bucket: S3 bucket name containing EC2 ownership data from Athena. Optional.
+    :type spacelift_ec2_ownership_s3_prefix: string
+    :param spacelift_ec2_ownership_s3_prefix: S3 prefix for EC2 ownership data from Athena. All JSON files under this prefix will be processed. Optional.
+    :type keycloak_client_id: str
+    :param keycloak_client_id: Keycloak client ID for API authentication. Optional.
+    :type keycloak_client_secret: str
+    :param keycloak_client_secret: Keycloak client secret for API authentication. Optional.
+    :type keycloak_realm: str
+    :param keycloak_realm: Keycloak realm for authentication (all realms will be synced). Optional.
+    :type keycloak_url: str
+    :param keycloak_url: Keycloak base URL, e.g. https://keycloak.example.com. Optional.
+    :type slack_token: str
+    :param slack_token: Slack API token. Optional.
+    :type slack_teams: list[str]
+    :param slack_teams: List of Slack team IDs to sync. Optional.
+    :type slack_channels_memberships: bool
+    :param slack_channels_memberships: If True, sync Slack channel membership data. Optional.
     """
 
     def __init__(
@@ -151,23 +228,30 @@ class Config:
         aws_sync_all_profiles=False,
         aws_regions=None,
         aws_best_effort_mode=False,
+        aws_cloudtrail_management_events_lookback_hours=None,
+        experimental_aws_inspector_batch=1000,
         azure_sync_all_subscriptions=False,
         azure_sp_auth=None,
         azure_tenant_id=None,
         azure_client_id=None,
         azure_client_secret=None,
+        azure_subscription_id: str | None = None,
         entra_tenant_id=None,
         entra_client_id=None,
         entra_client_secret=None,
         aws_requested_syncs=None,
+        aws_guardduty_severity_threshold=None,
         analysis_job_directory=None,
         oci_sync_all_profiles=None,
         okta_org_id=None,
         okta_api_key=None,
         okta_saml_role_regex=None,
         github_config=None,
+        github_commit_lookback_days=30,
         digitalocean_token=None,
         permission_relationships_file=None,
+        azure_permission_relationships_file=None,
+        gcp_permission_relationships_file=None,
         jamf_base_uri=None,
         jamf_user=None,
         jamf_password=None,
@@ -175,6 +259,7 @@ class Config:
         kandji_tenant_id=None,
         kandji_token=None,
         k8s_kubeconfig=None,
+        managed_kubernetes=None,
         statsd_enabled=False,
         statsd_prefix=None,
         statsd_host=None,
@@ -189,6 +274,8 @@ class Config:
         crowdstrike_api_url=None,
         gsuite_auth_method=None,
         gsuite_config=None,
+        googleworkspace_auth_method=None,
+        googleworkspace_config=None,
         lastpass_cid=None,
         lastpass_provhash=None,
         bigfix_username=None,
@@ -209,6 +296,33 @@ class Config:
         openai_apikey=None,
         openai_org_id=None,
         anthropic_apikey=None,
+        airbyte_client_id=None,
+        airbyte_client_secret=None,
+        airbyte_api_url=None,
+        trivy_s3_bucket=None,
+        trivy_s3_prefix=None,
+        ontology_users_source=None,
+        ontology_devices_source=None,
+        trivy_results_dir=None,
+        scaleway_access_key=None,
+        scaleway_secret_key=None,
+        scaleway_org=None,
+        sentinelone_api_url=None,
+        sentinelone_api_token=None,
+        sentinelone_account_ids=None,
+        spacelift_api_endpoint=None,
+        spacelift_api_token=None,
+        spacelift_api_key_id=None,
+        spacelift_api_key_secret=None,
+        spacelift_ec2_ownership_s3_bucket=None,
+        spacelift_ec2_ownership_s3_prefix=None,
+        keycloak_client_id=None,
+        keycloak_client_secret=None,
+        keycloak_realm=None,
+        keycloak_url=None,
+        slack_token=None,
+        slack_teams=None,
+        slack_channels_memberships=False,
     ):
         self.neo4j_uri = neo4j_uri
         self.neo4j_user = neo4j_user
@@ -220,23 +334,32 @@ class Config:
         self.aws_sync_all_profiles = aws_sync_all_profiles
         self.aws_regions = aws_regions
         self.aws_best_effort_mode = aws_best_effort_mode
+        self.aws_cloudtrail_management_events_lookback_hours = (
+            aws_cloudtrail_management_events_lookback_hours
+        )
+        self.experimental_aws_inspector_batch = experimental_aws_inspector_batch
         self.azure_sync_all_subscriptions = azure_sync_all_subscriptions
         self.azure_sp_auth = azure_sp_auth
         self.azure_tenant_id = azure_tenant_id
         self.azure_client_id = azure_client_id
         self.azure_client_secret = azure_client_secret
+        self.azure_subscription_id = azure_subscription_id
         self.entra_tenant_id = entra_tenant_id
         self.entra_client_id = entra_client_id
         self.entra_client_secret = entra_client_secret
         self.aws_requested_syncs = aws_requested_syncs
+        self.aws_guardduty_severity_threshold = aws_guardduty_severity_threshold
         self.analysis_job_directory = analysis_job_directory
         self.oci_sync_all_profiles = oci_sync_all_profiles
         self.okta_org_id = okta_org_id
         self.okta_api_key = okta_api_key
         self.okta_saml_role_regex = okta_saml_role_regex
         self.github_config = github_config
+        self.github_commit_lookback_days = github_commit_lookback_days
         self.digitalocean_token = digitalocean_token
         self.permission_relationships_file = permission_relationships_file
+        self.azure_permission_relationships_file = azure_permission_relationships_file
+        self.gcp_permission_relationships_file = gcp_permission_relationships_file
         self.jamf_base_uri = jamf_base_uri
         self.jamf_user = jamf_user
         self.jamf_password = jamf_password
@@ -244,6 +367,7 @@ class Config:
         self.kandji_tenant_id = kandji_tenant_id
         self.kandji_token = kandji_token
         self.k8s_kubeconfig = k8s_kubeconfig
+        self.managed_kubernetes = managed_kubernetes
         self.statsd_enabled = statsd_enabled
         self.statsd_prefix = statsd_prefix
         self.statsd_host = statsd_host
@@ -258,6 +382,8 @@ class Config:
         self.crowdstrike_api_url = crowdstrike_api_url
         self.gsuite_auth_method = gsuite_auth_method
         self.gsuite_config = gsuite_config
+        self.googleworkspace_auth_method = googleworkspace_auth_method
+        self.googleworkspace_config = googleworkspace_config
         self.lastpass_cid = lastpass_cid
         self.lastpass_provhash = lastpass_provhash
         self.bigfix_username = bigfix_username
@@ -278,3 +404,30 @@ class Config:
         self.openai_apikey = openai_apikey
         self.openai_org_id = openai_org_id
         self.anthropic_apikey = anthropic_apikey
+        self.airbyte_client_id = airbyte_client_id
+        self.airbyte_client_secret = airbyte_client_secret
+        self.airbyte_api_url = airbyte_api_url
+        self.trivy_s3_bucket = trivy_s3_bucket
+        self.trivy_s3_prefix = trivy_s3_prefix
+        self.ontology_users_source = ontology_users_source
+        self.ontology_devices_source = ontology_devices_source
+        self.trivy_results_dir = trivy_results_dir
+        self.scaleway_access_key = scaleway_access_key
+        self.scaleway_secret_key = scaleway_secret_key
+        self.scaleway_org = scaleway_org
+        self.sentinelone_api_url = sentinelone_api_url
+        self.sentinelone_api_token = sentinelone_api_token
+        self.sentinelone_account_ids = sentinelone_account_ids
+        self.spacelift_api_endpoint = spacelift_api_endpoint
+        self.spacelift_api_token = spacelift_api_token
+        self.spacelift_api_key_id = spacelift_api_key_id
+        self.spacelift_api_key_secret = spacelift_api_key_secret
+        self.spacelift_ec2_ownership_s3_bucket = spacelift_ec2_ownership_s3_bucket
+        self.spacelift_ec2_ownership_s3_prefix = spacelift_ec2_ownership_s3_prefix
+        self.keycloak_client_id = keycloak_client_id
+        self.keycloak_client_secret = keycloak_client_secret
+        self.keycloak_realm = keycloak_realm
+        self.keycloak_url = keycloak_url
+        self.slack_token = slack_token
+        self.slack_teams = slack_teams
+        self.slack_channels_memberships = slack_channels_memberships

cartography/data/azure_permission_relationships.yaml

@@ -0,0 +1,20 @@
+# Map principals that can manage Azure SQL Servers. Specifically,
+# create an (:EntraUser|EntraGroup|EntraServicePrincipal)-[:CAN_MANAGE]->(:AzureSQLServer) relationship
+# for principals that have a role assignment with _any_ of the below
+# permissions. Similar logic applies for the other entries in this file.
+- target_label: AzureSQLServer
+  permissions:
+  - Microsoft.Sql/servers/delete
+  relationship_name: CAN_MANAGE
+
+# Map principals that can read Azure SQL Servers.
+- target_label: AzureSQLServer
+  permissions:
+  - Microsoft.Sql/servers/read
+  relationship_name: CAN_READ
+
+# Map principals that can write to Azure SQL Servers.
+- target_label: AzureSQLServer
+  permissions:
+  - Microsoft.Sql/servers/write
+  relationship_name: CAN_WRITE

cartography/data/gcp_permission_relationships.yaml

@@ -0,0 +1,21 @@
+# Map principals that can read objects from a GCPBucket. Specifically,
+# create an (:GCPPrincipal)-[:CAN_READ]->(:GCPBucket) relationship
+# for principals that have a policy attached with _any_ of the below
+# permissions. Similar logic applies for the other entries in this file.
+- target_label: GCPBucket
+  permissions:
+  - storage.objects.get
+  relationship_name: CAN_READ
+
+# Map principals that can write objects to a GCPBucket.
+- target_label: GCPBucket
+  permissions:
+  - storage.objects.create
+  - storage.objects.update
+  relationship_name: CAN_WRITE
+
+# Map principals that can delete objects from a GCPBucket.
+- target_label: GCPBucket
+  permissions:
+  - storage.objects.delete
+  relationship_name: CAN_DELETE

cartography/data/indexes.cypher

@@ -21,33 +21,12 @@ CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSRecord) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSZone) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSZone) ON (n.zoneid);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSZone) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSGroup) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSGroup) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSInternetGateway) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSInternetGateway) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv4CidrBlock) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv4CidrBlock) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv6CidrBlock) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv6CidrBlock) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambda) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambda) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaEventSourceMapping) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaEventSourceMapping) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaFunctionAlias) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaFunctionAlias) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaLayer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaLayer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPeeringConnection) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPeeringConnection) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicy) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicyStatement) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicyStatement) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPrincipal) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPrincipal) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSRole) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSRole) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTag) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTag) ON (n.key);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTag) ON (n.lastupdated);
@@ -56,13 +35,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGateway) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGateway) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGatewayAttachment) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGatewayAttachment) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSUser) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSUser) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSUser) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSVpc) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSVpc) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AccountAccessKey) ON (n.accesskeyid);
-CREATE INDEX IF NOT EXISTS FOR (n:AccountAccessKey) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AutoScalingGroup) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:AutoScalingGroup) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:CVE) ON (n.id);
@@ -81,14 +53,9 @@ CREATE INDEX IF NOT EXISTS FOR (n:DODroplet) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:DODroplet) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:DOProject) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:DOProject) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:EBSSnapshot) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:EBSSnapshot) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:EC2KeyPair) ON (n.keyfingerprint);
 CREATE INDEX IF NOT EXISTS FOR (n:EC2ReservedInstance) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:EC2ReservedInstance) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECRImage) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECRImage) ON (n.digest);
-CREATE INDEX IF NOT EXISTS FOR (n:ECRImage) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepository) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepository) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepository) ON (n.uri);
@@ -99,21 +66,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:ECRRepositoryImage) ON (n.tag);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepositoryImage) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRScanFinding) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRScanFinding) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSCluster) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSCluster) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerInstance) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerInstance) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTask) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTask) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerDefinition) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerDefinition) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainer) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ElasticacheCluster) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ElasticacheCluster) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:ElasticacheCluster) ON (n.lastupdated);
@@ -129,12 +81,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPDNSZone) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPDNSZone) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPRecordSet) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPRecordSet) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPFolder) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPFolder) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPForwardingRule) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPForwardingRule) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPInstance) ON (n.id);
@@ -145,49 +91,21 @@ CREATE INDEX IF NOT EXISTS FOR (n:GCPNetworkTag) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPNetworkTag) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPNicAccessConfig) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPNicAccessConfig) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPOrganization) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPOrganization) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPProject) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPProject) ON (n.projectnumber);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPProject) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucket) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucket) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucketLabel) ON (n.key);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucketLabel) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPSubnet) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPSubnet) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPVpc) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPVpc) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GitHubRepository) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GitHubRepository) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GKECluster) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GKECluster) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteGroup) ON (n.email);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteGroup) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteUser) ON (n.email);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteUser) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteUser) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:Ip) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:Ip) ON (n.ip);
 CREATE INDEX IF NOT EXISTS FOR (n:Ip) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionInbound) ON (n.ruleid);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionInbound) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionsEgress) ON (n.ruleid);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionsEgress) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:IpRange) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:IpRange) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:IpRule) ON (n.ruleid);
-CREATE INDEX IF NOT EXISTS FOR (n:IpRule) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:JamfComputerGroup) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:JamfComputerGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSKey) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSKey) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSKey) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSAlias) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSAlias) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSGrant) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSGrant) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.lastupdated);
@@ -227,9 +145,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:OCITenancy) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.ocid);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.lastupdated);
@@ -285,8 +200,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:SecretsManagerSecret) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:SecretsManagerSecret) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SecurityHub) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SecurityHub) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.id);
@@ -296,104 +209,5 @@ CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:UserAccount) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzurePrincipal) ON (n.email);
-CREATE INDEX IF NOT EXISTS FOR (n:AzurePrincipal) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSubscription) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSubscription) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccount) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccount) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBLocation) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBLocation) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCorsPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCorsPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccountFailoverPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccountFailoverPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCDBPrivateEndpointConnection) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCDBPrivateEndpointConnection) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBVirtualNetworkRule) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBVirtualNetworkRule) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraKeyspace) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraKeyspace) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBTableResource) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBTableResource) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlContainer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraTable) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraTable) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBCollection) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBCollection) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageAccount) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageAccount) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueueService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueueService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTableService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTableService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueue) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueue) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTable) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTable) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileShare) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileShare) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobContainer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLServer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLServer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerDNSAlias) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerDNSAlias) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerADAdministrator) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerADAdministrator) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRecoverableDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRecoverableDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorableDroppedDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorableDroppedDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureFailoverGroup) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureFailoverGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureElasticPool) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureElasticPool) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureReplicationLink) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureReplicationLink) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDatabaseThreatDetectionPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDatabaseThreatDetectionPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorePoint) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorePoint) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTransparentDataEncryption) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTransparentDataEncryption) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureVirtualMachine) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureVirtualMachine) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDataDisk) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDataDisk) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDisk) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDisk) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureSnapshot) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureSnapshot) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesCluster) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesCluster) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesCluster) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesNamespace) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesNamespace) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesNamespace) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesPod) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesPod) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesPod) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.image);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesSecret) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesSecret) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesSecret) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesService) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesService) ON (n.lastupdated);

cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json

@@ -22,8 +22,8 @@
             "iterative": false
         },
         {
-            "__comment__": "Attach EC2KeyPairs with matching fingerprints to eachother and set duplicate_keyfingerprint = True",
-            "query": "MATCH (k1:EC2KeyPair), (k2:EC2KeyPair) WHERE k1.id <> k2.id AND k1.keyfingerprint = k2.keyfingerprint SET k1.duplicate_keyfingerprint = True, k2.duplicate_keyfingerprint = True MERGE (k1)-[r:MATCHING_FINGERPRINT]-(k2) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG return COUNT(*) as TotalCompleted",
+            "__comment__": "Attach EC2KeyPairs with matching fingerprints to each other and set duplicate_keyfingerprint = True. Use id(k1) < id(k2) to avoid Cartesian product warning and ensure O(1) comparison.",
+            "query": "MATCH (k1:EC2KeyPair) MATCH (k2:EC2KeyPair) WHERE id(k1) < id(k2) AND k1.keyfingerprint = k2.keyfingerprint SET k1.duplicate_keyfingerprint = True, k2.duplicate_keyfingerprint = True MERGE (k1)-[r:MATCHING_FINGERPRINT]-(k2) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG RETURN COUNT(*) as TotalCompleted",
             "iterative": false
         }
     ]

cartography/data/jobs/analysis/keycloak_inheritance.json

@@ -0,0 +1,30 @@
+{
+  "statements": [
+    {
+        "__comment__": "Inherit group memberships from subgroups to parent groups",
+        "query": "MATCH (u:KeycloakUser)-[:MEMBER_OF]->(g:KeycloakGroup)-[:SUBGROUP_OF*1..5]->(pg:KeycloakGroup) MERGE (u)-[r:INHERITED_MEMBER_OF]->(pg) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Assign roles to users based on group memberships",
+        "query": "MATCH (u:KeycloakUser)-[:MEMBER_OF|INHERITED_MEMBER_OR]->(g:KeycloakGroup)-[:GRANTS]->(r:KeycloakRole) MERGE (u)-[r0:ASSUME_ROLE]-(r) ON CREATE SET r0.firstseen = $UPDATE_TAG SET r0.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Propagate role grants to composite roles",
+        "query": "MATCH (r:KeycloakRole)-[:INCLUDES*1..5]->(c:KeycloakRole)-[:GRANTS]->(s:KeycloakScope) MERGE (r)-[r0:INDIRECT_GRANTS]-(s) ON CREATE SET r0.firstseen = $UPDATE_TAG SET r0.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Identify legitimate scopes for users based on assumed roles",
+        "query": "MATCH (u:KeycloakUser)-[:ASSUME_ROLE]-(:KeycloakRole)-[:GRANTS|INDIRECT_GRANTS]->(s:KeycloakScope) MERGE (u)-[r:ASSUME_SCOPE]->(s) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Assign assumed scopes to users for orphan scopes (scopes not granted by any role)",
+        "query": "MATCH (s:KeycloakScope)<-[:RESOURCE]-(r:KeycloakRealm) MATCH (u:KeycloakUser)<-[:RESOURCE]-(r) WHERE NOT (s)<-[:GRANTS|INDIRECT_GRANTS]-(:KeycloakRole) MERGE (u)-[r0:ASSUME_SCOPE]->(s) SET r0.firstseen = $UPDATE_TAG SET r0.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    }
+  ],
+  "name": "Keycloak inheritance analysis"
+}

cartography/data/jobs/cleanup/gcp_compute_vpc_cleanup.json

@@ -1,17 +1,5 @@
 {
   "statements": [
-    {
-      "query": "MATCH (n:GCPVpc) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)",
-      "iterative": true,
-      "iterationsize": 100,
-      "__comment__": "Delete GCP VPCs that no longer exist and detach them from all previously connected nodes."
-    },
-    {
-      "query": "MATCH (:GCPVpc)<-[r:RESOURCE]-(:GCPProject) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
-      "iterative": true,
-      "iterationsize": 100,
-      "__comment__": "Remove GCP VPC-to-Project relationships that are out of date."
-    },
     {
       "query": "MATCH (:GCPInstance)-[r:MEMBER_OF_GCP_VPC]->(:GCPVpc) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
       "iterative": true,