cartography 0.118.0__py3-none-any.whl → 0.119.0__py3-none-any.whl

cartography/intel/gsuite/users.py

@@ -0,0 +1,142 @@
+import logging
+from collections import defaultdict
+from typing import Any
+
+import neo4j
+from googleapiclient.discovery import Resource
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.gsuite.tenant import GSuiteTenantSchema
+from cartography.models.gsuite.user import GSuiteUserSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+GOOGLE_API_NUM_RETRIES = 5
+
+
+@timeit
+def get_all_users(admin: Resource) -> list[dict]:
+    """
+    Return list of Google Users in your organization
+    Returns empty list if we are unable to enumerate the users for any reasons
+    https://developers.google.com/admin-sdk/directory/v1/guides/manage-users
+
+    :param admin: apiclient discovery resource object
+    :return: list of Google users in domain
+    see https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_domain_users
+    """
+    request = admin.users().list(
+        customer="my_customer",
+        maxResults=500,
+        orderBy="email",
+    )
+    response_objects = []
+    while request is not None:
+        resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
+        response_objects.append(resp)
+        request = admin.users().list_next(request, resp)
+    return response_objects
+
+
+@timeit
+def transform_users(response_objects: list[dict]) -> dict[str, list[dict[str, Any]]]:
+    """Transform list of API response objects to return list of user objects with flattened structure grouped by customerId
+    :param response_objects: Raw API response objects
+    :return: list of dictionary objects for data model consumption
+    """
+    results = defaultdict(list)
+    for response_object in response_objects:
+        for user in response_object["users"]:
+            # Flatten the nested name structure
+            transformed_user = user.copy()
+            if "name" in user and isinstance(user["name"], dict):
+                transformed_user["name"] = user["name"].get("fullName")
+                transformed_user["family_name"] = user["name"].get("familyName")
+                transformed_user["given_name"] = user["name"].get("givenName")
+            results[transformed_user["customerId"]].append(transformed_user)
+    return results
+
+
+@timeit
+def load_gsuite_users(
+    neo4j_session: neo4j.Session,
+    users_by_customer: dict[str, list[dict]],
+    gsuite_update_tag: int,
+) -> None:
+    """
+    Load GSuite users using the modern data model
+    """
+    logger.info("Ingesting %s gsuite tenants", len(users_by_customer))
+    tenant_data = [{"id": customer_id} for customer_id in users_by_customer.keys()]
+    load(
+        neo4j_session,
+        GSuiteTenantSchema(),
+        tenant_data,
+        lastupdated=gsuite_update_tag,
+    )
+
+    for customer_id, users in users_by_customer.items():
+        logger.info(
+            "Ingesting %s gsuite users for customer %s", len(users), customer_id
+        )
+        # Load users with relationship to tenant
+        load(
+            neo4j_session,
+            GSuiteUserSchema(),
+            users,
+            lastupdated=gsuite_update_tag,
+            CUSTOMER_ID=customer_id,
+        )
+
+
+@timeit
+def cleanup_gsuite_users(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    """
+    Clean up GSuite users using the modern data model
+    """
+    logger.debug("Running GSuite users cleanup job")
+    GraphJob.from_node_schema(GSuiteUserSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync_gsuite_users(
+    neo4j_session: neo4j.Session,
+    admin: Resource,
+    gsuite_update_tag: int,
+    common_job_parameters: dict[str, Any],
+) -> list[str]:
+    """
+    GET GSuite user objects using the google admin api resource, load the data into Neo4j and clean up stale nodes.
+
+    :param neo4j_session: The Neo4j session
+    :param admin: Google admin resource object created by `googleapiclient.discovery.build()`.
+    See https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.discovery-module.html#build.
+    :param gsuite_update_tag: The timestamp value to set our new Neo4j nodes with
+    :param common_job_parameters: Parameters to carry to the Neo4j jobs
+    :return: list of customer IDs
+    """
+    logger.debug("Syncing GSuite Users")
+
+    # 1. GET - Fetch data from API
+    resp_objs = get_all_users(admin)
+
+    # 2. TRANSFORM - Shape data for ingestion
+    users_by_customers = transform_users(resp_objs)
+
+    # 3. LOAD - Ingest to Neo4j using data model
+    load_gsuite_users(neo4j_session, users_by_customers, gsuite_update_tag)
+
+    # 4. CLEANUP - Remove stale data
+    for customer_id in users_by_customers.keys():
+        cleanup_params = {**common_job_parameters, "CUSTOMER_ID": customer_id}
+        cleanup_gsuite_users(neo4j_session, cleanup_params)
+
+    # Return the list of customer IDs
+    return list(users_by_customers.keys())

cartography/intel/okta/awssaml.py

@@ -248,7 +248,7 @@ def _load_awssso_tx(
         ingest_statement,
         GROUP_TO_ROLE=[g._asdict() for g in group_to_role],
         okta_update_tag=okta_update_tag,
-    )
+    ).consume()
 
 
 def _load_okta_group_to_awssso_roles(

cartography/intel/okta/users.py

@@ -161,7 +161,7 @@ def _load_okta_users(
     new_user.password_changed = user_data.password_changed,
     new_user.transition_to_status = user_data.transition_to_status,
     new_user.lastupdated = $okta_update_tag,
-    new_user :UserAccount
+    new_user:UserAccount
     WITH new_user, org
     MERGE (org)-[org_r:RESOURCE]->(new_user)
     ON CREATE SET org_r.firstseen = timestamp()

cartography/intel/ontology/__init__.py

@@ -0,0 +1,44 @@
+import logging
+
+import neo4j
+
+import cartography.intel.ontology.devices
+import cartography.intel.ontology.users
+from cartography.config import Config
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def run(neo4j_session: neo4j.Session, config: Config) -> None:
+    common_job_parameters = {
+        "UPDATE_TAG": config.update_tag,
+    }
+
+    # Get source of truth from config
+    if config.ontology_users_source:
+        users_source_of_truth = [
+            source.strip() for source in config.ontology_users_source.split(",")
+        ]
+    else:
+        users_source_of_truth = []
+    if config.ontology_devices_source:
+        computers_source_of_truth = [
+            source.strip() for source in config.ontology_devices_source.split(",")
+        ]
+    else:
+        computers_source_of_truth = []
+
+    cartography.intel.ontology.users.sync(
+        neo4j_session,
+        users_source_of_truth,
+        config.update_tag,
+        common_job_parameters,
+    )
+    cartography.intel.ontology.devices.sync(
+        neo4j_session,
+        computers_source_of_truth,
+        config.update_tag,
+        common_job_parameters,
+    )

cartography/intel/ontology/devices.py

@@ -0,0 +1,54 @@
+import logging
+from typing import Any
+
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.intel.ontology.utils import get_source_nodes_from_graph
+from cartography.intel.ontology.utils import link_ontology_nodes
+from cartography.models.ontology.device import DeviceSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    source_of_truth: list[str],
+    update_tag: int,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    data = get_source_nodes_from_graph(neo4j_session, source_of_truth, "devices")
+    load_devices(
+        neo4j_session,
+        data,
+        update_tag,
+    )
+    link_ontology_nodes(neo4j_session, "devices", update_tag)
+    cleanup(neo4j_session, common_job_parameters)
+
+
+@timeit
+def load_devices(
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    update_tag: int,
+) -> None:
+    load(
+        neo4j_session,
+        DeviceSchema(),
+        data,
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    GraphJob.from_node_schema(DeviceSchema(), common_job_parameters).run(
+        neo4j_session,
+    )

cartography/intel/ontology/users.py

@@ -0,0 +1,54 @@
+import logging
+from typing import Any
+
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.intel.ontology.utils import get_source_nodes_from_graph
+from cartography.intel.ontology.utils import link_ontology_nodes
+from cartography.models.ontology.user import UserSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    source_of_truth: list[str],
+    update_tag: int,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    data = get_source_nodes_from_graph(neo4j_session, source_of_truth, "users")
+    load_users(
+        neo4j_session,
+        data,
+        update_tag,
+    )
+    link_ontology_nodes(neo4j_session, "users", update_tag)
+    cleanup(neo4j_session, common_job_parameters)
+
+
+@timeit
+def load_users(
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    update_tag: int,
+) -> None:
+    load(
+        neo4j_session,
+        UserSchema(),
+        data,
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    GraphJob.from_node_schema(UserSchema(), common_job_parameters).run(
+        neo4j_session,
+    )

cartography/intel/ontology/utils.py

@@ -0,0 +1,121 @@
+import logging
+from dataclasses import asdict
+from typing import Any
+
+import neo4j
+
+from cartography.client.core.tx import read_list_of_dicts_tx
+from cartography.graph.job import GraphJob
+from cartography.models.ontology.mapping import ONTOLOGY_MAPPING
+from cartography.models.ontology.mapping import ONTOLOGY_MODELS
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get_source_nodes_from_graph(
+    neo4j_session: neo4j.Session,
+    source_of_truth: list[str],
+    module_name: str,
+) -> list[dict[str, Any]]:
+    """Retrieve source nodes from the Neo4j graph database based on the ontology mapping.
+
+    This function queries the Neo4j database for nodes that match the labels
+    defined in the ontology mapping for the specified module and source of truth.
+    It returns a list of dictionaries containing the relevant fields for each node.
+
+    If no source of truth is provided, default to all sources defined in the mapping.
+
+    Args:
+        neo4j_session (neo4j.Session): The Neo4j session to use for querying the database.
+        source_of_truth (list[str]): A list of source of truth identifiers to filter the modules.
+        module_name (str): The name of the ontology module to use for the mapping (eg. users, devices, etc.).
+
+    Returns:
+        list[dict[str, Any]]: A list of dictionaries, each containing a node details formatted according to the ontology mapping.
+    """
+    results: dict[str, dict[str, Any]] = {}
+    modules_mapping = ONTOLOGY_MAPPING[module_name]
+    if len(source_of_truth) == 0:
+        source_of_truth = list(modules_mapping.keys())
+    for source in source_of_truth:
+        if source not in modules_mapping:
+            logger.warning(
+                "Source of truth '%s' is not supported for '%s'.", source, module_name
+            )
+            continue
+        for node in modules_mapping[source].nodes:
+            query = f"MATCH (n:{node.node_label}) RETURN n"
+            for row in neo4j_session.execute_read(read_list_of_dicts_tx, query):
+                node_data = row["n"]
+                result: dict[str, Any] = {}
+                skip_node: bool = False
+
+                # Extract only the fields defined in the ontology mapping
+                for field in node.fields:
+                    value = node_data.get(field.node_field)
+                    # Skip nodes missing required fields
+                    if field.required and value is None:
+                        logger.debug(
+                            "Skipping node with label '%s' due to missing required field '%s'.",
+                            node.node_label,
+                            field.node_field,
+                        )
+                        skip_node = True
+                        break
+                    result[field.ontology_field] = value
+                if skip_node:
+                    continue
+
+                # Merge results based on the node's id field to avoid duplicates
+                id_field = ONTOLOGY_MODELS[module_name]().properties.id.name
+                existing = results.get(result[id_field])
+                if existing:
+                    logger.debug(
+                        "Merging node: %s to %s", result[id_field], existing[id_field]
+                    )
+                    # Merge existing data with new data, prioritizing non-None values
+                    for key, value in result.items():
+                        if existing.get(key) is None and value is not None:
+                            existing[key] = value
+                else:
+                    logger.debug("Adding new node: %s", result[id_field])
+                    results[result[id_field]] = result
+    return list(results.values())
+
+
+@timeit
+def link_ontology_nodes(
+    neo4j_session: neo4j.Session,
+    module_name: str,
+    update_tag: int,
+) -> None:
+    """Link ontology nodes in the Neo4j graph database based on the ontology mapping.
+
+    This function retrieves the ontology mapping for the specified module and
+    executes the relationship statements defined in the mapping to link nodes
+    in the Neo4j graph database.
+
+    Args:
+        neo4j_session (neo4j.Session): The Neo4j session to use for executing the relationship statements.
+        module_name (str): The name of the ontology module for which to link nodes (eg. users, devices, etc.).
+        update_tag (int): The update tag of the current run, used to tag the changes in the graph.
+    """
+    modules_mapping = ONTOLOGY_MAPPING.get(module_name)
+    if modules_mapping is None:
+        logger.warning("No ontology mapping found for module '%s'.", module_name)
+        return
+    for source, mapping in modules_mapping.items():
+        if len(mapping.rels) == 0:
+            continue
+        formated_json = {
+            "name": f"Linking ontology nodes for {module_name} for source {source}",
+            "statements": [asdict(rel) for rel in mapping.rels],
+        }
+        GraphJob.run_from_json(
+            neo4j_session,
+            formated_json,
+            {"UPDATE_TAG": update_tag},
+            short_name=f"ontology.{module_name}.{source}.linking",
+        )

cartography/models/airbyte/user.py

@@ -3,6 +3,7 @@ from dataclasses import dataclass
 from cartography.models.core.common import PropertyRef
 from cartography.models.core.nodes import CartographyNodeProperties
 from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
 from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
@@ -98,6 +99,9 @@ class AirbyteUserToWorkspaceMemberRel(CartographyRelSchema):
 @dataclass(frozen=True)
 class AirbyteUserSchema(CartographyNodeSchema):
     label: str = "AirbyteUser"
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
+        ["UserAccount"]
+    )  # UserAccount label is used for ontology mapping
     properties: AirbyteUserNodeProperties = AirbyteUserNodeProperties()
     sub_resource_relationship: AirbyteUserToOrganizationRel = (
         AirbyteUserToOrganizationRel()

cartography/models/anthropic/user.py

@@ -3,6 +3,7 @@ from dataclasses import dataclass
 from cartography.models.core.common import PropertyRef
 from cartography.models.core.nodes import CartographyNodeProperties
 from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
 from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
@@ -42,6 +43,9 @@ class AnthropicUserToOrganizationRel(CartographyRelSchema):
 @dataclass(frozen=True)
 class AnthropicUserSchema(CartographyNodeSchema):
     label: str = "AnthropicUser"
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
+        ["UserAccount"]
+    )  # UserAccount label is used for ontology mapping
     properties: AnthropicUserNodeProperties = AnthropicUserNodeProperties()
     sub_resource_relationship: AnthropicUserToOrganizationRel = (
         AnthropicUserToOrganizationRel()

cartography/models/aws/ecr/image.py

@@ -26,6 +26,7 @@ class ECRImageNodeProperties(CartographyNodeProperties):
     attests_digest: PropertyRef = PropertyRef("attests_digest")
     media_type: PropertyRef = PropertyRef("media_type")
     artifact_media_type: PropertyRef = PropertyRef("artifact_media_type")
+    child_image_digests: PropertyRef = PropertyRef("child_image_digests")
 
 
 @dataclass(frozen=True)
@@ -86,6 +87,50 @@ class ECRImageToParentImageRel(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class ECRImageContainsImageRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageContainsImageRel(CartographyRelSchema):
+    """
+    Relationship from a manifest list ECRImage to platform-specific ECRImages it contains.
+    Only applies to ECRImage nodes with type="manifest_list".
+    """
+
+    target_node_label: str = "ECRImage"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"digest": PropertyRef("child_image_digests", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "CONTAINS_IMAGE"
+    properties: ECRImageContainsImageRelProperties = (
+        ECRImageContainsImageRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class ECRImageAttestsRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageAttestsRel(CartographyRelSchema):
+    """
+    Relationship from an attestation ECRImage to the ECRImage it attests/validates.
+    Only applies to ECRImage nodes with type="attestation".
+    """
+
+    target_node_label: str = "ECRImage"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"digest": PropertyRef("attests_digest")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ATTESTS"
+    properties: ECRImageAttestsRelProperties = ECRImageAttestsRelProperties()
+
+
 @dataclass(frozen=True)
 class ECRImageSchema(CartographyNodeSchema):
     label: str = "ECRImage"
@@ -95,5 +140,7 @@ class ECRImageSchema(CartographyNodeSchema):
         [
             ECRImageHasLayerRel(),
             ECRImageToParentImageRel(),
+            ECRImageContainsImageRel(),
+            ECRImageAttestsRel(),
         ],
     )

cartography/models/aws/iam/group_membership.py

@@ -15,12 +15,13 @@ class AWSGroupToAWSUserRelProperties(CartographyRelProperties):
 
 @dataclass(frozen=True)
 class AWSGroupToAWSUserRel(CartographyRelSchema):
+    # AWSUser -MEMBER_AWS_GROUP-> AWSGroup
     target_node_label: str = "AWSUser"
     target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
         {
-            "arn": PropertyRef("user_arn"),
+            "arn": PropertyRef("user_arns", one_to_many=True),
         }
     )
-    direction: LinkDirection = LinkDirection.OUTWARD
+    direction: LinkDirection = LinkDirection.INWARD
     rel_label: str = "MEMBER_AWS_GROUP"
     properties: AWSGroupToAWSUserRelProperties = AWSGroupToAWSUserRelProperties()

cartography/models/aws/identitycenter/awsssouser.py

@@ -95,7 +95,9 @@ class AWSSSOUserToPermissionSetRel(CartographyRelSchema):
 class AWSSSOUserSchema(CartographyNodeSchema):
     label: str = "AWSSSOUser"
     properties: SSOUserProperties = SSOUserProperties()
-    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["UserAccount"])
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
+        ["UserAccount"]
+    )  # UserAccount label is used for ontology mapping
     sub_resource_relationship: AWSSSOUserToAWSAccountRel = AWSSSOUserToAWSAccountRel()
     other_relationships: OtherRelationships = OtherRelationships(
         [

cartography/models/bigfix/bigfix_computer.py

@@ -22,7 +22,7 @@ class BigfixComputerNodeProperties(CartographyNodeProperties):
     besrootserver: PropertyRef = PropertyRef("BESRootServer")
     bios: PropertyRef = PropertyRef("BIOS")
     computertype: PropertyRef = PropertyRef("ComputerType")
-    computername: PropertyRef = PropertyRef("ComputerName")
+    computername: PropertyRef = PropertyRef("ComputerName", extra_index=True)
     cpu: PropertyRef = PropertyRef("CPU")
     devicetype: PropertyRef = PropertyRef("DeviceType")
     distancetobesrelay: PropertyRef = PropertyRef("DistanceToBESRelay")

cartography/models/cloudflare/member.py

@@ -3,6 +3,7 @@ from dataclasses import dataclass
 from cartography.models.core.common import PropertyRef
 from cartography.models.core.nodes import CartographyNodeProperties
 from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
 from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
@@ -71,6 +72,9 @@ class CloudflareMemberToCloudflareRoleRel(CartographyRelSchema):
 @dataclass(frozen=True)
 class CloudflareMemberSchema(CartographyNodeSchema):
     label: str = "CloudflareMember"
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
+        ["UserAccount"]
+    )  # UserAccount label is used for ontology mapping
     properties: CloudflareMemberNodeProperties = CloudflareMemberNodeProperties()
     sub_resource_relationship: CloudflareMemberToAccountRel = (
         CloudflareMemberToAccountRel()

cartography/models/crowdstrike/hosts.py

@@ -12,7 +12,7 @@ class CrowdstrikeHostNodeProperties(CartographyNodeProperties):
     instance_id: PropertyRef = PropertyRef("instance_id", extra_index=True)
     serial_number: PropertyRef = PropertyRef("serial_number", extra_index=True)
     status: PropertyRef = PropertyRef("status")
-    hostname: PropertyRef = PropertyRef("hostname")
+    hostname: PropertyRef = PropertyRef("hostname", extra_index=True)
     machine_domain: PropertyRef = PropertyRef("machine_domain")
     crowdstrike_first_seen: PropertyRef = PropertyRef("first_seen")
     crowdstrike_last_seen: PropertyRef = PropertyRef("last_seen")

cartography/models/duo/endpoint.py

@@ -21,7 +21,7 @@ class DuoEndpointNodeProperties(CartographyNodeProperties):
     device_id: PropertyRef = PropertyRef("device_id")
     device_identifier: PropertyRef = PropertyRef("device_identifier")
     device_identifier_type: PropertyRef = PropertyRef("device_identifier_type")
-    device_name: PropertyRef = PropertyRef("device_name")
+    device_name: PropertyRef = PropertyRef("device_name", extra_index=True)
     device_udid: PropertyRef = PropertyRef("device_udid")
     device_username: PropertyRef = PropertyRef("device_username")
     device_username_type: PropertyRef = PropertyRef("device_username_type")

cartography/models/duo/phone.py

@@ -22,8 +22,8 @@ class DuoPhoneNodeProperties(CartographyNodeProperties):
     fingerprint: PropertyRef = PropertyRef("fingerprint")
     last_seen: PropertyRef = PropertyRef("last_seen")
     model: PropertyRef = PropertyRef("model")
-    name: PropertyRef = PropertyRef("name")
-    phone_id: PropertyRef = PropertyRef("phone_id", extra_index=True)
+    name: PropertyRef = PropertyRef("name", extra_index=True)
+    phone_id: PropertyRef = PropertyRef("phone_id")
     platform: PropertyRef = PropertyRef("platform")
     postdelay: PropertyRef = PropertyRef("postdelay")
     predelay: PropertyRef = PropertyRef("predelay")

cartography/models/duo/user.py

@@ -3,6 +3,7 @@ from dataclasses import dataclass
 from cartography.models.core.common import PropertyRef
 from cartography.models.core.nodes import CartographyNodeProperties
 from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
 from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
@@ -149,6 +150,9 @@ class DuoUserToHumanRel(CartographyRelSchema):
 @dataclass(frozen=True)
 class DuoUserSchema(CartographyNodeSchema):
     label: str = "DuoUser"
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
+        ["UserAccount"]
+    )  # UserAccount label is used for ontology mapping
     properties: DuoUserNodeProperties = DuoUserNodeProperties()
     sub_resource_relationship: DuoUserToDuoApiHostRel = DuoUserToDuoApiHostRel()
     other_relationships: OtherRelationships = OtherRelationships(

cartography/models/entra/user.py

@@ -85,5 +85,6 @@ class EntraUserSchema(CartographyNodeSchema):
     extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
         [
             "EntraIdentity",
-        ]
+            "UserAccount",
+        ]  # UserAccount label is used for ontology mapping
     )