# Autoloading

Loading graph visualisation settings.

In [None]:
%%graph_notebook_vis_options
{
  "edges": {
    "smooth": {
      "enabled": true,
      "type": "dynamic"
    },
    "arrows": {
      "to": {
        "enabled": true,
        "type": "arrow"
      }
    }
  }
}

# Initial Setup

## Get a view of all Ingested Cluster

Retrieve all the clusters currently ingested in KubeHound, with their associated runID and number of nodes. These numbers give a clue about the size of each cluster and also help identify whether an ingestion did not complete.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

kh.nodes()
    .groupCount()
    .by(project('cluster','runID')
         .by('cluster').by('runID'))
    .unfold()
    .limit(100)  // Limit the number of results for large clusters
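The ingestion check described above can be automated once the cell output is fetched into Python. The following is an added example, not part of the KubeHound notebook: the entries are constructed to mirror the groupCount() result (one cluster/runID pair with its node count per entry), the runIDs are made up, and they are assumed to sort chronologically, as ULID-style identifiers do.

```python
"""Spot possibly incomplete KubeHound ingestions from the per-run node counts.

Added example, not part of the KubeHound notebook. The entries below are
constructed to mirror the groupCount() cell output (one cluster/runID pair
with its node count per entry); the runIDs are made up and are assumed to
sort chronologically, as ULID-style identifiers do.
"""
from collections import defaultdict

# Constructed sample: cluster "prod" has three runs, the last one far smaller.
SAMPLE_RUNS = [
    {"cluster": "prod", "runID": "01htdg0000000000000000000a", "nodes": 12000},
    {"cluster": "prod", "runID": "01htdg0000000000000000000b", "nodes": 11800},
    {"cluster": "prod", "runID": "01htdg0000000000000000000c", "nodes": 900},
    {"cluster": "staging", "runID": "01htdg0000000000000000000d", "nodes": 3000},
]


def runs_by_cluster(entries):
    """Group entries per cluster, oldest run first (runIDs assumed to sort by time)."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["cluster"]].append(entry)
    return {cluster: sorted(runs, key=lambda e: e["runID"])
            for cluster, runs in groups.items()}


def latest_run(entries, cluster):
    """runID of the most recent run for a cluster, or None if never ingested."""
    runs = runs_by_cluster(entries).get(cluster, [])
    return runs[-1]["runID"] if runs else None


def flag_incomplete(entries, ratio=0.5):
    """Return (cluster, runID, nodes, reference) for runs whose node count is
    below `ratio` times the largest earlier run of the same cluster. A sharp
    drop usually means the ingestion stopped before the whole cluster was
    loaded, so that runID should not be used for an investigation."""
    suspicious = []
    for cluster, runs in runs_by_cluster(entries).items():
        reference = 0
        for run in runs:
            if reference and run["nodes"] < ratio * reference:
                suspicious.append((cluster, run["runID"], run["nodes"], reference))
            reference = max(reference, run["nodes"])
    return suspicious


if __name__ == "__main__":
    for cluster, runs in runs_by_cluster(SAMPLE_RUNS).items():
        print(cluster, "latest:", latest_run(SAMPLE_RUNS, cluster), "runs:", len(runs))
    for hit in flag_incomplete(SAMPLE_RUNS):
        print("possibly incomplete:", hit)
```

The threshold is deliberately coarse: a cluster can legitimately shrink between runs, so a flagged run is a prompt to compare it with the previous one, not proof that the ingestion failed.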

## Setting your run_id/cluster

Set which runID you want to use. Graph variables are shared between users, so we advise making a unique string for your user (`runID_yourid`) to avoid any conflict.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

graph.variables()
    .set('runID_yourid','01htdgjj34mcmrrksw4bjy2e94')  // no leading space, otherwise has("runID", ...) will never match

# Endpoints

Identify attack paths from endpoints. Get a view of all endpoints leading to a critical path (full takeover of the cluster).

## Identify the vulnerable app/namespace

The list here is exhaustive by port, which means an `app` or `namespace` can be listed multiple times.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

kh.endpoints()
    .has("runID", graph.variables().get('runID_yourid').get())
    .hasCriticalPath()
    .dedup()
    .by("namespace")
    .by("port")
    .valueMap("namespace","app","team","portName","port","serviceDns","exposure")
    .limit(100)  // Limit the number of results for large clusters

The following list gives a more abstract view: a deduplicated list of vulnerable `app`/`namespace`.

The goal here is to extract a list of apps to whitelist. If the `app` flags are not set properly, scope it by `namespace` instead.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

kh.endpoints()
    .has("runID", graph.variables().get('runID_yourid').get())
    .hasCriticalPath()
    .dedup()
    .by("namespace")
    .by("app")
    .valueMap("namespace","app")
    .limit(100)  // Limit the number of results for large clusters
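The two dedup cells above, and the fallback to `namespace` when the `app` label is missing, can be done in one pass once the endpoint rows are fetched into Python. This is an added example, not part of the KubeHound notebook: the rows are constructed to mimic what valueMap() returns through gremlinpython (every property value wrapped in a list), and the namespaces, apps and ports are made up.

```python
"""Turn endpoint valueMap() rows into a deduplicated app/namespace allowlist.

Added example, not part of the KubeHound notebook. The rows below are
constructed to mimic what the endpoint cells return through gremlinpython,
where valueMap() wraps every property value in a list; the namespaces, apps
and ports are made up.
"""
from collections import defaultdict

# Constructed sample: one endpoint per row, including a replica duplicate and
# an endpoint whose `app` label was never set.
SAMPLE_ROWS = [
    {"namespace": ["payments"], "app": ["api"], "port": [8080], "portName": ["http"], "exposure": [3]},
    {"namespace": ["payments"], "app": ["api"], "port": [9090], "portName": ["metrics"], "exposure": [3]},
    {"namespace": ["payments"], "app": ["api"], "port": [8080], "portName": ["http"], "exposure": [3]},
    {"namespace": ["logging"], "app": ["fluentd"], "port": [24224], "portName": ["forward"], "exposure": [2]},
    {"namespace": ["legacy"], "port": [22], "portName": ["ssh"], "exposure": [3]},
]

NO_APP = "<namespace-scoped>"


def first(row, key, default=None):
    """Unwrap a valueMap property (always a list) to its first value."""
    values = row.get(key)
    return values[0] if values else default


def scope_key(row):
    """(namespace, app) for a row; when the `app` label is missing fall back
    to the namespace alone, as the notebook advises."""
    app = first(row, "app")
    return (first(row, "namespace", "<unknown>"), app if app is not None else NO_APP)


def build_allowlist(rows):
    """Deduplicate endpoints by (namespace, app) and keep the distinct
    (port, portName) pairs behind each entry, in one pass instead of the
    two separate dedup cells."""
    ports = defaultdict(set)
    for row in rows:
        ports[scope_key(row)].add((first(row, "port"), first(row, "portName")))
    return {key: sorted(pairs) for key, pairs in sorted(ports.items())}


def gremlin_scope(key):
    """The has() steps to paste into the per-app investigation cells."""
    namespace, app = key
    steps = '.has("namespace","%s")' % namespace
    if app != NO_APP:
        steps += '.has("app","%s")' % app
    return steps


if __name__ == "__main__":
    for key, pairs in build_allowlist(SAMPLE_ROWS).items():
        print(key, pairs, gremlin_scope(key))
```

The replica duplicate collapses into the `payments/api` entry, which keeps both of its exposed ports, while the `legacy` endpoint without an `app` label produces a namespace-only scope.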

## Manual investigation for each app/namespace

From the above list, you can iterate manual investigation by scoping on each vulnerable `app`/`namespace`. To run the investigation, just copy/paste the name of the vulnerable app (replace `VULNERABLE_APP` with the targeted app).

### Listing all attack paths from a particular app

The following Gremlin request will **list all attack paths**. We add a limit(1000) to avoid a huge graph.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

kh.endpoints()
    .has("runID", graph.variables().get('runID_yourid').get())
    .has("app","VULNERABLE_APP")
    .criticalPaths()
    .by(elementMap())
    .limit(1000)  // Limit the number of results for large clusters

The last view can be quite overwhelming. It can also be capped by the limit(1000), so we don't have an exhaustive view. Increasing the limit will not solve the issue, as the result will become non human readable.

### Listing all attack paths deduplicated by app from a particular app

One way to solve this is to generate an **overall view to understand the attack path**. This view strips any specific information (IP, name, ...). For instance, it removes any ReplicaSet duplication.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

kh.endpoints()
    .has("runID", graph.variables().get('runID_yourid').get())
    .has("app","VULNERABLE_APP")
    .criticalPaths()
    .by(valueMap("app", "class","critical").with(WithOptions.tokens,WithOptions.labels))
    .limit(10000)
    .dedup()
    .limit(1000)  // Limit the number of results for large clusters

Sometimes this view is still too big and returns too many elements to be easily processed.

### Listing all attack paths deduplicated by label/type from a particular app

To get an even wider picture, we can deduplicate the attack paths by label. This shows the interactions from one type (endpoints/containers/nodes/...) to another, to help understand the bigger picture.

In [None]:
%%gremlin -d class -g critical -le 50 -p inv,oute

kh.endpoints()
    .has("runID", graph.variables().get('runID_yourid').get())
    .has("app","VULNERABLE_APP")
    .criticalPaths()
    .by(label())
    .dedup()
    .limit(1000)  // Limit the number of results for large clusters
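The three cells above are the same set of paths seen at decreasing levels of detail. The following added example (not code from the KubeHound notebook) applies those three abstraction levels to a handful of paths in Python and adds an edge histogram, which tells you which attack step is the common denominator worth fixing first. The paths are constructed: each is a list alternating vertex and edge maps, a simplified stand-in for what `criticalPaths().by(elementMap())` returns, and the vertex/edge labels are KubeHound-style names used only for illustration.

```python
"""Summarise KubeHound critical paths at the three abstraction levels the
notebook walks through: full paths, paths deduplicated by app/class, and
paths deduplicated by label only.

Added example, not code from the KubeHound notebook. The paths below are
constructed: each is a list alternating vertex and edge maps, a simplified
stand-in for what `criticalPaths().by(elementMap())` returns, and the
vertex/edge labels are KubeHound-style names used only for illustration.
"""
from collections import Counter


def vertex(label, app="", cls="", name=""):
    return {"label": label, "app": app, "class": cls, "name": name}


def edge(label):
    return {"label": label}


SAMPLE_PATHS = [
    # Two ReplicaSet pods of the same app: identical except for names.
    [vertex("Endpoint", "api", name="api-svc:8080"), edge("ENDPOINT_EXPLOIT"),
     vertex("Container", "api", name="api-7c9d-1"), edge("CE_NSENTER"),
     vertex("Node", name="node-a")],
    [vertex("Endpoint", "api", name="api-svc:8080"), edge("ENDPOINT_EXPLOIT"),
     vertex("Container", "api", name="api-7c9d-2"), edge("CE_NSENTER"),
     vertex("Node", name="node-b")],
    # Same shape for a different app: collapses only at the label level.
    [vertex("Endpoint", "web", name="web-svc:443"), edge("ENDPOINT_EXPLOIT"),
     vertex("Container", "web", name="web-5f1a-1"), edge("CE_NSENTER"),
     vertex("Node", name="node-a")],
    # A different technique ending on a critical identity.
    [vertex("Endpoint", "api", name="api-svc:8080"), edge("ENDPOINT_EXPLOIT"),
     vertex("Container", "api", name="api-7c9d-1"), edge("IDENTITY_ASSUME"),
     vertex("Identity", cls="cluster-admin", name="sa-deployer")],
]


def full_view(paths):
    """Every distinct path, names included (the limit(1000) cell)."""
    return {tuple((e["label"], e.get("name", "")) for e in p) for p in paths}


def app_class_view(paths):
    """Paths with names stripped, keyed on label/app/class (the valueMap cell)."""
    return {tuple((e["label"], e.get("app", ""), e.get("class", "")) for e in p)
            for p in paths}


def label_view(paths):
    """Paths reduced to their label sequence (the by(label()) cell)."""
    return {tuple(e["label"] for e in p) for p in paths}


def edge_histogram(paths):
    """How often each attack edge appears; edges sit at the odd positions."""
    return Counter(e["label"] for p in paths for e in p[1::2])


def summarize(paths):
    """Distinct path counts per abstraction level plus the most common edges."""
    return {
        "full": len(full_view(paths)),
        "app_class": len(app_class_view(paths)),
        "label": len(label_view(paths)),
        "top_edges": edge_histogram(paths).most_common(3),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```

On the sample, four full paths become three once names are stripped (the two replicas merge) and two once only labels remain; the histogram shows every path starts with the same edge, which is the natural place to cut them all at once.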