## Preparation

Install the required packages with `pip install "neo4j-graphrag[openai]"`.

In [None]:
import os
from neo4j import GraphDatabase
from neo4j_graphrag.indexes import upsert_vectors
from neo4j_graphrag.embeddings import OpenAIEmbeddings
from neo4j_graphrag.types import EntityType
from neo4j_graphrag.retrievers import VectorRetriever
import json
import ast
from typing import Any

# Insert path to your STIX ATT&CK file
with open("enterprise-attack-17.1.json", "r") as file:
    data = json.load(file)

# Insert your OpenAI API key
os.environ["OPENAI_API_KEY"] = (
    "sk-proj-Qlq_pOwi-Zz_fon5Q8zLfTx-XXXXXuP2Mw_rti-9tlIFP9-1S7O5A1lFIHMjYyK3sAcEmW1V7_T3BlbkFJ6OmFl-ptdSUSx9tiwI8_tZVJtXmhf6CNSk0XWiuRgXuTIe0rVb4mrBUexPW7XA-qlgjMKxZoMA"
)

# Insert your Neo4j instance URL and credentials
URI = "neo4j+s://6224f1f3.databases.neo4j.io"
AUTH = ("neo4j", "DBy7vuJuvsbib8F3FRhIXzIFu5vsgPxs31gJoANwMlo")

driver = GraphDatabase.driver(URI, auth=AUTH)
embedder = OpenAIEmbeddings(model="text-embedding-3-large")

## KG Construction

In [None]:
def flatten_dict(d) -> dict[Any, str]:
    return {k: str(v) for k, v in d.items()}


def create_sdo_node(tx, props) -> None:
    query = "CREATE (n:SDO $props)"
    tx.run(query, props=props)


def create_relation(tx, src, tgt, rel_type, props) -> None:
    query = f"""
    MATCH (a {{id: $source_id}})
    MATCH (b {{id: $target_id}})
    MERGE (a)-[r:{rel_type}]->(b)
    SET r += $props
    """
    tx.run(query, source_id=src, target_id=tgt, props=props)


with driver.session() as session:
    for obj in data["objects"]:
        flat_obj = flatten_dict(obj)
        if flat_obj["type"] == "relationship":
            rel_type = flat_obj["relationship_type"].replace("-", "_")
            props = {
                k: v
                for k, v in flat_obj.items()
                if k not in ("source_ref", "target_ref", "relationship_type")
            }
            session.execute_write(
                create_relation,
                flat_obj["source_ref"],
                flat_obj["target_ref"],
                rel_type,
                props,
            )
        else:
            session.execute_write(create_sdo_node, flat_obj)

## Create and populate Vector Index

Run this Cypher query on your instance: 


```Cypher
CREATE VECTOR INDEX nodes IF NOT EXISTS
FOR (e:SDO)
ON e.embedding
OPTIONS { indexConfig: {
    `vector.dimensions`: 3072,
    `vector.similarity_function`: 'cosine',
    `vector.quantization.enabled`: false
}}
```

In [None]:
with driver.session() as session:
    nodes = session.run("MATCH (n) RETURN n")
    for record in nodes:
        node = record["n"]
        if node["description"] is not None:
            vector = embedder.embed_query(node["description"])
            upsert_vectors(
                driver,
                ids=[node.element_id],
                embedding_property="embedding",
                embeddings=[vector],
                entity_type=EntityType.NODE,
            )

## Similarity Search

In [3]:
retriever = VectorRetriever(driver, "nodes", embedder)
query_text = "In a Linux environment, what is recommended to monitor for detecting privilege escalation via sudo?"
result = retriever.search(query_text=query_text, top_k=3)
for item in result.items:
    dict_item = ast.literal_eval(item.content)
    print(dict_item["name"])
    print(dict_item["type"])
    print(dict_item["description"])
    print("---------------------")

Sudo and Sudo Caching
attack-pattern
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code>, which is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because