Cartography Rules¶

Cartography Rules is a query library for your Cartography graph.

With the cartography-rules CLI, you can:

Run pre-defined queries based on frameworks like MITRE ATT&CK
Explore and contribute community rules
Build custom queries for your own environment

Design¶

These rules are designed from an attacker’s perspective. For each framework technique, we ask: “What does an attacker actually need to execute this technique?”

The queries surface opportunities across the entire kill chain: initial access, lateral movement, privilege escalation, data exfiltration, persistence.

We don’t impose arbitrary thresholds like “no more than 5 admins” because every organization has different risk tolerances. Instead, we surface facts:

If a query returns no results, you’ve eliminated obvious attack paths for that technique.
If it returns findings, you now have a clear list of potential attacker targets.

Rationale¶

Security isn’t one-size-fits-all. For example, an EC2 security group open to the internet may be risky for some orgs even if it isn’t attached to an instance (someone could attach one later). For other orgs, that’s irrelevant noise.

Similarly, IAM roles trusted across multiple accounts or S3 buckets with public access may or may not be material risks depending on your use case.

Our goal is to surface facts in context so you can decide what matters for your environment.

Supported Rules¶

Currently rules cover:

MITRE ATT&CK

You can list all available frameworks and techniques from the CLI, see below.

.. note:: Rules query against the existing Cartography graph. They don’t write data; they return findings you can view in text, JSON, or the Neo4j Browser.

Setup¶

Make sure you’ve run Cartography and have data in Neo4j.

Then configure your Neo4j connection:

export NEO4J_URI=bolt://localhost:7687 # or your Neo4j URI
export NEO4J_USER=neo4j # or your username
export NEO4J_DATABASE=neo4j # or your database name

# Store the Neo4j password in an environment variable. You can name this anything you want.

set +o history # avoid storing the password in the shell history; can also use something like 1password CLI.
export NEO4J_PASSWORD=password
set -o history # turn shell history back on

Quick start¶

List all frameworks
```
cartography-rules list
```
List techniques for MITRE ATT&CK
```
cartography-rules list mitre-attack
```

Run a specific technique

cartography-rules run mitre-attack t1190

Sample output:

Fact 1/4: Internet-Exposed EC2 Instances on Common Management Ports
Framework:   MITRE ATT&CK
Requirement: t1190 - Exploit Public-Facing Application
Fact ID:     aws_ec2_instance_internet_exposed
Description: EC2 instances exposed to the internet on ports 22, 3389, 3306, 5432, 6379, 9200, 27017
Provider:    AWS
Neo4j Query: Click to run visual query
Results:     No items found

Fact 2/4: Internet-Accessible S3 Storage Attack Surface
Framework:   MITRE ATT&CK
Requirement: t1190 - Exploit Public-Facing Application
Fact ID:     aws_s3_public
Description: AWS S3 buckets accessible from the internet
Provider:    AWS
Neo4j Query: Click to run visual query
Results:     7 item(s) found
    Sample results:
    1. bucket=cdn.example.com, region=us-east-1, public_access=True, public_actions=['s3:ListBucket']
    2. bucket=mybucket.example.com, region=us-east-1, public_access=True, public_actions=['s3:ListBucket', 's3:ListBucketVersions', 's3:...
    3. bucket=static.example.com, region=us-east-1, public_access=True, public_actions=['s3:GetBucketAcl', 's3:GetBucketAcl', 's3:GetO...
    ... and 4 more (use --output json to see all)
...

Usage¶

`list`¶

See available frameworks¶

cartography-rules list

See available requirements for a framework¶

cartography-rules list mitre-attack

See available facts for a requirement¶

cartography-rules list mitre-attack t1190

`run`¶

Run all frameworks in text mode¶

cartography-rules run all
# or
cartography-rules run all --output text

Run all frameworks in JSON mode¶

cartography-rules run all --output json

Run a specific framework¶

cartography-rules run mitre-attack

Run a specific requirement on a framework¶

cartography-rules run mitre-attack t1190

Run a specific fact on a requirement¶

cartography-rules run mitre-attack t1190 aws_rds_public_access

Authentication Options¶

Use a custom environment variable for the password:¶

cartography-rules run mitre-attack --neo4j-password-env-var MY_NEO4J_PASSWORD

Use interactive password prompt:¶

cartography-rules run mitre-attack --neo4j-password-prompt

Tab completion¶

Note that you can TAB complete. Install it with

cartography-rules --install-completion

and then restart your shell and then you can get TAB completion like:

cartography-rules run <TAB>

and then it will show you all the available frameworks.

Next steps¶

Explore the rules against your graph
Submit a pull request to contribute your own rules to the community; PRs welcome ❤️
Use JSON output to integrate this with your existing tools