Security Analysis with JupiterOne’s Starbase and Memgraph

Security Analysis with JupiterOne’s Starbase and Memgraph

·

5 min read

Starbase is an open-source graph-based security analysis tool that unifies all of JupiterOne’s integrations into one. It collects assets and relationships from services and systems, including cloud infrastructure, SaaS applications, security controls, and more, into an intuitive graph visualization. With over 115 open-source graph integrations, Starbase collaborates with your existing toolkit enabling easy and insightful cyber security analysis.

In this article, we’ll dig into Starbase, guiding you through the setup of two example integrations and enabling Starbase to work with Memgraph for easy ingestion and visualization of your graph data.

starbase logo

Prerequisites

  1. Installed Yarn package manager.
  2. Installed Node.js.
  3. A running Memgraph instance—visit Memgraph’s docs for instructions on how to install and connect to Memgraph.

Setting up Starbase

  1. To kick-start your Starbase setup, first, you need to clone the JupiterOne/Starbase repo into your local directory and ensure you have Yarn and Node.js installed.
  2. Once you’ve successfully cloned the repository and installed the prerequisites, place yourself in the terminal in the directory where you cloned the repo and run the yarn command. The command installs all of the necessary project dependencies.
  3. The next step is setting up configurations for your integration of choice. You can find a list of all integrations on JupiterOne’s GitHub repo. Moving forward, we are going to explore two options for possible integration, Zoom, and GitHub.

Setting up integrations

In order to set up an integration, you need to register an account in the system the integration targets for ingestion and obtain the necessary API credentials. Starbase leverages credentials from external services to authenticate and collect data. When Starbase is started, it reads configuration data from a single configuration file named config.yaml at the root of the project.

Zoom integration

In order to configure the Zoom integration, we need to create a Zoom app to retrieve the needed credentials:

  1. Go to the Zoom App Marketplace and sign into your Zoom account.
  2. In the top right corner, go to the Develop dropdown menu and select Build App.
  3. Choose to create an OAuth type of app.
  4. Take note of your Account ID, Client ID, and Client secret which we’ll need for the configuration file later on.
  5. In the Scopes section, add group:read:admin, role:read:admin, user:read:admin, and account:read:admin.

After you’ve successfully created your Zoom App, open up the starbase repo in your editor of choice and create your config.yaml file. This is an example of a config.yaml file for Zoom integration:

integrations:
  -
    name: graph-zoom
    instanceId: testInstanceId
    directory: ./.integrations/graph-zoom
    gitRemoteUrl: <https://github.com/JupiterOne/graph-zoom.git>
    config:
      ACCOUNT_ID: <ACCOUNT_ID>
      CLIENT_ID: <CLIENT_ID>
      CLIENT_SECRET: <CLIENT_SECRET>
      SCOPES: 'read:admin role:read:admin user:read:admin account:read:admin'

GitHub integration

In order to configure GitHub integration, we need to create a GitHub app to retrieve the needed credentials:

  1. Go to the GitHub Apps and select to create a new GitHub App
  2. Name your app, and enter a homepage URL (in this case, you can use the JupiterOne’s Starbase repo URL), uncheck the webhook and adjust the repository permissions. The following permissions need to be set to read-only: -Repository Permissions: Actions, Environments, Issues, Pull Requests and Secrets -Organization Permissions: Administration, Members, Secrets. The rest of the permissions are No access by default.

Read-only access for secrets repo doesn’t give read-only access to actual secret content, it only gives read-only info to the existence of the metadata about the secrets.

  1. Select Any account and create your GitHub App.

After you’ve successfully created your GitHub App, open up the cloned Starbase repository in your editor of choice and create your config.yaml file. Generate your private key and retrieve other needed credentials from the GitHub App you previously created. Below is an example of a config.yaml file for a GitHub integration:

integrations:
    -
     name: graph-github
     instanceId: testInstanceId
     directory: ./.integrations/graph-github
     gitRemoteUrl: <https://github.com/JupiterOne/graph-github.git>
     config:
        GITHUB_APP_ID = <GITHUB_APP_ID>
GITHUB_APP_LOCAL_PRIVATE_KEY_PATH={YOURPATH}/{YOURFILENAME}.private-key.pem
        INSTALLATION_ID=<INSTALLATION_ID>
        GITHUB_API_BASE_URL=https://api.github.com

Use Starbase with Memgraph

After you’ve successfully created your config.yaml file, the last step is to adjust your queries to work with Memgraph. In order to do that, run the following steps:

  1. First, you need to place yourself in the terminal in the folder you cloned your Starbase repo and run yarn starbase setup command to clone or update all integrations listed in the config.yaml file, as well as install all dependencies for each integration.
  2. Run your Memgraph instance. Follow the instructions from Memgraph’s docs on how to connect to Memgraph, or if you are using Docker, simply run the following command: docker run -it -p 3000:3000 -p 7444:7444 -p 7687:7687 memgraph/memgraph-platform

  3. By modifying just a single line of code, you are ready to use Starbase with Memgraph. Inside the neo4jGraphStore.js file, locate the addEntities() function. To enable compatibility with Memgraph, simply update the following line:

await this.runCypherCommand(`CREATE INDEX index_${entity._type} IF NOT EXISTS FOR (n:${entity._type}) ON (n._key, n._integrationInstanceID);`);

With:

await this.runCypherCommand(`CREATE INDEX index_${entity._type} IF NOT EXISTS FOR (n:${entity._type}) ON (n._key, n._integrationInstanceID);`);
await this.runCypherCommand
  1. You are all set to utilize Starbase with Memgraph. The instance is actively listening to port 7687, as defined in the code.

The final step is to run the yarn starbase run command. Afterward, launch your browser and go to localhost:3000 to access Memgraph Lab or open your desktop version to explore and visualize your graph data.

Explore your dataset

Below, we’ve provided a few query examples that demonstrate how you can dig into your dataset and extract valuable insights. The following examples assume the use of GitHub integration.

With the following query, you are retrieving the information of all of the extracted GitHub users from a certain organization:

MATCH (n:github_user) RETURN n LIMIT 3;

github user

If you also want to determine which code owners of organization repositories grant access to outside contributors, execute the following query:

MATCH (account:github_account) - [e:OWNS] -> (repo:github_repo) -> [f:ALLOWS] -> (user:github_user {role: ‘OUTSIDE’}) RETURN account, repo, user, e, f;

github user awesome code

Takeaways

Starbase is a powerful tool that simplifies security analysis by unifying integrations into a user-friendly graph view, enhancing cybersecurity insights. Incorporating Memgraph for data ingestion adds another dimension by enhancing its capabilities and visualizing your data. If you are curious about graphs and would like to learn more, make sure to check out our blog and join our community on Discord.