Feat/agile operations#75
Conversation
mohammad-ashraf-187
requested review from
abrahamchandy95 and
jim-limprasert-tigergraph
There was a problem hiding this comment.
I think it may be more readable if we split up this big queries.gsql file into smaller query files so that it's more manageable to take a look at those.
| /* | ||
| Query Name: | ||
| device_failure_impact_radius_visualization | ||
|
|
||
| Purpose: | ||
| 1. Find devices that do NOT have an alternative communication path. | ||
| 2. Determine devices that will be impacted if the input device fails. | ||
| 3. Display impacted devices and their interconnections. | ||
|
|
||
| Concept: | ||
| - If a device has an alternative path (redundant connectivity), it won't fail. | ||
| - Devices without alternative paths are marked as 'impacted'. | ||
|
|
||
| Inputs: | ||
| - device: The device whose failure we are analyzing. | ||
|
|
||
| Outputs: | ||
| - impacted_devices: Devices that will fail if the input device fails. | ||
| - @@edges_to_display: Edges between impacted devices for visual impact analysis. | ||
| */ |
There was a problem hiding this comment.
I like this detailed query description format - reminds me of some coding style guide!
It would be a bit tedious if we were to apply this towards ALL the solution kits though, so maybe we might need Robert's or other Solution Engineer's opinion around that.
For query outputs... I think it's fine to mention it out like this (could be helpful for those who run the query and see the different JSON keys). Some queries may have a lot of objects in the output, which made it harder to list out all the outputs explicitly. So, I would say that for those queries, it could be fine to not list all those outputs (or only mention the outputs abstractly without explicitly saying which variables are returned).
| Router → Firewall → Switch → Server | ||
| Also explores multiple downstream Switch layers (k-hop depth traversal). | ||
|
|
||
| Key Features: | ||
| ✔ Identifies all downstream devices classified by device type. | ||
| ✔ Follows device hierarchy dynamically based on input device type. | ||
| ✔ Limits multi-hop Switch traversal using k_hop_switch_limit. | ||
| ✔ Returns devices and connecting edges for visualization. |
There was a problem hiding this comment.
comment: I generally would try using standard non-extended ASCII characters (e.g. stuff you can write out using keyboards) for things in query comments.
So, I'd change the above to be like this so that standard characters are used
| Router → Firewall → Switch → Server | |
| Also explores multiple downstream Switch layers (k-hop depth traversal). | |
| Key Features: | |
| ✔ Identifies all downstream devices classified by device type. | |
| ✔ Follows device hierarchy dynamically based on input device type. | |
| ✔ Limits multi-hop Switch traversal using k_hop_switch_limit. | |
| ✔ Returns devices and connecting edges for visualization. | |
| Router -> Firewall -> Switch -> Server | |
| Also explores multiple downstream Switch layers (k-hop depth traversal). | |
| Key Features: | |
| - Identifies all downstream devices classified by device type. | |
| - Follows device hierarchy dynamically based on input device type. | |
| - Limits multi-hop Switch traversal using k_hop_switch_limit. | |
| - Returns devices and connecting edges for visualization. |
This is pretty small stuff though and probably depends on personal preference.
| ADD VERTEX Time_Date_Hour(PRIMARY_ID id DATETIME) WITH STATS="OUTDEGREE_BY_EDGETYPE", PRIMARY_ID_AS_ATTRIBUTE="true"; | ||
| ADD VERTEX Time_Date_Month(PRIMARY_ID id STRING) WITH STATS="OUTDEGREE_BY_EDGETYPE", PRIMARY_ID_AS_ATTRIBUTE="true"; | ||
| ADD VERTEX Time_Date_Minute(PRIMARY_ID id DATETIME) WITH STATS="OUTDEGREE_BY_EDGETYPE", PRIMARY_ID_AS_ATTRIBUTE="true"; | ||
| ADD VERTEX Time_Date_Minute(PRIMARY_ID id STRING) WITH STATS="OUTDEGREE_BY_EDGETYPE", PRIMARY_ID_AS_ATTRIBUTE="true"; |
There was a problem hiding this comment.
Question - why do we change the type here from DATETIME to STRING - are there issues when the id type here is a DATETIME?
There was a problem hiding this comment.
Yes, there is issue if we try to load the datetime datatype it loads default datetime value,
| Purpose: | ||
| Visualize the entire network topology by: | ||
| - Retrieving all devices in the graph | ||
| - Exploring all connected edges using Connect_To | ||
| - Displaying both devices and their connections |
There was a problem hiding this comment.
Thanks for including the purpose for some of these queries that detail out how the query works!
I don't think you need to put in detail how the query works for all the queries (for, say, future solution kits) as it will take some more time to do that. If there's a pretty complicated queries and you want to put in those details - I'll try restricting it to just a few lines/bullet points.
| • event_id — Event identifier | ||
| • event_time — Timestamp of the event | ||
| • event_type — Type classification (Security, System, Network, etc.) | ||
| • event_alert_type — Enriched alert type data (if any) | ||
| • event_incident_type — Enriched incident type data (if any) | ||
| • impacted_devices_list — Devices affected by this event |
There was a problem hiding this comment.
You can see the comments around using the "keyboard characters" around those - hence the suggestion below
| • event_id — Event identifier | |
| • event_time — Timestamp of the event | |
| • event_type — Type classification (Security, System, Network, etc.) | |
| • event_alert_type — Enriched alert type data (if any) | |
| • event_incident_type — Enriched incident type data (if any) | |
| • impacted_devices_list — Devices affected by this event | |
| > event_id — Event identifier | |
| > event_time — Timestamp of the event | |
| > event_type — Type classification (Security, System, Network, etc.) | |
| > event_alert_type — Enriched alert type data (if any) | |
| > event_incident_type — Enriched incident type data (if any) | |
| > impacted_devices_list — Devices affected by this event |
| • Searching for events (Alerts, Incidents) that occurred within a time window | ||
| starting from the incident occurrence time |
There was a problem hiding this comment.
Not all the events are linked to Alerts and Incidents (e.g. Event with type Server Back Online wouldn't be an Incident or Alert).
So, for the current solution kit schema:
- not all events are incidents or alerts.
- All alerts are events.
- All incidents are events.
I guessed you can mention it like this:
| • Searching for events (Alerts, Incidents) that occurred within a time window | |
| starting from the incident occurrence time | |
| • Searching for events (which also includes alerts and incidents) that occurred within a time window | |
| starting from the incident occurrence time |
| Key Outputs: | ||
| - routers_to_display → Starting routers | ||
| - switches_to_display → Switches on the unsecured path | ||
| - servers_to_display → Potentially unsecured servers | ||
| - edges_to_display → All traversal edges for graph visualization | ||
|
|
||
| Parameter: | ||
| k_hop_switch_limit → Maximum number of Switch-to-Switch traversal hops (default: 3) |
There was a problem hiding this comment.
Suggest: To make it more consistent with the other works in the other queries here, I would recommend:
- Changing the order here (e.g.
Parametershould appear before theOutputdescription) - Maybe change the names too (e.g.
Inputsinstead ofParameter)
This also applies to other query descriptions with the parameter happening
| Key Outputs: | |
| - routers_to_display → Starting routers | |
| - switches_to_display → Switches on the unsecured path | |
| - servers_to_display → Potentially unsecured servers | |
| - edges_to_display → All traversal edges for graph visualization | |
| Parameter: | |
| k_hop_switch_limit → Maximum number of Switch-to-Switch traversal hops (default: 3) | |
| Inputs: | |
| - k_hop_switch_limit → Maximum number of Switch-to-Switch traversal hops (default: 3) | |
| Outputs: | |
| - routers_to_display: Starting routers | |
| - switches_to_display: Switches on the unsecured path | |
| - servers_to_display: Potentially unsecured servers | |
| - edges_to_display: All traversal edges for graph visualization |
jim-limprasert-tigergraph
force-pushed
the
documentation
branch
from
adb2fbe to
14a8bc8
Compare
2 participants
In this Branch i have worked on Supply Chain,Network Infrastructure and entity resolution kyc