Step: Query Knowledge Base

This step allows you to perform queries on any registered RDF graph database Data Sources (e.g., Working Memory, Contextual Memory) that take actions such as extracting values to store as variables in the package table, creating new connections in the graph, deleting sections of the graph, and asking the graph if a specific connection exists. Common uses for this step include finding and attaching related graph objects from contextual memory and comparing the current event with previous events already published to working memory.

Operates on a reified package graph

Uses SPARQL Query syntax

  • Query Type: Choose which kind of action the query will be taking. Values are ASK, CONSTRUCT, SELECT, UPDATE (for DELETE and INSERT)

  • Graph(s) to query: Choose one of the RDF Data Sources (graph databases), for example, Working Memory or Contextual Memory
  • Output Graph Name: (CONSTRUCT) Any results returned by the query will be placed in the specified graph. In most cases you'll want to leave it in _default_ as this is the graph that will be published.
  • Output Variable: (SELECT) Any results returned by the query will be stored in the specified package variable.
    • Note that this field is disabled for ASK and UPDATE. An ASK query returns True or False and the step exits on the matching branch; an UPDATE query performs its action (INSERT or DELETE) on triples in the database and then exits the step on the True side.
  • SPARQL Query: Use this space to enter a SPARQL query. Line returns, spaces, and tabs are all allowed and are preserved after saving. Syntax coloring is applied as you type or paste, so if the text stays uncolored there is probably a syntax error.

Find other "ProcessOfConcern" events in Working Memory in the Last 5 Minutes

Note: Many of these examples use FreeMarker expressions, like ${userName[0][0]}, to reference a value from the package graph. Those values were stored earlier by the Query Package step.

# Assumes the winevent:, dlwin: and xsd: prefixes are declared by the data source.
# dateTime - dayTimeDuration arithmetic is an engine extension, not core SPARQL 1.1.
CONSTRUCT { ?s ?p ?o } WHERE {
  GRAPH ?g {
    ?s <tag:champtc:core#hasEventTime> ?time .
    BIND( ("${eTime[0][0]}"^^xsd:dateTime - "PT5M"^^xsd:dayTimeDuration) AS ?beginTime ) .
    ?s winevent:hasHost "${hostName[0][0]}" .
    ?s winevent:hasSubjectUserName "${userName[0][0]}" .
    ?s a dlwin:ProcessOfConcern .
    FILTER( ?time >= ?beginTime ) .
    ?s ?p ?o .
  }
}
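The query above interpolates package variables straight into string literals, and its time window depends on dateTime minus duration arithmetic that SPARQL 1.1 does not define. The following added example (not part of the original page or product) renders the same template offline, assuming ${name[0][0]} placeholders are substituted as plain text: values are escaped per the SPARQL string-literal rules so a user name containing a quote or newline cannot alter the query, and ?beginTime is precomputed as an xsd:dateTime literal, which is portable across engines.

```python
import re
from datetime import datetime, timedelta

# Placeholder shape used on this page: ${name[0][0]}
PLACEHOLDER = re.compile(r"\$\{(\w+)\[0\]\[0\]\}")

# Characters that must be escaped inside a SPARQL double-quoted literal.
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}

def escape_literal(value: str) -> str:
    """Escape a Python string for safe use inside a "..." SPARQL literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render(template: str, package_vars: dict) -> str:
    """Replace every ${name[0][0]} with the escaped package-variable value.
    A placeholder with no value raises KeyError instead of being left in place."""
    return PLACEHOLDER.sub(
        lambda m: escape_literal(str(package_vars[m.group(1)])), template)

def window_start(event_time: str, minutes: int = 5) -> str:
    """xsd:dateTime lexical form of event_time minus `minutes` (UTC, 'Z' suffix)."""
    t = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    return (t - timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z")

# The page's CONSTRUCT, with ?beginTime bound to a precomputed literal
# (hypothetical package variable beginTime) instead of duration arithmetic.
PROCESS_OF_CONCERN_QUERY = """\
CONSTRUCT { ?s ?p ?o } WHERE {
  GRAPH ?g {
    ?s <tag:champtc:core#hasEventTime> ?time .
    BIND( "${beginTime[0][0]}"^^xsd:dateTime AS ?beginTime ) .
    ?s winevent:hasHost "${hostName[0][0]}" .
    ?s winevent:hasSubjectUserName "${userName[0][0]}" .
    ?s a dlwin:ProcessOfConcern .
    FILTER( ?time >= ?beginTime ) .
    ?s ?p ?o .
  }
}
"""

def build_query(event_time: str, host: str, user: str) -> str:
    return render(PROCESS_OF_CONCERN_QUERY, {
        "beginTime": window_start(event_time),
        "hostName": host,
        "userName": user,
    })

if __name__ == "__main__":
    # Constructed sample values; the user name carries a quote and a newline.
    print(build_query("2021-03-04T10:15:30Z", "WS-042", 'j.doe"\n'))
```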

Find the Employee Graph in Contextual Memory that Matches the Event's User

# Assumes the ent: and xsd: prefixes are declared by the data source.
CONSTRUCT { ?s ?p ?o } WHERE {
  GRAPH ?g {
    ?s a ent:Employee .
    ?s ent:hasAccountName "${username[0][0]}"^^xsd:string .
    ?s ?p ?o
  }
}

Delete a Specific Type of Data from Working Memory

  • Query Type: UPDATE
  • Graphs to Query: Working Memory (can be used for Contextual, too)
  • SPARQL Query:
    # Removes every triple about subjects typed attack:T1060, in whichever named graph they sit.
    # Assumes the attack: prefix is declared by the data source.
    DELETE WHERE {
      GRAPH ?g {
        ?s a attack:T1060 .
        ?s ?p ?o
      }
    }