Step: Reason

Use selected ontology rules to apply reasoning to one or more graphs in the package. A CONSTRUCT query adds the triples it builds (new class memberships and properties, including any the reasoner inferred from the selected ontologies) to the output graph. A SELECT query returns values from the ontology items and the graph into a package variable.

Operates on a reified package graph

Uses SPARQL Query syntax

  • Query Type: Choose which kind of action the query will be taking. Values are SELECT, CONSTRUCT, UPDATE, ASK

  • Graph(s) to Query: Enter the name of one or more graphs. The default graph in the package is called _default_. Separate multiple graph names with a comma.
  • Ontologies to Use: Select any Ontologies that will be used during the SPARQL Query.
  • Output Graph/Variable Name:
    • CONSTRUCT/DELETE: Any triples produced by the query will be added to (or deleted from) the specified graph. In most cases you'll want to leave this as _default_, since that is the graph that will be published.
    • SELECT/ASK: Any results returned will be stored in a package variable. The value(s) of that variable can later be recalled using FreeMarker syntax.
  • Disable Reasoner: Although it may seem strange to disable the reasoner in a reasoning step, sometimes you want to query only the triples that are actually stated in the ontologies (labels, links, declared hierarchy) rather than what can be inferred from them. With the reasoner disabled, a pattern such as ?t a ?type matches only asserted types.
  • SPARQL Query: Use this space to enter a SPARQL query. Line returns, spaces, and tabs are all allowed and stored after saving.

Adding Sub-Classes to the Incoming Event

This CONSTRUCT query operates on the incoming event and is used when it is the only object you wish the reasoner to consider. It uses the FreeMarker shorthand ${trigger} to refer to the primary object and basically says, "Take every type (class) the object already has, and add every further type the selected ontologies imply for it (for an rdfs:subClassOf hierarchy, the super-classes of the asserted types)." The WHERE pattern is evaluated with the reasoner enabled, so ?type binds to the inferred classes as well as the asserted ones, and the CONSTRUCT template materialises those extra rdf:type triples in the output graph.

     CONSTRUCT { <${trigger}> a ?type . }
     WHERE     { <${trigger}> a ?type . }

Extracting information from an ontology

This example shows a Reason step searching the graph that resulted from a previous Reason step, which used a CONSTRUCT query to collect Technique objects. This step then extracts (selects) the rdfs:label and rdfs:seeAlso details for each of those Techniques from the "attack.owl" ontology (MITRE ATT&CK), which must be selected under Ontologies to Use. The results land in the package variable named in Output Graph/Variable Name, so a later step can print that information or use it in a query. Note that every triple pattern in the WHERE clause is a required join: a type with no rdfs:seeAlso in the ontology produces no row at all (use OPTIONAL around that pattern if you want such types listed anyway).

PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
SELECT DISTINCT ?type ?name ?seeAlso
WHERE {
 ?t a ?type .
 ?type rdfs:label ?name .
 ?type rdfs:seeAlso ?seeAlso .
}
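To make concrete what the reasoner contributes to the two queries above (the CONSTRUCT that adds inferred types to the incoming event, and the SELECT that joins those types to ontology annotations), here is an added, self-contained Python illustration. It is not the Reason step's own code and not part of the product: it models a graph as a set of triples, implements only the rdfs:subClassOf rule ("x a C, C subClassOf D, therefore x a D"), and runs both queries with the reasoner on and off. The EX namespace, class names, labels and seeAlso URLs are constructed for the example and are not real attack.owl identifiers.

```python
"""Added illustration of what the Reason step's queries do.

Constructed for this example (not real ATT&CK data): the EX namespace,
its class hierarchy, labels and seeAlso links, and the trigger event.
The "reasoner" here handles only rdfs:subClassOf; a real one does more.
"""
from itertools import chain

RDF_TYPE = "rdf:type"
RDFS_SUBCLASS = "rdfs:subClassOf"
RDFS_LABEL = "rdfs:label"
RDFS_SEEALSO = "rdfs:seeAlso"
EX = "http://example.org/ont#"  # constructed namespace, stands in for attack.owl

# Constructed ontology: a three-level class hierarchy with annotations.
ONTOLOGY = {
    (EX + "PasswordDumping", RDFS_SUBCLASS, EX + "CredentialTheft"),
    (EX + "CredentialTheft", RDFS_SUBCLASS, EX + "Technique"),
    (EX + "PasswordDumping", RDFS_LABEL, "Password Dumping"),
    (EX + "PasswordDumping", RDFS_SEEALSO, "https://example.org/docs/password-dumping"),
    (EX + "CredentialTheft", RDFS_LABEL, "Credential Theft"),
    (EX + "CredentialTheft", RDFS_SEEALSO, "https://example.org/docs/credential-theft"),
    (EX + "Technique", RDFS_LABEL, "Technique"),
    # Technique deliberately has no rdfs:seeAlso: the SELECT join drops it.
}

# Constructed package graph: the incoming event carries one asserted type.
TRIGGER = "urn:example:event-42"  # what ${trigger} would expand to
DATA_GRAPH = {(TRIGGER, RDF_TYPE, EX + "PasswordDumping")}


def subclass_closure(ontology):
    """Transitive closure of rdfs:subClassOf: class -> set of all ancestors."""
    direct = {}
    for s, p, o in ontology:
        if p == RDFS_SUBCLASS:
            direct.setdefault(s, set()).add(o)
    closure = {}
    for cls, parents in direct.items():
        seen, stack = set(), list(parents)
        while stack:
            parent = stack.pop()
            if parent not in seen:
                seen.add(parent)
                stack.extend(direct.get(parent, ()))
        closure[cls] = seen
    return closure


def types_of(subject, graph, ontology, reasoner=True):
    """Answer `<subject> a ?type`, with or without sub-class reasoning."""
    asserted = {o for s, p, o in graph if s == subject and p == RDF_TYPE}
    if not reasoner:
        return asserted
    closure = subclass_closure(ontology)
    inferred = set(chain.from_iterable(closure.get(t, ()) for t in asserted))
    return asserted | inferred


def construct_types(trigger, graph, ontology, reasoner=True):
    """CONSTRUCT { <trigger> a ?type } WHERE { <trigger> a ?type }
    Returns the triples that are new relative to the input graph."""
    new = {(trigger, RDF_TYPE, t) for t in types_of(trigger, graph, ontology, reasoner)}
    return new - graph


def select_type_details(graph, ontology, reasoner=True):
    """SELECT DISTINCT ?type ?name ?seeAlso WHERE { ?t a ?type .
    ?type rdfs:label ?name . ?type rdfs:seeAlso ?seeAlso . }
    Each pattern is a required join, so a type lacking either
    annotation yields no row. Returns sorted (type, name, seeAlso) rows."""
    labels = {s: o for s, p, o in ontology if p == RDFS_LABEL}
    see_also = {s: o for s, p, o in ontology if p == RDFS_SEEALSO}
    subjects = {s for s, p, o in graph if p == RDF_TYPE}
    rows = set()
    for subj in subjects:
        for t in types_of(subj, graph, ontology, reasoner):
            if t in labels and t in see_also:
                rows.add((t, labels[t], see_also[t]))
    return sorted(rows)


if __name__ == "__main__":
    print("CONSTRUCT, reasoner on :", sorted(construct_types(TRIGGER, DATA_GRAPH, ONTOLOGY)))
    print("CONSTRUCT, reasoner off:", sorted(construct_types(TRIGGER, DATA_GRAPH, ONTOLOGY, reasoner=False)))
    for row in select_type_details(DATA_GRAPH, ONTOLOGY):
        print("SELECT row:", *row)
```

With the reasoner on, the CONSTRUCT adds the two ancestor classes of the event's asserted type; with it off, it adds nothing, which is the difference the Disable Reasoner option controls. The SELECT returns rows only for classes that carry both a label and a seeAlso, which is why a missing annotation in the ontology silently shrinks the result set.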