Applies to BloodHound Enterprise and CE

The following custom Cypher queries can be imported into BloodHound to enhance visibility. Each query is defined in a JSON file located in the Queries directory of the JamfHound repository.
This file is automatically generated from the JSON query files that are bundled with the JamfHound collector.

Account Access by Name

Filter to view access of a Jamf Account named or starting with ‘LC’ - increase the maximum edges to see more relationships (e.g. change 5 to 6 to see 1 more)
MATCH p=(s:jamf_Account)-[*1..5]->(t)
WHERE s.name STARTS WITH 'LC'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Account_Access_by_Name.json file.

Account to Account Attack Paths

Display Jamf Accounts with attack paths impacting other Jamf Accounts - increase the maximum edges to see more relationships (e.g. change 5 to 6 to see 1 more)
MATCH p=(s:jamf_Account)-[*1..5]->(t:jamf_Account)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Account_to_Account_Attack_Paths.json file.

Account to Tenant Edges

Show edges from Jamf Accounts to the Jamf Tenant
MATCH p=(s:jamf_Account)-[]->(t:jamf_Tenant)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Account_to_Tenant_Edges.json file.

All Account Paths

View paths originating from Jamf Accounts with up to 4 edges - increase edges to see more
MATCH p=(s:jamf_Account)-[*1..4]->(t)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_All_Account_Paths.json file.

All Computers

Get all Computers
MATCH p=(s:jamf_Computer)
RETURN p
This query can be imported into BloodHound from the Jamf_All_Computers.json file.

All Groups

Get Jamf Groups
MATCH p=(s:jamf_Group)
RETURN p
This query can be imported into BloodHound from the Jamf_All_Groups.json file.

All Nodes and Edges

Retrieve all nodes and edges where a JamfHound node has either an inbound or an outbound relationship; results are limited to 1000
MATCH p=(s)-[]->(t)
WHERE s.primarykind STARTS WITH 'jamf' OR t.primarykind STARTS WITH 'jamf'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_All_Nodes_and_Edges.json file.

API Client Attack Paths to Tenant

Display up to 4 edges in attack paths originating from Jamf API Clients with a matching name or name starting with DEMO targeting the tenant
MATCH p=(s:jamf_ApiClient)-[*1..4]->(t:jamf_Tenant)
WHERE s.name STARTS WITH 'DEMO'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_API_Client_Attack_Paths_to_Tenant.json file.

API Client Immediate Edges

View immediate edges and impacted principals for Jamf API Clients
MATCH p=(s:jamf_ApiClient)- [] ->(t)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_API_Client_Immediate_Edges.json file.

Chained Targeted Filtering

An example of chained targeted filtering: multiple conditions in series that create multiple property filters, such as restricting to nodes with specific strings in their name, kinds of nodes, and types of edge relationships existing between the nodes
MATCH p=(s)-[r]->(t)
WHERE s.name STARTS WITH 'TENANT_ADMIN'
AND (t.name STARTS WITH 'UPDATE' OR t.name STARTS WITH 'SOL' OR t.name STARTS WITH 'JVM')
AND (type(r) = 'jamf_UpdateAccounts' OR type(r) = 'jamf_CreateAccounts' OR type(r) = 'jamf_CreatePolicies' OR type(r) = 'jamf_AdminTo')
OR
s.primarykind = 'jamf_Account' AND (s.name IN ['EXAMPLE', 'REG', 'LCAIN'])
AND type(r) = 'jamf_AdminTo'
OR
t.primarykind STARTS WITH 'jamf_Computer' AND s.primarykind = 'jamf_Account'
AND s.name STARTS WITH 'AZURE'
OR
s.primarykind = 'jamf_Tenant'
AND type(r) = 'jamf_Contains'
AND (t.primarykind = 'jamf_Site' OR t.primarykind = 'jamf_Computer')
OR
(s.primarykind = 'jamf_Site' AND t.primarykind = 'jamf_Computer')
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Chained_Targeted_Filtering.json file.

Expanded Tier 1 to Tier 0 Paths

Expand the graph by one edge showing nodes with edges to Tier 1 nodes with edges to Tier 0 nodes
MATCH p=(a) - [] -> (s)-[r]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND type(r) <> 'jamf_Contains'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Expanded_Tier_1_to_Tier_0_Paths.json file.

Group Administrators Filtered Relationships

Targeted filtering that limits results to starting jamf_Group nodes whose name starts with ‘TENANT’ and shows only edges/relationships (r) that are one of the three specified edge types
MATCH p=(s)-[r]->(t)
WHERE s.name STARTS WITH 'TENANT'
AND s.primarykind = 'jamf_Group'
AND (t.name STARTS WITH 'UPDATE' OR t.name STARTS WITH 'SOL')
AND (type(r) = 'jamf_UpdateAccounts' OR type(r) = 'jamf_CreateAccounts' OR type(r) = 'jamf_AdminTo')
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Group_Administrators_Filtered_Relationships.json file.

Group Administrators Targeted Edges

Targeted Filtering Query, display nodes with edges between ‘GROUP_ADMINISTRATORS’ and ‘UPDATE’ or ‘GROUP_ADMINISTRATORS’ and other nodes that start with ‘SOL’
MATCH p=(s)-[]->(t)
WHERE s.name STARTS WITH 'GROUP_ADMINISTRATORS' AND t.name STARTS WITH 'UPDATE' OR s.name STARTS WITH 'GROUP_ADMINISTRATORS' AND t.name STARTS WITH 'SOL'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Group_Administrators_Targeted_Edges.json file.

Group Edges to Accounts

Get immediate edges impacting Jamf Accounts originating from Jamf Groups, swap jamfGroup for jamfTenant to see impact edges to the tenant from groups
MATCH p=(s)-[]->(t:jamf_Account)
WHERE s.primarykind ENDS WITH 'jamf_Group'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Group_Edges_to_Accounts.json file.

Matched Email Edges

Show nodes with the edge jamf_MatchedEmail
MATCH p=(s)-[:jamf_MatchedEmail]->(t)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Matched_Email_Edges.json file.

Tier 1 to Tier 0 Attack Paths

Retrieve attack paths between Tier 1 nodes and Tier 0 nodes that are fully traversable - excludes tenant and site nodes as starting points
MATCH p=(s)-[r*1..5]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND s.primarykind <> 'jamf_Tenant'
AND s.primarykind <> 'jamf_Site'
AND r.traversable = True
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Tier_1_to_Tier_0_Attack_Paths.json file.

Tier 1 to Tier 0 Direct Edges

Retrieve direct edges between Tier 1 nodes and Tier 0 nodes
MATCH p=(s)-[]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Tier_1_to_Tier_0_Direct_Edges.json file.

Tier 1 to Tier 0 Without Contains

Filter out jamf_Contains edges from Tiered node query
MATCH p=(s)-[r]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND type(r) <> 'jamf_Contains'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Tier_1_to_Tier_0_Without_Contains.json file.