Neo4j
This is a living document that captures notes related to anything and all neo4j and cypher queries.
List Databases
show databases 
Create New Database
create database spotless
Switch Database
:use spotless
Import Data from CSV and Define Relationships Between Nodes
Sample Data
Below is a sample CSV file with 3 columns, that represents Windows authentication information between different endpoints (think lateral movement detection/investigation/threat hunting):
Column
Meaning
SourceComputer
A computer that successfully authenticated to a DestinationComputer
DestinationComputer
A computer that SourceComputer authenticated to
DestinationUserName
A user name that was used to logon from SourceComputer to DestinationComputer
"SourceComputer","DestinationComputer","DestinationUserName"
"WS01","WS02","administrator"
"WS01","WS03","administrator"
"WS02","WS03","administrator"
"WS03","WS04","administrator"
"WS04","WS05","administrator"
"WS05","WS06","administrator"
"WS06","WS07","administrator"
"WS07","DB01","administrator"
"DB01","FS05","administrator"
"FS05","DC01","da-james"
"WS01","WS04","billy"
"WS02","WS04","sally"
"WS03","WS02","fred"
"WS03","WS02","james"
"WS01","WS02","james"Importing Nodes from CSV and Creating Relationships
LOAD CSV WITH HEADERS FROM 'file:///lateral-movement.csv' AS line
MERGE (a:Computer {Computer:line.SourceComputer} )
MERGE (b:Computer {Computer:line.DestinationComputer} )
MERGE (a) -[:LOGGED_IN {loggedAs:line.DestinationUserName}]-> (b)
Clean Database
match (a) -[r] -> () delete a, r; match (a) delete aMatch Nodes WHERE DestinationComputer Contains "WS"
MATCH p=()-[r:LOGGED_IN]->(m:Computer) where m.Computer CONTAINS "WS" RETURN p LIMIT 25
Match Nodes WHERE Relationship Contains "james"
MATCH p=()-[r:LOGGED_IN]->() where (r.loggedAs contains "james") RETURN p LIMIT 25
Match Nodes with 3 Hops Between Them
MATCH p=()-[r:LOGGED_IN*3]->() RETURN p LIMIT 25
Last updated