[Queries] Primary View

[randomuserid]

The primary view is where we start to show scored or priortized detection sets. the original query was this:

MATCH (n:ENTITY)-[r]->(m) where n.view = 1 and m.view = 1 return n,r,m

Somewhere around 6k alerts and 100 entities this stops scaling very well. I changed it to this:

MATCH (h:ENTITY)-[r]->() WHERE NOT type(r) IN ['AS_SOURCE', 'AS_DEST'] WITH h, collect(DISTINCT type(r)) AS relationshipTypes WHERE size(relationshipTypes) >= 2 MATCH p=(h)-[r]->() RETURN p

This returns only sets with two or more relationships, which gives us sets with two or more classes of detections. This distills our 6k alerts down to three sets which looks good.

Questions

1. While this works, it is not making use of the views, and so may not be optimal.
2. For some reason the source / dest relations are still there and I'm not sure if we need them or can prune them..we are precomputing entities prior to ingest now because this is hard in neo and simpler in Python.

[randomuserid]

maybe this;
MATCH (n:ENTITY)-[r]->(m) WHERE n.view = 1 AND m.view = 1 WITH n, collect(DISTINCT type(r)) AS relTypes, collect(r) AS relationships, collect(m) AS relatedNodes WHERE size(relTypes) >= 2 UNWIND relationships AS rel UNWIND relatedNodes AS relatedNode RETURN n, rel, relatedNode, relTypes LIMIT 100