Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.

Why Cartography?

Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks.

Service owners can generate asset reports, Red Teamers can discover attack paths, and Blue Teamers can identify areas for security improvement. All can benefit from using the graph for manual exploration through a web frontend interface, or in an automated fashion by calling the APIs.

Cartography is not the only security graph tool out there, but it differentiates itself by being fully-featured yet generic and extensible enough to help make anyone better understand their risk exposure, regardless of what platforms they use. Rather than being focused on one core scenario or attack vector like the other linked tools, Cartography focuses on flexibility and exploration.

You can learn more about the story behind Cartography in our presentation at BSidesSF 2019.

Supported platforms

• Amazon Web Services - API Gateway, Config, EC2, ECS, ECR, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager, Security Hub, SQS, SSM, STS, Tags
• Google Cloud Platform - Cloud Resource Manager, Compute, DNS, Storage, Google Kubernetes Engine
• Google GSuite - users, groups
• Oracle Cloud Infrastructure - IAM
• Okta - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs
• GitHub - repos, branches, users, teams
• DigitalOcean
• Microsoft Azure - CosmosDB, SQL, Storage, Virtual Machine
• Kubernetes - Cluster, Namespace, Service, Pod, Container
• PagerDuty - Users, teams, services, schedules, escalation policies, integrations, vendors
• Crowdstrike Falcon - Hosts, Spotlight vulnerabilities, CVEs
• NIST CVE - Common Vulnerabilities and Exposures (CVE) data from NIST database
• Lastpass - users
• BigFix - Computers
• Duo - Users, Groups, Endpoints
• Kandji - Devices
• SnipeIT - Users, Assets

Philosophy

Here are some points that can help you decide if adopting Cartography is a good fit for your problem.

What Cartography is

• A simple Python script that pulls data from multiple providers and writes it to a Neo4j graph database in batches.
• A powerful analysis tool that captures the current snapshot of the environment, building a uniquely useful inventory where you can ask complex questions such as:
  • Which identities have access to which datastores?
  • What are the cross-tenant permission relationships in the environment?
  • What are the network paths in and out of the environment?
  • What are the backup policies for my datastores?
• Battle-tested in production by many companies.
• Straightforward to extend with your own custom plugins.
• Provides a useful data-plane that you can build automation and CSPM (Cloud Security Posture Management) applications on top of.

What Cartography is not

• A near-real time capability.
  • Cartography is not designed for very fast updates. Cartography writes to the database in a batches (not streamed).
  • Cartography is also limited by how most upstream sources only provide APIs to retrieve assets in a batched manner.
• By itself, Cartography does not capture data changes over time.
  • Although we do include a drift detection feature.
  • It's also possible to implement other processes in your Cartography installation to make this happen.

Install and configure

Trying out Cartography on a test machine

Start here to set up a test graph and get data into it.

Setting up Cartography in production

When you are ready to try it in production, read here for recommendations on getting cartography spun up in your environment.

Usage

Querying the database directly

Now that data is in the graph, you can quickly start with our querying tutorial. Our data schema is a helpful reference when you get stuck.

Building applications around Cartography

Directly querying Neo4j is already very useful as a sort of "swiss army knife" for security data problems, but you can also build applications and data pipelines around Cartography. View this doc on applications.

Community

• Join us on #cartography on the Lyft OSS Slack.
• Talk to us and see what we're working on at our monthly community meeting.
  • Meeting minutes are here.
  • Recorded videos are posted here.
• Our current project roadmap is here.

License

This project is licensed under the Apache 2.0 License.

Contributing

Thank you for considering contributing to Cartography!

Code of conduct

All contributors and participants of this project must follow the CNCF code of conduct.

Bug reports and feature requests and discussions

Submit a GitHub issue to report a bug or request a new feature. If we decide that the issue needs more discussion - usually because the scope is too large or we need to make careful decision - we will convert the issue to a GitHub Discussion.

Developing Cartography

Get started with our developer documentation. Please feel free to submit your own PRs to update documentation if you've found a better way to explain something.

Who uses Cartography?

1. Lyft
2. Thought Machine
3. MessageBird
4. Cloudanix
5. Corelight
6. {Your company here} :-)

If your organization uses Cartography, please file a PR and update this list. Say hi on Slack too!

---

Cartography is a Cloud Native Computing Foundation sandbox project.