-
Can I extract raw data collected on IAM roles?
Specifically, AssumeRolePolicyDocument->Statement->Condition->StringEquals->sts:ExternalId: I want to grab a list of all the externalIds in use to make sure there aren’t any “guessable” or weak externalIds in use. How doable is that?
-
How do we query for security groups and their attached resources?
Also, a query to show security groups not assigned to any resources?
-
AMA: Which of my Mac hosts don’t have SentinelOne installed?
I’m trying to find which of my Mac hosts don’t have SentinelOne installed. I made this query which finds all the hosts that DO have it installed. FIND (Host|Device) THAT INSTALLED Application WITH displayName = "SentinelOne Extensions.app" Can I get some assistance on flipping it to find the hosts without the application…
-
AMA: How do I query for security policy acceptance status?
How do I query for security policy acceptance status? Where can I establish 'background checks'?
-
AMA: Is there a query you can help me with to pull AWS firewall rules?
Is there a query you can help me with to pull AWS firewall rules?
-
How to determine which AWS IAM roles are allowed AWS Cloudwatch permissions?
How to determine which AWS IAM roles are allowed AWS Cloudwatch permissions?
-
How to check external trusts that haven't been validated?
How to check external trusts that haven't been validated?
-
How to change the polling interval for a JupiterOne alert?
How do I change the polling interval for a JupiterOne alert?
-
How to track IAM user access keys with milliseconds creation date differences?
How do I track IAM User access keys with creation date differences that are within milliseconds?
-
How to validate that terminated user access has been disabled or removed?
I am trying to verify that we have followed our access termination policy within our GitHub account. How do I validate that user access has been disabled or removed?
-
How to search for all EC2 workloads and security groups, and sort?
I would like to understand the distribution of the security groups of my EC2 workloads. How do I search for results of all of my EC2 workloads and Security Groups, and sort these results by the highest to lowest assignment on security group name?
-
How to filter a query for active Google users?
How do I filter a query for users to only see my "active" Google users?
-
How to Create a Local Service Account for API Access Purposes?
How to create a “local account,” meaning an account that does not authenticate via Okta but is a service account on JupiterOne for API access purposes only? I'm not sure how to create this type of account without authentication using Okta.
-
Azure Group Members not accurate
Current Query used: FIND azure_group_member THAT HAS azure_user_group WITH email ~= "name@company.com" This group has more than three members
-
Azure user group alerts
I’m looking to put an alert on Azure user group membership to monitor changes in users with access to our Azure resources. I can see the entities of azure_user_group and azure_group_member, but don’t see any links between the two. From what I can tell, azure_group_member doesn’t have a property or metadata that includes…
-
How do I use JupiterOne to better understand the scope of our AWS Inspector coverage?
How do I use JupiterOne to better understand the scope of our AWS Inspector coverage? I am interested in understanding the AWS accounts that use AWS Inspector, or the AWS accounts that have already had an Inspector assessment.
-
MFA for Azure Accounts provisioned by SSO showing not enabled
Our Azure accounts are provisioned using single sign-on (SSO). But, about 5 out of 22 of our Azure accounts are displaying in JupiterOne as "multi-factor authentication not enabled." This is weird, since they should all have MFA enabled due to SSO configurations. Query: Find azure_user with active=true that ASSIGNED…
-
I am trying to understand my JupiterOne query results for Azure users with MFA
I am trying to understand my JupiterOne query results for Azure users with multi-factor authentication (MFA). Specifically, we are trying to understand whether JupiterOne is reporting a false value for Azure users with MFA when our Azure accounts are provisioned with single sign-on (SSO).
-
User termination review
How do I use JupiterOne to identify a user who is terminated with active user accounts?
-
How do I find all users with an account to access our Azure resources?
I have tried creating JupiterOne queries, but I am getting errors so I must be doing something wrong.
-
I need help finding the "biggest" child accounts.
I want to search all the assets in each child account, and then count them and sort them in descending order, but I'm struggling to build the right query based on that relationship. Here are a few of my dead end attempts. FIND * WITH _source!^='system-' AS x THAT RELATES TO aws_account WITH accountId=( "1111111" OR…
-
Querying Results for Amazon SNS - Can I Filter on Policy Conditionals
I am trying to use JupiterOne to query results for Amazon Simple Notification Service (SNS) messaging service, specifically with a goal of identifying all AWS SNS topics without conditionals. But, I seem to have identified a false positive in J1, unless I can filter on policy conditionals. Here is the query I am using Find…
-
I am trying to understand the relationships between IAM policies to AWS cloud assets.
I am trying to understand the relationships between IAM policies to AWS cloud assets, and I see that permission relationships are normalized in JupiterOne. I'm trying to understand this better. Can you please provide me with some examples of normalizedActions?
-
Is it possible to view billable entity count by integration?
I need to view billable entity count by integration
-
How do I purge data from the system?
How do I purge data from the system? We are no longer using Qualys, and I want to remove all Qualys information from my instance of JupiterOne. I have already removed the integration, but the data remains.
-
IAM Policy Question
Where can I find the IAM policy needed for your AWS Integration role in JupiterOne?
-
Log4Shell Remediation Visibility with JupiterOne and Log4Shell_Sentinel
If you’re neck-deep in Log4Shell remediation and wanting the assurance of an automated process to ensure your hosts are patched and stay patched, the following approach may be helpful to you. Identify Vulnerable Hosts We found that ossie-git/log4shell_sentinel is a fast and accurate file-based scanner for vulnerable Log4J…
-
J1 Query showing 2FA not Enabled?
Is there a JupiterOne query that will show which accounts do not have 2FA enabled?
-
Pull all 'Critical' findings, all 'High' findings?
Is there an API or JupiterOne query that will pull all 'Critical' findings, all 'High' findings etc?
-
How does JupiterOne handle date comparisons?
"Are 'WHERE' and 'WITH' clauses always supposed to be of the syntactic form (PROPERTY) (OP) (EXPRESSION)? Clearly find aws_iam_access_key as k where k.createdOn > date.now - 90 days return count(k) as value parses, but is find aws_iam_access_key as k where date.now - k.createdOn < 90 days return count(k) as value 'illegal'…