Pull all 'Critical' findings, all 'High' findings?

Is there an API or JupiterOne query that will pull all 'Critical' findings, all 'High' findings etc?

Best Answer

  • [Deleted User]
    Answer ✓
    Response from Adam, J1 Community Champion

    Hi Jason.

    If you want to actually use the words "critical" and "high", you can use something like this (where you should account for the different possible versions):

    FIND Finding
    WITH
    severity = (
    "critical" OR
    "high" OR
    "Critical" OR
    "High" OR
    "CRITICAL" OR
    "HIGH"
    )


    However, many entities in the Finding class have a numericSeverity property that you can use instead, like:

    FIND Finding WITH numericSeverity >= 2

    But be aware that not all types in the Finding class support this. Depending on your use case, instead of searching by class (i.e. Finding) you can search by type (e.g. hackerone_report or aws_guardduty_finding). Since the properties of those entities are more uniform, you are more likely to be able to customize your query better.

    -- Adam

    View the original post on the JupiterOne blog
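As an added example, not part of Adam's answer or of JupiterOne's own tooling, the filter below applies the same rule to the entity properties a `FIND Finding` query returns: match the free-text `severity` label regardless of case, otherwise fall back to `numericSeverity >= 2`, and report entities that carry neither property by type so you can see which types need a type-specific query. The sample findings are constructed inline.

```python
from collections import Counter

# Constructed sample: mixed-case labels, numeric-only findings, and one with neither.
SAMPLE_FINDINGS = [
    {"_type": "hackerone_report", "displayName": "IDOR in invoices", "severity": "Critical"},
    {"_type": "aws_guardduty_finding", "displayName": "Recon:EC2", "severity": "HIGH"},
    {"_type": "aws_guardduty_finding", "displayName": "Port probe", "severity": "low"},
    {"_type": "snyk_finding", "displayName": "Outdated library", "numericSeverity": 3},
    {"_type": "snyk_finding", "displayName": "Minor advisory", "numericSeverity": 1},
    {"_type": "custom_finding", "displayName": "Unscored import"},
]

HIGH_LABELS = {"critical", "high"}   # the six spellings in the answer collapse to these
NUMERIC_THRESHOLD = 2                # same cut-off as `numericSeverity >= 2`


def is_critical_or_high(finding):
    """Return True/False when the entity carries severity data, None when it does not.

    The text label wins when present; numericSeverity is the fallback, because
    (as the answer notes) not every Finding type populates it.
    """
    label = finding.get("severity")
    if isinstance(label, str):
        return label.strip().lower() in HIGH_LABELS
    score = finding.get("numericSeverity")
    if isinstance(score, (int, float)):
        return score >= NUMERIC_THRESHOLD
    return None


def triage(findings):
    """Split findings into (matched, unscored); unscored are kept, not silently dropped."""
    matched, unscored = [], []
    for finding in findings:
        verdict = is_critical_or_high(finding)
        if verdict is None:
            unscored.append(finding)
        elif verdict:
            matched.append(finding)
    return matched, unscored


def unscored_types(findings):
    """Count unscored findings per _type: these are the types to query individually."""
    _, unscored = triage(findings)
    return Counter(f["_type"] for f in unscored)


if __name__ == "__main__":
    hits, missing = triage(SAMPLE_FINDINGS)
    print("critical/high:", [f["displayName"] for f in hits])
    print("no severity data by type:", dict(unscored_types(SAMPLE_FINDINGS)))
```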