JupiterOne Alert Rule Schema - AskJ1 Community
<main> <article class="userContent"> <p>A rule uses the results of one or more queries to execute one or more actions. The basic alert workflows are described here: <a rel="nofollow" href="https://support.jupiterone.io/hc/en-us/articles/360022720474-6-9-Alerts-and-Alert-Rules">JupiterOne Alert Rule configuration documentation</a>. You can also directly edit the JSON that defines a rule for more advanced workflow execution.</p> <h2 data-id="configuring-a-rule">Configuring a Rule</h2> <ol><li>Navigate to the JupiterOne alert rule configuration page (<a href="https://apps.us.jupiterone.io/alerts/edit" rel="nofollow">https://apps.us.jupiterone.io/alerts/edit</a>).</li> <li>Click <strong>Create Rule</strong>.</li> <li>Click <strong>Show Advanced</strong> to open the advanced rule editor.</li> </ol><p>JSON Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "id": "552b2f27-67e2-4351-97f3-083a040350c1",
  "name": "unencrypted-critical-data-stores",
  "description": "Unencrypted data store with classification label of 'critical' or 'sensitive' or 'confidential' or 'restricted'",
  "version": 1,
  "specVersion": 1,
  "pollingInterval": "ONE_DAY",
  "question": {
    "queries": [
      {
        "name": "query0",
        "query": "Find DataStore with classification=('critical' or 'sensitive' or 'confidential' or 'restricted') and encrypted!=true",
        "version": "v1"
      }
    ]
  },
  "operations": [
    {
      "when": {
        "type": "FILTER",
        "condition": "{{queries.query0.total > 0}}"
      },
      "actions": [
        { "type": "CREATE_ALERT" }
      ]
    }
  ],
  "outputs": ["queries.query0.total", "alertLevel"]
}
</pre> <p>You can also configure rules to include deleted data in the results.
For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "id": "...", "question": { "queries": [ { "name": "query0", "query": "Find DataStore with classification='critical' and encrypted=false as d return d.tag.AccountName as Account, d.displayName as UnencryptedDataStores, d._type as Type, d.encrypted as Encrypted", "version": "v1", "includeDeleted": true }, { "name": "query1", "query": "...", "version": "v1", "includeDeleted": false }, { "name": "query2", "query": "...", "version": "v1" } ] }, ... } </pre> <h2 data-id="rule-properties">Rule Properties</h2> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">id</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Auto-generated, globally unique ID of each rule.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">version</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">number</code></td> <td>Current version of the rule. 
Incremented each time the rule is updated.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">name</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Name of the rule, which is unique to each account.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">description?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>A description of the rule.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">specVersion</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">number</code></td> <td>Rule evaluation version in the case of breaking changes.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">pollingInterval?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PollingInterval</code></td> <td>Frequency of automated rule evaluation. Options are <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">DISABLED</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">THIRTY_MINUTES</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">ONE_HOUR</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">FOUR_HOURS</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">EIGHT_HOURS</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">TWELVE_HOURS</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">ONE_DAY</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">ONE_WEEK</code>. 
Defaults to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">ONE_DAY</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">question</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Question</code></td> <td>Contains properties related to queries used in the rule evaluation.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">operations</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperation[]</code></td> <td>Actions that are executed when a corresponding condition is met.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">templates?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">object</code></td> <td>Optional key/value pairs of template name to template.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">outputs</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string[]</code></td> <td>Names of properties that can be used throughout the rule evaluation process and will be included in each record of a rule evaluation (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">queries.query0.total</code>).</td> </tr></tbody></table><h3 data-id="type-pollinginterval">Type: PollingInterval</h3> <p>Enumeration of the scheduled frequencies on which rules can <br> automatically be evaluated. 
Possible values:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">ONE_DAY
ONE_HOUR
THIRTY_MINUTES
DISABLED
</pre> <h3 data-id="type-ruleoperation">Type: RuleOperation</h3> <p>A <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperation</code> is a single <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">condition</code> and a series of <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">action</code>s that are <br> executed when the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">condition</code> is met.</p> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">when?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperationCondition|RuleOperationCondition[]</code></td> <td>Type of conditional used to determine whether the associated actions should be executed.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">actions</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperationAction[]</code></td> <td>Actions that should be executed when the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">when</code> conditions have been met.</td> </tr></tbody></table><h3 data-id="type-question">Type: Question</h3> <p>A Question contains a collection of named queries that should be executed <br> during the rule evaluation process and whose responses can be used in any <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperation</code>.</p> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">queries</code></td> 
<td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">QuestionQuery[]</code></td> <td>The collection of queries that are used during the rule evaluation.</td> </tr></tbody></table><h3 data-id="type-questionquery">Type: QuestionQuery</h3> <p>A named query that should be executed during the rule evaluation process and <br> whose responses can be used in any <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperation</code>.</p> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">name?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Optional name to assign the query that will be used when referencing query data in <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperation</code>s. If not provided, the query name is automatically assigned based on the index in the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">queries</code> array (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">query0</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">query1</code>).</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">query</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>JupiterOne query to execute.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">version</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>JupiterOne query language execution version (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">v1</code>).</td> </tr><tr><td><code 
class="code codeInline code codeInline" spellcheck="false" tabindex="0">includeDeleted</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">boolean</code></td> <td>Whether deleted data should be considered for the specific query (defaults to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">false</code>).</td> </tr></tbody></table><h3 data-id="type-ruleoperationcondition">Type: RuleOperationCondition</h3> <p>The condition that determines whether the associated actions should be executed. <br> The type of <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperationCondition</code> is determined using the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code> property.</p> <h4 data-id="type-filterruleoperationcondition">Type: FilterRuleOperationCondition</h4> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation condition type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">FILTER</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">condition</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Template condition (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{{queries.query0.total > 0}}</code>).</td> </tr></tbody></table><h3 data-id="type-ruleoperationaction">Type: RuleOperationAction</h3> <p>Action that is executed when a corresponding condition is met. 
<br> The type of <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperationAction</code> is determined using the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code> property.</p> <hr></hr><p></p> <h4 data-id="action-set-property">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SET_PROPERTY</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Includes a property that can be used in rule evaluation input.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SET_PROPERTY</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">targetProperty</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Property to include in the evaluation input.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">targetValue</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">number|string|boolean</code></td> <td>Value of the property to include in the evaluation input.</td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "type": "SET_PROPERTY",
  "targetProperty": "alertLevel",
  "targetValue": "CRITICAL"
}
</pre> <hr></hr><p></p> <h4 data-id="action-create-alert">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CREATE_ALERT</code></h4> <blockquote class="UserQuote blockquote"><div 
class="QuoteText blockquote-content"> <p class="blockquote-line">Creates a JupiterOne alert that is visible on the alerts app.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CREATE_ALERT</code></td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "CREATE_ALERT" } </pre> <hr></hr><p></p> <h4 data-id="action-send-email">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_EMAIL</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Sends an email to a list of recipients with details related to alerts that are<br> created during the rule evaluation.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_EMAIL</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">recipients</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string[]</code></td> <td>Email addresses of the recipients of this alert.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">body?</code></td> <td><code class="code codeInline code codeInline" 
spellcheck="false" tabindex="0">string</code></td> <td>Optional additional body information of the email.</td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "type": "SEND_EMAIL",
  "recipients": ["no-reply@jupiterone.io"]
}
</pre> <hr></hr><p></p> <h4 data-id="action-create-jira-ticket">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CREATE_JIRA_TICKET</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Creates a Jira ticket using a specific JupiterOne Jira integration configuration.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">CREATE_JIRA_TICKET</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">integrationInstanceId</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">id</code> of the JupiterOne Jira integration that should be used to create the ticket.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">entityClass</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">class</code> of the new ticket entity that should be created in JupiterOne (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Vulnerability</code>).</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">project</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The unique Jira project ID that the ticket is created in.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">summary</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Summary of the Jira ticket. Used as the ticket title.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">issueType</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The Jira issue type (for example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Task</code>).</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">additionalFields?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">object</code></td> <td>Optional additional fields that are passed directly to the Jira API.</td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "type": "CREATE_JIRA_TICKET",
  "integrationInstanceId": "b59cfa95-2201-4173-bea4-be9b26661553",
  "entityClass": "Vulnerability",
  "project": "81198",
  "summary": "Ticket summary",
  "issueType": "Task",
  "additionalFields": {
    "description": {
      "type": "doc",
      "version": 1,
      "content": [
        {
          "type": "paragraph",
          "content": [
            { "type": "text", "text": "Jira description here!" }
          ]
        }
      ]
    }
  }
}
</pre> <hr></hr><p></p> <h4 data-id="action-send-slack-message">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_SLACK_MESSAGE</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Sends a Slack message to a given Slack webhook URL.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">integrationInstanceId</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">id</code> of the JupiterOne Slack integration used to send the message.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_SLACK_MESSAGE</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">channels</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>A string or list of strings beginning with a <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">#</code> to denote Slack channels to send to.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">webhookUrl</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Webhook URL for the account/channel that this message should be delivered to.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">severity</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Optional severity of this alert that determines the color of the message shown in Slack.</td> </tr></tbody></table><p><strong>NOTE</strong>: By default, the color of the alert in Slack is derived from the <br> value of the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">alertLevel</code> that is created in a <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SET_PROPERTY</code> action. <br> You can override the color of the alert using the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">severity</code> property.</p> <p>Example:</p> <p>After you have configured the integration, copy the integration ID from the<br> integration instance page, which looks similar to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">d1549f40-b9fd-447a-bec5-4360c9ca7e8c</code>.</p> <ol><li>Configure a rule with the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_SLACK_MESSAGE</code> action and specify the<br><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">integrationInstanceId</code> with the unique identifier of the integration and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">channels</code><br> denoting the destinations. 
The following is an example alert rule configuration with the<br><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_SLACK_MESSAGE</code> action:</li> </ol><p><strong>NOTE</strong>: For the JupiterOne Slack bot to deliver messages to a private Slack channel, <br> the JupiterOne Slack bot must be a member of that private channel.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "name": "slack-alert-test", "description": "Testing Slack Messages", "specVersion": 1, "pollingInterval": "ONE_DAY", "templates": { "slackBody": "JupiterOne Account: {{item.displayName}}\n\n" }, "question": { "queries": [ { "name": "query0", "query": "Find DataStore with classification=('critical' or 'sensitive' or 'confidential' or 'restricted') and encrypted!=true", "version": "v1" } ] }, "operations": [ { "when": { "type": "FILTER", "specVersion": 1, "condition": "{{queries.query0.total > 0}}" }, "actions": [ { "targetValue": "HIGH", "type": "SET_PROPERTY", "targetProperty": "alertLevel" }, { "type": "CREATE_ALERT" }, { "integrationInstanceId": "d1549f40-b9fd-447a-bec5-4360c9ca7e8c", "channels": ["#random"], "type": "SEND_SLACK_MESSAGE", "body": "{{queries.query0.data|mapTemplate('slackBody')|join(' ')}}" } ] } ], "outputs": ["queries.query0.total", "alertLevel"] } </pre> <hr></hr><p></p> <h4 data-id="action-webhook">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">WEBHOOK</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Sends an HTTP request to a given endpoint.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code 
codeInline code codeInline" spellcheck="false" tabindex="0">WEBHOOK</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">endpoint</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Webhook endpoint to send the request to.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">method</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>HTTP method to use when making the request. Allowed values: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">POST</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PUT</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">GET</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">HEAD</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PATCH</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">DELETE</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">body?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">object</code></td> <td>Body data to include in the request. 
Can only be used with <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">POST</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PUT</code>, and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PATCH</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">headers?</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">object</code></td> <td>HTTP headers to include in the request.</td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "WEBHOOK", "method": "POST", "body": { "name": "Jon" }, "headers": { "Authorization": "Bearer abc123" } } </pre> <hr></hr><p></p> <h4 data-id="action-publish-sns-message">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PUBLISH_SNS_MESSAGE</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Publishes a message to the specified SNS topic.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">PUBLISH_SNS_MESSAGE</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">integrationInstanceId</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The ID of the AWS integration instance to use. 
The integration role must have <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">sns:Publish</code> permission.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">topicArn</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The ARN of the SNS topic to publish the message to.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">data</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">object</code></td> <td>User-provided data to include in the message. See <a rel="nofollow" href="#operationtemplating">Operation Templating</a> for details on using variable data.</td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "type": "PUBLISH_SNS_MESSAGE",
  "integrationInstanceId": "...",
  "topicArn": "arn:aws:sns:&lt;REGION&gt;:&lt;ACCOUNT_ID&gt;:&lt;SNS_TOPIC_NAME&gt;",
  "data": {
    "query0Data": "{{queries.query0.data}}",
    "anotherCustomProperty": true
  }
}
</pre> <p><strong>NOTE</strong>: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">data</code> is stringified in the payload. 
For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ Sns: { Message: '{"data":{"query0Data": ..., "anotherCustomProperty": true}}' } } </pre> <hr></hr><p></p> <h4 data-id="action-send-sqs-message">Action: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_SQS_MESSAGE</code></h4> <blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line">Publishes a message to the specified SQS queue.</p> </div></blockquote> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">type</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>Rule operation action type: <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SEND_SQS_MESSAGE</code>.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">integrationInstanceId</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The ID of the AWS integration instance to use. The integration role must have <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">sqs:SendMessage</code> permission.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">queueUrl</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">string</code></td> <td>The URL of the SQS queue to publish the message to.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">data</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">object</code></td> <td>User-provided data to include in the message. 
See <a rel="nofollow" href="#operationtemplating">Operation Templating</a> for details on using variable data.</td> </tr></tbody></table><p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_SQS_MESSAGE", "integrationInstanceId": "...", "queueUrl": "https://sqs.<REGION>.amazonaws.com/<ACCOUNT_ID>/<SQS_QUEUE_NAME>", "data": { "query0Data": "{{queries.query0.data}}", "anotherCustomProperty": true } } </pre> <p><strong>Warning:</strong> <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">data</code> is stringified in the payload. For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ body: '{"data":{"query0Data": ..., "anotherCustomProperty": true}}' } </pre> <h2 data-id="operation-templating">Operation Templating</h2> <p>You can use templates inside any property under the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">operations</code> property on a rule. <br> Templates can contain a JavaScript-like syntax that automatically <br> has input variables injected for use.</p> <p>For example, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">FilterRuleOperationCondition</code>s are often used with rules as the <br> condition for whether rule actions should be executed. <br> You can use query response data inside of the rule conditions:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "operations": [ { "when": { "type": "FILTER", // Use the `.total` property from query named `query0`. "condition": "{{queries.query0.total > 0}}" }, "actions": [ { "type": "CREATE_ALERT" } ] } ] } </pre> <p>You can use data from query results inside of rule operations by referencing the <br><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">queries.query0.data</code> property and custom templating transforms. 
For example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "name": "lambda-function-settings-check-runtime-nodejs610", "description": "Node.js 6.10 is end of life (EOL) and should no longer be used.", "specVersion": 1, "pollingInterval": "ONE_DAY", "templates": { // The email template that we will use later "emailBody": "({{itemIndex+1}} of {{itemCount}}) [{{item.account}}] Function Name: {{item.functionName}}<br>" }, "question": { "queries": [ { "name": "query0", "query": "Find aws_lambda_function with runtime='nodejs6.10' as f return f.name as functionName, f.version as version, f.tag.AccountName as account, f.tag.Project as project order by account", "version": "v1" } ] }, "operations": [ { "when": { "type": "FILTER", "specVersion": 1, "condition": "{{queries.query0.total > 0}}" }, "actions": [ { "targetValue": "HIGH", "type": "SET_PROPERTY", "targetProperty": "alertLevel" }, { "type": "CREATE_ALERT" }, { "type": "SEND_EMAIL", // Reference the `query0` data and include it in a template "body": "Affected Functions: <br><br>{{queries.query0.data|mapTemplate('emailBody')|join(' ')}}", "recipients": ["no-reply@jupiterone.io"] } ] } ], "outputs": ["queries.query0.total", "alertLevel"] } </pre> <h2 data-id="rule-evaluation-templating-language">Rule Evaluation Templating Language</h2> <p>You can create a template in any <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">RuleOperation</code> using the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{{...}}</code> syntax. <br> Inside the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{{...}}</code> is a JavaScript-like language that allows for powerful <br> rule evaluation functionality. Additionally, if the template contains exactly <br> one expression and nothing else, the original type of the computed value is <br> preserved. 
If multiple expressions are used, the entire value is cast to a string.</p> <p>The following is an example where the type <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">boolean</code> is preserved because <br> there is only a single expression:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{{true}} </pre> <p>The following is an example where the entire value would be cast to a <br> string because it contains multiple expressions:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{{age + 10}} is my age and my name is {{firstName + " " + lastName}} </pre> <p>All templating expressions support references to <a rel="nofollow" href="#parametersinrules">account parameters</a>:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">My name is {{param.myFirstName}} and I am {{age}} </pre> <h3 data-id="unary-operators">Unary Operators</h3> <table><thead><tr><th>Operation</th> <th align="center">Symbol</th> </tr></thead><tbody><tr><td>Negate</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">!</code></td> </tr></tbody></table><h3 data-id="binary-operators">Binary Operators</h3> <table><thead><tr><th>Operation</th> <th align="center">Symbol</th> </tr></thead><tbody><tr><td>Add, Concat</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">+</code></td> </tr><tr><td>Subtract</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">-</code></td> </tr><tr><td>Multiply</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">*</code></td> </tr><tr><td>Divide</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">/</code></td> </tr><tr><td>Divide and floor</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">//</code></td> 
</tr><tr><td>Modulus</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">%</code></td> </tr><tr><td>Power of</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">^</code></td> </tr><tr><td>Logical AND</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">&&</code></td> </tr><tr><td>Logical OR</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">||</code></td> </tr></tbody></table><h3 data-id="comparisons">Comparisons</h3> <table><thead><tr><th>Comparison</th> <th align="center">Symbol</th> </tr></thead><tbody><tr><td>Equal</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">==</code></td> </tr><tr><td>Not equal</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">!=</code></td> </tr><tr><td>Greater than</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">></code></td> </tr><tr><td>Greater than or equal</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">>=</code></td> </tr><tr><td>Less than</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0"><</code></td> </tr><tr><td>Less than or equal</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0"><=</code></td> </tr><tr><td>Element in array or string</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">in</code></td> </tr></tbody></table><h3 data-id="ternary-operator">Ternary operator</h3> <table><thead><tr><th>Expression</th> <th>Result</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">"" ? 
"Full" : "Empty"</code></td> <td>Empty</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">"foo" in "foobar" ? "Yes" : "No"</code></td> <td>Yes</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{agent: "Archer"}.agent ?: "Kane"</code></td> <td>Archer</td> </tr></tbody></table><h3 data-id="native-types">Native Types</h3> <table><thead><tr><th>Type</th> <th align="center">Examples</th> </tr></thead><tbody><tr><td>Booleans</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">true</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">false</code></td> </tr><tr><td>Strings</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">"Hello \"user\""</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">'Hey there!'</code></td> </tr><tr><td>Numerics</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">6</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">-7.2</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">5</code>, <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">-3.14159</code></td> </tr><tr><td>Objects</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">{hello: "world!"}</code></td> </tr><tr><td>Arrays</td> <td align="center"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">['hello', 'world!']</code></td> </tr></tbody></table><h3 data-id="groups">Groups</h3> <p>Grouping operations with parentheses:</p> <table><thead><tr><th>Expression</th> <th align="left">Result</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">(83 + 1) / 2</code></td> <td 
align="left">42</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">1 < 3 && (4 > 2 || 2 > 4)</code></td> <td align="left">true</td> </tr></tbody></table><h3 data-id="custom-transforms">Custom Transforms</h3> <p>Some custom transforms are exposed in the rule templating language.</p> <h4 data-id="maptemplate-templatename-string-custom-transform"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapTemplate(templateName: string)</code> Custom Transform</h4> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapTemplate</code> separates and reuses templates inside of a rule. <br> The transform expects a single array and the first argument should <br> be a string whose value matches a template in the rule's <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">templates</code> object.</p> <p>The <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapTemplate</code> transform exposes additional input variables to the template:</p> <table><thead><tr><th>Property</th> <th>Type</th> <th>Description</th> </tr></thead><tbody><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">item</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">any</code></td> <td>The individual item of this iteration.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">itemCount</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">number</code></td> <td>The total count of items in the array.</td> </tr><tr><td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">itemIndex</code></td> <td><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">number</code></td> <td>The index of the current <code class="code codeInline code codeInline" spellcheck="false" 
tabindex="0">item</code> in the array.</td> </tr></tbody></table><p><strong>Note:</strong> The properties that are accessible on the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">item</code> property are pulled <br> from the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">properties</code> object and the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">entity</code> object if the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">item</code> matches the schema for an entity.</p> <p>Example operation:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_EMAIL", // Reference the `query0` data and include it in a template "body": "{{queries.query0.data|mapTemplate('emailBody')|join(' ')}}", "recipients": ["no-reply@jupiterone.io"] } </pre> <p>Example <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">templates</code>:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "emailBody": "({{itemIndex+1}} of {{itemCount}}) [{{item.account}}] Function Name: {{item.somePropertyOnItem}}<br>" } </pre> <h4 data-id="mapproperty-properties-string-custom-transform"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapProperty(...properties: string)</code> Custom Transform</h4> <p>Allows for mapping individual properties from an array. You can supply <br> a single or multiple properties. 
The properties that are<br> accessible are pulled from the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">properties</code> object and the <br><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">entity</code> object if the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">item</code> matches the schema for an entity.<br> If the array that is being evaluated with <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapProperty</code> matches the <br> schema of an entity, the rule evaluator attempts to pull <br> properties passed to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapProperty</code> from the entity properties.</p> <p>Example query data:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "query": "FIND Person", "data": [ { "id": "", "entity": { "_createdOn": 1234 // ... }, "properties": { "firstName": "Jon" // ... } }, { "id": "", "entity": { "_createdOn": 12345 // ... }, "properties": { "firstName": "Jane" // ... 
} } ] } </pre> <p>This is an example of accessing <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">properties</code> data using <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapProperty</code> and the above data:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_EMAIL", // This would return: `Jon,Jane` "body": "{{queries.query0.data|mapProperty('firstName')|join}}", "recipients": ["no-reply@jupiterone.io"] } </pre> <p>This is an example accessing <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">entity</code> data using <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapProperty</code> and the above data:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_EMAIL", // This would return: `1234,12345` "body": "{{queries.query0.data|mapProperty('_createdOn')|join}}", "recipients": ["no-reply@jupiterone.io"] } </pre> <h4 data-id="join-separator-string-custom-transform"><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">join(separator?: string)</code> Custom Transform</h4> <p>This function is similar to the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">Array.prototype.join</code> function in JavaScript. <br> It returns a new string by concatenating all of the elements in an array. 
<br> If the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">separator</code> argument is not passed to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">join</code>, the array elements <br> are separated by a comma by default.</p> <p>This transform is often used with <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapTemplate</code> or <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">mapProperty</code>.</p> <p>Example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_EMAIL", "body": "{{queries.query0.data|mapTemplate('emailBody')|join(' ')}}", "recipients": ["no-reply@jupiterone.io"] } </pre> <p>Example of default if no <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">separator</code> is passed to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">join</code>:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_EMAIL", "body": "{{queries.query0.data|mapTemplate('emailBody')|join}}", "recipients": ["no-reply@jupiterone.io"] } </pre> <h2 data-id="parameters-in-rules">Parameters in Rules</h2> <p>Rules support references to parameter values stored at the account level.<br> These parameters simplify the task of referencing long, sensitive, or <br> widely reused values in rules or queries. 
For example, the following <br> action trigger is nearly identical to <a rel="nofollow" href="#actionwebhook">the Slack webhook</a> example:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "WEBHOOK", "method": "POST", "body": { "name": "Jon" }, "headers": { "Authorization": "Bearer {{param.SlackAuthToken}}" } } </pre> <p>This showcases a primary use case of parameter storage: a value that is <br> long, not human-readable, and may represent a sensitive value which <br> should not be leaked in the configuration.</p> <p><code class="code codeInline code codeInline" spellcheck="false" tabindex="0">param.SlackAuthToken</code> invokes a parameter stored at the account level, <br> which is referenced when the rule is evaluated. These parameters are <br> always referenced with the preceding token <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">param.</code>. The subsequent <br> string (without special characters) identifies the name of a parameter.</p> <p>Parameters are supported anywhere that <a rel="nofollow" href="#operationtemplating">Operation Templating</a> <br> is supported, and the value of a parameter can be any type of <br><a rel="nofollow" href="#nativetypes">native type</a> with the <strong>exclusion of objects</strong>, <br> which support comparison <em>against</em> parameters but cannot be the <br> contents of a parameter. Additionally, parameters can store <br> lists of native types, and template expressions can invoke <br> parameter lists similarly to examples above. 
For example, <br><a rel="nofollow" href="#actionsend_email">using the email example</a>, we can parameterize the recipient list:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "type": "SEND_EMAIL", "body": "{{queries.query0.data|mapTemplate('emailBody')|join(' ')}}", // a stored list of email strings: "recipients": "{{param.alertEmailRecipientList}}" } </pre> <p>For more info on JupiterOne parameters, <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/850-jupiterone-parameter-service">reference the documentation</a>.</p> </article> </main>
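The parameter guidance above (sensitive values belong in account parameters, not in the rule JSON) can be checked before a rule is saved. The following JavaScript is an added example, not JupiterOne code: the helper names (`paramRefs`, `walkStrings`, `auditRule`), the list of sensitive header names, the accepted parameter-name characters, and the sample rule with its placeholder token are all assumptions constructed for illustration.

```javascript
// Added example (not JupiterOne code): audit a rule's operations for credentials
// that are written literally instead of referenced as {{param.<Name>}}.

// Header names treated as credential-bearing (assumption; extend as needed).
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'x-api-key']);
const AUTH_SCHEME = /^\s*(bearer|basic|token)\s+/i;
const TEMPLATE = /\{\{[\s\S]*?\}\}/g;

// Names referenced as param.<Name> inside {{...}} templates. The accepted
// character set (letters, digits, underscore) is an assumption.
function paramRefs(text) {
  const names = [];
  for (const tpl of text.match(TEMPLATE) || []) {
    for (const ref of tpl.matchAll(/\bparam\.([A-Za-z0-9_]+)/g)) names.push(ref[1]);
  }
  return names;
}

// Visit every string value under a node, tracking a path for reporting.
function walkStrings(node, path, visit) {
  if (typeof node === 'string') visit(node, path);
  else if (Array.isArray(node)) node.forEach((v, i) => walkStrings(v, `${path}[${i}]`, visit));
  else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) walkStrings(v, `${path}.${k}`, visit);
  }
}

// Returns the parameters a rule depends on and any sensitive header whose
// value is not supplied solely by a parameter reference.
function auditRule(rule) {
  const params = new Set();
  const findings = [];
  walkStrings(rule.operations || [], 'operations', (value, path) => {
    const refs = paramRefs(value);
    refs.forEach((name) => params.add(name));
    const key = path.split('.').pop().toLowerCase();
    if (/\.headers\.[^.]+$/.test(path) && SENSITIVE_HEADERS.has(key)) {
      // What is left after removing templates and the auth scheme is literal text.
      const literal = value.replace(TEMPLATE, '').replace(AUTH_SCHEME, '').trim();
      if (refs.length === 0 || literal !== '') {
        findings.push({ path, issue: 'credential not supplied solely by {{param.<Name>}}' });
      }
    }
  });
  return { params: [...params].sort(), findings };
}

// Constructed sample rule: one webhook uses a parameter, one embeds a token.
const SAMPLE_RULE = {
  name: 'constructed-sample-rule',
  operations: [{
    when: { type: 'FILTER', condition: '{{queries.query0.total > 0}}' },
    actions: [
      { type: 'WEBHOOK', method: 'POST', body: { name: 'Jon' },
        headers: { Authorization: 'Bearer {{param.SlackAuthToken}}' } },
      { type: 'WEBHOOK', method: 'POST', body: { name: 'Jon' },
        headers: { Authorization: 'Bearer constructed-placeholder-token' } },
      { type: 'SEND_EMAIL', body: 'Rule fired',
        recipients: '{{param.alertEmailRecipientList}}' },
    ],
  }],
};

const report = auditRule(SAMPLE_RULE);
console.log(report.params);
console.log(report.findings);
```

The `params` list doubles as an inventory of the account-level parameters a rule depends on, which is useful when reviewing who can read or change those values.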