Security Findings - AskJ1 Community
<main> <article class="userContent">
<p>JupiterOne provides a centralized repository and dashboard that lets you manage security findings from different sources, including:</p>
<ul>
<li>AWS Inspector findings</li>
<li>AWS GuardDuty findings</li>
<li>Veracode static and dynamic analysis findings</li>
<li>WhiteHat application security findings</li>
<li>Tenable.io scanning findings</li>
<li>HackerOne report findings</li>
<li>CVEs and other vulnerability findings</li>
<li>Manual penetration testing findings imported via <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/943-using-jupiterone-as-a-central-repository-for-secops-and-compliance-artifacts">the J1 API</a>.</li>
</ul>
<p>J1 adds more vulnerability scanner integrations on a regular basis.</p>
<h2 data-id="managing-findings">Managing Findings</h2>
<p>You can access the consolidated findings in the Alerts app, under the <strong>Findings</strong> tab. The header tab shows the total count of currently open findings. Selecting it brings you to the detailed findings view:</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/47XHBMXFAL4R/alerts-findings-grid.png" alt="" class="embedImage-img importedEmbed-img"></p>
<p>J1 automatically maps the resources impacted by or related to each finding, based on the attributes available from the finding source.</p>
<p>Selecting a finding from the list shows you a graph of those relationships. This view lets you visualize the context so you can analyze the impact of the finding and determine the appropriate remediation.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/TCBYC2HWFEEA/alerts-findings-graph.png" alt="" class="embedImage-img importedEmbed-img"></p>
<h2 data-id="creating-alerts-for-findings">Creating Alerts for Findings</h2>
<p>You can create custom alert rules that notify you about specific findings, using J1QL to filter and correlate them.</p>
<h3 data-id="examples">Examples</h3>
<p>The following three rules are included in the J1 Common Alerts Rule Pack:</p>
<ul>
<li><p><strong>high-severity-finding</strong></p>
<p>Alerts on findings with a severity of High, or a numeric severity rating higher than 7, that were created within the last 24 hours.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Finding with (severity='High' or severity='high' or numericSeverity>7) and _createdOn > date.now-24hours</pre></li>
<li><p><strong>prod-resources-with-high-severity-finding</strong></p>
<p>Alerts when production resources are impacted by high-severity findings.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Host|DataStore|Application|CodeRepo|Account|Service|Network) with tag.Production=true that has Finding with severity=('High' or 'high') or numericSeverity=(7 or 8)</pre></li>
<li><p><strong>prod-resources-with-critical-finding</strong></p>
<p>Alerts when production resources are impacted by critical findings.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Host|DataStore|Application|CodeRepo|Account|Service|Network) with tag.Production=true that has Finding with severity=('Critical' or 'critical') or numericSeverity=(9 or 10)</pre></li>
</ul>
<p>The following rule is included in the J1 AWS Threat Rule Pack:</p>
<ul>
<li><p><strong>aws-guardduty-inspector-finding-instance-correlation</strong></p>
<p>Identifies vulnerable EC2 instances (for example, those with an open Inspector finding rated medium or higher) that are also the target of suspicious activity (for example, an open GuardDuty finding rated medium or higher).</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_guardduty_finding with numericSeverity>5 and open=true as guardduty that relates to aws_instance as i that has aws_inspector_finding with numericSeverity>5 and open=true as inspector return i.*, guardduty.*, inspector.*</pre></li>
</ul>
<h2 data-id="visualizing-findings-with-j1-query-and-graph">Visualizing Findings with J1 Query and Graph</h2>
<p>You can run J1QL queries to generate graph visualizations that help you analyze the relationships among findings, the agents, scanners, and services that identified them, and the resources they impact.</p>
<h3 data-id="example">Example</h3>
<p><code class="code codeInline" spellcheck="false" tabindex="0">Find cve that relates to (Host|HostAgent) with active=true return tree</code></p>
<p>This query produces a graph similar to the one below. You may need to drag the nodes around to adjust their positioning.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/TFQG8JLA5KCM/graph-cve-agents.png" alt="graph-cve" class="embedImage-img importedEmbed-img"></p>
</article> </main>
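To make the correlation logic of the aws-guardduty-inspector-finding-instance-correlation rule concrete, here is an added example (not JupiterOne's code) that evaluates the same join over a small constructed graph of entities and relationships. Entity classes, property names and relationship verbs mirror the J1QL above; the data and the helper names are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample entities keyed by id: (entity class, properties).
# Classes and properties follow the J1QL rule; the ids and values are made up.
ENTITIES = {
    "i-1": ("aws_instance", {"instanceId": "i-1"}),
    "i-2": ("aws_instance", {"instanceId": "i-2"}),
    "i-3": ("aws_instance", {"instanceId": "i-3"}),
    "gd-1": ("aws_guardduty_finding", {"numericSeverity": 8, "open": True}),
    "gd-2": ("aws_guardduty_finding", {"numericSeverity": 2, "open": True}),
    "gd-3": ("aws_guardduty_finding", {"numericSeverity": 7, "open": True}),
    "insp-1": ("aws_inspector_finding", {"numericSeverity": 6, "open": True}),
    "insp-3": ("aws_inspector_finding", {"numericSeverity": 9, "open": False}),
}

# Constructed relationships as (from_id, verb, to_id). Direction matches the
# rule: a GuardDuty finding RELATES_TO an instance; an instance HAS an
# Inspector finding.
RELATIONSHIPS = [
    ("gd-1", "RELATES_TO", "i-1"),
    ("gd-2", "RELATES_TO", "i-2"),
    ("gd-3", "RELATES_TO", "i-3"),
    ("i-1", "HAS", "insp-1"),
    ("i-3", "HAS", "insp-3"),
]


def _qualifies(entity_id, cls, min_severity):
    """True when the entity has class cls, is open, and is rated above min_severity
    (the 'with numericSeverity>5 and open=true' clauses of the rule)."""
    entity_cls, props = ENTITIES[entity_id]
    return (entity_cls == cls and props.get("open") is True
            and props.get("numericSeverity", 0) > min_severity)


def correlate_instances(min_severity=5):
    """Return instances that have BOTH a qualifying GuardDuty finding and a
    qualifying Inspector finding, as {instance_id: {"guardduty": [...], "inspector": [...]}}.
    An instance with only one kind of finding, or with a closed finding, is excluded."""
    guardduty = defaultdict(list)   # instance id -> qualifying GuardDuty finding ids
    inspector = defaultdict(list)   # instance id -> qualifying Inspector finding ids
    for src, verb, dst in RELATIONSHIPS:
        if verb == "RELATES_TO" and _qualifies(src, "aws_guardduty_finding", min_severity):
            guardduty[dst].append(src)
        elif verb == "HAS" and _qualifies(dst, "aws_inspector_finding", min_severity):
            inspector[src].append(dst)
    return {i: {"guardduty": guardduty[i], "inspector": inspector[i]}
            for i in sorted(guardduty) if i in inspector}
```

With the sample data only i-1 is returned: i-2 has no qualifying Inspector finding and i-3's Inspector finding is closed.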