Alerts and Alert Rules - AskJ1 Community
<main> <article class="userContent">
<p>JupiterOne allows you to configure alert rules using any J1QL query for continuous auditing and threat monitoring. You do this in the <strong>Alerts</strong> app.</p>
<h2 data-id="import-alert-rules-from-rule-pack">Import Alert Rules from Rule Pack</h2>
<p>You must have at least one active alert rule to trigger any alert. The easiest way to add some rules is to import rule packs.</p>
<ol>
<li><p>From the apps menu <img src="https://us.v-cdn.net/6035534/uploads/IWY95Q7TCTY6/apps.png" alt="apps" class="embedImage-img importedEmbed-img"></img>, select <strong>Alerts</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/PLW6V0YMUE7E/alerts-header.png" alt="" class="embedImage-img importedEmbed-img"></img></p></li>
<li><p>Click <strong>MANAGE RULES</strong>.<br><img src="https://us.v-cdn.net/6035534/uploads/C6HTIKT7PQE0/alerts-manage-rules.png" alt="" class="embedImage-img importedEmbed-img"></img></p></li>
<li><p>Click <strong>IMPORT RULES PACK</strong>.<br><img src="https://us.v-cdn.net/6035534/uploads/MOA1UTUJ0A7V/alerts-import-pack.png" alt="alerts-import-pack" class="embedImage-img importedEmbed-img"></img></p></li>
<li><p>From the Import Rules from Rule Pack window, select the rule packs or individual rules within a rule pack, and click <strong>Save</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/YVLPMQ0OWKYP/alerts-import-rule-pack.png" alt="" class="embedImage-img importedEmbed-img"></img></p></li>
</ol>
<h2 data-id="create-custom-alert-rules">Create Custom Alert Rules</h2>
<p>To create your own custom alert rule:</p>
<ol>
<li><p>From the apps menu <img src="https://us.v-cdn.net/6035534/uploads/IWY95Q7TCTY6/apps.png" alt="apps" class="embedImage-img importedEmbed-img"></img>, select <strong>Alerts</strong>.</p></li>
<li><p>Click <strong>MANAGE RULES</strong>.</p></li>
<li><p>Click <strong>CREATE RULE</strong>.</p></li>
<li><p>Enter the following details for the custom rule and click <strong>SAVE</strong>:</p></li>
</ol>
<ul>
<li>Name</li>
<li>Severity (select from drop-down list)</li>
<li>Description</li>
<li>Tags</li>
<li><p>Query (any J1QL query)</p> <p><img src="https://us.v-cdn.net/6035534/uploads/PGZ999PANLIK/alerts-create-rule.png" alt="" class="embedImage-img importedEmbed-img"></img></p></li>
</ul>
<p>The custom rule you have added is evaluated daily, hourly, or with streaming evaluation for Enterprise customers. If the query you have specified in the rule returns at least one match, it triggers an alert.</p>
<h2 data-id="additional-alert-options">Additional Alert Options</h2>
<p>J1 provides the ability to trigger the following workflows from alerts:</p>
<ul>
<li>Slack: You must configure the Slack integration for JupiterOne by <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1022-slack-integration-with-jupiterone">following these instructions</a>. Ensure that you specify the channel in the format <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">#channel</code>.</li>
<li>JIRA: You must configure the JIRA integration for JupiterOne by <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1009-jira-integration-with-jupiterone">following these instructions</a>.</li>
<li>SNS: The destination AWS account must be configured as an AWS Integration, and the J1 IAM role in that account must have the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SNS:Publish</code> permission.</li>
<li>SQS: The destination AWS account must be configured as an AWS Integration, and the J1 IAM role in that account must have the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SQS:SendMessage</code> permission.</li>
<li>Tag Entities: Specify the tag name and tag value (multiple tag names and values are allowed), with the option to also add the critical asset tag.</li>
</ul>
<p>To trigger any of these workflows, when creating a custom rule, scroll down to the Additional Alerts section. Select the one you want and provide the required information.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/39MUQ2DI2GMT/alerts-additional-options-1.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<h2 data-id="managing-alerts">Managing Alerts</h2>
<p>J1 evaluates the alert rules you create each day, or at the custom interval of every 30 or 60 minutes, if specified.</p>
<p>Active alerts that match the evaluation criteria of the alert rules appear in the <strong>Alerts</strong> app in a data grid.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/X1DCJ7VGXRF4/alerts-grid.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<p>Use the icons in the rows to edit, run, delete, or disable a rule.</p>
<h2 data-id="configure-daily-notification-email">Configure Daily Notification Email</h2>
<p>To receive daily notification of new and active alerts:</p>
<ol>
<li>In the Alerts app, go to <strong>MANAGE ALERTS > EMAIL REPORTS</strong>.</li>
<li>Enter the email addresses of the users or teams in the daily and weekly recipients fields, with one address per line.</li>
<li>Ensure that <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">@jupiterone.io</code> and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">@us.jupiterone.io</code> are in the allowlist in your email configuration.</li>
</ol>
<blockquote class="UserQuote blockquote"><div class="QuoteText blockquote-content"> <p class="blockquote-line"><img src="https://us.v-cdn.net/6035534/uploads/VBVCEZ1CDNI9/alerts-daily-email.png" alt="" class="embedImage-img importedEmbed-img"></img></p> </div></blockquote>
</article> </main>
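As an added example (not from the JupiterOne documentation above), here is a least-privilege IAM policy for the J1 integration role in the destination AWS account that grants only the `SNS:Publish` and `SQS:SendMessage` actions the SNS and SQS alert workflows require, scoped to a single topic and a single queue rather than `*`. The account ID `111122223333`, the region `us-east-1`, and the names `j1-alerts-topic` and `j1-alerts-queue` are placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "J1AlertsPublishToSns",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111122223333:j1-alerts-topic"
    },
    {
      "Sid": "J1AlertsSendToSqs",
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:j1-alerts-queue"
    }
  ]
}
```

IAM matches action names case-insensitively, so the lower-case `sns:Publish` and `sqs:SendMessage` used here are equivalent to the `SNS:Publish` and `SQS:SendMessage` forms above. Before enabling the workflow, you can confirm the role actually holds these grants with `aws iam simulate-principal-policy --policy-source-arn <J1 role ARN> --action-names sns:Publish sqs:SendMessage --resource-arns <topic ARN> <queue ARN>`.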