Alerts and Alert Rules - AskJ1 Community
<main> <article class="userContent">
<p>JupiterOne allows you to configure rules using any J1QL query for continuous auditing and threat monitoring. You do this in J1 <strong>Alerts</strong>.</p>
<h2 data-id="import-alert-rules-from-rule-pack">Import Alert Rules from Rule Pack</h2>
<p>You must have at least one active rule to trigger any alert. The easiest way to add some rules is to import rule packs.</p>
<ol>
<li><p>From the top navigation of the J1 Search homepage, select <strong>Alerts</strong>.</p></li>
<li><p>Click <strong>Manage Rules</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/XVPHK6FK8Y07/alerts-manage-rules.png" alt="alerts-manage-rules" class="embedImage-img importedEmbed-img"></p></li>
<li><p>Click <strong>Import Rules</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/OP5NPCSUHB17/alerts-import-pack.png" alt="alerts-import-pack" class="embedImage-img importedEmbed-img"></p></li>
<li><p>From the Import Rules window, select the rule packs or individual rules within a rule pack, and click <strong>Import</strong>.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/FPMPLCSSN96H/alerts-import-rule-pack.png" alt="alerts-import-rule-pack" class="embedImage-img importedEmbed-img"></p></li>
</ol>
<h2 data-id="create-custom-alert-rules">Create Custom Alert Rules</h2>
<p>To create your own custom rule:</p>
<ol>
<li><p>From the top navigation of the J1 Search homepage, select <strong>Alerts</strong>.</p></li>
<li><p>Click <strong>Manage Rules</strong>.</p></li>
<li><p>Click <strong>New Rule</strong>.</p></li>
<li><p>Enter or select the following details for the custom rule, and then click <strong>Create</strong>:</p></li>
</ol>
<ul>
<li>Name</li>
<li>Description</li>
<li>Severity</li>
<li>Polling interval</li>
<li>Tags</li>
<li><p>Query (any J1QL query)</p> <p><img src="https://us.v-cdn.net/6035534/uploads/QGHMR38RW4FT/alerts-create-rule.png" alt="alerts-create-rule" class="embedImage-img importedEmbed-img"></p></li>
</ul>
<p>The custom rule you have added is evaluated daily, hourly, or with streaming evaluation for Enterprise customers. If the query you have specified in the rule returns at least one match, it triggers an alert.</p>
<h2 data-id="additional-alert-options">Additional Alert Options</h2>
<p>J1 provides the ability to trigger the following actions when the query evaluation returns at least one match:</p>
<ul>
<li><p>Email: You provide the email addresses to alert and the content you want in the email message.</p></li>
<li><p>Slack: You must configure the Slack integration for JupiterOne by <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1281-slack">following these instructions</a>. Ensure that you specify the channel in the format <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">#channel</code>.</p></li>
<li><p>JIRA: You must configure the JIRA integration for JupiterOne by <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/1009-jira-integration-with-jupiterone">following these instructions</a>. When you create a rule that triggers the creation of a Jira ticket, you provide the following:</p>
<ul>
<li>Summary: title of the Jira ticket.</li>
<li>Description: J1 automatically lists the affected entities and the associated query, but you can edit this field to contain other information.</li>
<li>Project: ID of the Jira project to which you want to assign the ticket.</li>
<li>Issue Type: type of issue you want the Jira ticket to be, such as task or bug.</li>
<li>Entity Class (mandatory): the class of the new ticket entity that you want to assign to the ticket, such as vulnerability or policy.</li>
<li>Integrations Instance: select the Jira instance from the dropdown menu.</li>
<li>Additional Fields: any other Jira ticket fields you want to populate.</li>
</ul>
<p>Read more about the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/784-jupiterone-alert-rule-schema">J1 alert rule schema</a>.</p></li>
<li><p>ServiceNow: Select the integration instance from the dropdown menu and enter the content for the request body. The message body is sent to the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">/api/now/table</code> incident endpoint. Go to the REST API Explorer page in your ServiceNow deployment to learn about additional fields. The request automatically sets the number property to <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">j1:{rule-instance-id}</code>.</p></li>
<li><p>SNS: The AWS account you want to send to must be configured as an AWS Integration, and the J1 IAM role for the AWS account you want to publish to must have the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SNS:Publish</code> permission.</p></li>
<li><p>SQS: The AWS account you want to send to must be configured as an AWS Integration, and the J1 IAM role for the AWS account you want to publish to must have the <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">SQS:SendMessage</code> permission.</p></li>
<li><p>Webhook: Sends a message to the specified webhook URL.</p></li>
<li><p>Tines Trigger: Pushes data from a J1 query to a Tines action workflow.</p></li>
</ul>
<p>To trigger any of these workflows, when creating a custom rule, scroll down to the Additional Alerts section. Select the one you want and provide the required information.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/HXQN8DZS74B0/alerts-additional-options-1.png" alt="alerts-additional-options" class="embedImage-img importedEmbed-img"></p>
<p>You can also use templates when adding rules. A template can go inside any property under the operations property of a rule. Templates use a JavaScript-like expression syntax, and the input variables they reference are filled in automatically when the rule is evaluated. See the <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/784-jupiterone-alert-rule-schema">alert rule schema</a> for more information about the templates property.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/QACWNP29PPW6/alerts-templates.png" alt="alerts-templates" class="embedImage-img importedEmbed-img"></p>
<h2 data-id="managing-alerts">Managing Alerts</h2>
<p>J1 evaluates the rules you create each day, or at the custom interval of every 30 or 60 minutes, if specified.</p>
<p>To see a list of the active alerts that match the evaluation criteria of the alert rules, go to <strong>Alerts</strong> > Manage Rules.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/Q993BVCA3239/alerts-grid.png" alt="alerts-grid" class="embedImage-img importedEmbed-img"></p>
<p>Use the icons in the rows to edit, run, evaluate, toggle status, delete, or disable a rule.</p>
<h2 data-id="configure-daily-notification-email">Configure Daily Notification Email</h2>
<p>To receive daily notification of new and active alerts:</p>
<ol>
<li>In J1 Alerts, go to <strong>Manage Rules > Email Reports</strong>.</li>
<li>Enter the email addresses of the users or teams in the daily and weekly recipients fields, with one address per line.</li>
<li>Ensure that <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">@jupiterone.io</code> and <code class="code codeInline code codeInline" spellcheck="false" tabindex="0">@us.jupiterone.io</code> are in the allowlist in your email configuration.</li>
</ol>
</article> </main>
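The following rule definition is an added example, not from the original article, showing how the custom rule fields above (name, description, severity, polling interval, tags, query) and a template under the operations property fit together in the JSON form used when importing rules. It assumes the rule JSON layout of the JupiterOne CLI (instance, question.queries, operations with when/actions); the J1QL query, the recipient address, the template name affectedItems, and the mapping of the Severity field to the alertLevel output are constructed for illustration, so check property names against the linked alert rule schema and strip the comments before importing.

```jsonc
{
  "instance": {
    // Fields entered in the New Rule form (constructed values)
    "name": "users-without-mfa",
    "description": "User accounts that do not have MFA enabled",
    "specVersion": 1,
    // Polling interval; daily evaluation as described in the article
    "pollingInterval": "ONE_DAY",
    "tags": ["access-control", "mfa"],
    // Reusable template referenced from an action below (name is an assumption)
    "templates": {
      "affectedItems": "* {{queries.query0.data|mapProperty('displayName')|join('<br>* ')}}"
    },
    // The J1QL query the rule evaluates (constructed example query)
    "question": {
      "queries": [
        {
          "name": "query0",
          "version": "v1",
          "query": "Find User with mfaEnabled != true"
        }
      ]
    },
    // Severity is carried as the alertLevel output (assumed mapping)
    "outputs": ["alertLevel"],
    "operations": [
      {
        // Fire only when the query returns at least one match
        "when": {
          "type": "FILTER",
          "specVersion": 1,
          "condition": "{{queries.query0.total != 0}}"
        },
        "actions": [
          { "type": "SET_PROPERTY", "targetProperty": "alertLevel", "targetValue": "HIGH" },
          { "type": "CREATE_ALERT" },
          {
            // Additional alert option: email, with the template expanded into the body
            "type": "SEND_EMAIL",
            "recipients": ["security-team@example.com"],
            "body": "Users without MFA enabled:<br><br>{{templates.affectedItems}}"
          }
        ]
      }
    ]
  }
}
```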