JupiterOne Resource Allowlist - AskJ1 Community
<main> <article class="userContent">
<p>JupiterOne provides a resource allowlisting tool as a Power Up for all Enterprise customers and all Premium customers who have added the Power Up Pack.</p>
<p>This Power Up enables you to list the applications, internal IP addresses, and external IP addresses that are approved, in use, and trusted by the organization. When an asset is created by the System Mapper, during the analysis of roles and policies in your account, or uploaded via API, the asset is checked against the allowlist. When a match is found, the asset is updated with an additional property for querying purposes.</p>
<h2 data-id="configuration">Configuration</h2>
<p>To configure the resource allowlist:</p>
<ol><li>Click the settings icon <img src="https://us.v-cdn.net/6035534/uploads/CD6187SW2CWQ/gear.png" alt="gear" class="embedImage-img importedEmbed-img" /> and select <strong>Power Ups</strong>.</li> <li>Select <strong>Configure Resource Allowlist</strong>.</li> <li>Populate each allowlist, following the instructions in the corresponding section.</li> </ol>
<p><img src="https://us.v-cdn.net/6035534/uploads/FDP3SAPTLF39/resource-whitelist-setup.png" alt="resource-whitelist-setup" class="embedImage-img importedEmbed-img" /></p>
<h3 data-id="configure-the-approved-applications-allowlist">Configure the Approved Applications Allowlist</h3>
<p>When you create an <code class="code codeInline" spellcheck="false" tabindex="0">Application</code> asset in J1, the property <code class="code codeInline" spellcheck="false" tabindex="0">approved</code> is set to <code class="code codeInline" spellcheck="false" tabindex="0">true</code> if the <code class="code codeInline" spellcheck="false" tabindex="0">name</code> of the application matches a value listed under the <strong>Approved Applications</strong> allowlist.</p>
<p>Add the applications you approve to the list by name, one per line, for example:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Google Chrome.app
zoom.us.app
</pre>
<p>After you have configured the allowlist, your application data is automatically enriched, and you can run useful queries such as the following to find non-approved applications installed on any device:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Device that installed Application with approved=false
</pre>
<h3 data-id="configure-the-internal-ip-addresses-allowlist">Configure the Internal IP Addresses Allowlist</h3>
<p>When you create a <code class="code codeInline" spellcheck="false" tabindex="0">Host</code> or <code class="code codeInline" spellcheck="false" tabindex="0">Network</code> asset in J1, the property <code class="code codeInline" spellcheck="false" tabindex="0">internal</code> is set to <code class="code codeInline" spellcheck="false" tabindex="0">true</code> if the <code class="code codeInline" spellcheck="false" tabindex="0">ipAddress</code> or <code class="code codeInline" spellcheck="false" tabindex="0">privateIpAddress</code> of the host or network matches a value listed under the <strong>Internal IP Addresses</strong> allowlist.</p>
<p>Add the internal IP addresses that you own to the list in CIDR notation, one per line, for example:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">16.5.4.3/32
16.5.4.0/24
</pre>
<p>After you have configured the allowlist, your host and network data is automatically enriched, and you can run useful queries to find the external IP hosts and networks in your account, such as the following:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">FIND (Host|Network) with _source!='integration-managed' and internal!=true
</pre>
<h3 data-id="configure-the-trusted-external-ip-addresses-allowlist">Configure the Trusted External IP Addresses Allowlist</h3>
<p>When you create a <code class="code codeInline" spellcheck="false" tabindex="0">Host</code> or <code class="code codeInline" spellcheck="false" tabindex="0">Network</code> asset in J1, the property <code class="code codeInline" spellcheck="false" tabindex="0">trusted</code> is set to <code class="code codeInline" spellcheck="false" tabindex="0">true</code> if the <code class="code codeInline" spellcheck="false" tabindex="0">ipAddress</code> or <code class="code codeInline" spellcheck="false" tabindex="0">privateIpAddress</code> of the host or network matches a value listed under the <strong>Trusted External IP Addresses</strong> allowlist.</p>
<p>Add the external IP addresses you trust to the list in CIDR notation, one per line, for example:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">16.5.4.3/32
16.5.4.0/24
</pre>
<p>After you configure the list, your host and network data is automatically enriched, and you can run useful queries to see a graph of untrusted sources that have inbound SSH access to your environment, such as the following:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">FIND Firewall that ALLOWS as rule (Host|Network) with _source!='integration-managed' and trusted!=true
  WHERE rule.ingress=true and rule.fromPort &lt;= 22 and rule.toPort &gt;= 22
RETURN TREE
</pre>
</article> </main>
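The three allowlists above all follow the same pattern (a name or CIDR list, an asset property set on match, and a query over that property). The following is an added Python model of that enrichment and of the "external hosts" query, not JupiterOne's own code; the allowlist values and assets are constructed, and an exact, case-sensitive application-name match is an assumption about the Power Up's behaviour.

```python
import ipaddress

# Constructed allowlists, one entry per line as in the Power Up's configuration UI.
APPROVED_APPLICATIONS = {"Google Chrome.app", "zoom.us.app"}
INTERNAL_IPS = ["16.5.4.3/32", "16.5.4.0/24"]
TRUSTED_EXTERNAL_IPS = ["203.0.113.10/32", "not-a-cidr"]  # second entry deliberately malformed

def parse_cidrs(entries):
    """Parse CIDR strings; skip malformed lines so one typo does not disable the whole list."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            pass
    return networks

def ip_matches(asset, networks):
    """True when the asset's ipAddress or privateIpAddress falls inside any allowlisted CIDR."""
    for key in ("ipAddress", "privateIpAddress"):
        try:
            addr = ipaddress.ip_address(asset.get(key) or "")
        except ValueError:
            continue  # missing or unparsable value: this field cannot match
        if any(addr in net for net in networks):
            return True
    return False

def enrich(asset, approved=APPROVED_APPLICATIONS, internal=INTERNAL_IPS, trusted=TRUSTED_EXTERNAL_IPS):
    """Return a copy of the asset with the property the Power Up adds for its class."""
    out = dict(asset)
    if asset.get("_class") == "Application":
        out["approved"] = asset.get("name") in approved  # assumed: exact, case-sensitive name match
    elif asset.get("_class") in ("Host", "Network"):
        out["internal"] = ip_matches(asset, parse_cidrs(internal))
        out["trusted"] = ip_matches(asset, parse_cidrs(trusted))
    return out

def external_untrusted(assets):
    """Mirror the page's query: (Host|Network) with _source!='integration-managed' and internal!=true."""
    return [a for a in assets if a.get("_class") in ("Host", "Network")
            and a.get("_source") != "integration-managed" and a.get("internal") is not True]

# Constructed sample inventory (RFC 5737 TEST-NET addresses) covering every branch.
SAMPLE_ASSETS = [enrich(a) for a in [
    {"_class": "Application", "name": "zoom.us.app"},
    {"_class": "Application", "name": "Unknown Tool.app"},
    {"_class": "Host", "_source": "api", "ipAddress": "16.5.4.77"},
    {"_class": "Host", "_source": "api", "ipAddress": "198.51.100.9", "privateIpAddress": "16.5.4.3"},
    {"_class": "Host", "_source": "api", "ipAddress": "203.0.113.10"},
    {"_class": "Network", "_source": "integration-managed", "ipAddress": "203.0.113.0"},
]]
```

Note that the fourth sample host is classed internal only because its privateIpAddress matches, which is why both address fields must be checked.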