Alert rules API
An alert rule runs one or more J1QL queries on a schedule, evaluates the results against a filter, and runs a configured set of actions when the filter matches. Actions can create alerts, send email or Slack, open Jira tickets, call webhooks, publish to AWS messaging services, and more.
This page covers two things:
- API operations — the GraphQL mutations and queries for managing rules programmatically.
- Rule definition reference — the full schema of a rule's body: properties, operations, every action type, the templating language, parameters, and filtering.
For the conceptual product overview, see Alerts and rules.
API operations
List alert instances
Returns the active, inactive, or dismissed alerts produced by your rules.
query ListAlertInstances(
$alertStatus: AlertStatus
$limit: Int
$cursor: String
) {
listAlertInstances(
alertStatus: $alertStatus
limit: $limit
cursor: $cursor
) {
instances {
id
accountId
ruleId
level
status
lastUpdatedOn
lastEvaluationBeginOn
lastEvaluationEndOn
createdOn
dismissedOn
lastEvaluationResult {
rawDataDescriptors {
recordCount
}
}
questionRuleInstance {
id
name
description
question {
queries {
query
name
}
}
}
}
pageInfo {
endCursor
hasNextPage
}
}
}
Variables:
{
"alertStatus": "ACTIVE",
}
{
"alertStatus": "INACTIVE",
}
{
"alertStatus": "DISMISSED",
}
{
"limit": 10
}
To paginate through the results, pass the endCursor received in the response
as the cursor variable in the request. If endCursor is null then there are no more results to retrieve.
Create an inline alert rule from J1QL
This operation was formerly named createQuestionRuleInstance. That name is
now deprecated, and you should update all usages.
mutation CreateInlineQuestionRuleInstance(
$instance: CreateInlineQuestionRuleInstanceInput!
) {
createInlineQuestionRuleInstance(instance: $instance) {
id
name
description
version
pollingInterval
question {
queries {
query
version
}
}
operations {
when
actions
}
outputs
}
}
Variables:
{
"instance": {
"name": "unencrypted-prod-data",
"description": "Data stores in production tagged critical and unencrypted",
"version": "v1",
"pollingInterval": "ONE_DAY",
"outputs": ["alertLevel"],
"operations": [
{
"when": {
"type": "FILTER",
"version": 1,
"condition": [
"AND",
["queries.unencryptedCriticalData.total", "!=", 0]
]
},
"actions": [
{
"type": "SET_PROPERTY",
"targetProperty": "alertLevel",
"targetValue": "CRITICAL"
},
{
"type": "CREATE_ALERT"
}
]
}
],
"question": {
"queries": [
{
"query": "Find DataStore with (production=true or tag.Production=true) and classification='critical' and encrypted!=true as d return d.tag.AccountName as Account, d.displayName as UnencryptedDataStores, d._type as Type, d.encrypted as Encrypted",
"version": "v1",
"name": "unencryptedCriticalData"
}
]
}
}
}
Note that the recommended interval for query based alert rules (aka a question) is ONE_DAY. \
Supported intervals for enterprise customers are:
DISABLED, THIRTY_MINUTES, ONE_HOUR, FOUR_HOURS, EIGHT_HOURS,
TWELVE_HOURS, ONE_DAY, and ONE_WEEK.
Free accounts only have access to the ONE_WEEK interval by default, but
any upgrades to Compliance, Security, or Integrations will provide access
to the ONE_DAY polling interval too.
Update an inline alert rule
This operation was formerly named updateQuestionRuleInstance. That name is
now deprecated, and you should update all usages.
mutation UpdateInlineQuestionRuleInstance(
$instance: UpdateInlineQuestionRuleInstanceInput!
) {
updateInlineQuestionRuleInstance(instance: $instance) {
id
name
description
version
pollingInterval
question {
queries {
query
version
}
}
operations {
when
actions
}
outputs
}
}
Variables:
{
"instance": {
"id": "b1c0f75d-770d-432a-95f5-6f59b4239c72",
"name": "unencrypted-prod-data",
"description": "Data stores in production tagged critical and unencrypted",
"version": "v1",
"pollingInterval": "ONE_DAY",
"outputs": ["alertLevel"],
"operations": [
{
"when": {
"type": "FILTER",
"version": 1,
"condition": [
"AND",
["queries.unencryptedCriticalData.total", "!=", 0]
]
},
"actions": [
{
"type": "SET_PROPERTY",
"targetProperty": "alertLevel",
"targetValue": "CRITICAL"
},
{
"type": "CREATE_ALERT"
}
]
}
],
"question": {
"queries": [
{
"query": "Find DataStore with (production=true or tag.Production=true) and classification='critical' and encrypted!=true as d return d.tag.AccountName as Account, d.displayName as UnencryptedDataStores, d._type as Type, d.encrypted as Encrypted",
"version": "v1",
"name": "unencryptedCriticalData"
}
]
}
}
}
Note that the only difference for update is the "id" property
associated with the rule instance. You can modify all settings of a rule instance.
Create an alert rule by referencing a saved question
mutation CreateReferencedQuestionRuleInstance(
$instance: CreateReferencedQuestionRuleInstanceInput!
) {
createReferencedQuestionRuleInstance(instance: $instance) {
id
name
description
version
pollingInterval
questionId
questionName
operations {
when
actions
}
outputs
}
}
Variables:
{
"instance": {
"name": "unencrypted-prod-data",
"description": "Data stores in production tagged critical and unencrypted",
"version": "v1",
"pollingInterval": "ONE_DAY",
"outputs": ["alertLevel"],
"operations": [
{
"when": {
"type": "FILTER",
"version": 1,
"condition": [
"AND",
["queries.unencryptedCriticalData.total", "!=", 0]
]
},
"actions": [
{
"type": "SET_PROPERTY",
"targetProperty": "alertLevel",
"targetValue": "CRITICAL"
},
{
"type": "CREATE_ALERT"
}
]
}
],
"questionId": "uuid-of-saved-question",
"questionName": "name-of-saved-question" // either questionId or questionName must be specified
}
}
Note that you must specify either questionName or questionId in the instance for creation.
If you specify both, they must refer to the same question. After the rule is saved, subsequent requests will return both questionId and questionName.
Update an alert rule with a referenced question
mutation UpdateReferencedQuestionRuleInstance(
$instance: UpdateReferencedQuestionRuleInstanceInput!
) {
updateReferencedQuestionRuleInstance(instance: $instance) {
id
name
description
version
pollingInterval
questionId
questionName
operations {
when
actions
}
outputs
}
}
Variables:
{
"instance": {
"id": "b1c0f75d-770d-432a-95f5-6f59b4239c72",
"name": "unencrypted-prod-data",
"description": "Data stores in production tagged critical and unencrypted",
"version": "v1",
"pollingInterval": "ONE_DAY",
"outputs": ["alertLevel"],
"operations": [
{
"when": {
"type": "FILTER",
"version": 1,
"condition": [
"AND",
["queries.unencryptedCriticalData.total", "!=", 0]
]
},
"actions": [
{
"type": "SET_PROPERTY",
"targetProperty": "alertLevel",
"targetValue": "CRITICAL"
},
{
"type": "CREATE_ALERT"
}
]
}
],
"questionId": "uuid-of-saved-question",
"questionName": "name-of-saved-question"
}
}
Note that the only difference in update is the "id" property
associated with the rule instance. You can modify any of the settings of
a rule instance. Updates are not required to specify questionId or questionName, but you can specify either for update, and if you specify both they must refer to the same saved question.
Delete an alert rule
You can use this operation to delete any rule instance, regardless of whether it uses an inline question or a referenced question.
mutation DeleteRuleInstance($id: ID!) {
deleteRuleInstance(id: $id) {
id
}
}
Variables:
{
"id": "b1c0f75d-770d-432a-95f5-6f59b4239c72"
}
Deleting an alert rule this way does not dismiss active alerts already triggered by this rule. It is recommended that you Disable the rule from the Rules page instead of deleting one.
Trigger an alert rule on demand
mutation EvaluateRuleInstance($id: ID!) {
evaluateRuleInstance(id: $id) {
outputs {
name
value
}
}
}
Variables:
{
"id": "b1c0f75d-770d-432a-95f5-6f59b4239c72"
}
Rule definition reference
A rule uses the results of one or more queries to execute one or more actions. You can author the rule body in the JupiterOne UI, or pass it directly into the API operations above.
Configuring a rule
- Navigate to the JupiterOne Rules page (https://apps.us.jupiterone.io/rules)
- Click New rule
- Click Advanced editor (JSON) to open the advanced rule editor.
JSON Example:
{
"name": "unencrypted-critical-data-stores",
"description": "Unencrypted data store with classification label of 'critical' or 'sensitive' or 'confidential' or 'restricted'",
"version": 1,
"specVersion": 1,
"pollingInterval": "ONE_DAY",
"question": {
"queries": [
{
"name": "query0",
"query": "Find DataStore with classification=('critical' or 'sensitive' or 'confidential' or 'restricted') and encrypted!=true",
"version": "v1"
}
]
},
"operations": [
{
"when": {
"type": "FILTER",
"condition": "{{queries.query0.total > 0}}"
},
"actions": [
{
"type": "CREATE_ALERT"
}
]
}
],
"outputs": ["queries.query0.total", "alertLevel"]
}
You can also configure rules to include deleted data in the results. For example:
// ...
"question": {
"queries": [
{
"name": "query0",
"query": "Find DataStore with classification='critical' and encrypted=false as d return d.tag.AccountName as Account, d.displayName as UnencryptedDataStores, d._type as Type, d.encrypted as Encrypted",
"version": "v1",
"includeDeleted": true
},
{
"name": "query1",
"query": "...",
"version": "v1",
"includeDeleted": false
},
{
"name": "query2",
"query": "...",
"version": "v1"
}
]
},
// ...
}
Rule properties
| Property | Type | Description |
|---|---|---|
id | string | Auto-generated, globally unique ID of each rule. |
version | number | Current version of the rule. Incremented each time the rule is updated. |
name | string | Name of the rule, which is unique to each account. |
description | string | Optional description of the rule. |
specVersion | number | Rule evaluation version in the case of breaking changes. This should always be 1. |
pollingInterval | PollingInterval | Optional frequency of automated rule evaluation. Defaults to ONE_DAY. |
question | Question | Contains properties related to queries used in the rule evaluation. |
questionId | string | A known unique ID for a question in the question library. |
operations | RuleOperation[] | Actions that are executed when a corresponding condition is met. |
templates | object | Optional key/value pairs of template name to template. |
outputs | string[] | Names of properties that can be used throughout the rule evaluation process and will be included in each record of a rule evaluation (for example, queries.query0.total). |
notifyOnFailure | boolean | Will send a notification to stakeholders (account admins, assigned users) if the rule query or any of its actions does not succeed. This property defaults to true if not provided when creating a rule. |
triggerActionsOnNewEntitiesOnly | boolean | Will only trigger actions to be run when entities that did not exist during the previous rule evaluation appear in the question results. This property defaults to true if not provided when creating a rule. |
PollingInterval
Enumeration of the scheduled frequencies on which rules will automatically be evaluated.
Possible values are DISABLED, THIRTY_MINUTES, ONE_HOUR, FOUR_HOURS, EIGHT_HOURS, TWELVE_HOURS, ONE_DAY, and ONE_WEEK.
Question and queries
Question
A Question contains a collection of named queries that should be executed during
the rule evaluation process and whose responses can be used in any
RuleOperation.
| Property | Type | Description |
|---|---|---|
queries | QuestionQuery[] | The collection of queries that are used during the rule evaluation. |
QuestionQuery
A named query that should be executed during the rule evaluation process and
whose responses can be used in any RuleOperation.
| Property | Type | Description |
|---|---|---|
name | string | Optional name to assign the query that will be used when referencing query data in RuleOperations. If not provided, the query name is automatically assigned based on the index in the queries array (for example, query0, query1). |
query | string | JupiterOne query to execute. |
version | string | JupiterOne query language execution version (for example, v1). |
includeDeleted | boolean | Whether deleted data should be considered for the specific query (defaults to false). |
Operations
A RuleOperation is a single condition and series of actions that are
executed when the condition is met.
| Property | Type | Description |
|---|---|---|
when | RuleOperationCondition|RuleOperationCondition[] | Type of conditional used to determine whether the associated actions should be executed. |
actions | RuleOperationAction[] | Actions that should be executed when the when conditions have been met. |