Skip to main content

Alert Rule Action Config Example with Entity Tag Values

This page demonstrates how to define an action config template within a JupiterOne alert rule that references entity tag values, such as:

DisplayName: {{item.displayName}} - Tag: {{item['tag.owner_email']}}

This is useful when you want to include specific tag values from your entities in alert notifications or actions (e.g., emails, Slack messages, Jira tickets).

Note: In JEXL Syntax, when accessing a property from an object that has a period in its name (like 'tag.name'), you need to use bracket notation instead of dot notation. Dot notation will try to interpret the part after the dot as a nested property.

Example: Send Email with Entity Tag Value

Below is a sample alert rule configuration that sends an email for all results, including the entity's display name and the value of the owner_email tag.

{
  "name": "entities-with-owner-email-tag",
  "description": "Alert on entities and include their owner email tag in the notification.",
  "notifyOnFailure": true,
  "triggerActionsOnNewEntitiesOnly": false,
  "ignorePreviousResults": true,
  "pollingInterval": "ONE_DAY",
  "templates": {
    "emailBody": "DisplayName: {{item.displayName}} - Tag: {{item['tag.owner_email']}}"
  },
  "outputs": [
    "alertLevel"
  ],
  "labels": [],
  "question": {
    "queries": [
      {
        "query": "FIND aws_s3_bucket WITH [tag.owner_email] != undefined",
        "name": "query0",
        "version": "v1",
        "includeDeleted": false
      }
    ]
  },
  "operations": [
    {
      "when": {
        "type": "FILTER",
        "condition": [
          "AND",
          [
            "queries.query0.total",
            ">",
            0
          ]
        ]
      },
      "actions": [
        {
          "type": "SET_PROPERTY",
          "targetProperty": "alertLevel",
          "targetValue": "MEDIUM"
        },
        {
          "type": "SEND_EMAIL",
          "body": "Entities with owner email tag:<br><br>{{ queries.query0.data | mapTemplate('emailBody') | join('<br>') }}",
          "recipients": [
            "security-team@company.com"
          ]
        }
      ]
    }
  ],
  "tags": [],
  "remediationSteps": null
}

Explanation

  • The templates.emailBody field defines a template string that references both the entity's display name and the owner_email tag value.
  • In the SEND_EMAIL action, the body uses mapTemplate('emailBody') to apply this template to each result.
  • The J1QL query finds all aws_s3_bucket entities that have a tag.owner_email defined.
  • The resulting email will list each entity with its display name and the value of its owner_email tag.

You can adapt this pattern for other actions (Slack, Jira, etc.) and other tag keys as needed.

Contents