Alert Rule Action Config Example with Entity Tag Values

This page demonstrates how to define an action config template within a JupiterOne alert rule that references entity tag values, such as:

DisplayName: {{item.displayName}} - Tag: {{item['tag.owner_email']}}

This is useful when you want to include specific tag values from your entities in alert notifications or actions (e.g., emails, Slack messages, Jira tickets).

Note: In JEXL syntax, a property whose name contains a period (like 'tag.name') must be accessed with bracket notation instead of dot notation. Dot notation interprets the part after the dot as a nested property.

Example: Send Email with Entity Tag Value

Below is a sample alert rule configuration that sends an email for all results, including the entity's display name and the value of the owner_email tag.

{
  "name": "entities-with-owner-email-tag",
  "description": "Alert on entities and include their owner email tag in the notification.",
  "notifyOnFailure": true,
  "triggerActionsOnNewEntitiesOnly": false,
  "ignorePreviousResults": true,
  "pollingInterval": "ONE_DAY",
  "templates": {
    "emailBody": "DisplayName: {{item.displayName}} - Tag: {{item['tag.owner_email']}}"
  },
  "outputs": [
    "alertLevel"
  ],
  "labels": [],
  "question": {
    "queries": [
      {
        "query": "FIND aws_s3_bucket WITH [tag.owner_email] != undefined",
        "name": "query0",
        "version": "v1",
        "includeDeleted": false
      }
    ]
  },
  "operations": [
    {
      "when": {
        "type": "FILTER",
        "condition": [
          "AND",
          [
            "queries.query0.total",
            ">",
            0
          ]
        ]
      },
      "actions": [
        {
          "type": "SET_PROPERTY",
          "targetProperty": "alertLevel",
          "targetValue": "MEDIUM"
        },
        {
          "type": "SEND_EMAIL",
          "body": "Entities with owner email tag:<br><br>{{ queries.query0.data | mapTemplate('emailBody') | join('<br>') }}",
          "recipients": [
            "security-team@company.com"
          ]
        }
      ]
    }
  ],
  "tags": [],
  "remediationSteps": null
}

Explanation

  • The templates.emailBody field defines a template string that references both the entity's display name and the owner_email tag value.
  • In the SEND_EMAIL action, the body uses mapTemplate('emailBody') to apply this template to each result.
  • The J1QL query finds all aws_s3_bucket entities that have a tag.owner_email defined.
  • The resulting email will list each entity with its display name and the value of its owner_email tag.

You can adapt this pattern for other actions (Slack, Jira, etc.) and other tag keys as needed.
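
The bracket-notation rule from the note above, as an added example that is not JupiterOne's or the JEXL library's own code: plain JavaScript that shows why a dot-notation lookup of a tag comes back empty, plus a hypothetical helper (findDotNotationTagRefs) that scans a rule config for tag references written with dot notation. The sample entity and rule fragment are constructed, and the flat "tag.owner_email" property name is assumed from the note.

```javascript
// Added illustration in plain JavaScript; it mimics property lookup only and
// is not JupiterOne's or the JEXL library's code.

// Constructed sample entity: the tag is one flat property whose name contains a period.
const sampleItem = {
  displayName: "example-bucket",
  "tag.owner_email": "owner@example.com",
};

// Dot notation: each segment after a dot is treated as a nested property.
function resolveDotPath(obj, path) {
  return path.split(".").reduce(
    (cur, key) => (cur !== null && typeof cur === "object" ? cur[key] : undefined),
    obj
  );
}

// Bracket notation: the whole string is one literal property name.
function resolveBracket(obj, key) {
  return obj[key];
}

// Hypothetical lint helper: walk every string in a rule config and report
// {{ ... }} expressions that reach a tag through dot notation (item.tag.<key>).
function findDotNotationTagRefs(ruleConfig) {
  const findings = [];
  const visit = (value, path) => {
    if (typeof value === "string") {
      for (const m of value.matchAll(/\{\{([^}]*)\}\}/g)) {
        const dotted = m[1].match(/\bitem\.tag\.([A-Za-z0-9_-]+)/);
        if (dotted) findings.push({ path, expression: m[0], suggestion: `item['tag.${dotted[1]}']` });
      }
    } else if (value !== null && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) visit(v, path ? `${path}.${k}` : k);
    }
  };
  visit(ruleConfig, "");
  return findings;
}

// Constructed rule fragment with one broken and one correct template.
const sampleRule = {
  templates: {
    broken: "Tag: {{item.tag.owner_email}}",
    working: "Tag: {{item['tag.owner_email']}}",
  },
};
```

Running findDotNotationTagRefs over a rule's JSON before saving it catches notifications that would otherwise go out with an empty owner field.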