
Alert Rule Action Configuration Examples

Quickly enable actions in your rules with these JupiterOne alert rule configuration examples. They cover the most commonly used actions (SET_PROPERTY, SEND_EMAIL, CREATE_ALERT, CREATE_JIRA_TICKET, SEND_SLACK_MESSAGE and FOR_EACH_ITEM) so you can get your workflows running quickly. Before importing an example, replace the environment-specific values with your own: the rule and action `id` values, the `integrationInstanceId` of your Jira or Slack integration instance, the Jira `project` key, the Slack `channels`, and the email `recipients`. Also check `pollingInterval` — the Slack example below has it set to `DISABLED`, so that rule only runs when evaluated manually until you give it a schedule such as `ONE_DAY`. Because the rendered email, Jira and Slack bodies include resource ARNs, owners and tags from your inventory, send them only to recipients and channels that are authorized to see that data.

Send Email For All Results:

Email Example

{
"id": "ca2c8bfb-c850-44de-b80c-eeef6f16ee1f",
"collectionId": null,
"name": "s3-buckets-not-allow-public-read-write-access",
"description": "S3 buckets should not allow public read or write access to the bucket ACL policy.",
"version": 5,
"lastEvaluationStartOn": 1729719748559,
"specVersion": 1,
"notifyOnFailure": true,
"triggerActionsOnNewEntitiesOnly": false,
"ignorePreviousResults": true,
"pollingInterval": "ONE_WEEK",
"templates": {
"emailBody": "({{itemIndex+1}} of {{itemCount}})Display Name: {{item.displayName}} ARN: {{item._key}} Link:{{item.webLink}} <br><br>"
},
"outputs": [
"alertLevel"
],
"labels": [],
"question": {
"queries": [
{
"query": "FIND aws_s3_bucket WITH ignorePublicAcls != true AND restrictPublicBuckets != true THAT ALLOWS AS grant Everyone WHERE grant.permission = 'READ_ACP' or grant.permission = 'WRITE_ACP'",
"name": "query0",
"version": "v1",
"includeDeleted": false
}
]
},
"questionId": null,
"operations": [
{
"when": {
"type": "FILTER",
"condition": [
"AND",
[
"queries.query0.total",
">",
0
]
]
},
"actions": [
{
"id": "8a60b644-ccb5-4727-af0e-03573e5b9cd2",
"type": "SET_PROPERTY",
"targetValue": "HIGH",
"targetProperty": "alertLevel"
},
{
"id": "c39abde5-b74a-42c3-be02-a559fa541ec5",
"type": "SEND_EMAIL",
"body": "Please review the following results: <br><br>{{ queries.query0.data | mapTemplate('emailBody') | join(' ') }}",
"recipients": [
"email_address@jupiterone.com"
]
}
]
}
],
"state": null,
"tags": [],
"remediationSteps": null
}
Jira Ticket For All Results:

Jira Ticket Example 1

Jira Ticket Example 2

{
"id": "4dc6e222-f11d-41c6-a495-5059d02cadaa",
"collectionId": null,
"name": "eks_publicly_accessible",
"description": "Checks if Amazon EKS endpoints are publicly accessible.",
"version": 13,
"lastEvaluationStartOn": 1730482765679,
"specVersion": 1,
"notifyOnFailure": true,
"triggerActionsOnNewEntitiesOnly": false,
"ignorePreviousResults": true,
"pollingInterval": "ONE_WEEK",
"templates": {
"jiraTicketBody": "Display Name: {{item.displayName}} ({{item.arn}}) Active Status: {{item.status}}, Tags: {{item.tags}}"
},
"outputs": [
"alertLevel"
],
"labels": [],
"question": {
"queries": [
{
"query": "FIND aws_eks_cluster WITH vpcEndpointPublicAccess = true",
"name": "query0",
"version": "v1",
"includeDeleted": false
}
]
},
"questionId": null,
"operations": [
{
"when": {
"type": "FILTER",
"condition": [
"AND",
[
"queries.query0.total",
">",
0
]
]
},
"actions": [
{
"id": "1b72deaf-8692-4b9a-aca6-1f4cc370c48d",
"type": "SET_PROPERTY",
"targetProperty": "alertLevel",
"targetValue": "CRITICAL"
},
{
"id": "2c586ecf-4b0a-4245-b556-865156962e7e",
"type": "CREATE_ALERT"
},
{
"integrationInstanceId": "1993ff4d-18bb-488a-8966-dde76a4c3669",
"id": "8ac582c8-033f-499f-be4e-ced993004876",
"type": "CREATE_JIRA_TICKET",
"entityClass": "Issue",
"summary": "{{alertRuleDescription}}",
"issueType": "Task",
"project": "PROS",
"additionalFields": {
"description": {
"type": "doc",
"version": 1,
"content": [
{
"type": "paragraph",
"content": [
{
"type": "text",
"text": "{{alertWebLink}}\n\n**Affected Items:**\n\n* {{queries.query0.data|mapTemplate('jiraTicketBody')|join('\n* ')}}"
}
]
}
]
},
"priority": {
"name": "High",
"id": "2"
}
}
}
]
}
],
"state": null,
"tags": [],
"remediationSteps": null
}
Slack Message For All Results:

Slack Example

{
"id": "5821ab03-e2cd-4d79-9067-13c0c8f07fdc",
"collectionId": null,
"name": "aws-iam-access-keys-greater-than-180-days",
"description": "All active AWS IAM access keys that were created more than 180 days ago",
"version": 6,
"lastEvaluationStartOn": 1729814129144,
"specVersion": 1,
"notifyOnFailure": true,
"triggerActionsOnNewEntitiesOnly": false,
"ignorePreviousResults": true,
"pollingInterval": "DISABLED",
"templates": {
"accessKey": "({{itemIndex+1}}) Key: {{item.displayName}} Created On: {{item._createdOn}}"
},
"outputs": [
"alertLevel"
],
"labels": [],
"question": {
"queries": [
{
"query": "FIND aws_iam_access_key WITH active = true AND createdOn < date.now - 180 days",
"name": "query0",
"version": "v1",
"includeDeleted": false
}
]
},
"questionId": null,
"operations": [
{
"when": {
"type": "FILTER",
"condition": [
"AND",
[
"queries.query0.total",
">",
0
]
]
},
"actions": [
{
"id": "739bc275-d45d-4157-a2e8-1bcff26ae55b",
"type": "SET_PROPERTY",
"targetProperty": "alertLevel",
"targetValue": "HIGH"
},
{
"integrationInstanceId": "ad8db463-af8e-4f55-aec2-406ac563f331",
"id": "630864c5-a43d-4571-9cc0-188d64b5a1b4",
"type": "SEND_SLACK_MESSAGE",
"channels": [
"#jupiterone-alerts"
],
"body": "*Affected Items:* \n\n- {{queries.query0.data|mapTemplate('accessKey')|join('\n- ')}}"
},
{
"id": "829b4bfd-5fae-4e41-9427-ffcdc4b92322",
"type": "CREATE_ALERT"
}
]
}
],
"state": null,
"tags": [],
"remediationSteps": null
}
For-Each Action to Create One Jira Ticket Per Result (uses `FOR_EACH_ITEM` with `itemRef: "result"`, and sets `autoResolve` with `resolvedStatus: "Closed"` so tickets are intended to close automatically once the finding clears):

For Each Jira Action

{
"id": "94a92bf2-5d06-495c-b260-e5c372be3cd7",
"collectionId": null,
"name": "AWS S3 Bucket Publicly Accessible Alert",
"description": null,
"version": 17,
"lastEvaluationStartOn": 1730287835953,
"specVersion": 1,
"notifyOnFailure": true,
"triggerActionsOnNewEntitiesOnly": false,
"ignorePreviousResults": true,
"pollingInterval": "ONE_DAY",
"templates": {},
"outputs": [
"alertLevel"
],
"labels": [],
"question": {
"queries": [
{
"query": "FIND aws_s3_bucket WITH ignorePublicAcls != true AND restrictPublicBuckets != true THAT ALLOWS AS grant Everyone WHERE grant.permission = 'READ_ACP' or grant.permission = 'WRITE_ACP'",
"name": "query0",
"version": "v1",
"includeDeleted": false
}
]
},
"questionId": null,
"operations": [
{
"when": {
"type": "FILTER",
"condition": [
"AND",
[
"queries.query0.total",
">",
0
]
]
},
"actions": [
{
"id": "e696b537-9617-4332-8509-de78b8926c56",
"type": "SET_PROPERTY",
"targetValue": "INFO",
"targetProperty": "alertLevel"
},
{
"id": "c1514c00-c6eb-497a-98c4-c9a76cecf7b1",
"type": "FOR_EACH_ITEM",
"items": "{{queries.query0.data}}",
"itemRef": "result",
"actions": [
{
"integrationInstanceId": "1993ff4d-18bb-488a-8966-dde76a4c3669",
"type": "CREATE_JIRA_TICKET",
"entityClass": "Issue",
"summary": "AWS S3 Bucket Publicly Accessible Alert",
"issueType": "Task",
"project": "PROS",
"autoResolve": true,
"resolvedStatus": "Closed",
"additionalFields": {
"description": {
"type": "doc",
"version": 1,
"content": [
{
"type": "paragraph",
"content": [
{
"type": "text",
"text": "[Alert Link]({{alertWebLink}})\n\n**Affected Item:** {{result.entity.displayName}}\n\nARN: {{result.entity._key}}\n\nOwner: {{result.properties.owner}}\n\n[Link to affected item]({{result.properties.webLink}})"
}
]
}
]
},
"priority": {
"name": "High",
"id": "2"
}
}
}
]
}
]
}
],
"state": null,
"tags": [],
"remediationSteps": null
}
