Alert Rule Packs
Aside from creating alert rules from scratch, JupiterOne offers the ability to import rule packs that consist of pre-configured alert rules. All packs are aimed at assisting with continued surveillance over changes and areas of interest in your environment.
JupiterOne offers dedicated rule packs for the following CSPs and use cases:
- AWS
- Azure
- Google Cloud Provider
- Common Alerts
- Compliance
- Critical Assets
- Device Management
- Dev Ops
- Integrations Monitoring
- Toxic Combinations
For more information on rule packs offered by JupiterOne, check out our GitHub repo.
Importing JupiterOne Managed Rule Packs
To import any of the rule packs for use with Alerts:
- Navigate to Alerts and select the Rules tab.
- Select Import rules above the table.
- By default, you should be in the JupiterOne Managed Packs tab. Select the pack you would like to use and press Import to install it.
You can view the individual rules in each pack by selecting the drop-down arrow and expanding the rule pack section.
::: note
JupiterOne periodically makes updates to the managed rule packs, and we suggest occasionally re-importing your rule packs to ensure you have the latest batch of rules associated with each pack. This is done via the same flow described above, as if you were installing the pack for the first time.
:::
Over time, we are also introducing new rule packs for use within your workspace, to accommodate additional updates to our platform.
Custom rule packs
In addition to JupiterOne's built-in rule packs, you are able to upload your own custom rule packs in JSON format.
By following the example files within the Rule Packs repo, you can create your own files of rules that suit your specific use case and get the most out of JupiterOne Alerts.
See our Alert Rules API documentation for additional information on managing alerts via the API.
To import a custom JSON rule file:
- Navigate to Alerts and select the Rules tab.
- Select Import rules above the table.
- Choose Custom rule pack (JSON), paste your JSON into the window, and press Import.
Once imported, your rules will evaluate on the provided polling interval. You can also manually initiate an evaluation of an alert by selecting it and pressing Evaluate. This causes it to run immediately rather than waiting for the next polling interval.
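Before pasting a custom pack into the Import window, an offline lint catches the mistakes that make an import fail or leave a rule that never fires (invalid JSON, missing fields, a condition that references a query the rule does not define, an operation with no CREATE_ALERT action). The script below is an added example, not JupiterOne's own code; it assumes the rule layout seen in the public Rule Packs repo (name, description, pollingInterval, queries under question.queries or at the top level, operations with when.condition and actions), and the sample pack is constructed.

```python
import json
import re

# Constructed sample pack (not taken from the Rule Packs repo). The second rule's
# condition refers to queries.query1, but that rule only defines query0.
SAMPLE_PACK = json.dumps([
    {"name": "unencrypted-critical-data-stores", "pollingInterval": "ONE_DAY",
     "description": "Critical data stores that are not encrypted",
     "question": {"queries": [{"name": "query0",
         "query": "Find DataStore with classification='critical' and encrypted!=true"}]},
     "operations": [{"when": {"type": "FILTER", "condition": "{{queries.query0.total != 0}}"},
                     "actions": [{"type": "CREATE_ALERT"}]}]},
    {"name": "public-buckets", "pollingInterval": "ONE_HOUR",
     "description": "Storage buckets that allow public access",
     "question": {"queries": [{"name": "query0", "query": "Find DataStore with public=true"}]},
     "operations": [{"when": {"type": "FILTER", "condition": "{{queries.query1.total != 0}}"},
                     "actions": [{"type": "CREATE_ALERT"}]}]},
])

QUERY_REF = re.compile(r"queries\.(\w+)")  # query name referenced inside a {{...}} condition
REQUIRED = ("name", "description", "pollingInterval", "operations")  # assumed required keys

def lint_rule_pack(text):
    """Return a list of problems found in a rule pack JSON string; [] means it looks importable."""
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    rules = [rules] if isinstance(rules, dict) else rules  # accept one rule or an array
    if not isinstance(rules, list):
        return ["rule pack must be a JSON object or an array of rules"]
    problems, seen = [], set()
    for i, rule in enumerate(rules):
        label = rule.get("name") or f"rule #{i}"
        problems += [f"{label}: missing '{k}'" for k in REQUIRED if k not in rule]
        if label in seen:
            problems.append(f"{label}: duplicate rule name")
        seen.add(label)
        # Queries may sit under question.queries or at the top level of the rule (assumed).
        queries = rule.get("queries") or rule.get("question", {}).get("queries", [])
        if not queries:
            problems.append(f"{label}: no queries defined")
        names = {q.get("name", f"query{n}") for n, q in enumerate(queries)}
        for op in rule.get("operations", []):
            for ref in QUERY_REF.findall(op.get("when", {}).get("condition", "")):
                if ref not in names:
                    problems.append(f"{label}: condition references queries.{ref}, which is not defined")
            if not any(a.get("type") == "CREATE_ALERT" for a in op.get("actions", [])):
                problems.append(f"{label}: operation never creates an alert")
    return problems
```

Run `lint_rule_pack` over the file contents before importing; an empty list means nothing was flagged, and each string in the list names the rule and the problem to fix.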