Skip to main content

Global Mappings

jupiterone_account <-OWNS- <ROOT>

security_policy <-HAS- <ROOT>

(Service|Control|Team) -IMPLEMENTS-> security_procedure

Source Filters

  • function = !null
  • inUse = !false
  • active = !false

Target Filters

  • function = source.function

employee <-EMPLOYS- <ROOT>

Domain <-OWNS- <ROOT>

Organization -HAS-> Person

Target Filters

  • email = source.members

Team -HAS-> Person

Target Filters

  • email = source.members

Team <-MANAGES- Person

Target Filters

  • email = source.supervisor

Team <-HAS- Organization

Source Filters

  • organization = !null

Target Filters

  • _key = source.organization

Team <-HAS- <ROOT>

Source Filters

  • organization = null

Document <-APPROVED- Person

Target Filters

  • email = source.approvedBy

Document <-CREATED- Person

Target Filters

  • email = source.createdBy

Document <-UPDATED- Person

Target Filters

  • email = source.updatedBy

(Account|Application|Channel|Cluster|CodeRepo|Configuration|DataStore|Domain|Firewall|Function|Gateway|Host|Network|Organization|Product|Repository|Service) <-MANAGES- (Person|Team|UserGroup)

Target Filters

  • _key = [source.owner,source.tag.Owner]

(Account|Application|Channel|Cluster|CodeRepo|Configuration|DataStore|Domain|Firewall|Function|Gateway|Host|Network|Organization|Product|Repository|Service) <-MANAGES- (Person|Team|UserGroup)

Target Filters

  • email = [toLowerCase(source.email),toLowerCase(source.owner),toLowerCase(source.tag.Owner)]

Domain <-HAS- Organization

Target Filters

  • domains = source.name

Domain <-MANAGES- Person

Target Filters

  • email = source.contactEmails

DomainRecord -CONNECTS-> (Host|IpAddress|NetworkInterface|Gateway|Cluster)

Source Filters

  • type = (A|AAAA|CNAME)

Target Filters

  • publicIpAddress = source.value

DomainRecord -CONNECTS-> (Gateway|Host|Cluster)

Source Filters

  • type = (A|AAAA|CNAME)

Target Filters

  • dnsName = source.value

DomainRecord -CONNECTS-> (Gateway|Host|Cluster)

Source Filters

  • type = (A|AAAA|CNAME)

Target Filters

  • domainName = source.value

DomainRecord -CONNECTS-> (Gateway|Host|Cluster)

Source Filters

  • type = (A|AAAA|CNAME)

Target Filters

  • aliases = source.value

DomainRecord -CONNECTS-> (Gateway|Host|Cluster)

Source Filters

  • type = (A|AAAA|CNAME)

Target Filters

  • fqdn = source.value

DomainRecord -CONNECTS-> DomainRecord

Source Filters

  • type = CNAME

Target Filters

  • name = source.value

DomainZone <-HAS- Domain

Target Filters

  • name = source.parentDomain

Application -USES-> DomainZone

Target Filters

  • domainName = source.name

ApplicationEndpoint -USES-> DomainRecord

Target Filters

  • type = ("A"|"AAAA"|"CNAME")
  • name = source.address

Certificate <-HAS- (Domain|DomainZone|DomainRecord)

Target Filters

  • name = [source.domainName,source.alternativeNames]

User -IS-> Person

Target Filters

  • email = toLowerCase(source.email)

User -IS-> Person

Target Filters (this rule will not work if there are multiple Person Target entities)

  • username = toLowerCase(source.username)

User -IS-> Person

Target Filters

  • aliases = toLowerCase(source.email)

User -IS-> Person

Source Filters

  • _accountId = !(********-****-****-****-************|********-****-****-****-************)

Target Filters (this rule will not work if there are multiple Person Target entities)

  • name = source.name

User -IS-> Person

Source Filters

  • _accountId = !(********-****-****-****-************|********-****-****-****-************)

Target Filters (this rule will not work if there are multiple Person Target entities)

  • displayName = source.displayName

Person <-IS- User

Target Filters

  • email = source.email

Person <-IS- User

Target Filters

  • username = source.email

Person <-MANAGES- Person

Target Filters

  • employeeId = [toLowerCase(source.managerId),toLowerCase(source.manager)]

Person <-MANAGES- Person

Person <-MANAGES- Person

Target Filters

  • email = [toLowerCase(source.managerEmail),toLowerCase(source.manager)]

Person <-MANAGES- Person

Target Filters

  • name = source.manager

Person <-MANAGES- Person

Target Filters

  • displayName = source.manager

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • id = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • name = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • fqdn = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • hostname = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • address = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • ipAddress = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • publicIpAddress = source.targets

(Finding|Vulnerability) <-HAS- Host

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • privateIpAddress = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • id = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • name = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • fqdn = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • hostname = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • address = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • ipAddress = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • publicIpAddress = source.targets

(Finding|Vulnerability) <-HAD- Host

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • privateIpAddress = source.targets

(Finding|Vulnerability) <-HAS- (CodeRepo|Project|Application)

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • name = source.targets

Finding <-HAS- (Application)

Source Filters

  • _integrationType = !qualys

Target Filters

  • id = source.targets

(Finding|Vulnerability) <-HAD- (CodeRepo|Project|Application)

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • name = source.targets

(Finding|Vulnerability) <-HAS- CodeRepo

Source Filters

  • _integrationType = !qualys
  • open = true

Target Filters

  • fullName = source.targets

(Finding|Vulnerability) <-HAD- CodeRepo

Source Filters

  • _integrationType = !qualys
  • open = false

Target Filters

  • fullName = source.targets

(Finding|Risk|Vulnerability) <-IDENTIFIED- Assessment

Source Filters

  • _integrationType = !(azure|qualys)

Target Filters

  • name = source.assessment

(Finding|Risk|Vulnerability) <-IDENTIFIED- Assessment

Source Filters

  • _integrationType = !(azure|qualys)

Target Filters

  • _key = source.assessment

ThreatIntel <-HAS- Vulnerability

Target Filters

  • qid = source.qid

Assessment <-PERFORMED- Person

Target Filters

  • email = [source.assessor,source.assessors]

Assessment -TARGETS-> Vendor

Target Filters

  • name = source.vendor

Device <-OWNS- Person

Target Filters

  • email = [toLowerCase(source.owner),toLowerCase(source.email),toLowerCase(source.username)]

Device <-OWNS- Person

Target Filters

  • userId = [toLowerCase(source.username),toLowerCase(source.userId)]

Device <-HAS- Person

Device <-HAS- Person

Target Filters

  • email = toLowerCase(source.users)

Vendor <-MANAGES- Person

Target Filters

  • email = [source.owner,source.owners,source.admins]

Vendor <-APPROVES- PR

Target Filters

  • webLink = source.approvalPRLink

Vendor <-APPROVES- PR

Target Filters

  • displayName = source.approvalPRName

Account <-HOSTS- Vendor

Target Filters

  • name = source.vendor

Transferred Properties

  • _type = toLowerCase(source.vendor)
  • name = source.vendor
  • displayName = source.vendor

CodeRepo <-HAS- Application

Target Filters

  • name = source.application

Transferred Properties

  • name = source.application

CodeRepo -DEFINES-> Function

Target Filters

  • name = [source.name,source.functions]

Product -HAS-> Project

Target Filters

  • key = source.projectKey

Module -REQUIRES-> Module

Target Filters

  • id = source.requires

Domain -HAS-> User

Source Filters

  • domainName = !null

custom_mapping_rule_load_test_custom_device -IS-> custom_mapping_rule_load_test_integration_device

Source Filters

  • _accountId = ********-****-****-****-************
  • integrationLinkId = !null

Target Filters

  • linkId = source.integrationLinkId

user_endpoint <-MANAGES- crowdstrike_sensor

Source Filters

  • _accountId = ********-****-****-****-************
  • serialNumber = !null

Target Filters

  • serialNumber = source.serialNumber

* <-HAS- *

Source Filters

  • _accountId = ********-****-****-****-************
  • tag.app = !null

Target Filters

  • displayName = toLowerCase(source.tag.app)

Project -HAS-> *

Source Filters

  • _accountId = ********-****-****-****-************

Target Filters

  • tag.app = toLowerCase(source.displayName)

User -IS-> Person

Target Filters

  • userId = toLowerCase(source.email)

User -IS-> Person

Target Filters

  • username = toLowerCase(source.email)

Device <-PROTECTS- HostAgent

Target Filters

  • macAddress = source.macAddress

Device <-PROTECTS- HostAgent

Target Filters

  • serialNumber = source.serial

Device <-PROTECTS- HostAgent

Target Filters

  • hostname = source.deviceId

Device <-PROTECTS- HostAgent

Target Filters

  • serialNumber = source._key

Device <-PROTECTS- HostAgent

Target Filters

  • macAddress = source.altMacAddress

(Application|Product|Software) <-SUPPLIES- Vendor

Target Filters

  • _key = source.vendor

(Application|Product|Software) <-SUPPLIES- Vendor

Target Filters

  • name = source.vendor

Document <-HAS- (Application|Product|Software)

Target Filters

  • _key = source.product

Document <-HAS- (Application|Product|Software)

Target Filters

  • name = source.product

flexera_device <-IS- tenable_asset

Target Filters

  • biosUuid = source.serial

* <-DEFINES- CodeRepo

Source Filters

  • tag.CodeRepoName = !null

Target Filters

  • name = source.tag.CodeRepoName

CodeRepo -DEFINES-> *

Target Filters

  • tag.CodeRepoName = source.name

* <-DEFINES- CodeRepo

Source Filters

  • tag.CodeRepoFullName = !null

Target Filters

  • fullName = source.tag.CodeRepoFullName

CodeRepo -DEFINES-> *

Target Filters

  • tag.CodeRepoFullName = source.fullName

* <-DEFINES- PR

Source Filters

  • tag.PRName = !null

Target Filters

  • displayName = source.tag.PRName

CodeRepo -DEFINES-> *

Target Filters

  • tag.PRName = source.displayName

Contents