Manage Findings

JupiterOne provides a centralized repository and dashboard to let you easily manage security findings from different sources, including:

  • AWS Inspector findings
  • AWS GuardDuty findings
  • Veracode static and dynamic analysis findings
  • WhiteHat application security findings
  • Tenable Cloud scanning findings
  • HackerOne report findings
  • CVEs and other vulnerability findings
  • Manual penetration testing findings (imported via API - see this guide)

More vulnerability scanner integrations are being added. The current roadmap includes Rapid7, Qualys, Bugcrowd, White Source, Source Clear, and Snyk.

Managing Findings

Consolidated findings can be accessed in the Alerts app, under the Findings tab. The header tab shows a total count of currently open findings. Selecting it will bring you to the detailed findings view:

JupiterOne will automatically map resources impacted by or related to each finding based on the available attributes from the finding source.

Selecting a finding from the list will show you a graph of those relationships. This allows you to visualize the context to further analyze the finding's impact and to determine a course of action for remediation.

Create Alerts for Findings

You can create custom alert rules to notify you on certain findings, using J1QL to filter and correlate.

Examples:

The following three rules are included in the J1 Common Alerts Rule Pack:

  • high-severity-finding

    Alerts on Findings with a severity of High or a numeric severity rating higher than 7 that were new within the last 24 hours.

    Find Finding with
      (severity='High' or severity='high' or numericSeverity>7) and
      _createdOn > date.now-24hours

  • prod-resources-with-high-severity-finding

    Alerts when Production resources are impacted by high severity findings.

    Find (Host|DataStore|Application|CodeRepo|Account|Service|Network)
      with tag.Production=true
      that has Finding with severity=('High' or 'high') or numericSeverity=(7 or 8)

  • prod-resources-with-critical-finding

    Alerts when Production resources are impacted by critical findings.

    Find (Host|DataStore|Application|CodeRepo|Account|Service|Network)
      with tag.Production=true
      that has Finding with severity=('Critical' or 'critical') or numericSeverity=(9 or 10)

The following rule is included in the J1 AWS Threat Rule Pack:

  • aws-guardduty-inspector-finding-instance-correlation

    Identifies vulnerable EC2 instances (i.e. with a medium or higher rated open Inspector finding) that are also targets of suspicious activity (i.e. with a medium or higher rated open GuardDuty finding).

    Find aws_guardduty_finding with numericSeverity>5 and open=true as guardduty
      that relates to aws_instance as i
      that has aws_inspector_finding with numericSeverity>5 and open=true as inspector
      return i.*, guardduty.*, inspector.*
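To make the semantics of the four rules above concrete, here is an added Python example (not JupiterOne code, and not the J1QL engine) that applies the same conditions to a small set of constructed findings. It serves both the Common Alerts rules and the GuardDuty/Inspector correlation rule. Assumptions: findings are plain dictionaries carrying the attribute names the rules use (`severity`, `numericSeverity`, `open`, `_createdOn`), `_createdOn` is a timezone-aware datetime rather than JupiterOne's native timestamp encoding, and a `resource` field stands in for the graph relationship between a finding and the asset it impacts. The resource ids, finding ids and source names are invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 24-hour window in the example is deterministic (constructed).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def hours_ago(h):
    return NOW - timedelta(hours=h)


# Constructed sample assets; only the Production tag matters for the prod rules.
RESOURCES = [
    {"id": "i-prod-web", "type": "Host", "tags": {"Production": True}},
    {"id": "i-dev-db", "type": "DataStore", "tags": {"Production": False}},
    {"id": "i-prod-api", "type": "Host", "tags": {"Production": True}},
]

# Constructed sample findings from several sources, deliberately inconsistent
# in severity casing, the same inconsistency the J1QL rules test for.
FINDINGS = [
    {"id": "f1", "source": "aws_inspector_finding", "resource": "i-prod-web",
     "severity": "High", "numericSeverity": 8, "open": True, "_createdOn": hours_ago(3)},
    {"id": "f2", "source": "aws_guardduty_finding", "resource": "i-prod-web",
     "severity": "Medium", "numericSeverity": 6, "open": True, "_createdOn": hours_ago(30)},
    {"id": "f3", "source": "veracode_finding", "resource": "i-dev-db",
     "severity": "critical", "numericSeverity": 9, "open": True, "_createdOn": hours_ago(1)},
    {"id": "f4", "source": "aws_inspector_finding", "resource": "i-prod-api",
     "severity": "high", "numericSeverity": 7, "open": False, "_createdOn": hours_ago(48)},
    {"id": "f5", "source": "aws_guardduty_finding", "resource": "i-prod-api",
     "severity": "Low", "numericSeverity": 3, "open": True, "_createdOn": hours_ago(2)},
    {"id": "f6", "source": "hackerone_report", "resource": "i-prod-api",
     "severity": "Critical", "numericSeverity": 10, "open": True, "_createdOn": hours_ago(5)},
]


def severity_text(f):
    # Sources disagree on case ("High" vs "high"); normalise once here instead of
    # listing both spellings as the J1QL rules do.
    return str(f.get("severity") or "").lower()


def is_new_high(f, now, window=timedelta(hours=24)):
    """high-severity-finding: High (any case) or numericSeverity > 7, created within the window."""
    high = severity_text(f) == "high" or f.get("numericSeverity", 0) > 7
    return high and f["_createdOn"] > now - window


def is_high(f):
    """Severity test used by prod-resources-with-high-severity-finding."""
    return severity_text(f) == "high" or f.get("numericSeverity") in (7, 8)


def is_critical(f):
    """Severity test used by prod-resources-with-critical-finding."""
    return severity_text(f) == "critical" or f.get("numericSeverity") in (9, 10)


def new_high_severity_findings(findings, now=NOW):
    """Ids of findings the high-severity-finding rule would alert on."""
    return [f["id"] for f in findings if is_new_high(f, now)]


def prod_resources_with(findings, resources, predicate):
    """prod-resources-with-*: Production-tagged resources that have a matching finding.
    The rule checks neither open nor age, so a closed finding still matches."""
    prod_ids = {r["id"] for r in resources if r.get("tags", {}).get("Production") is True}
    return sorted({f["resource"] for f in findings if f["resource"] in prod_ids and predicate(f)})


def guardduty_inspector_correlation(findings, threshold=5):
    """aws-guardduty-inspector-finding-instance-correlation: instances that have an open
    finding rated above the threshold from both GuardDuty and Inspector."""
    hits = {}
    for f in findings:
        if f.get("open") and f.get("numericSeverity", 0) > threshold:
            hits.setdefault(f["source"], set()).add(f["resource"])
    return sorted(hits.get("aws_guardduty_finding", set()) & hits.get("aws_inspector_finding", set()))


if __name__ == "__main__":
    print("new high-severity findings:", new_high_severity_findings(FINDINGS))
    print("prod resources with high:", prod_resources_with(FINDINGS, RESOURCES, is_high))
    print("prod resources with critical:", prod_resources_with(FINDINGS, RESOURCES, is_critical))
    print("GuardDuty/Inspector overlap:", guardduty_inspector_correlation(FINDINGS))
```

Two things the sample data is chosen to show: the `numericSeverity>7` clause of high-severity-finding also matches critical findings (f3, f6), so the two Common Alerts rules overlap; and the prod-resources rules match on severity alone, so a closed or stale finding such as f4 still places its resource in the result. When tuning rules, adding `open=true` or a `_createdOn` window to the prod-resources queries is the usual way to keep those alerts actionable.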

Visualizing Findings with J1 Query and Graph

You can execute J1QL queries to generate graph visualizations that help you analyze the relationships among findings, the agents/scanners/services that identified them, and the resources they impact.

Here's an example:

Find cve that relates to (Host|HostAgent) with active=true return tree

This will give you a visual like this (you may need to move the nodes around to adjust their positioning):

[Figure: graph-cve]
