JupiterOne provides a centralized repository and dashboard to let you easily manage security findings from different sources, including:
- AWS Inspector findings
- AWS GuardDuty findings
- Veracode static and dynamic analysis findings
- WhiteHat application security findings
- Tenable Cloud scanning findings
- HackerOne report findings
- CVEs and other vulnerability findings
- Manual penetration testing findings (imported via API - see this guide)
More vulnerability scanner integrations are being added; the current roadmap includes Rapid7, Qualys, Bugcrowd, WhiteSource, SourceClear, and Snyk.
Managing Findings
Consolidated findings can be accessed in the Alerts app, under the Findings tab. The header tab shows a total count of currently open findings. Selecting it will bring you to the detailed findings view:
JupiterOne automatically maps the resources impacted by or related to each finding, using whatever identifying attributes the finding source supplies (instance IDs, hostnames, repository names, and so on); a finding whose source supplies no attribute that matches an entity already in the graph stays unlinked.
Selecting a finding from the list will show you a graph of those relationships. This allows you to visualize the context to further analyze the finding's impact and to determine a course of action for remediation.
Create Alerts for Findings
You can create custom alert rules to notify you on certain findings, using J1QL to filter and correlate.
Examples:
The following three rules are included in the J1 Common Alerts Rule Pack:
high-severity-finding
Alerts on Findings with a severity of High or a numeric severity rating higher than 7 that were new within the last 24 hours.
Find Finding with (severity='High' or severity='high' or numericSeverity>7) and _createdOn > date.now-24hours
prod-resources-with-high-severity-finding
Alerts when Production resources are impacted by high severity findings.
Find (Host|DataStore|Application|CodeRepo|Account|Service|Network) with tag.Production=true that has Finding with severity=('High' or 'high') or numericSeverity=(7 or 8)
prod-resources-with-critical-finding
Alerts when Production resources are impacted by critical findings.
Find (Host|DataStore|Application|CodeRepo|Account|Service|Network) with tag.Production=true that has Finding with severity=('Critical' or 'critical') or numericSeverity=(9 or 10)
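The following Python script is an added example and is not part of the JupiterOne documentation or product. It serves two passages on this page: the manual penetration testing findings imported via the API, and the three Common Alerts rules above. It shapes constructed pentest findings for import and re-states the three rules as predicates, so you can predict before ingesting which alerts a finding will trigger. The `_key`/`_type`/`_class` entity shape and the `_fromEntityKey`/`_toEntityKey` relationship shape are assumed from JupiterOne's synchronization API and should be checked against the current API reference; `pentest_finding` and `host_has_pentest_finding` are hypothetical type names, and the sample findings are constructed.

```python
"""Added example (not JupiterOne code): shape manual pentest findings for
import and predict which Common Alerts rule-pack rules would fire."""
import time

MS_PER_HOUR = 3_600_000


def severity_from_cvss(score):
    """CVSS v3.x qualitative rating for a base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def build_finding(key, name, cvss, target_key):
    """Entity + relationship in the _key/_type/_class shape of JupiterOne's
    synchronization API (assumed; verify against the current API reference).
    Both severity and numericSeverity are set so every rule clause can match."""
    entity = {
        "_key": key,
        "_type": "pentest_finding",          # hypothetical custom type
        "_class": ["Finding"],
        "name": name,
        "displayName": name,
        "severity": severity_from_cvss(cvss),
        "numericSeverity": cvss,
        "open": True,
        "source": "manual-pentest",
    }
    relationship = {
        "_key": f"{target_key}|has|{key}",
        "_type": "host_has_pentest_finding",  # hypothetical custom type
        "_class": "HAS",
        "_fromEntityKey": target_key,         # the Host the finding applies to
        "_toEntityKey": key,
    }
    return entity, relationship


def matching_rules(finding, target_is_production, created_on_ms, now_ms):
    """The three Common Alerts rules as predicates. created_on_ms stands in
    for _createdOn, which JupiterOne stamps when the entity is first ingested."""
    sev = finding["severity"]
    num = finding["numericSeverity"]
    is_high = sev in ("High", "high") or num > 7
    rules = set()
    if is_high and created_on_ms > now_ms - 24 * MS_PER_HOUR:
        rules.add("high-severity-finding")
    if target_is_production:
        # These two rules use exact equality on numericSeverity, so a
        # fractional CVSS score such as 7.5 only matches through the label.
        if sev in ("High", "high") or num in (7, 8):
            rules.add("prod-resources-with-high-severity-finding")
        if sev in ("Critical", "critical") or num in (9, 10):
            rules.add("prod-resources-with-critical-finding")
    return rules


# Constructed sample findings: (key, name, cvss, target, production?, created)
NOW_MS = int(time.time() * 1000)
SAMPLES = [
    ("pt-2024-001", "SQL injection in /api/search", 9.8, "host:web-01", True, NOW_MS),
    ("pt-2024-002", "Verbose stack traces on error page", 5.3, "host:web-01", True, NOW_MS),
    ("pt-2024-003", "Weak TLS configuration", 7.5, "host:db-01", True, NOW_MS - 48 * MS_PER_HOUR),
]


def import_payload(samples=SAMPLES):
    """Entities and relationships ready for one synchronization job."""
    entities, relationships = [], []
    for key, name, cvss, target, _prod, _created in samples:
        entity, relationship = build_finding(key, name, cvss, target)
        entities.append(entity)
        relationships.append(relationship)
    return {"entities": entities, "relationships": relationships}


def predicted_alerts(samples=SAMPLES, now_ms=NOW_MS):
    """Map finding key -> set of rule names that would fire once ingested."""
    out = {}
    for key, name, cvss, target, prod, created in samples:
        entity, _ = build_finding(key, name, cvss, target)
        out[key] = matching_rules(entity, prod, created, now_ms)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(import_payload(), indent=2))
    for key, rules in predicted_alerts().items():
        print(key, sorted(rules) or "(no alert)")
```

Two points the predicates make visible: the two Production rules compare numericSeverity with =(7 or 8) and =(9 or 10), so a finding scored 7.5 only reaches prod-resources-with-high-severity-finding through its severity label, which is why the import sets both properties; and because _createdOn is stamped at ingest rather than taken from the pentest report date, a backfill of old high-severity findings will fire high-severity-finding for 24 hours after the import.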
The following rule is included in the J1 AWS Threat Rule Pack:
aws-guardduty-inspector-finding-instance-correlation
Identifies vulnerable EC2 instances (i.e. those with an open Inspector finding whose numericSeverity is above 5) that are also targets of suspicious activity (i.e. those with an open GuardDuty finding whose numericSeverity is above 5), and returns the instance together with both findings.
Find aws_guardduty_finding with numericSeverity>5 and open=true as guardduty that relates to aws_instance as i that has aws_inspector_finding with numericSeverity>5 and open=true as inspector return i.*, guardduty.*, inspector.*
Visualizing Findings with J1 Query and Graph
You can execute J1QL queries to generate graph visualizations that help you analyze the relationships among findings, the agents/scanners/services that identified them, and the resources they impact.
Here's an example:
Find cve that relates to (Host|HostAgent) with active=true return tree
This will give you a visual like this (you may need to move the nodes around to adjust their positioning):