Sections in this category

2021.79 Release

  • Updated

September 9, 2021

New Features and Improvements

  • Introduced a new filter to define critical assets in the Assets app, and a smart class query shorthand.

    Critical assets are defined using a preset combination of entities classes and attributes (such as hosts and applications tagged as production). You can easily customize this configuration to match your specific definition of what critical assets mean for your organization.

    You can reference critical assets in a query using a specific smart class shorthand: #CriticalAsset. This feature allows you to easily query and monitor important changes and receive alerts when a drift or problem occurs for any of the critical assets that are important to you. It allows you to focus and prioritize on the most important risks.

    For example, to identify and alert on new critical assets added in the last 24 hours:

    Find #CriticalAsset with _createdOn > date.now - 24hours

    This is the initial release of this capability. We will be adding some pre-built alert rules and Insights dashboards for critical assets soon.

    Learn more about how to customize and configure your critical assets here.

  • Updated the query language to follow De Morgan's Law.

    To maintain language correctness, J1QL fulfills shorthand filters in accordance with De Morgan's Law. This improvement only impacts queries that use the operators !=, !~=, !^=, !$= when operating on a group of values.

    For example,

  FIND jira_user WITH accountType != ('atlassian' OR 'app' OR 'customer')

is the equivalent of:

  FIND jira_user WITH 
    accountType != 'atlassian' AND 
    accountType !=  'app' AND 
    accountType !=  'customer'

Basically, J1QL interprets the above query to return all jira_user entities, excluding those that have an accountType value of atlassian or app or customer.

This is a breaking change! We have taken precautions to ensure saved questions and queries are not inadvertently affected.

We have run maintenance jobs to update all saved queries in questions, alerts, and Insights dashboard widgets. You do NOT have to make any changes manually in JupiterOne.

However, if you have stored queries outside of your JupiterOne account (such as in a custom script), please update those queries accordingly.

  • Updated the JupiterOne query language to enable relationship direction with the use of double arrows,<< and >>. Relationship direction can be important, depending on your requirements, giving J1QL more specificity on exactly how entities should relate to each other. For example, if you were to use the following query:
  FIND aws_iam_role as trusting THAT TRUSTS aws_iam_role as trusted 
  return trusting.name, trusted.name

The above query does not specify direction, so aliasing one as trusted and the other trusting does not behave as expected. Both entities will be represented in either column. By using double arrows, you can indicate the relationship direction:

  FIND UNIQUE aws_iam_role as trusting THAT TRUSTS >> aws_iam_role as trusted 
  return trusting.name, trusted.name`
  • Added traversal filters for use with the where clause to support filtering via AND and OR operators upon a single field, for example: find User where User.id=(1 or 2 or 3).

  • Added search functionality to the Groups page in the Users & Access menu.

  • Improved the text wrapping in the query search window.

  • Query Anywhere now auto-focuses when opened so you can immediately start typing.

  • Improved error messaging in the UI when bulk synchronization fails.

Dashboards

Added new reporting/visualization widgets to the S3 Security Insights dashboard:

  • Buckets granted access to AWS services without source condition
  • Public buckets with sensitive data or secrets
  • S3 cross account access via VPC peering
  • SAML SSO users with access to production s3 buckets
  • S3 buckets with server access logging enabled
  • S3 buckets with object level logging enabled
  • Production S3 buckets without any logging enabled
  • S3 buckets publishing inventory reports

Reimport the dashboard from the Insights app to get these new widgets in your account.

Stay tuned as additional dashboards, alert rules, managed questions, and compliance frameworks, and mappings are updated.

Bug Fixes

  • Resolved an issue where the Policy app would not load under certain conditions.

  • Resolved an error where users could not accept an invite if they were logged into another account with SSO.

  • Resolved an auto-complete issue in Query Anywhere.

  • Resolved the double scroll bars issue on the landing page.

Integrations

AWS

  • Ingested EC2 settings: ebsDefaultKmsKeyId and ebsEncryptionByDefault.

  • Created mapped relationships between the aws_ec2 service entity and the default aws_kms_key entity.

This change requires the additional ec2:GetEbsDefaultKmsKeyId and ec2:GetEbsEncryptionByDefault permissions in the JupiterOneSecurityAudit IAM policy of each AWS account being monitored.

  • Added ebsOptimizedByDefault and ebsOptimizationSupported Boolean flags on EC2 instance assets. See AWS docs.

  • Ingested AutoScaling policies and built aws_autoscaling_group USES aws_autoscaling_policy relationships.

  • Mapped relationships from aws_sns_topic and aws_sns_subscription to the endpoint asset on each subscription (such as an HTTP endpoint, a person by email, or a Lambda function).

  • Ingested roots and OUs in an AWS organization and mapped sub-accounts to each root/OU.

  • Added ELB attributes to properties. The attributes are mapped to properties as follows:

    ELB Entity Property ELB Attribute
    deletionProtection deletion_protection.enabled
    loggingEnabled access_logs.s3.enabled
    loggingTargetBucket access_logs.s3.bucket
    loggingTargetPrefix access_logs.s3.prefix
    idleTimeoutSeconds idle_timeout.timeout_seconds
    desyncMitigationMode routing.http.desync_mitigation_mode
    dropInvalidHeaders routing.http.drop_invalid_header_fields.enabled
    http2 routing.http2.enabled
    tlsVersionEnabled routing.http.x_amzn_tls_version_and_cipher_suite.enabled
    tlsCipherSuiteEnabled routing.http.x_amzn_tls_version_and_cipher_suite.enabled
    xffClientPortEnabled routing.http.xff_client_port.enabled
    wafFailOpen waf.fail_open.enabled
    crossZone load_balancing.cross_zone.enabled

  • Fixed a false positive where some buckets were incorrectly identified as public (with permission relationships to everyone) when the policy condition contains specific OrgIds or AccountIds.

  • Added the aws_organization asset.

  • Added support for parsing aws:PrincipalOrgID IAM policy conditions and mapped relationships to the corresponding aws_organization asset.

  • Improved IAM resource policy condition parsing to map permissions to services instead of the account when certain services are specified in the action.

Azure

  • Fixed the authorization token expiration to support steps that execute for more than one hour.

Google Cloud

  • Improved accuracy of the CIS 4.3 managed question, "Is blocking of project-wide SSK keys enabled for my Google Cloud VM instances?"

  • Relationships from google_cloud_organizations and google_cloud_folders to google_cloud_projects are now created for deleted projects.

  • Modified the google_bigquery_dataset step to be independent from google_kms_crypto_key step to ensure BigQuery data is ingested even when KMS Keys ingestion is disabled or fails.

  • Added the following new properties to these resources:

    Asset Properties
    google_storage_bucket isSubjectToObjectAcls
    google_iam_binding readonly

  • Updated google_storage_bucket.public to be true when the storage bucket does not have Uniform Bucket Access Level enabled. We cannot determine if the bucket is public or not when this setting is disabled.

OneLogin

  • Application Rules are now Configuration assets in the graph.

  • Onelogin Users are related to the AWS IAM roles they have access to based on the presence of IAM role ARNs in the application rules. This change requires that the IAM Role asset already exists in the J1 graph (the AWS integration is installed).

  • Added raw data to assets.

🔝

Was this article helpful?

0 out of 0 found this helpful