AMA: Track and Alert Using Firewall Rules Matrix


AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack.

"J1 comes with a nice Firewall Rules Matrix insight after being integrated with AWS. But rather than reviewing that periodically, how can alerting be set up to track and alert on any changes in the matrix?"

--Question from Pawel on the J1 Community Slack


Answer from JupiterOne Team

Hi Pawel.

You can create an alert rule (or multiple rules) with queries to alert on what you need. For example, a query for any new firewall rules added in the last 24 hours:

Find Firewall that allows *
where allows._createdOn > date.now - 24 hours
return allows.*

A query for any firewall rules updated in the last 24 hours:

Find Firewall that allows *
where allows._beginOn > date.now - 24 hours
return allows.*

Combined, added or updated in the last 24 hours:

Find Firewall that allows *
where
allows._createdOn > date.now - 24 hours OR
allows._beginOn > date.now - 24 hours
return allows.*

For Internet-facing rules only:

Find Firewall that allows Internet
where
allows._createdOn > date.now - 24 hours OR
allows._beginOn > date.now - 24 hours
return allows.*

Ingress Internet rules only (note the parentheses, which keep the ingress condition applied to both halves of the time-window check):

Find Firewall that allows Internet
where
allows.ingress = true AND
(allows._createdOn > date.now - 24 hours OR
allows._beginOn > date.now - 24 hours)
return allows.*
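To show what these queries select, here is an added Python example (not part of the original post, and not JupiterOne code) that applies the same conditions to a handful of constructed `allows` records. The record shape, the `target` field and the epoch-millisecond timestamps are assumptions about how the matrix data looks; the block also evaluates the final query without its parentheses, to show why that grouping matters.

```python
from datetime import datetime, timezone

# Constructed sample data (not from JupiterOne). Each dict stands in for one
# `allows` relationship in the Firewall Rules Matrix; _createdOn and _beginOn
# are assumed here to be epoch milliseconds.
NOW_MS = int(datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc).timestamp() * 1000)
HOUR_MS = 60 * 60 * 1000

def _rule(rid, target, ingress, created_h_ago, begin_h_ago):
    return {"id": rid, "target": target, "ingress": ingress,
            "_createdOn": NOW_MS - created_h_ago * HOUR_MS,
            "_beginOn": NOW_MS - begin_h_ago * HOUR_MS}

SAMPLE_RULES = [
    _rule("r1", "Internet", True, 2, 2),      # new ingress rule from the Internet
    _rule("r2", "Internet", False, 3, 3),     # new egress rule to the Internet
    _rule("r3", "Internet", True, 240, 1),    # old ingress rule, modified 1h ago
    _rule("r4", "Internet", True, 240, 240),  # old ingress rule, untouched
    _rule("r5", "Host", True, 1, 1),          # new rule, but not Internet-facing
]

def changed_since(rule, now_ms, window_ms):
    """The OR clause from the page: added OR updated inside the window."""
    cutoff = now_ms - window_ms
    return rule["_createdOn"] > cutoff or rule["_beginOn"] > cutoff

def new_or_updated(rules, now_ms=NOW_MS, hours=24):
    """Combined query: Find Firewall that allows * where added OR updated."""
    return [r["id"] for r in rules if changed_since(r, now_ms, hours * HOUR_MS)]

def new_or_updated_ingress_internet(rules, now_ms=NOW_MS, hours=24):
    """Last query on the page: allows Internet, ingress = true AND (added OR updated)."""
    window_ms = hours * HOUR_MS
    return [r["id"] for r in rules
            if r["target"] == "Internet" and r["ingress"]
            and changed_since(r, now_ms, window_ms)]

def misgrouped_ingress_internet(rules, now_ms=NOW_MS, hours=24):
    """Deliberately wrong grouping, for comparison: the same conditions without
    the parentheses. In Python (as in most query languages) `and` binds tighter
    than `or`, so any rule whose _beginOn moved recently matches regardless of
    target or direction."""
    cutoff = now_ms - hours * HOUR_MS
    return [r["id"] for r in rules
            if r["target"] == "Internet" and r["ingress"] and r["_createdOn"] > cutoff
            or r["_beginOn"] > cutoff]
```

With the sample set, the correctly grouped query returns only r1 and r3, while the ungrouped version also returns the egress rule r2 and the internal rule r5, the same set as the unrestricted combined query.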

 

Articles in this Series

  1. AMA: JupiterOne and PagerDuty WebHooks
  2. AMA: Export YAML Files for Vendors Pulled from SSO Providers
  3. AMA: Map Controls and Frameworks Relationships
  4. AMA: How to Track Professional Associations, Security Forums, and Threat Intel Sources
  5. AMA: Find AWS Instances by their Private IP Address
  6. AMA: SSO Integrated Authentication, Move to Another Role
  7. AMA: send-mail action to map two properties
  8. AMA: Setup the Policy Accept Button
  9. AMA: Match a blank field in J1QL
  10. AMA: Track and Alert Using Firewall Rules Matrix
  11. AMA: AWS Roles not used for 90 days, and date related queries
  12. AMA: Manage Alerts for Jira through J1 Terraform Provider
  13. AMA: Filter Results from Specific AWS Accounts
  14. AMA: Iterate and return total count of iam users per account
  15. AMA: Search for security groups by tag
  16. AMA: Identify S3 Buckets Open to Cross-Account Attacks

Resources for this AMA

Modern Visibility in Cybersecurity


Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
