AMA: send-mail action to map two properties


AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack

 

"How do I create a send-mail action that would create an alert in the email-body that will map to two properties?"

--Question from Pawel on the J1 Community Slack

Pawel's original query and return response:

{
  "type": "table",
  "data": [
    {
      "vuln.cveId": "CVE-1",
      "vuln.cvss3Score": "7.5",
      "vuln.severity": "high",
      "vuln.open": true
    },
    {
      "vuln.cveId": "CVE-2",
      "vuln.severity": "medium",
      "vuln.open": true
    },
    {
      "vuln.cveId": "CVE-3",
      "vuln.cvss3Score": "8.1",
      "vuln.severity": "high",
      "vuln.open": true
    }
  ]
}


This email body gives me a list of CVEs:

<br><br>* 

in the format of:

*CVE-1
*CVE-2
*CVE-3

... but I would like to get:

*CVE-1: high
*CVE-2: medium
*CVE-3: high

 

Answer from JupiterOne Team

Editor's Note: What follows is an extended discussion showing how to work through the query to get the desired response.

Hi Pawel. You can do that by creating a “template” with those two properties and then using mapTemplate in the SEND_EMAIL action for the email body. See instructions here: https://support.jupiterone.io/hc/en-us/articles/360039711354-Alert-Rule-Schema#operationtemplating

For your specific example:

"templates": {
// The email template that we will use later
"emailBody": "*
( of ): {{item.cveId}}: {{item.severity}}<br>"
},

...and then in the actions:

{
"type": "SEND_EMAIL",
// Reference the `query0` data and include it in a template
"body": "",
"recipients": ["someone@yourcompany.com"]
}

 

Response from Pawel: I followed your advice but am still getting:

* (1 of 4): undefined: undefined
* (2 of 4): undefined: undefined
* (3 of 4): undefined: undefined
* (4 of 4): undefined: undefined

... with this template:

"emailBody": "( of ): : "
},

.. and the full body:

"body": "Affected Items: <br><br>* 
",

 

Response from J1 Team: You’ll need item.cveId and item.severity instead of vuln.

Response from Pawel: I have tried with item as well. The results are the same. :disappointed:

Find Unique aws_inspector_finding
with rulesPackageName="Common Vulnerabilities and Exposures"
and open=true and createdOn < date.now-13days as vuln
return
vuln.cveId,
vuln.cvss3Score,
vuln.severity,
vuln.description,
vuln.recommendation,
vuln.open

 

Response from J1 Team: There’s a current limitation such that the return value must be referenced without the entity alias:

Find Unique aws_inspector_finding
with rulesPackageName="Common Vulnerabilities and Exposures"
and open=true and createdOn < date.now-13days as vuln
return
vuln.cveId as cveId,
vuln.cvss3Score as cvss3Score,
vuln.severity as severity,
vuln.description as description,
vuln.recommendation as recommendation,
vuln.open as open

Once you do that, each of the properties can be referenced as item.property in the template.

Response from Pawel: :tada: success!

Response from the J1 Team: :tada:
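To make the fix above concrete, here is an added illustration (not JupiterOne's template engine, and not code from the thread) that simulates a mapTemplate-style renderer over the two query shapes discussed: the unaliased return, where each row carries the literal key "vuln.cveId", and the aliased return, where the key is "cveId". The placeholder names {{index}} and {{total}} and the 1-based numbering are assumptions taken from the "(1 of 4)" output shown earlier.

```python
import re

# Constructed rows mirroring the two queries on this page.
# Unaliased "return vuln.cveId, vuln.severity": the prefix is part of the key.
UNALIASED_ROWS = [
    {"vuln.cveId": "CVE-1", "vuln.severity": "high"},
    {"vuln.cveId": "CVE-2", "vuln.severity": "medium"},
]
# Aliased "return vuln.cveId as cveId, vuln.severity as severity".
ALIASED_ROWS = [
    {"cveId": "CVE-1", "severity": "high"},
    {"cveId": "CVE-2", "severity": "medium"},
]

# Assumed template shape; a stand-in for the page's "emailBody" template.
EMAIL_BODY_TEMPLATE = (
    "* ({{index}} of {{total}}): {{item.cveId}}: {{item.severity}}<br>"
)

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def render_row(template: str, item: dict, index: int, total: int) -> str:
    """Render one row; unresolved placeholders become 'undefined'."""

    def resolve(match: re.Match) -> str:
        path = match.group(1)
        if path == "index":
            return str(index)
        if path == "total":
            return str(total)
        if path.startswith("item."):
            # Walk the dotted path key by key. A flat key such as
            # "vuln.cveId" is never split, so "item.cveId" cannot find it.
            value = item
            for part in path[len("item."):].split("."):
                if isinstance(value, dict) and part in value:
                    value = value[part]
                else:
                    return "undefined"
            return str(value)
        return "undefined"

    return PLACEHOLDER.sub(resolve, template)


def map_template(rows: list, template: str) -> str:
    """Apply the template to every row, like mapTemplate over query0.data."""
    total = len(rows)
    return "".join(
        render_row(template, row, i + 1, total) for i, row in enumerate(rows)
    )
```

Rendering UNALIASED_ROWS reproduces the "undefined: undefined" lines from the thread, while ALIASED_ROWS yields "CVE-1: high" and "CVE-2: medium".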

Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
