JupiterOne & Project Discovery: Automating Nuclei with JupiterOne


At JupiterOne, we empower security practitioners to get deeper insights faster with contextual information about your cyber assets through a security Knowledge Graph. This context is accessible for developers (via API) to create or enhance workflows and augment their datasets. JupiterOne can enhance any off-the-shelf tools and capitalize on what they do best for deeper insights into all your cyber assets.

To show what is possible, we are releasing j1nuclei, an open-source tool to automate vulnerability scanning. The tool is available to anyone using the free version of JupiterOne (start here) by downloading the security scanner from ProjectDiscovery. j1nuclei combines the superpowers of JupiterOne and Nuclei to offer complete coverage of your endpoints, no matter how complex or ephemeral your environment is.

In this article, we’ll discuss the basics of leveraging j1nuclei. We’ll follow up in a later blog about using JupiterOne for continuous scanning.

j1nuclei overview

j1nuclei is a Python module that relays information between JupiterOne and Nuclei. It automates the extraction of vulnerability scanning targets, runs Nuclei, and brings back the findings to JupiterOne. You can analyze the results using our query language (J1QL) or JupiterOne Insights dashboards.

Installation

Installation is straightforward through Python's pip.

1. Install nuclei

pip install nuclei

2. Install j1nuclei

pip install j1nuclei

3. Launch j1nuclei from a console or terminal

usage: j1nuclei [-h] -a ACCOUNT [-c CONCURRENT] [-n NUCLEI_PARAMS] [-q QUERY_FILE] [-apikey-env APIKEY_ENV] [-r NUCLEI_REPORT_PATH]

Step 1 - Target discovery

As each environment becomes more hybrid, geo-distributed, and ephemeral, getting an accurate list of assets can take time and effort. JupiterOne provides a comprehensive view of all your assets. You can identify hosts to scan with JupiterOne Query Language (J1QL).

For example, we can ask, “What are all my domains?” 

FIND Domain

A complex question like “What endpoints are exposed to everyone on the internet?” can be answered via a query:

Find (Everyone|Internet) that ALLOWS * as target 
RETURN target.url

Because getting a comprehensive view may require several queries, j1nuclei automatically runs all questions in the target_query.json file. By default, the file is populated with common queries, but it can be extended with your own queries or those found in the JupiterOne Questions library. Each extension query must return the _key, _integrationInstanceId, and _source properties, which are used to maintain state between JupiterOne and Nuclei.

Give me all endpoints exposed to everyone on the internet.

Find (Everyone|Internet) that ALLOWS * as d  
RETURN
d._key as key,
coalesce(d.baseUrl, d.url) as target,
d._integrationInstanceId as scope,
d._source as source

Give me all domains.

FIND Domain as d 
RETURN
d._key as key,
d.displayName as target,
d._integrationInstanceId as scope,
d._source as source

Give me all my data store endpoints.

FIND DataStore as d 
RETURN
d._key as key,
d.baseUrl as target,
d._integrationInstanceId as scope,
d._source as source

Give me all my public IP addresses.

FIND IpAddress 
WITH tag.Production = true and publicIp != "" as ip
RETURN
ip._key as key,
ip.publicIp as target,
ip._integrationDefinitionId as scope,
ip._source as source

You can experiment with queries through our web console or using our command-line utility jupiterone-client-nodejs.

Step 2 - Scanning

This step is quite simple. It passes each target to Nuclei directly through the -u or -target command-line argument. The tool uses Python concurrency to launch multiple Nuclei instances; you can control how many run at once with the j1nuclei -c argument (5 by default).

Step 3 - Bring learnings back

After the scan completes, the tool parses the Nuclei findings and brings the learnings back through our bulk synchronization API (documentation).

The Nuclei findings are connected back to their original target in this schema.
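The following is an added illustration of steps 2 and 3, not code from j1nuclei itself: it fans Nuclei out over the key/target/scope/source rows the extension queries return, parses Nuclei's JSONL output, and maps each hit to the asset HAS nuclei_finding IS nuclei_vulnerability shape so the result can be handed to the bulk synchronization API. The target rows and Nuclei output are constructed samples, the `-jsonl` flag and output field names are assumptions to check against your installed Nuclei version, and the entity/relationship property names are illustrative rather than j1nuclei's exact schema.

```python
import json
import shlex
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Constructed target rows in the shape the page's extension queries return (key/target/scope/source).
TARGETS = [{"key": "app-1", "target": "https://app.example.com", "scope": "inst-1", "source": "integration-managed"},
           {"key": "dom-1", "target": "example.com", "scope": "inst-1", "source": "integration-managed"}]

# Constructed Nuclei JSONL output per target; field names follow Nuclei's -jsonl format (an assumption here).
FAKE_OUTPUT = {
    "https://app.example.com":
        '{"template-id":"tls-version","info":{"name":"TLS Version","severity":"info"},"matched-at":"app.example.com:443"}\n'
        'stray non-JSON log line\n'
        '{"template-id":"missing-hsts","info":{"name":"Missing HSTS","severity":"low"},"matched-at":"https://app.example.com"}\n',
    "example.com": "",  # clean target: no findings at all
}

def nuclei_argv(target, extra_params=""):
    """One Nuclei process per target, passed with -u as the page describes; extra flags are caller-supplied."""
    return ["nuclei", "-u", target, "-jsonl"] + shlex.split(extra_params)

def run_nuclei(target, extra_params=""):
    """Real runner: execute Nuclei and hand back its stdout (swapped for FAKE_OUTPUT in the demo)."""
    return subprocess.run(nuclei_argv(target, extra_params), capture_output=True, text=True).stdout

def parse_findings(row, jsonl_text):
    """Map each JSONL hit to a nuclei_finding entity plus HAS/IS relationships back to the asset _key."""
    entities, relationships = [], []
    for line in jsonl_text.splitlines():
        try:
            hit = json.loads(line)
            tid, info = hit["template-id"], hit.get("info", {})
        except (ValueError, KeyError, TypeError):
            continue  # skip non-JSON noise and records without a template id; one bad line must not drop the target
        fkey, vkey = f"{row['key']}:{tid}:{hit.get('matched-at', '')}", f"nuclei_vulnerability:{tid}"
        entities.append({"_key": fkey, "_type": "nuclei_finding", "_class": "Finding",
                         "name": info.get("name", tid), "severity": info.get("severity", "unknown")})
        entities.append({"_key": vkey, "_type": "nuclei_vulnerability", "_class": "Vulnerability", "templateId": tid})
        relationships.append({"_class": "HAS", "_fromEntityKey": row["key"], "_toEntityKey": fkey})
        relationships.append({"_class": "IS", "_fromEntityKey": fkey, "_toEntityKey": vkey})
    return entities, relationships

def scan(rows, runner=run_nuclei, concurrency=5):
    """Fan out over targets with a bounded pool (5 by default, like j1nuclei -c) and merge the results."""
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(lambda r: parse_findings(r, runner(r["target"])), rows))
    unique = {e["_key"]: e for ents, _ in results for e in ents}  # shared nuclei_vulnerability entities collapse
    return {"entities": list(unique.values()), "relationships": [r for _, rels in results for r in rels]}
```

Running `scan(TARGETS, runner=lambda t: FAKE_OUTPUT.get(t, ""))` produces two findings for the web target, two shared vulnerability entities, and nothing for the clean domain; swapping in `run_nuclei` executes the real scanner.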

The data is available using our standard console, through J1QL, and our Insights dashboard. Below is a FAQ about the findings identified using J1QL. Converting the FAQ into an automated dashboard is easy using our J1 Insights dashboard. You can use the dashboard provided as part of j1nuclei (dashboard_nuclei_port.json) or create your own.

Exploring results with J1QL

Q. How many Nuclei issues do I have?

FIND nuclei_finding as f 
RETURN count(f) as value

Q. How many of my production critical assets are affected?

FIND *
WITH tag.Production = true AND classification = 'critical' AS asset
THAT HAS >> nuclei_finding
RETURN COUNT(asset)

Q. How many endpoints are affected?

FIND UNIQUE * as asset
THAT HAS >> nuclei_finding
RETURN count(asset) as value

Q. What is the criticality of the issues?

FIND nuclei_finding as f
RETURN f.severity as x, count(f) as y

Q. Show me my issues as a graph.

FIND *
THAT HAS >> nuclei_finding
THAT IS >> nuclei_vulnerability
RETURN TREE

JupiterOne Insight Dashboard

J1 Labs

J1 Labs is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
