Asset Groups Expression Reference

If you want to create or edit your asset group manually with the Expression Editor (available from the Asset Groups page), you can refer to the asset groups expression schema, JSON field definitions, and list of eligible assets. Expression samples are also provided to help you get started.

To learn how to create or edit the expression by choosing assets and tags in the Configuration page instead, see Asset Groups.

JSON schema

{
  "scopes": [
    {
      "include": [],
      "exclude": [],
      "asset_types": []
    }
  ]
}

Field definitions

  • scopes (object array) – [Required] An array of scope objects that define the asset membership in the group. Each scope object represents distinct, independent criteria for group inclusion. If an asset meets the criteria defined in any scope, the group includes it. At least one object is required.
    • include (array) – [Required] An array of topological constraints on assets that define the asset membership in the group. The group includes any eligible asset that meets the constraints on it (and whose topological ancestor assets meet the constraints on them).

    • exclude (array) – [Optional] An array of topological constraints on assets that define the asset membership in the group. The group excludes any eligible asset that meets the constraints on it (and whose topological ancestor assets meet the constraints on them), even if the asset meets the include criteria.

    • asset_types (array) – [Optional] An array of asset type strings that define what type(s) of assets can be in the group. If set, the group includes only assets of the given type(s). If not set, all eligible asset types can be included in the group. For the list of asset types, see Asset Type Key Name.

Eligible assets

The following table lists asset types eligible for inclusion in, or exclusion from, an asset group and any additional supported asset properties.

To include or exclude a listed asset type, type its key name and value in the expression using the following format:

<asset_type_key_name>:<asset_key_value>

For example: "deployment:/al/134249236/deployment/aws/9969EC98-F3DD-4040-86C5-6A9019E2F07E"

To include or exclude a listed asset property, type the key name, property name, and value in the expression using the following format:

<asset_type_key_name>.<asset_type_property_name>:<asset_type_property_value>

For example: "deployment.type:aws"

To restrict an asset group to specific asset types, you can list any of the asset types in the Asset Type Key Name column as members of the asset_types array.

Each entry gives the Asset Type with its Asset Type Key Name in parentheses, followed by the supported properties as Asset Type Property Friendly Name – Asset Type Property Name (Not applicable where the type has no additional properties):

Access Control List (acl) – Not applicable
AKS Cluster (aks-cluster) – Not applicable
Auto Scaling Group (auto-scaling-group) – Not applicable
Blob Container (blob-container) – Not applicable
CloudTrail (cloud-trail) – Not applicable
Collector (collector)
  • Collector UUID – collector_uuid
  • Collector Type – collector_type
  • Collector Data Type – collector_datatype
  • Collector Platform – collector_platform
  • Collector Platform ID – collector_platform_id
  • Collector Region – collector_region
  • Collector Name – collector_name
  • Collector Full Name – collector_fullname
  • Application – application
  • Application ID – application_id
  • Native ID – native_id
  • Status – status
  • Status Updated – status_updated
DB Instance (db-instance)
  • DB Instance Class – db_instance_class
  • DB Name – db_name
  • Endpoint Address – endpoint_address
  • Endpoint Port – endpoint_port
  • Publicly Accessible – publicly_accessible
  • Storage Encrypted – storage_encrypted
Deployment (deployment)
  • Deployment Name – deployment_name
  • Deployment Type – deployment_type
  • Deployment ID – deployment_id
  • Last Scan Time – last_scan_time
  • Native Account ID – native_account_id
DNS Zone (dns-zone)
  • Zone Name – zone_name
  • Zone ID – zone_id
Host (host)
  • Alert Logic Appliance – alertlogic_appliance
  • Alert Logic Appliance Features – alertlogic_appliance_features
  • Architecture – architecture
  • Availability Zone – availability_zone
  • DNS Name – dns_name
  • Host UUID – host_uuid
  • Instance ID – instance_id
  • Instance Name – instance_name
  • Instance Type – instance_type
  • IP Address – ip_address
  • Last Discovery Time Stamp – last_discovery_ts
  • Last Scan Time – last_scan_time
  • Launch Time – launch_time
  • Local Host Name – local_hostname
  • Local IPv4 – local_ipv4
  • Local IPv6 – local_ipv6
  • Operating System Details – os_details
  • Operating System Type – os_type
  • Private DNS Name – private_dns_name
  • Private IP Address – private_ip_address
  • Private IP Addresses – private_ip_addresses
  • Private IPv4 Addresses – private_ipv4_addresses
  • Private IPv6 Addresses – private_ipv6_addresses
  • Public DNS Name – public_dns_name
  • Public IP Address – public_ip_address
  • Public IP Addresses – public_ip_addresses
  • Public IPv4 – public_ipv4
  • Public IPv4 Addresses – public_ipv4_addresses
  • Public IPv6 – public_ipv6
  • Public IPv6 Addresses – public_ipv6_addresses
  • State – state
Internet Gateway (igw) – Not applicable
Image (image)
  • Image ID – image_id
Instance Profile (instance-profile) – Not applicable
Key Vault (key-vault)
  • Key Vault ID – key_vault_id
Key Vault Key (key-vault-key) – Not applicable
Key Vault Secret (key-vault-secret) – Not applicable
KMS Key (kms-key) – Not applicable
Load Balancer (load-balancer)
  • Name – name
  • Scheme – scheme
  • DNS Name – dns_name
Log Profile (log-profile) – Not applicable
Network Security Group (nsg) – Not applicable
Redshift Cluster (redshift-cluster)
  • Cluster Identifier – cluster_identifier
Region (region)
  • Region Name – region_name
Resource Group (resource-group) – Not applicable
Role (role) – Not applicable
Route (route) – Not applicable
S3 Bucket (s3-bucket)
  • Bucket Name – bucket_name
  • Bucket Owner – bucket_owner
Security Group (security-group)
  • Group Name – group_name
  • Group ID – group_id
Storage Account (storage-account) – Not applicable
Subnet (subnet)
  • Alert Logic Security – alertlogic_security
  • CIDR Block – cidr_block
  • State – state
  • Subnet ID – subnet_id
  • Subnet UUID – subnet_uuid
  • Subnet Name – subnet_name
User (user)
  • User FQDN – user_fqdn
  • User ID – user_id
  • User Type – user_type
Volume (volume)
  • Volume ID – volume_id
VPC/VNet/Network (vpc)
  • CIDR Ranges – cidr_ranges
  • Network UUID – network_uuid
  • VPC ID – vpc_id
  • VPC Name – vpc_name
  • State – state
Web Application (webapp)
  • HTTPS Only – https_only
  • Client Certificate Enabled – client_cert_enabled
  • Platform Type – platform_type
  • Web Application Type – webapp_type

Sample asset group expressions

The following examples cover useful ways to define asset groups. You can use these examples as a guide when you create asset groups relevant to your organization and its security goals.

All assets in a region of a specific deployment

Suppose that you want an asset group to include all the assets in just one of your AWS deployments and only in one region (us-east-1). To do this, you need two include expressions. The resulting asset group contains all eligible assets (region, vpc, subnet, host, and so on) in the us-east-1 region of the specified AWS deployment.

{
  "scopes": [
    {
      "include": [
        "deployment:/deployment/aws/876AE14C-2F77-45E5-8E32-4B0A09894E72",
        "region:/aws/us-east-1"
      ]
    }
  ]
}

All hosts in a region of a specific deployment

Suppose that you want to include the hosts in just one of your AWS deployments and only in one region (us-east-1), but you do not want to include the other assets (VPCs, load balancers, auto scaling groups, images, and so on) in the group (for example, you only want to receive escalations for host resources in the deployment). You can use the same constraints as in the example All assets in a region of a specific deployment, but with the asset_types array to ensure that the group includes only the assets of the type you want.

{
  "scopes": [
    {
      "include": [
        "deployment:/deployment/aws/876AE14C-2F77-45E5-8E32-4B0A09894E72",
        "region:/aws/us-east-1"
      ],
      "asset_types": ["host"]
    }
  ]
}

All assets in a region of a specific deployment, except for a subnet with a specific name

Suppose that you want to include all the assets in just one of your AWS deployments and only in one region (us-east-1), but you want to exclude the "AlertLogic Security Subnet" hosts from the group. You want to exclude subnets with that name because the assets in those subnets are part of the Alert Logic infrastructure, not yours. You use an exclude in this case and reference the subnet by name rather than key or ID. Many subnets named "AlertLogic Security Subnet" might be in a single region, and the key or ID property excludes a specific AlertLogic Security Subnet instead of all subnets in the region with that name.

{
  "scopes": [
    {
      "include": [
        "deployment:/deployment/aws/876AE14C-2F77-45E5-8E32-4B0A09894E72",
        "region:/aws/us-east-1"
      ],
      "exclude": [
        "subnet.subnet_name:AlertLogic Security Subnet"
      ]
    }
  ]
}

All hosts in a specific Data Center deployment, except hosts in 10.0.1.0/24

Suppose that you have a very large Data Center production deployment, and you have not yet organized your subnets to classify your network assets. Still, you want to include all the hosts in the deployment in your "production" group, except the hosts in the 10.0.1.0/24 CIDR range, because those hosts are not used for production purposes and are safely isolated from network access to the rest of the deployment. You can use the :cidr_match: operation to exclude hosts that have an IP address in that CIDR range in their private_ip_addresses field, like this:

{
  "scopes": [
    {
      "include": [
        "deployment:/deployment/F00FECFC-3378-486A-ACD3-4160DBF1F40D"
      ],
      "exclude": [
        "host.private_ip_addresses::cidr_match:10.0.1.0/24"
      ],
      "asset_types": ["host"]
    }
  ]
}

All assets with a specific tag

Suppose that you want to add all assets with a specific tag to a group, so that you can mark all the tagged assets (and their topological successor assets) across all your deployments as being in the asset group to escalate to the platform-services team when an incident is raised on them. In that case, you can use the "tag" on the include, and the resulting asset group includes any eligible asset that has that tag, along with any of its topological successor assets.

For example, if a VPC is tagged with mgr:some-manager, all of the subnets, hosts, load balancers, and so on that are in that VPC are part of the group, even if those individual assets are not specifically tagged with the mgr tag.

{
  "scopes": [
    {
      "include": [
        "tag:/tag/key/mgr/value/some-manager"
      ]
    }
  ]
}
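As an added illustration (not code from the original page or from the Alert Logic product), the following Python evaluator applies the semantics given in the field definitions and exercised by the samples above, independent scopes, include constraints satisfied by an asset or one of its topological ancestors, exclude taking precedence, asset_types filtering, and the key:value, key.property:value and ::cidr_match: forms, to a constructed inventory. The inventory, its parent links, and the rule that any single matching exclude constraint drops an asset are assumptions made here; the service's own matching may differ.

```python
import ipaddress

# Constructed sample inventory (not from the page); "parent" is the topological ancestor.
DEP = "/deployment/aws/876AE14C-2F77-45E5-8E32-4B0A09894E72"  # id reused from the page's samples
INVENTORY = {
    DEP: {"type": "deployment"},
    "/aws/us-east-1": {"type": "region", "parent": DEP},
    "/aws/us-west-2": {"type": "region", "parent": DEP},
    "vpc-1": {"type": "vpc", "parent": "/aws/us-east-1", "tags": {"mgr": "some-manager"}},
    "subnet-sec": {"type": "subnet", "parent": "vpc-1", "subnet_name": "AlertLogic Security Subnet"},
    "subnet-app": {"type": "subnet", "parent": "vpc-1", "subnet_name": "app"},
    "host-a": {"type": "host", "parent": "subnet-app", "private_ip_addresses": ["10.0.1.7"]},
    "host-b": {"type": "host", "parent": "subnet-app", "private_ip_addresses": ["10.0.2.7"]},
    "host-c": {"type": "host", "parent": "subnet-sec", "private_ip_addresses": ["10.0.9.1"]},
    "host-w": {"type": "host", "parent": "/aws/us-west-2", "private_ip_addresses": ["10.0.1.9"]},
}

def parse_constraint(expr):  # "<type>:<key>", "<type>.<prop>:<value>" or "<type>.<prop>::<op>:<value>"
    left, rest = expr.split(":", 1)
    atype, _, prop = left.partition(".")
    op, value = ("eq", rest) if not rest.startswith(":") else rest.split(":", 2)[1:]
    return atype, prop or None, op, value

def matches(key, asset, constraint):  # does this one asset, by itself, satisfy the constraint?
    atype, prop, op, value = constraint
    if atype == "tag":  # "/tag/key/<k>/value/<v>" is checked against the asset's own tags
        p = value.strip("/").split("/")
        return asset.get("tags", {}).get(p[2]) == p[4]
    if asset["type"] != atype:
        return False
    if prop is None:
        return key == value
    if op == "cidr_match":  # true when any listed address lies inside the CIDR block
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(ip) in net for ip in asset.get(prop, []))
    return asset.get(prop) == value
def lineage(key):  # the asset itself followed by its topological ancestors
    return [] if key is None else [(key, INVENTORY[key])] + lineage(INVENTORY[key].get("parent"))
def satisfied(key, exprs):  # every constraint holds on the asset or on one of its ancestors
    return all(any(matches(k, a, parse_constraint(e)) for k, a in lineage(key)) for e in exprs)
def evaluate(expression):  # sorted keys of the inventory assets the expression puts in the group
    members = set()
    for scope in expression["scopes"]:  # scopes are independent: membership in any one suffices
        for key, asset in INVENTORY.items():
            ok_type = not scope.get("asset_types") or asset["type"] in scope["asset_types"]
            # assumption: matching any single exclude constraint is enough to drop the asset
            excluded = any(satisfied(key, [e]) for e in scope.get("exclude", []))
            if ok_type and satisfied(key, scope["include"]) and not excluded:
                members.add(key)
    return sorted(members)
```

Feeding the page's sample expressions to evaluate() shows, for instance, that the tag include pulls in every descendant of the tagged VPC while the subnet_name exclude removes the hosts inside the matching subnet as well as the subnet itself.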