[JupiterOne] Initial release of JupiterOne integration

.github/CODEOWNERS

@@ -301,6 +301,7 @@
 /packages/juniper_junos @elastic/integration-experience
 /packages/juniper_netscreen @elastic/integration-experience
 /packages/juniper_srx @elastic/integration-experience
+/packages/jupiter_one @elastic/security-service-integrations
 /packages/kafka @elastic/obs-infraobs-integrations
 /packages/kafka_log @elastic/obs-infraobs-integrations
 /packages/keeper_security_siem_integration @elastic/security-service-integrations

packages/jupiter_one/_dev/build/build.yml

@@ -0,0 +1,4 @@
+dependencies:
+  ecs:
+    reference: [email protected]
+    import_mappings: true

packages/jupiter_one/_dev/build/docs/README.md

@@ -0,0 +1,121 @@
+# JupiterOne Integration for Elastic
+
+## Overview
+
+[JupiterOne](https://www.jupiterone.com/) provides continuous monitoring to surface problems impacting critical assets and infrastructure. Secure your attack surface with continuous asset discovery and attack path analysis. Reduce risk, triage incidents, and prioritize vulnerability findings with greater clarity and 85% fewer SecOps resources.
+
+The JupiterOne integration for Elastic allows you to collect logs using [JupiterOne API](https://docs.jupiterone.io/reference), then visualise the data in Kibana.
+
+### Compatibility
+
+The JupiterOne integration uses the GraphQL endpoint to collect assests.
+
+### How it works
+
+This integration periodically queries the JupiterOne API to retrieve details for assets of class alert, vulnerability, and finding.
+
+## What data does this integration collect?
+
+This integration collects assets of the following classes:
+
+- [`Alert`](https://docs.jupiterone.io/data-model/schemas/Alert).
+- [`Vulnerability`](https://docs.jupiterone.io/data-model/schemas/Vulnerability).
+- [`Finding`](https://docs.jupiterone.io/data-model/schemas/Finding).
+
+### Supported use cases
+
+Integrating JupiterOne Alert, Finding, and Vulnerability data with SIEM dashboards delivers unified visibility into risk signals, asset classifications, and security posture across the environment. Dashboards summarize asset class, type, and source distributions, highlight classification and status trends, and surface key risk attributes such as category, level, and severity. Time-based severity trends, MITRE mappings, and product or device-based breakdowns help analysts understand threat patterns and prioritize response. Metrics for open alerts, closed alerts, open vulnerabilities, and affected entities provide quick operational insight, while tables of top device IPs and product versions add valuable investigative context. Together, these visualizations enable teams to track risks, monitor asset health, and strengthen overall detection and remediation efforts.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From JupiterOne
+
+To collect data from JupiterOne, Authentication is handled using a `API Token` and `Account ID`, which serve as the required credentials.
+
+#### Generate an `API Token`:
+
+1. Log in to the account you want to manage.
+2. Go to **Settings > Account Management**.
+3. In the left panel, click the **Key Icon**.
+4. In the User API Keys page, click **Add**.
+5. In the API Keys modal, enter the name of the key and the number of days before it expires, and click **Create**.
+
+For more details, check [Documentation](https://docs.jupiterone.io/api/authentication#create-account-level-api-keys).
+
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agentless-based installation
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent-based installation
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+## Setup
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **JupiterOne**.
+3. Select the **JupiterOne** integration from the search results.
+4. Select **Add JupiterOne** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+    * To **Collect assets from JupiterOne API**, you'll need to:
+
+        - Configure **URL**, **Account ID** and **API Token**.
+        - Enable the dataset.
+        - Adjust the integration configuration parameters if required, including the Interval, etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboards populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **jupiter_one**.
+3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.
+
+#### Transforms healthy
+
+1. In the top search bar in Kibana, search for **Transforms**.
+2. Select the **Data / Transforms** from the search results.
+3. In the search bar, type **jupiter_one**.
+4. All transforms from the search results should indicate **Healthy** under the **Health** column.
+
+## Performance and scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Risks and Alerts
+
+{{fields "risks_and_alerts"}}
+
+### Inputs used
+
+These inputs can be used in this integration:
+
+- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
+
+### API usage
+
+This integration dataset uses the following API:
+
+- `Asset`: [JupiterOne API](https://docs.jupiterone.io/api/entity-relationship-queries).
+
+#### ILM Policy
+
+To facilitate user and device data, source data stream-backed indices `.ds-logs-jupiter_one.risks_and_alerts-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-jupiter_one.risks_and_alerts-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.

packages/jupiter_one/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16327

packages/jupiter_one/data_stream/asset/_dev/test/pipeline/test-asset.log

@@ -0,0 +1,3 @@
+{"id": "2afb2aaf-f3c5-51ad-8012-c74e107e9102", "entity": {"_beginOn": "2025-11-04T06:48:22.119Z", "_endOn": "2025-11-06T06:48:22.119Z", "_createdOn": "2025-11-03T10:55:37.188Z", "displayName": "Jira Alerts", "_scope": "jupiterone", "_key": "alert:ruleAlert:c9700500-8af3-4bd8-bbef-6721d3538582", "_integrationDefinitionId": "fc64977a-3fcb-4b72-99ad-9290c43a1021", "_integrationName": "J1J1", "_version": 1, "_deleted": false, "_integrationClass": ["Device Management", "Endpoint Security", "IT Service Management"], "_type": "jupiterone_rule_alert", "_integrationType": "jupiterone", "_accountId": "fd932a04-5401-49ce-9f4b-b674387085d8", "_source": "system-internal", "_id": "2afb2aaf-f3c5-51ad-8012-c74e107e9102", "_class": ["Alert"], "_integrationInstanceId": "9bf230c5-eff4-42f6-9a7d-d6542497c8ed"}, "properties": {"numericSeverity": 0, "awsAccountId": [], "tag.AccountName": ["test", "Falcon_Ingestlogs", "J1J1", "JupiterOne"], "webLink": "https://apps.us.jupiterone.io/alerts?alertId=ruleAlert:c9700500-8af3-4bd8-bbef-6721d3538582", "gcpProjectId": [], "description": "Jira Alerts", "createdOn": "2025-11-03T10:54:49.341Z", "azureAccountId": [], "id": "ruleAlert:c9700500-8af3-4bd8-bbef-6721d3538582", "severity": "INFO", "level": "INFO", "active": true, "updatedOn": "2025-11-03T10:55:21.737Z", "totalNumberOfAffectedEntities": 11131, "name": "Jira Alerts", "category": "alert", "open": true, "status": "ACTIVE"}}
+{"id": "b04ecca8-0b6e-5cfd-b1f5-df9b780da074", "entity": {"_createdOn": "2025-11-03T10:43:45.691Z", "_key": "29cbd8a5953943228e7cba331554f1d7_09502aabde923b2cbff94c77dfa49881", "_version": 1, "_deleted": false, "_integrationClass": ["EPP", "EDR", "EndpointSecurity"], "_source": "integration-managed", "_id": "b04ecca8-0b6e-5cfd-b1f5-df9b780da074", "_class": ["Finding", "Vulnerability"], "_integrationInstanceId": "89d2c2ca-2162-4858-bdc8-89d5d72ed9e5", "_beginOn": "2025-11-03T10:43:45.691Z", "displayName": "CVE-2025-49693", "_scope": "89d2c2ca-2162-4858-bdc8-89d5d72ed9e5", "_integrationDefinitionId": "5e650485-6df0-419d-a5c5-f76e564519d6", "_integrationName": "test", "_type": "crowdstrike_vulnerability", "_integrationType": "crowdstrike", "_accountId": "fd932a04-5401-49ce-9f4b-b674387085d8"}, "properties": {"publishedOn": "2025-07-08T07:00:00.000Z", "score": 7.8, "tag.Jira": "IS60896", "id": "29cbd8a5953943228e7cba331554f1d7_09502aabde923b2cbff94c77dfa49881", "cveId": "CVE-2025-49693", "impact": 5.9, "tag.Production": true, "updatedOn": "2025-11-03T01:35:08.000Z", "exprtRating": "MEDIUM", "name": "CVE-2025-49693", "aid": "29cbd8a5953943228e7cba331554f1d7", "exploitability": 1.8, "status": "reopen", "cid": "2cc98db1a47b4c98b913c94d43bfab70", "numericSeverity": 7, "productNameVersion": "Windows 11 23h2", "tag.AccountName": "test", "description": "Summary\n\n\n\nCVE-2025-49693 is a Double Free vulnerability affecting Microsoft Brokering File System.", "createdOn": "2025-09-12T05:06:36.000Z", "exploitStatus": 0, "public": true, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "raw_severity": "High", "severity": "high", "category": "Host", "vendorAdvisory": ["https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2025-49693", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49693"], "open": true}}
+{"id":"ab576c5e-505e-5405-a6b1-4fa1f7bceab7","entity":{"_version":1,"_deleted":false,"_integrationClass":["EPP","EDR","EndpointSecurity"],"_source":"integration-managed","displayName":"ProcRansomware","_integrationDefinitionId":"5e650485-6df0-419d-a5c5-f76e564519d6","_type":"crowdstrike_alert","_integrationType":"crowdstrike","_createdOn":"2025-11-03T09:42:05.322Z","_key":"ind:baaeadf647d24b9e83c51ccf2f73b2a8:485359820702-10251-202153488","_id":"ab576c5e-505e-5405-a6b1-4fa1f7bceab7","_class":["Finding"],"_integrationInstanceId":"c4d8b528-b3b8-4f09-9c20-320684dcb13e","_beginOn":"2025-11-03T09:42:05.322Z","_scope":"c4d8b528-b3b8-4f09-9c20-320684dcb13e","_integrationName":"test","_accountId":"fd932a04-5401-49ce-9f4b-b674387085d8"},"properties":{"deviceId":"baaeadf647d24b9e83c51ccf2f73b2a8","detectedOn":"2025-11-03T07:00:56.621Z","objective":"Follow Through","tag.Jira":"IS60896","aggregateId":"ac39abcd0f5b59cfcd16d19511cbed1cabb835ae451ca67899cbb527c5c8e48a","dataDomains":"Endpoint","id":"ind:baaeadf647d24b9e83c51ccf2f73b2a8:485359820702-10251-202153488","falconHostLink":"https://falcon.us-2.crowdstrike.com/automated-leads/2cc98db1a47b4c98b913c94d43bfab70:ind:baaeadf647d24b9e83c51ccf2f73b2a8:485359820702-10251-202153488?_cid=g04000alcejocicbgp7infyokz7bajkq","updatedOn":"2025-11-03T08:01:00.649Z","filename":"python.exe","deviceLocalIp":"198.51.100.1","status":"new","createdOn":"2025-11-03T07:02:00.991Z","tactic":"Impact","deviceStatus":"normal","scenario":"ransomware","product":"automated-lead-context","userId":"S-1-5-18","parentFilename":"rundll32.exe","sourceProducts":"Automated Leads","severityName":"High","open":true,"mitreAttack":"Impact (TA0040) - Data Encrypted for Impact (T1486)","cmdline":"\"C:\\Program Files\\MySQL\\MySQL Workbench 8.0 CE\\python.exe\" -mcompileall ..","filepath":"\\Device\\HarddiskVolume3\\Program Files\\MySQL\\MySQL Workbench 8.0 CE\\python.exe","techniqueId":"T1486","name":"ProcRansomware","tacticId":"TA0040","deviceExternalIp":"81.2.69.192","cid":"2cc98db1a47b4c98b913c94d43bfab70","deviceMacAddress":"42-53-45-41-56-43","numericSeverity":70,"tag.AccountName":"test","sourceVendors":"CrowdStrike","description":"A process associated with a known ransomware campaign launched. Investigate the host for signs of a ransomware attack.","technique":"Data Encrypted for Impact","deviceOsVersion":"Windows Server 2022","deviceHostname":"WIN-9L94MPLCTI5","devicePlatformName":"Windows","severity":"High","userName":"WIN-9L94MPLCTI5$","childProcessIds":"pid:baaeadf647d24b9e83c51ccf2f73b2a8:485362198808","category":"Endpoint","compositeId":"2cc98db1a47b4c98b913c94d43bfab70:ind:baaeadf647d24b9e83c51ccf2f73b2a8:485359820702-10251-202153488","parentCmdline":"rundll32.exe \"C:\\Windows\\Installer\\MSI9B63.tmp\",zzzzInvokeManagedCustomActionOutOfProc SfxCA_937663500 15 MySQLCA!MySQLCA.CustomActions.PrecompilePythonFiles"}}