Tasks — Scheduled Intelligence Automation & Alerting
Overview
OneFirewall now includes a Tasks engine: a built-in automation system that lets users schedule periodic queries against OneFirewall’s threat intelligence APIs, evaluate conditions on the responses, and deliver notifications through in-app or email channels. Tasks replace the need for external cron scripts or third-party alerting integrations for common OneFirewall workflows. Everything is configured through a guided, multi-step wizard directly inside the portal.What Tasks Do
A Task is a scheduled unit of work with three parts:- One or more API queries — the Task calls internal OneFirewall API endpoints on a schedule.
- Conditions — the Task evaluates the API response against user-defined rules (e.g.
score > 500). Notification is only sent when conditions pass. Conditions can be omitted to notify on every run. - Notification delivery — the Task sends a message to the in-app notification bell, to email, or both.
Task Types
Guided Wizard
Creating a task uses a 6-step wizard:Step 1 — Task Name
Give the task a short descriptive name (e.g.Alert on High-Risk IP).
Step 2 — API Calls
Add one or more OneFirewall API endpoints to query. A searchable preset picker covers common endpoints:- IP / Domain / URL / File Hash intelligence
- Files, Domains, URLs, IPs above a score threshold
- Defence rules, overview statistics, and more
This allows recurring tasks to always query a rolling time window without manual updates.
Step 3 — Conditions & Template
Conditions define when a notification is sent. Each condition targets a field from an API response and evaluates it against a value.
Multiple conditions are combined with AND (all must pass) or OR (any must pass) logic, selectable per task.
When a task has multiple API calls, each condition can target a specific call’s response using
api_index.
Notification Template defines the message content using {{fieldName}} placeholders:
api2_1_*, api2_2_*, …), making it straightforward to reference ranked list data in templates.
HTML templates are supported — if the template begins with <!DOCTYPE html> or <html, it is treated as an HTML document. In-app notifications receive the stripped plain-text version; emails receive the full HTML.
Step 4 — Notification Channel
For email-capable channels, additional recipients can be added — up to 20 extra addresses beyond the task owner’s account email.
SMTP delivery uses
config.json settings (smtp.server, smtp.port, smtp.username, smtp.password). Environment variables take precedence if set: SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS.
Step 5 — Schedule
Recurring tasks automatically reschedule themselves after each execution. One-time and “now” tasks are marked
done after a single run.
Step 6 — Review & Activate
A summary of the full task configuration is presented before submission. Navigate back to any step to make changes. Click Activate Task to create and start scheduling the task.Upcoming Tasks Table
The Upcoming Tasks card shows all active and pending tasks for the organisation with:- Task name (click to open the detail view)
- Notification channel
- Next scheduled run time (relative, e.g. “In 3 hours and 42 min”)
- Recurrence pattern
- Last sent time
- Execution status:
pending,running,done,failed
Task Log
The Task Log card provides a paginated audit trail of all task executions:- Timestamp (relative)
- Event name (task name)
- Message preview (click to view full content, including rendered HTML in a sandboxed iframe)
- Delivery channel
- Status
Global Enable / Disable
A toggle in the Configurations card enables or disables the Tasks engine organisation-wide. When disabled, no scheduled tasks execute and no notifications are delivered. The state is persisted per user account.In-App Notification Bell
Tasks that target theapp or email_app channel surface notifications in the bell icon in the top navigation bar. The bell shows an unread badge count. Clicking opens a notification panel where messages can be read, dismissed, or navigated to the full task log.
Deep-Link Pre-Population
Other pages in the portal can link directly to the task wizard with fields pre-filled using URL query parameters. This allows one-click task creation from intelligence views with the correct API path, conditions, and template already configured. Supported parameters include:name, api, cond_0_field, cond_0_op, cond_0_val, logic, template, channel, sched_type, and recurrence options.
Backend & Reliability
The Task Runner executes on a distributed, atomic-claim model:- An hourly sweep claims and runs all tasks with
scheduled_at ≤ now. - Tasks scheduled for immediate execution (
now) are triggered directly from the creation API without waiting for the next sweep. - Only one replica can claim a task at a time —
findOneAndUpdatewith a status guard prevents double-execution in multi-instance deployments. - Tasks left
in_progressfor more than 5 minutes (e.g. after a container crash) are automatically recovered and returned topendingon the next sweep.
API Endpoints
Weekly Email Reports
Tasks are the built-in way to send recurring security digest emails — no external tooling required. The sections below show how to build a weekly report that consolidates Live Traffic, the Defence Center, and the Threat Intelligence overview into a single formatted email.Which Endpoints to Query
These endpoints return JSON and work without manual timestamp parameters — they use their own internal windows or current-state snapshots:Timestamp note for Live Traffic:/malicious/topand/malicious/detailedaccept optionalfrom_tsandto_tsquery parameters in Unix seconds. When omitted, both default to the last hour automatically, which is the right behaviour for a recurring task — every run always reflects the most recent hour.
Building the Weekly Report Task
Follow the wizard with these settings: Step 1 — Name
Use the Test button on each to verify the live JSON response and confirm field names before proceeding.
Step 3 — Conditions & Template
Leave conditions empty — the task will notify on every scheduled run regardless of values.
Paste an HTML template in the Notification Template field. Because the template starts with
<!DOCTYPE html>, the Task Runner automatically treats it as HTML: the email receives the full rendered document, and the in-app notification receives the stripped plain-text version.
Example template:
The array-flattening logic in the Task Runner automatically expands the
malicious/top response array into api3_1_*, api3_2_*, … prefixed keys — up to 10 items — so no custom scripting is needed.
Step 4 — Notification Channel
Select Email + App Notification.
For an organisation-wide report, add the team’s shared security mailbox under Additional Recipients.
Step 5 — Schedule
Select Recurring → Weekly → Monday → 09:00 (or whichever day and time fits your team’s review cadence).
Step 6 — Review & Activate
Confirm all three API calls, the HTML template, and the weekly schedule, then click Activate Task.
Extending the Report
To add more data to the same report, add additional API calls in Step 2 and reference them in the template using{{api4_…}}, {{api5_…}}, etc.
Common additions:
Sending to Multiple Teams
Create one task per audience and adjust the Additional Recipients list in Step 4:SOC Weekly Digest→ SOC team mailing listExecutive Weekly Summary→ same API calls, simplified template without raw IPsCISO Board Report→ monthly schedule, higher-level stats only
Summary
- Scheduled API queries against any OneFirewall endpoint — run now, one-time, hourly, or on a daily/weekly/monthly recurring schedule.
- Condition engine with 7 operators, AND/OR logic, and multi-API-call support.
- Mustache-style templates with automatic array flattening and full HTML email support.
- Three notification channels: in-app bell, email, or both — with configurable additional recipients.
- Live API test in the wizard so you can inspect the JSON response before setting up conditions.
- Task log with paginated history and inline HTML message preview.
- Distributed, crash-safe execution with atomic locking and stale-task recovery.
- Deep-link URL support for pre-populating the wizard from other pages in the portal.
Tasks bring proactive alerting directly into OneFirewall — no external cron jobs, no third-party webhooks, no scripting required.

