Skip to main content

Tasks — Scheduled Intelligence Automation & Alerting

Overview

OneFirewall now includes a Tasks engine: a built-in automation system that lets users schedule periodic queries against OneFirewall’s threat intelligence APIs, evaluate conditions on the responses, and deliver notifications through in-app or email channels. Tasks replace the need for external cron scripts or third-party alerting integrations for common OneFirewall workflows. Everything is configured through a guided, multi-step wizard directly inside the portal.

What Tasks Do

A Task is a scheduled unit of work with three parts:
  1. One or more API queries — the Task calls internal OneFirewall API endpoints on a schedule.
  2. Conditions — the Task evaluates the API response against user-defined rules (e.g. score > 500). Notification is only sent when conditions pass. Conditions can be omitted to notify on every run.
  3. Notification delivery — the Task sends a message to the in-app notification bell, to email, or both.

Task Types


Guided Wizard

Creating a task uses a 6-step wizard:

Step 1 — Task Name

Give the task a short descriptive name (e.g. Alert on High-Risk IP).

Step 2 — API Calls

Add one or more OneFirewall API endpoints to query. A searchable preset picker covers common endpoints:
  • IP / Domain / URL / File Hash intelligence
  • Files, Domains, URLs, IPs above a score threshold
  • Defence rules, overview statistics, and more
Each API call has a Test button that fires the request live and shows the JSON response inline — useful for discovering which field names to use in conditions and templates. Multiple API calls are executed in sequence. Responses are merged into a single template data object for use in Step 3. Timestamp tokens in API paths are automatically resolved at execution time: This allows recurring tasks to always query a rolling time window without manual updates.

Step 3 — Conditions & Template

Conditions define when a notification is sent. Each condition targets a field from an API response and evaluates it against a value. Multiple conditions are combined with AND (all must pass) or OR (any must pass) logic, selectable per task. When a task has multiple API calls, each condition can target a specific call’s response using api_index. Notification Template defines the message content using {{fieldName}} placeholders:
For the second API call onwards, use prefixed references:
Array responses are automatically flattened up to 10 items with numbered prefixes (api2_1_*, api2_2_*, …), making it straightforward to reference ranked list data in templates. HTML templates are supported — if the template begins with <!DOCTYPE html> or <html, it is treated as an HTML document. In-app notifications receive the stripped plain-text version; emails receive the full HTML.

Step 4 — Notification Channel

For email-capable channels, additional recipients can be added — up to 20 extra addresses beyond the task owner’s account email. SMTP delivery uses config.json settings (smtp.server, smtp.port, smtp.username, smtp.password). Environment variables take precedence if set: SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS.

Step 5 — Schedule

Recurring tasks automatically reschedule themselves after each execution. One-time and “now” tasks are marked done after a single run.

Step 6 — Review & Activate

A summary of the full task configuration is presented before submission. Navigate back to any step to make changes. Click Activate Task to create and start scheduling the task.

Upcoming Tasks Table

The Upcoming Tasks card shows all active and pending tasks for the organisation with:
  • Task name (click to open the detail view)
  • Notification channel
  • Next scheduled run time (relative, e.g. “In 3 hours and 42 min”)
  • Recurrence pattern
  • Last sent time
  • Execution status: pending, running, done, failed
Clicking a task name opens a detail modal showing the full configuration: API calls, conditions with logic, notification template, last message sent, and any error from the most recent run.

Task Log

The Task Log card provides a paginated audit trail of all task executions:
  • Timestamp (relative)
  • Event name (task name)
  • Message preview (click to view full content, including rendered HTML in a sandboxed iframe)
  • Delivery channel
  • Status
Individual entries can be deleted, or the entire log can be cleared with a single action.

Global Enable / Disable

A toggle in the Configurations card enables or disables the Tasks engine organisation-wide. When disabled, no scheduled tasks execute and no notifications are delivered. The state is persisted per user account.

In-App Notification Bell

Tasks that target the app or email_app channel surface notifications in the bell icon in the top navigation bar. The bell shows an unread badge count. Clicking opens a notification panel where messages can be read, dismissed, or navigated to the full task log.
Other pages in the portal can link directly to the task wizard with fields pre-filled using URL query parameters. This allows one-click task creation from intelligence views with the correct API path, conditions, and template already configured. Supported parameters include: name, api, cond_0_field, cond_0_op, cond_0_val, logic, template, channel, sched_type, and recurrence options.

Backend & Reliability

The Task Runner executes on a distributed, atomic-claim model:
  • An hourly sweep claims and runs all tasks with scheduled_at ≤ now.
  • Tasks scheduled for immediate execution (now) are triggered directly from the creation API without waiting for the next sweep.
  • Only one replica can claim a task at a time — findOneAndUpdate with a status guard prevents double-execution in multi-instance deployments.
  • Tasks left in_progress for more than 5 minutes (e.g. after a container crash) are automatically recovered and returned to pending on the next sweep.

API Endpoints


Weekly Email Reports

Tasks are the built-in way to send recurring security digest emails — no external tooling required. The sections below show how to build a weekly report that consolidates Live Traffic, the Defence Center, and the Threat Intelligence overview into a single formatted email.

Which Endpoints to Query

These endpoints return JSON and work without manual timestamp parameters — they use their own internal windows or current-state snapshots:
Timestamp note for Live Traffic: /malicious/top and /malicious/detailed accept optional from_ts and to_ts query parameters in Unix seconds. When omitted, both default to the last hour automatically, which is the right behaviour for a recurring task — every run always reflects the most recent hour.

Building the Weekly Report Task

Follow the wizard with these settings: Step 1 — Name
Step 2 — API Calls Add three calls in sequence: Use the Test button on each to verify the live JSON response and confirm field names before proceeding. Step 3 — Conditions & Template Leave conditions empty — the task will notify on every scheduled run regardless of values. Paste an HTML template in the Notification Template field. Because the template starts with <!DOCTYPE html>, the Task Runner automatically treats it as HTML: the email receives the full rendered document, and the in-app notification receives the stripped plain-text version. Example template:
Template field reference: The array-flattening logic in the Task Runner automatically expands the malicious/top response array into api3_1_*, api3_2_*, … prefixed keys — up to 10 items — so no custom scripting is needed. Step 4 — Notification Channel Select Email + App Notification. For an organisation-wide report, add the team’s shared security mailbox under Additional Recipients. Step 5 — Schedule Select Recurring → Weekly → Monday → 09:00 (or whichever day and time fits your team’s review cadence). Step 6 — Review & Activate Confirm all three API calls, the HTML template, and the weekly schedule, then click Activate Task.

Extending the Report

To add more data to the same report, add additional API calls in Step 2 and reference them in the template using {{api4_…}}, {{api5_…}}, etc. Common additions:

Sending to Multiple Teams

Create one task per audience and adjust the Additional Recipients list in Step 4:
  • SOC Weekly Digest → SOC team mailing list
  • Executive Weekly Summary → same API calls, simplified template without raw IPs
  • CISO Board Report → monthly schedule, higher-level stats only
Each task is independent and can have its own schedule, template, and recipient list.

Summary

  • Scheduled API queries against any OneFirewall endpoint — run now, one-time, hourly, or on a daily/weekly/monthly recurring schedule.
  • Condition engine with 7 operators, AND/OR logic, and multi-API-call support.
  • Mustache-style templates with automatic array flattening and full HTML email support.
  • Three notification channels: in-app bell, email, or both — with configurable additional recipients.
  • Live API test in the wizard so you can inspect the JSON response before setting up conditions.
  • Task log with paginated history and inline HTML message preview.
  • Distributed, crash-safe execution with atomic locking and stale-task recovery.
  • Deep-link URL support for pre-populating the wizard from other pages in the portal.
Tasks bring proactive alerting directly into OneFirewall — no external cron jobs, no third-party webhooks, no scripting required.