> ## Documentation Index > Fetch the complete documentation index at: https://docs.onefirewall.com/llms.txt > Use this file to discover all available pages before exploring further. # Release: v2026-05-18 > Tasks — Scheduled Intelligence Automation & Alerting # Tasks — Scheduled Intelligence Automation & Alerting ## Overview OneFirewall now includes a **Tasks** engine: a built-in automation system that lets users schedule periodic queries against OneFirewall's threat intelligence APIs, evaluate conditions on the responses, and deliver notifications through in-app or email channels. Tasks replace the need for external cron scripts or third-party alerting integrations for common OneFirewall workflows. Everything is configured through a guided, multi-step wizard directly inside the portal. *** ## What Tasks Do A Task is a scheduled unit of work with three parts: 1. **One or more API queries** — the Task calls internal OneFirewall API endpoints on a schedule. 2. **Conditions** — the Task evaluates the API response against user-defined rules (e.g. `score > 500`). Notification is only sent when conditions pass. Conditions can be omitted to notify on every run. 3. **Notification delivery** — the Task sends a message to the in-app notification bell, to email, or both. *** ## Task Types | Type | Behaviour | | --------------- | -------------------------------------------------------------------------------------------------- | | `api_condition` | Calls one or more APIs, checks conditions, sends a templated notification when conditions are met. | | `api_fetch` | Calls an API and sends the raw or templated response as a notification unconditionally. | | `hello_world` | Sends a static message (useful for testing notification delivery). | *** ## Guided Wizard Creating a task uses a **6-step wizard**: ### Step 1 — Task Name Give the task a short descriptive name (e.g. `Alert on High-Risk IP`). ### Step 2 — API Calls Add one or more OneFirewall API endpoints to query. A searchable preset picker covers common endpoints: * IP / Domain / URL / File Hash intelligence * Files, Domains, URLs, IPs above a score threshold * Defence rules, overview statistics, and more Each API call has a **Test** button that fires the request live and shows the JSON response inline — useful for discovering which field names to use in conditions and templates. Multiple API calls are executed in sequence. Responses are merged into a single template data object for use in Step 3. **Timestamp tokens** in API paths are automatically resolved at execution time: | Token | Resolves to | | ------------- | ------------------------------------ | | `__now__` | Current Unix timestamp (ms) | | `__24h_ago__` | Unix timestamp 24 hours earlier (ms) | This allows recurring tasks to always query a rolling time window without manual updates. ### Step 3 — Conditions & Template **Conditions** define when a notification is sent. Each condition targets a field from an API response and evaluates it against a value. | Operator | Description | | ---------- | -------------------------------- | | `>` | Greater than | | `<` | Less than | | `>=` | Greater than or equal | | `<=` | Less than or equal | | `==` | Exact string match | | `!=` | Not equal | | `contains` | Case-insensitive substring match | Multiple conditions are combined with **AND** (all must pass) or **OR** (any must pass) logic, selectable per task. When a task has multiple API calls, each condition can target a specific call's response using `api_index`. **Notification Template** defines the message content using `{{fieldName}}` placeholders: ``` Alert: {{score}} score detected for {{ip}} — reported by {{members}} members ``` For the second API call onwards, use prefixed references: ``` Top actor: {{api2_1_actor}} with score {{api2_1_score}} in {{api2_1_country}} ``` Array responses are automatically flattened up to 10 items with numbered prefixes (`api2_1_*`, `api2_2_*`, …), making it straightforward to reference ranked list data in templates. **HTML templates** are supported — if the template begins with `` or ` **Timestamp note for Live Traffic:** `/malicious/top` and `/malicious/detailed` accept optional `from_ts` and `to_ts` query parameters in **Unix seconds**. When omitted, both default to the last hour automatically, which is the right behaviour for a recurring task — every run always reflects the most recent hour. ### Building the Weekly Report Task Follow the wizard with these settings: **Step 1 — Name** ``` Weekly Security Digest ``` **Step 2 — API Calls** Add three calls in sequence: | Call | Path | | ---- | -------------------------------------- | | 1 | `/api/v1/graphs/overview` | | 2 | `/api/v1/defense` | | 3 | `/api/v1/graphs/traffic/malicious/top` | Use the **Test** button on each to verify the live JSON response and confirm field names before proceeding. **Step 3 — Conditions & Template** Leave conditions **empty** — the task will notify on every scheduled run regardless of values. Paste an HTML template in the Notification Template field. Because the template starts with ``, the Task Runner automatically treats it as HTML: the email receives the full rendered document, and the in-app notification receives the stripped plain-text version. Example template: ```html theme={null}

Weekly Security Digest

OneFirewall — automated report
Threat Intelligence Database
{{graph1.value}}
Live IPv4 Rules
{{graph2.value}}
File Signatures
{{graph3.value}}
Domains
{{graph4.value}}
URLs
Defence Center — Last 24 Hours
{{api2.attacks}}
Blocked Attacks
{{api2.actors}}
Unique Threat Actors
Top Malicious Actors — Last Hour of Live Traffic
{{api3_1_actor}}  ·  Score {{api3_1_live_score}}  ·  {{api3_1_ip_info_country}}
{{api3_2_actor}}  ·  Score {{api3_2_live_score}}  ·  {{api3_2_ip_info_country}}
{{api3_3_actor}}  ·  Score {{api3_3_live_score}}  ·  {{api3_3_ip_info_country}}
{{api3_4_actor}}  ·  Score {{api3_4_live_score}}  ·  {{api3_4_ip_info_country}}
{{api3_5_actor}}  ·  Score {{api3_5_live_score}}  ·  {{api3_5_ip_info_country}}
Generated automatically by OneFirewall Tasks
``` **Template field reference:** | Placeholder | Source | Field | | ---------------------------- | -------------------------------- | ---------------------------------- | | `{{graph1.value}}` | API 1 (`/graphs/overview`) | Total Live IPv4 rule count | | `{{graph2.value}}` | API 1 | Total File Signature count | | `{{graph3.value}}` | API 1 | Total Domain count | | `{{graph4.value}}` | API 1 | Total URL count | | `{{api2.attacks}}` | API 2 (`/defense`) | Blocked attack events (last 24h) | | `{{api2.actors}}` | API 2 | Unique threat actor IPs (last 24h) | | `{{api3_1_actor}}` | API 3 (`/malicious/top`), item 1 | Top threat actor IP | | `{{api3_1_live_score}}` | API 3, item 1 | OFA threat score | | `{{api3_1_ip_info_country}}` | API 3, item 1 | Geolocation country | | `{{api3_2_actor}}` … | API 3, item 2–5 | Second through fifth actors | The array-flattening logic in the Task Runner automatically expands the `malicious/top` response array into `api3_1_*`, `api3_2_*`, … prefixed keys — up to 10 items — so no custom scripting is needed. **Step 4 — Notification Channel** Select **Email + App Notification**. For an organisation-wide report, add the team's shared security mailbox under **Additional Recipients**. **Step 5 — Schedule** Select **Recurring → Weekly → Monday → 09:00** (or whichever day and time fits your team's review cadence). **Step 6 — Review & Activate** Confirm all three API calls, the HTML template, and the weekly schedule, then click **Activate Task**. *** ### Extending the Report To add more data to the same report, add additional API calls in Step 2 and reference them in the template using `{{api4_…}}`, `{{api5_…}}`, etc. Common additions: | Call | Path | Adds to report | | ---- | ------------------------------------------- | ---------------------------------------------------------------------------------- | | 4th | `/api/v1/graphs/traffic/malicious/detailed` | Traffic risk category breakdown (low/medium/high/critical counts) | | 4th | `/api/v1/feeds/500/5/10` | Current intelligence feed (IPs with score ≥ 500, seen by ≥ 5 members, ≥ 10 events) | | 4th | `/api/v1/domains/score/500` | Domains above a threat score threshold | | 4th | `/api/v1/files/score/500` | Malicious file hashes above threshold | ### Sending to Multiple Teams Create one task per audience and adjust the **Additional Recipients** list in Step 4: * `SOC Weekly Digest` → SOC team mailing list * `Executive Weekly Summary` → same API calls, simplified template without raw IPs * `CISO Board Report` → monthly schedule, higher-level stats only Each task is independent and can have its own schedule, template, and recipient list. *** ## Summary * **Scheduled API queries** against any OneFirewall endpoint — run now, one-time, hourly, or on a daily/weekly/monthly recurring schedule. * **Condition engine** with 7 operators, AND/OR logic, and multi-API-call support. * **Mustache-style templates** with automatic array flattening and full HTML email support. * **Three notification channels**: in-app bell, email, or both — with configurable additional recipients. * **Live API test** in the wizard so you can inspect the JSON response before setting up conditions. * **Task log** with paginated history and inline HTML message preview. * **Distributed, crash-safe execution** with atomic locking and stale-task recovery. * **Deep-link URL support** for pre-populating the wizard from other pages in the portal. > Tasks bring proactive alerting directly into OneFirewall — no external cron jobs, no third-party webhooks, no scripting required.