Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Set Restrictions to Prevent Resource-intensive Searches

 

You can balance the usage of your JSA infrastructure by setting resource restrictions on JSA event and flow searches.

Before you set resource restrictions, carefully consider the normal operational procedures in your environment. Try to set restrictions that ensure that all users have access to the data that they require, yet prevent them from inadvertently running large queries that negatively impact the system availability and performance for other users.

Types Of Resource Restrictions

You can set limitations on searches by configuring either time or data set restrictions based on user, role, or tenant.

Resource restrictions are applied in the following order: user, user role, and tenant. For example, restrictions that are set for a user take precedence over restrictions that are set for the user role or tenant that the user is assigned to.

You can set the following types of restrictions on event and flow searches:

  • The length of time that a search runs before data is returned

  • The time span of the data to be searched

  • The number of records that are processed by the Ariel query server

User-based Restrictions

User-based restrictions define limits for an individual user, and they take precedence over role and tenant restrictions.

For example, your organization hires university students to work with the junior analysts in your SOC. The students have the same user role as the other junior analysts, but you apply more restrictive user-based restrictions until the students are properly trained in building JSA queries.

Role-based Restrictions

Role-based restrictions allow you to define groups of users who require different levels of access to your JSA deployment. By setting role-based restrictions, you can balance the needs of different types of users.

For example, a junior security analyst might focus on security incidents that happened recently, while a senior security analyst might be more involved in forensic investigations that review data over a longer period of time. By setting role-based restrictions, you can limit a junior analyst to accessing only the last 7 days of data, while a senior analyst has access to a much larger time span of data.

Tenant-based Restrictions

In a Managed Security Service Provider (MSSP) or a multi-divisional organization, tenant-based restrictions can help you ensure quality of service by preventing resource contention and degradation of services. You can prevent a tenant from querying terabytes of data that can negatively impact the system performance for all other tenants.

As an MSSP, you might define standard resource restrictions based on a set of criteria that each tenant is compared to. For example, the standard configuration for a medium-sized tenant might include resource restrictions that limit searches to accessing only the last 14 days of data and a maximum of 10,000 records returned.

Resource Restrictions in Distributed Environments

In a distributed environment, the timing of the data transfer between the JSA console and managed hosts can impact the search results.

When you run a search in JSA, the search runs on all nodes at the same time. Each managed host runs the search, and sends the aggregated results to the JSA console when the search is complete or when it reaches the predefined number of rows.

It is important to understand how the resource restrictions that you set might impact the search results that are returned to a user:

  • Canceled searches -- Each managed host periodically checks the state of the resource restriction limit. If a limit is reached, the search is automatically canceled to prevent the incomplete results from being cached and reused.

    Results that were collected before the search was canceled by the system can be viewed by clicking Search >Manage Search Results on the Log Activity or Network Activity tab.

  • Empty search results -- When you set time-limit or record-limit restrictions, the remote aggregation might cause the JSA console to reach the resource restriction limit before the managed host sends the partial aggregate to the console. In this situation, the search results might appear to be empty even though some data was collected.

  • Inconsistent search results -- JSA monitors the load on each managed host, and manages the search to ensure optimized performance throughout the entire deployment. Depending on the system load, searches that are run repeatedly might show slightly different results due to the managed hosts returning the data in a different order.

    For example, in a deployment that has six event processors, EP1, EP3, and EP5 might be the first processors to return data on the initial run. In subsequent runs, EP2, EP4, and EP6 might return data first, which accounts for the inconsistent search results.

Depending on the frequency that users reach the resource restrictions, you can tune the limits to avoid restricting users from running reasonable searches to meet their job requirements. Users who consistently run searches that strain the system might benefit from more training in building JSA queries. For more information, see the Juniper Secure Analytics Ariel Query Language Guide.

Configuring Resource Restrictions

Set resource restrictions to apply time or data limitations to event and flow searches.

You can set the following types of resource restrictions:

  • Set Execution time restrictions to specify the maximum amount of time that a query runs before data is returned.

  • Set Record limit restrictions to specify the maximum number of data records that are returned by a search query.

  • Set Time span restrictions to specify the time span of the data to be searched.

Users who run searches that are limited by resource restrictions see the resource restriction icon () next to the search criteria.

  1. On the navigation menu (), click Admin to open the admin tab.
  2. In the System Configuration section, click Resource Restrictions.
  3. If your deployment has tenants that are configured, click Role or Tenant to specify the type of restrictions to set.
  4. Double-click the role or tenant that you want to set restrictions for.
  5. To set restrictions for all users who are assigned to the user role or tenant, follow these steps:
    1. Click the summary row at the top to open the Edit Restriction dialog box.

    2. Click Enabled for the type of restriction that you want to set, and specify the restriction values.

    3. Click Save.

  6. To set restrictions for a specific user, follow these steps:
    1. Double-click the user that you want to set the restrictions for.

      To search for a user, type the user name in the filter field.

    2. Click Enabled for the type of restriction that you want to set, and specify the restriction values.

    3. Click Save.