Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Domain-specific Rules and Offenses

 

A rule can work in the context of a single domain or in the context of all domains. Domain-aware rules provide the option of including the And Domain Is test.

You can restrict a rule so that it is applied only to events that are happening within a specified domain. An event that has a domain tag that is different from the domain that is set on the rule does not trigger an event response.

In an JSA system that does not have user-defined domains, a rule creates an offense and keeps contributing to it each time the rule fires. In a domain-aware environment, a rule creates a new offense each time the rule is triggered in the context of a different domain.

Rules that work in the context of all domains are referred to as system-wide rules. To create a system-wide rule that tests conditions across the entire system, select Any Domain in the domain list for the And Domain Is test. An Any Domain rule creates an Any Domain offense.

  • Single-domain rule--If the rule is a stateful rule, the states are maintained separately for each domain. The rule is triggered separately for each domain. When the rule is triggered, offenses are created separately for each domain that is involved and the offenses are tagged with those domains.

  • Single-domain offense--The offense is tagged with the corresponding domain name. It can contain only events that are tagged with that domain.

  • System-wide rule--If the rule is a stateful rule, a single state is maintained for the whole system and domain tags are ignored. When the rule runs, it creates or contributes to a single system-wide offense.

  • System-wide offense--The offense is tagged with Any Domain. It contains only events that are tagged with all domains.

The following table provides examples of domain-aware rules. The examples use a system that has three domains that are defined: Domain_A, Domain_B, and Domain_C.

The rule examples in the following table may not be applicable in your JSA environment. For example, rules that use flows and offenses are not applicable in Log Manager.

Table 1: Domain-aware Rules

Domain text

Explanation

Rule response

domain is one of: Domain_A

Looks only at events that are tagged with Domain_A and ignores rules that are tagged with other domains.

Creates or contributes to an offense that is tagged with Domain_A.

domain is one of: Domain_A and a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute

Looks only at events that are tagged with Domain_A and ignores rules that are tagged with other domains.

Creates or contributes to an offense that is tagged with Domain_A. A single state, an HTTP flow counter, gets maintained for Domain_A.

domain is one of: Domain_A, Domain_B

Looks only at events that are tagged with Domain_A and Domain_B and ignores events that are tagged with Domain_C.

This rule behaves as two independent instances of a single domain rule, and creates separate offenses for different domains.

For data that is tagged with Domain_A, it creates or contributes to a single domain offense that is tagged with Domain_A.

For data that is tagged with Domain_B, it creates or contributes to a single domain offense that is tagged with Domain_B.

domain is one of: Domain_A, Domain_B and a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute

Looks only at events that are tagged with Domain_A and Domain_B and ignores events that are tagged with Domain_C.

This rule behaves as two independent instances of a single domain rule, and maintains two separate states (HTTP flow counters) for two different domains.

When the rule detects 10 HTTP flows that are tagged with Domain_A within a minute, it creates or contributes to an offense that is tagged with Domain_A.

When the rule detects 10 HTTP flows that are tagged with Domain_B within a minute, it creates or contributes to an offense that is tagged with Domain_B.

No domain test defined

Looks at events that are tagged with all domains and creates or contributes to offenses on a per-domain basis.

Each independent domain has offenses that are generated for it, but offenses do not contain contributions from other domains.

A rule has a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute and no domain test is defined

Looks at events that are tagged with Domain_A, Domain_B, or Domain_C.

Maintains separate states and creates separate offenses for each domain.

domain is one of: Any Domain

Looks at all events, regardless of which domain it is tagged with.

Creates or contributes to a single system-wide offense that is tagged with Any Domain.

domain is one of: Any Domain and a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute

Looks at all events, regardless of which domain it is tagged with, and it maintains a single state for all domains.

Creates or contributes to a single system-wide offense that is tagged with Any Domain.

For example, if it detects 3 events that are tagged with Domain_A, 3 events that are tagged with Domain_B, and 4 events that are tagged with Domain_C within 1 minute, it creates an offense because it detected 10 events in total.

domain is one of: Any Domain, Domain_A

Works the same as a rule that has domain is one of: Any Domain.

When the domain test includes Any Domain, any single domains that are listed are ignored.

When you view the offense table, you can sort the offenses by clicking the Domain column. The Default Domain is not included in the sort function so it does not appear in alphabetical order. However, it appears at the top or bottom of the Domain list, depending on whether the column is sorted in ascending or descending order. Any Domain does not appear in the list of offenses.