Policy Question Monitoring

JSA Risk Manager can monitor any predefined or user-generated question in Policy Monitor. You can use monitor mode to generate events in JSA Risk Manager.

When you monitor a policy question, JSA Risk Manager analyzes the question against your topology every hour to determine if an asset or rule change generates an unapproved result. If JSA Risk Manager detects an unapproved result, an offense can be generated to alert you about a deviation in your defined policy. In monitor mode, JSA Risk Manager can simultaneously monitor the results of 10 questions.

Question monitoring provides the following key features:

  • Hourly monitoring of rule or asset changes for unapproved results.

  • Categorization of unapproved results with your high-level and low-level event categories.

  • Generation of offenses, emails, syslog messages, or dashboard notifications on unapproved results.

  • Event viewing, correlation, event reporting, custom rules, and dashboards in JSA.

Monitoring a Policy Monitor Question and Generating Events

Monitor the results of Policy Monitor questions and configure events to be generated when those results change. You can set the policy evaluation interval and configure the events to send notifications.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. Select the question that you want to monitor.
  4. Click Monitor.
  5. Configure values for the parameters.
  6. Click Save Monitor.

    The parameters that you configure for an event are described in the following table.

    Table 1: Question Event Parameters

    Policy evaluation interval
        How often the monitored question is evaluated.

    Event Name
        The name of the event as it is displayed in the Log Activity and Offenses tabs.

    Event Description
        The description of the event. It is displayed in the Annotations section of the event details.

    High-Level Category
        The high-level event category that this rule uses when processing events.

    Low-Level Category
        The low-level event category that this rule uses when processing events.

    Ensure the dispatched event is part of an offense
        Forwards the events to the Magistrate component. If no offense exists, a new offense is created; if an offense exists, the event is added to it.

        If you correlate by question or simulation, all events from a question are associated with a single offense.

        If you correlate by asset, a unique offense is created or updated for each unique asset.

    Dispatch question passed events
        Forwards events that pass the Policy Monitor question to the Magistrate component.

    Vulnerability Score Adjustments
        Adjusts the vulnerability risk score of an asset, depending on whether the question fails or passes. The vulnerability risk scores are adjusted in JSA Vulnerability Manager.

    Additional Actions
        The additional actions to take when an event is received.

        Separate multiple email addresses with commas.

        Select Notify if you want events generated by this monitored question to appear in the System Notifications item on the dashboard.

        The syslog output might resemble the following:

        Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name:SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description

    Enable Monitor
        Turns monitoring on for the question.
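A downstream collector that receives these syslog notifications needs to split the line into fields before it can route or alert on them. The parser below is an added example for the ECS line format shown above, not JSA code; it assumes the field order of the sample line is fixed and that the number after the destination port is the IP protocol number, and it ignores any syslog line that is not an ECS rule event.

```python
import re
from typing import Dict, Iterable, List, Optional, Union

# Regex for the ECS "Rule ... Fired" syslog line format shown on this page.
# Assumption (not stated by the page): the field order is fixed as in the
# sample and the number after the destination port is the IP protocol number.
_ECS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Rule '(?P<rule>[^']*)' Fired: "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<proto>\d+), "
    r"Event Name:(?P<event_name>[^,]*), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)
_INT_FIELDS = ("src_port", "dst_port", "proto", "qid", "category")
Event = Dict[str, Union[str, int]]


def parse_ecs_syslog(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for lines that are not ECS rule events."""
    m = _ECS_RE.match(line.strip())
    if m is None:
        return None
    ev: Event = {k: v.strip() for k, v in m.groupdict().items()}
    for key in _INT_FIELDS:
        ev[key] = int(ev[key])
    return ev


def events_for_category(lines: Iterable[str], category: int) -> List[Event]:
    """Keep only the events whose low-level category ID matches, skipping other lines."""
    parsed = (parse_ecs_syslog(line) for line in lines)
    return [ev for ev in parsed if ev is not None and ev["category"] == category]


# Constructed sample input: the page's example line plus an unrelated syslog line
# that the parser must ignore rather than misparse.
SAMPLE_LINES = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name:SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:39:02 localhost.localdomain sshd[1234]: Accepted publickey for ops",
]

if __name__ == "__main__":
    for ev in events_for_category(SAMPLE_LINES, 1011):
        print(f"{ev['rule']}: {ev['src_ip']} -> {ev['dst_ip']} ({ev['event_name']})")
```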