Monitoring Simulations

 

You can monitor a simulation to detect when its results change. When a change occurs, an event is generated. A maximum of 10 simulations can be in monitor mode at the same time.

When a simulation is in monitor mode, the default time range is 1 hour. This value overrides the time range that was configured when the simulation was created.

For information about event categories, see the Juniper Secure Analytics Users Guide.

  1. Click the Risks tab.
  2. On the navigation menu, select Simulation > Simulations.
  3. Select the simulation that you want to monitor.
  4. Click Monitor.
  5. In the Event Name field, type the name of the event that you want to display on the Log Activity and Offenses tabs.
  6. In the Event Description field, type a description for the event. The description is displayed in the Annotations of the event details.
  7. From the High-Level Category list, select the high-level event category that you want this simulation to use when processing events.
  8. From the Low-Level Category list, select the low-level event category that you want this simulation to use when processing events.
  9. Select the Ensure the dispatched event is part of an offense check box if you want the events that are generated by this monitored simulation to be forwarded to the Magistrate component. If no offense exists, a new offense is created; if an offense already exists, the event is added to it. If you select the check box, choose one of the following options:

    Question/Simulation: All events from this simulation (or question) are associated with a single offense.

    Asset: A unique offense is created (or updated) for each unique asset.

  10. In the Additional Actions section, select one or more of the following options:

    Email: Select this check box and specify the email address to which a notification is sent when the event is generated. Use a comma to separate multiple email addresses.

    Send to Syslog: Select this check box if you want the event to be written to syslog. For example, the syslog output might resemble the following line:

    Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description

    Notify: Select this check box if you want events that are generated as a result of this monitored simulation to be displayed in the System Notifications item on the Dashboard.

  11. In the Enable Monitor section, select the check box to monitor the simulation.
  12. Click Save Monitor.
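When Send to Syslog is enabled, the "Rule ... Fired" line shown above is what a downstream collector or second SIEM receives, so it is worth being able to parse it into typed fields rather than grep it. The parser below is an added example, not code from the Juniper Secure Analytics product or its documentation. It assumes the field order of the sample line on this page, tolerates the missing space before "Fired" that appears in some renderings of that sample, and reads the trailing number after the destination port as an IP protocol number (6 = TCP, 17 = UDP); that protocol interpretation is an assumption about the format, as are the second and third sample lines, which are constructed here to exercise a UDP event and a non-matching syslog line.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Regex for the "Rule ... Fired" line that the ECS component emits when a
# monitored simulation dispatches an event with "Send to Syslog" enabled.
# Field order follows the sample line on this page; whitespace around the
# separators is tolerated because the sample shows it being inconsistent.
ECS_RULE_FIRED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+ECS:\s+Rule\s+'(?P<rule>[^']*)'\s*Fired:\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<proto>\d+),\s*"
    r"Event Name:\s*(?P<event_name>[^,]*),\s*"
    r"QID:\s*(?P<qid>\d+),\s*"
    r"Category:\s*(?P<category>\d+),\s*"
    r"Notes:\s*(?P<notes>.*)$"
)

# IANA protocol numbers; the trailing number in the flow tuple is assumed to
# be one of these (assumption about the format, see lead-in).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_ecs_rule_fired(line: str) -> Optional[dict]:
    """Parse one ECS 'Rule ... Fired' syslog line into typed fields.

    Returns None for lines that are not rule-fired messages or whose
    addresses do not parse, so a caller can skip them instead of crashing.
    """
    m = ECS_RULE_FIRED.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    try:
        src_ip = str(ipaddress.ip_address(d["src_ip"]))
        dst_ip = str(ipaddress.ip_address(d["dst_ip"]))
    except ValueError:
        return None
    proto = int(d["proto"])
    return {
        "timestamp": d["ts"],
        "host": d["host"],
        "rule": d["rule"],
        "src_ip": src_ip,
        "src_port": int(d["src_port"]),
        "dst_ip": dst_ip,
        "dst_port": int(d["dst_port"]),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "event_name": d["event_name"].strip(),
        "qid": int(d["qid"]),
        "category": int(d["category"]),
        "notes": d["notes"].strip(),
    }


def parse_ecs_syslog(lines: Iterable[str]) -> list:
    """Parse a stream of syslog lines, keeping only rule-fired events."""
    events = []
    for line in lines:
        ev = parse_ecs_rule_fired(line)
        if ev is not None:
            events.append(ev)
    return events


def events_by_rule(events: list) -> dict:
    """Count dispatched events per monitored rule/simulation name."""
    counts: dict = {}
    for ev in events:
        counts[ev["rule"]] = counts.get(ev["rule"], 0) + 1
    return counts


# Constructed sample input: the first line is the one shown on this page;
# the other two are made up here (a UDP event and an unrelated sshd line).
SAMPLE_SYSLOG = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name:SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:41:17 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:40000 -> 172.16.210.126:53 17, Event Name: DNS Probe, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:41:18 localhost.localdomain sshd[1234]: Accepted publickey for ops",
]

SAMPLE_EVENTS = parse_ecs_syslog(SAMPLE_SYSLOG)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["rule"], ev["src_ip"], "->", ev["dst_ip"],
              ev["proto_name"], ev["event_name"], ev["qid"])
    print(events_by_rule(SAMPLE_EVENTS))
```

Lines that do not match the rule-fired shape are dropped rather than raising, which is the behaviour you want when the same syslog feed also carries unrelated daemon output; if you need to audit what was skipped, log the rejected lines in parse_ecs_syslog instead of silently discarding them.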