Offense indexing provides the capability to group events or flows from different rules indexed on the same property together in a single offense.
JSA uses the offense index parameter to determine which offenses to chain together. For example, an offense that has only one source IP address and multiple destination IP addresses indicates that the threat has a single attacker and multiple victims. If you index this type of offense by the source IP address, all events and flows that originate from the same IP address are added to the same offense.
You can configure rules to index an offense based on any piece of information. JSA includes a set of predefined, normalized fields that you can use to index your offenses. If the field that you want to index on is not included in the normalized fields, create a custom event or a custom flow property to extract the data from the payload and use it as the offense indexing field in your rule. The custom property that you index on can be based on a regular expression, a calculation, or an AQL-based expression.
Offense Indexing Considerations
It is important to understand how offense indexing impacts your JSA deployment.
Ensure that you optimize and enable all custom properties that are used for offense indexing. Using properties that are not optimized can have a negative impact on performance.
When you create a rule, you cannot select non-optimized properties in the Index offense based on field. However, if an existing rule is indexed on a custom property, and then the custom property is de-optimized, the property is still available in the offense index list. Do not de-optimize custom properties that are used in rules.
Rule Action and Response
When the indexed property value is null, an offense is not created, even when you select the Ensure the detected event is part of an offense check box in the rule action. For example, if a rule is configured to create an offense that is indexed by host name, but the host name in the event is empty, an offense is not created even though all of the conditions in the rule tests are met.
When the response limiter uses a custom property, and the custom property value is null, the limit is applied to the null value. For example, if the response is Email, and the limiter says Respond no more than 1 time per 1 hour per custom property, if the rule fires a second time with a null property within 1 hour, an email will not be sent.
When you index using a custom property, the properties that you can use in the rule index and response limiter field depends on the type of rule that you are creating. An event rule accepts custom event properties in the rule index and response limiter fields, while a flow rule accepts only custom flow properties. A common rule accepts either custom event or custom flow properties in the rule index and response limiter fields.
You cannot use custom properties to index an offense that is created by a dispatched event.
Example: Detecting Malware Outbreaks Based on the MD5 Signature
As a network security analyst for a large organization, you use JSA to detect when a malware outbreak occurs. You set the criteria for an outbreak as a threat that occurs across 10 hosts within 4 hours. You want to use the MD5 signature as the basis for this threat detection.
You configure JSA to evaluate the incoming logs to determine whether a threat exists, and then you group all of the fired rules that contain the same MD5 signature into a single offense.
Creating a Regex-based Custom Property to extract the MD5 signature from the logs. Ensure that the custom property is optimized and enabled.
Creating a Custom Rule and configure the rule to create an offense that uses the MD5 signature custom property as the offense index field. When the rule fires, an offense is created. All fired rules that have the same MD5 signature are grouped into one offense.
You can Searching for Offenses That Are Indexed on a Custom Property to find the offenses that are indexed by the MD5 signature custom property.