Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Rules

 

Rules, sometimes called correlation rules are applied to events, flows, or offenses to search for or detect anomalies. If all the conditions of a test are met, the rule generates response.

What Are Rules?

Custom rules test events, flow, and offenses to detect unusual activity in your network. You create new rules by using AND and OR combinations of existing rules.

JSA Event Collectors gather events from local and remote sources, normalizes these events, and classifies them into low-level and high-level categories. For flows, JSA Flow Processor read packets from the wire or receive flows from other devices and then converts the network data to flow records. Each Event Processor processes events or flow data from the JSA Event Collectors. Event Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against defined rules to search for anomalies. When a rule condition is met, the Event Processor generates an action that is defined in the rule response. The CRE keeps track of the systems that are involved in incidents, contributes events to offenses, and generates notifications.

What Are Building Blocks?

A building block is a collection of tests that don't result in a response or an action.

A building block groups commonly used tests to build complex logic, so that it can be reused in rules. A building block often tests for IP addresses, privileged user names, or collections of event names. For example, a building block can include the IP addresses of all DNS servers. Rules can then use this building block.

How do Rules Work?

JSA Event Collectors gather events from local and remote sources, normalizes these events, and classifies them into low-level and high-level categories. For flows, JSA Flow Processor read packets from the wire or receive flows from other devices and then converts the network data to flow records. Each Event Processor processes events or flow data from the JSA Event Collectors. Flow Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against defined rules to search for anomalies. When a rule condition is met, the Event Processor generates an action that is defined in the rule response. The CRE keeps track of the systems that are involved in incidents, contributes events to offenses, and generates notifications.

How is an Offense Created from a Rule?

JSA creates an offense when events, flows, or both meet the test criteria that is specified in the rules.

JSA analyzes the following information:

  • Incoming events and flows

  • Asset information

  • Known vulnerabilities

The rule that created the offense determines the offense type.

The magistrate prioritizes the offenses and assigns the magnitude value based on several factors, including number of events, severity, relevance, and credibility.