JSA Rules and Offenses

The rules that are configured in the Custom Rules Engine (CRE) are used to generate offenses.

The following list describes rules and offenses:

  • CRE: The Custom Rules Engine (CRE) displays the rules and building blocks that are used by JSA. Rules and building blocks are stored in two separate lists because they function differently. The CRE provides information about how the rules are grouped, the types of tests that each rule performs, and the responses that each rule generates. For more information about rules and offenses, see the JSA User Guide.

  • Rules: A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense. The actions that can be triggered include sending an email or generating a syslog message. A rule can reference multiple building blocks by using the tests that are found in the function sections of the test groups within the Rule Editor.

  • Offenses: As event and flow data passes through the CRE, it is correlated against the configured rules, and an offense can be generated from that correlation. You view offenses on the Offenses tab.
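The following is an added illustration, not JSA code, of the relationship just described: building blocks are reusable tests, a rule is a collection of those tests, events that satisfy every test in a rule generate an offense that records its contributing rules, and per-rule offense counts show which rules are most active. Rule names, building-block names and the sample events are constructed for the example.

```python
# Added illustration (not JSA code): a minimal model of a rules engine that
# correlates events against rules built from building blocks, generates
# offenses, and tallies which rules contribute most.
from collections import Counter

# Building blocks: named, reusable tests over a single event (constructed).
BUILDING_BLOCKS = {
    "BB:FailedLogin": lambda e: e["category"] == "auth.failure",
    "BB:ExternalSrc": lambda e: not e["src_ip"].startswith("10."),
}

# A rule is a collection of tests, here expressed as building-block
# references. Every test must pass for the rule to fire on an event.
RULES = {
    "Brute Force From External Host": ["BB:FailedLogin", "BB:ExternalSrc"],
    "Any Failed Login": ["BB:FailedLogin"],
}

def rule_matches(rule_name, event):
    """True when every test referenced by the rule passes for this event."""
    return all(BUILDING_BLOCKS[t](event) for t in RULES[rule_name])

def correlate(events):
    """Run events through the rules and return the offenses generated.
    Each offense records the event and the list of rules that contributed
    to it; a single offense may be triggered by several rules."""
    offenses = []
    for ev in events:
        contributing = [r for r in RULES if rule_matches(r, ev)]
        if contributing:
            offenses.append({"event": ev, "rules": contributing})
    return offenses

def offense_count_by_rule(offenses):
    """Per-rule offense counts, most active rule first (the equivalent of
    sorting the Offense Count column in descending order)."""
    counts = Counter(r for o in offenses for r in o["rules"])
    return counts.most_common()

# Constructed sample events: two failed logins (one external, one internal)
# and one successful login that matches no rule.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.5", "category": "auth.failure"},
    {"src_ip": "10.0.0.7", "category": "auth.failure"},
    {"src_ip": "203.0.113.5", "category": "auth.success"},
]

if __name__ == "__main__":
    offs = correlate(SAMPLE_EVENTS)
    for rule, n in offense_count_by_rule(offs):
        print(f"{n}\t{rule}")
    print("rules contributing to first offense:", offs[0]["rules"])
```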

Viewing Rules That Are Deployed

You can view the rules that are deployed in your JSA deployment. For example, you can determine which rules are most active in generating offenses.

  1. Click the Offenses tab.
  2. On the navigation menu, click Rules.

    To determine which rules are most active in generating offenses, on the Rules page, click the Offense Count column heading to sort the list in descending order.

    For more information about your CRE configuration, see the Juniper Secure Analytics Users Guide.

  3. Double-click any rule to display the Rule Wizard. You can configure a response to each rule.

Investigating Offenses

JSA generates offenses by testing event and flow conditions. To investigate JSA offenses, you must view the rules that created the offense.

  1. Click the Offenses tab.
  2. On the navigation menu, click All Offenses.
  3. Double-click the offense that you are interested in.
  4. On the All Offenses Summary toolbar, click Display > Rules.
  5. From the List of Rules Contributing to Offense pane, double-click the Rule Name that you are interested in.

    Note: The All Offenses Rules pane might display multiple rule names if the offense that JSA generated was triggered by a series of different tests.

    For more information about investigating offenses, see the Juniper Secure Analytics Users Guide.