Rule Performance Visualization
Rule performance visualization extends the current logging around performance degradation and the expensive custom rules in the JSA pipeline. With rule performance visualization, you can easily determine the efficiency of rules in the JSA pipeline, directly from the Rules page.
Note: You must be an Administrator to turn on rule performance visualization. After rule performance visualization is turned on, users can view performance metrics for rules. For more information about turning on rule performance visualization, see the Juniper Secure Analytics Administration Guide.
When rule performance visualization is turned on, the Performance column is added to the Rules page. The Performance column is blank until a performance issue occurs in the custom rule engine.
When events or flows are routed to storage, JSA begins collecting metrics on enabled rules for efficiency measures. Metrics are collected on all event, common, and flow rules. When you save rule updates, the metrics are cleared for the rules that you updated to avoid any confusion around performance and updated rules. This option is configurable by an Administrator.
You can sort rules by their performance metrics and identify the more expensive rules. When you review the rules, you can adjust the tests to optimize each rule and reduce the load on the system.
With rule performance visualization, you see how expensive the rules are. JSA operations teams can monitor any expensive rules and ensure that they do not cause future performance issues.
By having rules run efficiently, the workload on the system can decrease. Over time, this efficiency can help JSA avoid performance degradations around rules, which can cause rules to bypass rule correlation. As a result, potentially suspect activity might not trigger a notification, and future security-related issues might be missed.
For more information about tuning rules, see the Juniper Secure Analytics Tuning Guide.
View the Metrics for a Rule
You can view the metrics for a rule from the Rules page when you move the mouse pointer over the colored bars in the Performance column, and in the Performance Analysis textbox, which is in the lower-right corner of the Rules page. You can also view the metrics for a rule in the Rule Wizard when you edit a rule. The timestamp in the Performance Analysis textbox shows when the metrics for the rule were updated.
From the Network Activity tab or the Log Activity tab, click Rules to display the Rules page. Double-click a rule to open the Rule Wizard.
Colors and Bars in the Performance Column on the Rules Page
The number of bars displayed is a visual aid for users with color blindness.
One red bar - The rule is under-performing and needs to be tuned. The EPS/FPS throughput for this rule is below the lower limit. Open the rule and tune the tests.
Two orange bars - The rule might need some tuning.
Three green bars - The rule has a high throughput above the upper limit of the EPS/FPS threshold.
The colors and number of bars can't be changed. The definition of a rule that is under-performing is configurable by an Administrator.