Using Reference Data in JSA
Use reference data collections to store and manage business data that you want to correlate against the events and flows in your JSA environment. You can add business data or data from external sources into a reference data collection, and then use the data in JSA searches, filters, rule test conditions, and rule responses.
Reference data collections are stored on the JSA console, but the collections are regularly copied to each managed host. For best performance on data lookups, the managed host caches the most frequently referenced data values.
External Threat Intelligence Data
You can use reference data collections to integrate indicator of compromise (IOC) data from third-party vendors into JSA. JSA uses IOC data to detect suspicious behavior faster, which helps security analysts investigate threats and respond to incidents more quickly.
For example, you can import IOC data, such as IP addresses, DNS names, URLs, and MD5 hashes, from open source or subscription-based threat data providers, and correlate it with events and incidents on your network.
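The following added example (not from the JSA documentation, and not a JSA API) shows the preparation a mixed third-party IOC feed typically needs before it is loaded into reference data collections and correlated with events: each indicator is refanged, validated, normalized, and sorted by type. The collection names, event field names, and sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
DNS_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def classify(raw):
    """Return (collection_name, normalized_value), or None if the entry is invalid."""
    # Undo common feed defanging (hxxp://, [.]) so values can match event fields.
    v = re.sub(r"^hxxp", "http", raw.strip().replace("[.]", "."), flags=re.I)
    try:
        return "ioc_ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if MD5_RE.match(v):
        return "ioc_md5", v.lower()
    if "://" in v:
        parts = urlsplit(v)
        ok = parts.scheme in ("http", "https") and parts.hostname
        return ("ioc_url", v) if ok else None
    name = v.lower().rstrip(".")
    return ("ioc_dns", name) if DNS_RE.match(name) else None

def build_collections(feed_lines):
    """Split a mixed feed into one deduplicated set per indicator type."""
    sets = {"ioc_ip": set(), "ioc_dns": set(), "ioc_url": set(), "ioc_md5": set()}
    rejected = []
    for line in (l.strip() for l in feed_lines):
        if not line or line.startswith("#"):
            continue  # skip blanks and feed comments
        hit = classify(line)
        if hit:
            sets[hit[0]].add(hit[1])
        else:
            rejected.append(line)  # keep for review instead of loading bad data
    return sets, rejected

def correlate(events, sets):
    """Return (event, collection_name) for every event field found in a collection."""
    # Hypothetical event field names mapped to the hypothetical collection names.
    fields = {"dst_ip": "ioc_ip", "query": "ioc_dns", "url": "ioc_url", "file_md5": "ioc_md5"}
    return [(e, name) for e in events for f, name in fields.items() if e.get(f) in sets[name]]

# Constructed sample data (documentation address ranges and example domains).
FEED = ["# vendor feed", "203.0.113[.]7", "203.0.113.7", "C2.Example.ORG", "999.1.1.1",
        "hxxp://files.example[.]net/update.bin", "0123456789ABCDEF0123456789abcdef"]
EVENTS = [{"dst_ip": "203.0.113.7"}, {"query": "c2.example.org"}, {"dst_ip": "192.0.2.10"}]
```

Entries that fail validation are returned separately so that they can be reviewed rather than silently loaded into a collection.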
Reference data collections can contain business data that is specific to your organization, such as a list of users with privileged system access. Use the business data to create blacklists and whitelists.
For example, use a reference set that contains the user IDs of terminated employees to prevent them from logging in to the network. Or, you can use business data to build a whitelist that allows only a limited set of IP addresses to do specific functions.