Policy Question Monitoring
JSA Risk Manager can monitor any predefined or user-generated question in Policy Monitor. You can use monitor mode to generate events in JSA Risk Manager.
When you monitor a policy question, JSA Risk Manager analyzes the question at the configured interval to determine if an asset or rule change generates an unapproved result. If JSA Risk Manager detects an unapproved result, an offense can be generated to alert you about a deviation in your defined policy. In monitor mode, JSA Risk Manager can simultaneously monitor the results of 10 questions.
Question monitoring provides the following key features:
- Monitor rule or asset changes for unapproved results at the configured interval.
- Use your high-level and low-level event categories to categorize unapproved results.
- Generate offenses, emails, syslog messages, or dashboard notifications on unapproved results.
- Use event viewing, correlation, event reporting, custom rules, and dashboards in JSA.
Monitoring a Policy Monitor Question and Generating Events
Monitor the results of policy monitor questions and configure the generation of events when the results of the monitored policy monitor questions change. You can set the policy evaluation interval, and configure events to send notifications.
- Click the Risks tab.
- On the navigation menu, click Policy Monitor.
- Select the question that you want to monitor.
- Click Monitor.
- Configure values for the parameters.
- Click Save Monitor.
The parameters that you configure for an event are described in the following table.
Table 1: Question Event Parameters
Policy evaluation interval
The frequency for the event to run.
The name of the event you want to display in the Log Activity and Offenses tabs.
The description for the event. The description is displayed in the Annotations of the event details.
The high-level event category that you want this rule to use when processing events.
The low-level event category that you want this rule to use when processing events.
Ensure the dispatched event is part of an offense
Forwards the events to the Magistrate component. If no offense is generated, a new offense is created. If an offense exists, the event is added.
If you correlate by question or simulation, then all events from a question are associated to a single offense.
If you correlate by asset, then a unique offense is created or updated for each unique asset.
Dispatch question passed events
Forwards events that pass the policy monitor question to the Magistrate component.
Note: You must enable this parameter to configure Vulnerability Score Adjustments, because these adjustments can be made to assets that pass policy monitor questions as well as to assets that fail them.
Vulnerability Score Adjustments
Adjusts the vulnerability risk score of an asset, depending on whether the question fails or passes. The vulnerability risk scores are adjusted in JSA Vulnerability Manager.
The additional actions to be taken when an event is received.
Separate multiple email addresses by using a comma.
Select Notify if you want events that are generated as a result of this monitored question to be displayed in the System Notifications item on the dashboard.
The syslog output might resemble the following code:
Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name:SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
Monitor the question.
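A parser for the syslog line shown above, as an added example that is not part of the original documentation or the product's own code. It assumes the field order of that one sample and treats the number after the destination as the IP protocol number; the two extra log lines are constructed, and `parse_rule_fired` and `events_by_rule` are hypothetical names.

```python
import ipaddress
import re

# First line is the sample from the page; the other two are constructed.
SAMPLE_LINES = [
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
    "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name:SCAN SYN FIN, "
    "QID: 1000398, Category: 1011, Notes: Event description",
    "Sep 28 12:40:10 localhost.localdomain sshd[912]: session opened",
    "Sep 28 12:41:00 jsa01 ECS: Rule 'DMZ can't reach DB' Fired: "
    "10.0.0.5:40000 -> 10.0.1.9:1433 6, Event Name:Policy failed, DMZ to DB, "
    "QID: 99999001, Category: 1011, Notes: owner notified, ticket open",
]

# Assumed layout (IPv4 only). The greedy rule name and lazy event name
# tolerate apostrophes and commas inside the free-text fields.
ECS_RULE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Rule '(?P<rule>.*)' Fired: "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<proto>\d+), "
    r"Event Name:\s*(?P<event_name>.*?), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)
INT_FIELDS = ("src_port", "dst_port", "proto", "qid", "category")

def parse_rule_fired(line):
    """Return the fields of a 'Rule ... Fired' line as a dict, else None."""
    m = ECS_RULE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        for key in ("src_ip", "dst_ip"):
            ipaddress.ip_address(rec[key])  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def events_by_rule(lines):
    """Group parsed events by rule name, skipping unrelated syslog lines."""
    grouped = {}
    for rec in filter(None, map(parse_rule_fired, lines)):
        grouped.setdefault(rec["rule"], []).append(rec)
    return grouped

if __name__ == "__main__":
    for rule, evts in events_by_rule(SAMPLE_LINES).items():
        print(rule, [(e["dst_ip"], e["dst_port"], e["qid"]) for e in evts])
```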