Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Guidelines for Tuning System Performance

 

How you tune JSA depends on different scenarios and whether you have one target or many targets within your network.

To ensure reliable system performance, you must consider the following guidelines:

  • Disable rules that produce numerous unwanted offenses.

  • To tune CRE rules, increase the rule threshold by doubling the numeric parameters and the time interval.

  • Consider modifying rules to consider the local network context rather than the remote network context.

  • When you edit a rule with the attach events for the next 300 seconds option enabled, wait 300 seconds before you close the related offenses.

For more information, see the Juniper Secure Analytics Users Guide.

The following table provides information on how to tune false positives according to these differing scenarios.

Table 1: Tuning Methodology.

Scenario

One Target

Many Targets

One attacker, one event

Use the False Positive Wizard to tune the specific event.

Use the False Positive Wizard to tune the specific event.

One attacker, many unique events in the same category

Use the False Positive Wizard to tune the category.

Use the False Positive Wizard to tune the category.

Many attackers, one event

Use the False Positive Wizard to tune the specific event.

Edit the building blocks by using the Custom Rules Editor to tune the specific event.

Many attackers, many events in the same category

Use the False Positive Wizard to tune the category.

Edit building blocks by using the Custom Rules Editor to tune the category.

One attacker, many unique events in different categories

Investigate the offense and determine the nature of the attacker. If the offense or offenses can be tuned out, edit the building blocks by using the Custom Rules Editor to tune categories for the host IP address.

Investigate the offense and determine the nature of the attacker. If the offense or offenses can be tuned out, edit the building blocks by using the Custom Rules Editor to tune the categories for the host IP address.

Many attackers, many unique events in different categories

Edit the building blocks by using the Custom Rules Editor to tune the categories.

Edit the building blocks by using the Custom Rules Editor to tune the categories.

Tuning False Positives

You can tune false positive events and flows to prevent them from creating offenses.

To create a new rule, you must have the Offenses > Maintain Custom Rules permission for creating customized rules to tune false positives. For more information about roles and permissions, see the Juniper Secure Analytics Users Guide.

  1. Click the Log Activity tab, or the Network Activity tab.
  2. Select the event or flow that you want to tune.
  3. Click False Positive.

    If you are viewing events or flows in streaming mode, you must pause streaming before you click False Positive.

  4. Select one of the following Event or Flow Property options:
    • Event/Flow(s) with a specific QID of <Event>

    • Any Event/Flow(s) with a low-level category of <Event>

    • Any Event/Flow(s) with a high-level category of <Event>

  5. Select one of the following Traffic Direction options:
    • <Source IP Address> to <Destination IP Address>

    • <Source IP Address> to Any Destination

    • Any Source to <Destination IP Address>

    • Any Source to any Destination

  6. Click Tune.

    JSA prevents you from selecting Any Events/Flow(s) and Any Source To Any Destination. This change creates a custom rule and prevents JSA from creating offenses.

    For more information about tuning false positives, see the Juniper Secure Analytics Users Guide.

False Positives Configuration

Manage the configuration of false positives to minimize their impact on legitimate threats and vulnerabilities. To prevent JSA from generating an excessive number of false positives, you can tune false positive events and flows to prevent them from creating offenses.

False Positive Rule Chains

The first rule to execute in the custom rules engine (CRE) is FalsePositive:False Positive Rules and Building Blocks. When it loads, all of its dependencies are loaded and tested.

When an event or flow successfully matches the rule, it bypasses all other rules in the CRE in order to prevent it from creating an offense.

Creating False Positive Building Blocks

When you create false positive building blocks within JSA, you must review the following information:

  • Naming conventions --Use a methodology similar to the default rule set, by creating new building blocks by using the following naming convention:

    <CustomerName>-BB:False Positive: All False Positive Building Blocks, where: <CustomerName> is a name that you assign to the false positive building block.

  • False positive building blocks --Building blocks must contain the test: and when a flow or an event matches any of the following rules. This test is a collection point for false positive building blocks and helps you to quickly find and identify customizations. Note the following guidelines when you create your false positive building blocks:

    • When the <CustomerName>-BB:False Positive: All False Positive Building Block is created, add it to the test in the rule FalsePositive: False Positive Rules and Building Blocks.

    • When the new false positive building block is created, you can create new building blocks to match the traffic that you want to prevent from creating offenses. Add these building blocks to the <CustomerName>-BB:False Positive: All False Positive Building block.

    • To prevent events from creating offenses, you must create a new building block that matches the traffic that you are interested in. Save this as a building block <CustomerName>-BB:False Positive: <name_of_rule>, then edit <CustomerName>-BB:False Positive: All False Positive building blocks, to include the rule that you created.

    Note

    If you add a rule or building block that includes a rule to the FalsePositive: False Positive Rules and Building Blocks rule, the rule that you add runs before the event is dropped by the CRE and might create offenses by overriding the false positive test.

Custom Rule Testing Order

When you build custom rules, you must optimize the order of the testing to ensure that the rules do not impact custom rules engine (CRE) performance.

The tests in a rule are executed in the order that they are displayed in the user interface. The most memory intensive tests for the CRE are the payload and regular expression searches. To ensure that these tests run against a smaller subset of data and execute faster, you must first include one of the following tests:

  • when the event(s) were detected by one or more of these log source types

  • when the event QID is one of the following QIDs

  • when the source IP is one of the following IP addresses

  • when the destination IP is one of the following IP addresses

  • when the local IP is one of the following IP addresses

  • when the remote IP is one of the following IP addresses

  • when either the source or destination IP is one of the following IP addresses

  • when the event(s) were detected by one of more of these log sources

You can further optimize JSA by exporting common tests to building blocks. Building blocks execute per event as opposed to multiple times if tests are individually included in a rule.

For more information about optimizing custom rules, see the Juniper Secure Analytics Users Guide.