JSA Rules and Offenses
The configuration rule that is defined in the Custom Rules Engine (CRE) is used to generate offenses.
The following list describes rules and offenses:
CRE --The Custom Rules Engine (CRE) displays the rules and building blocks that are used by JSA. Rules and building blocks are stored in two separate lists because they function differently. The CRE provides information about how the rules are grouped, the types of tests that the rule performs, and the responses that each rule generates. For more information about rules and offenses, see the JSA User Guide.
Rules --A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense. The actions that can be triggered include sending an email or generating a syslog message. A rule can reference multiple building blocks by using the tests that are found in the function sections of the test groups within the Rule Editor.
Offenses --As event and flow data passes through the CRE, it is correlated against the rules that are configured and an offense can be generated based on this correlation. You view offenses on the Offenses tab.
Viewing Rules That Are Deployed
You can view the rules that are deployed in your JSA deployment. For example, you can determine which rules are most active in generating offenses.
- Click the Offenses tab.
- On the navigation menu, click Rules.
- To determine which rules are most active in generating offenses, from the rules page, click Offense Count to reorder the column in descending order.
- Double-click any rule to display the Rule Wizard. You can configure a response to each rule.
For more information about your CRE configuration, see the Juniper Secure Analytics User Guide.
Use the JSA Use Case Manager to tune the most active rules that create offenses and to tune the rules that generate CRE events.
JSA generates offenses by testing event and flow conditions. To investigate JSA offenses, you must view the rules that created the offense.
- Click the Offenses tab.
- On the navigation menu, click All Offenses.
- Double-click the offense that you are interested in.
- On the All Offenses Summary toolbar, click Display >Rules.
- From the List of Rules Contributing to Offense pane, double-click the Rule Name that you are interested
The All Offenses Rules pane might display multiple rule names, if the offense generated by JSA is triggered by a series of different tests.
For more information about investigating offenses, see the Juniper Secure Analytics Users Guide.