Configuring Charts
The chart type determines the data configured and displayed in the chart. You can create several charts specific to data collected by devices in JSA Risk Manager.
The following chart types are specific to JSA Risk Manager:
Connection Charts
You can use the Connections chart to view network connection information. You can base your charts on data from saved connection searches from the Risks tab.
You can customize the data that you want to display in the generated report. You can configure the chart to plot data over a configurable time period. This functionality helps you to detect connection trends.
The following table provides configuration information for the Connections Chart container.
Table 1: Connections Chart Parameters
Parameter | Description |
---|---|
Container Details - Connections | |
Chart Title | Type a chart title to a maximum of 100 characters. |
Chart Sub-Title | Clear the check box to change the automatically created subtitle. Type a title to a maximum of 100 characters. |
Graph Type | From the list, select the type of graph to display on the generated report. Options include: Bar—Displays the data in a bar chart. This is the default graph type. This graph type requires the saved search to be a grouped search. Line—Displays the data in a line chart. Pie—Displays the data in a pie chart. This graph type requires the saved search to be a grouped search. Stacked Bar—Displays the data in a stacked bar chart. Stacked Line—Displays the data in a stacked line chart. Table—Displays the data in table format. The Table option is available only for the full page width container. |
Graph | From the list, select the number of connections to be displayed in the generated report. |
Manual Scheduling | The Manual Scheduling pane is displayed only if you selected the Manually scheduling option in the Report Wizard. To create a manual schedule: |
Hourly Scheduling | The Hourly Scheduling pane is displayed only if you selected the Hourly scheduling option in the Report Wizard. Hourly Scheduling automatically graphs all data from the previous hour. |
Daily Scheduling | The Daily Scheduling pane is displayed only if you selected the Daily scheduling option in the Report Wizard. Choose one of the following options: All data from previous day (24 hours); Data of previous day from: From the lists, select the time period that you want for the generated report. Time is available in half-hour increments. The default is 1:00 am. |
Weekly Scheduling | The Weekly Scheduling pane is displayed only if you selected the Weekly scheduling option in the Report Wizard. Choose one of the following options: All data from previous week; All Data from previous week from: From the lists, select the time period that you want for the generated report. The default is Sunday. |
Monthly Scheduling | The Monthly Scheduling pane is displayed only if you selected the Monthly scheduling option in the Report Wizard. Choose one of the following options: All data from previous month; Data from previous month from the: From the lists, select the time period that you want for the generated report. The default is 1st to 31st. |
Graph Content | |
Group | From the list, select a saved search group to display the saved searches that belong to that group in the Available Saved Searches list. |
Type Saved Search or Select from List | To refine the Available Saved Searches list, type the name of the search you want to locate in the Type Saved Search or Select from List field. You can also type a keyword to display a list of searches that include that keyword. For example, type DMZ to display a list of all searches that include DMZ in the search name. |
Available Saved Searches | Provides a list of available saved searches. By default, all available saved searches are displayed. However, you can filter the list by selecting a group from the Group list or typing the name of a known saved search in the Type Saved Search or Select from List field. |
Create New Connection Search | Click Create New Connection Search to create a new search. |
Device Rules Charts
You can use the Device Rules chart to view firewall rules and the event count of firewall rules triggered in your network.
Device Rules reports allow you to create a report for the following firewall rules:
Most active accept device rules
Most active deny device rules
Least active accept device rules
Least active deny device rules
Unused device rules
Shadowed device rules
The reports that you generate allow you to understand what rules are accepted, denied, unused, or untriggered across a single device, a specific adapter, or multiple devices. Reports allow JSA Risk Manager to automate reporting about the status of your device rules and display the reports on the JSA console.
This functionality helps you identify how rules are used on your network devices.
To create a Device Rules Chart container, configure values for the following parameters:
Table 2: Device Rules Chart Parameters
Parameter | Description |
---|---|
Container Details - Device Rules | |
Limit Rules to Top | From the list, select the number of rules to be displayed in the generated report. For example, if you limit your report to the top 10 rules, then create a report for most used accept rules across all devices, the report returns 10 results. The results contain a list of the 10 most used accept rules based on the event count across all devices that are visible to JSA Risk Manager. |
Type | Select the type of device rules to display in the report. Options include: Most Used Accept Rules—Displays the most used accept rules by event count for a single device or a group of devices. This report lists the rules with the highest accepted event counts, in descending order, for the time frame you specified in the report. Most Used Deny Rules—Displays the most used deny rules by event count for a single device or a group of devices. This report lists the rules with the highest deny event counts, in descending order, for the time frame you specified in the report. Unused Rules—Displays any rules for a single device or a group of devices that are unused. Unused rules have zero event counts for the time frame you specified for the report. Least Used Accept Rules—Displays the least used accept rules for a single device or a group of devices. This report lists rules with the lowest accept event counts, in ascending order, for the time frame you specified in the report. Least Used Deny Rules—Displays the least used deny rules for a single device or a group of devices. This report lists rules with the lowest denied event counts, in ascending order, for the time frame you specified in the report. Shadowed Rules—Displays any rules for a single device that can never trigger because the rule is blocked by a preceding rule. The results display a table of the rule creating the shadow and any rules that can never trigger on your device because they are shadowed by a preceding rule on the device. Note: Shadowed rule reports can only be run against a single device. These rules have zero event counts for the time frame you specified for the report and are identified with an icon in the Status column. |
Date/Time Range | Select the time frame for your report. The options include: Current Configuration—The results of the Device Rules report are based on the rules that exist in the current device configuration. This report displays rules and event counts for the existing device configuration. The current configuration for a device is based on the last time Configuration Source Management backed up your network device. Interval—The results of the Device Rules report are based on the rules that existed during the time frame of the interval. This report displays rules and event counts for the specified interval from the last hour to 30 days. Specific Range—The results of the Device Rules report are based on the rules that existed between the start time and end time of the time range. This report displays rules and event counts for the specified time frame. |
Timezone | Select the timezone you want to use as a basis for your report. The default timezone is based on the configuration of your JSA console. When configuring the Timezone parameter for your report, consider the location of the devices associated with the reported data. If the report uses data spanning multiple time zones, the data used for the report is based on the specific time range of the time zone. For example, if your JSA console is configured for Eastern Standard Time (EST) and you schedule a daily report between 1pm and 3pm and set the timezone as Central Standard Time (CST), the results in the report contain information from 2pm to 4pm EST. |
Targeted Data Selection | Targeted Data Selection is used to filter the Date/Time Range to a specific value. Using the Targeted Data Selection options, you can create a report to view your device rules over a custom defined period of time, with the option to only include data from the hours and days that you select. For example, you can schedule a report to run from October 1 to October 31 and view your most active, least active or unused rules and their rule counts that occur during your business hours, such as Monday to Friday, 8 AM to 9 PM. Note: The filter details only display when you select the Targeted Data Selection check box in the Report Wizard. |
Format | Select the format for your device rules report. The options include: One aggregate report for specified devices—This report format aggregates the report data across multiple devices. For example, if you create a report to display the top ten most denied rules, then an aggregate report displays the top ten most denied rules across all of the devices you have selected for the report. This report returns 10 results in total for the report. One report per device—This report format displays the report data for one device. For example, if you create a report to display the top ten most denied rules, then the report displays the top ten most denied rules for each device you have selected for the report. This report returns the top 10 results for every device selected for the report. If you selected 5 devices, the report returns 50 results. Note: Shadowed rule reports are only capable of displaying one report per device. |
Devices | Select the devices included in the report. The options include: All Devices—Select this option to include all devices in JSA Risk Manager in your report. Adapter—From the list, select an adapter type to include in your report. Only one adapter type can be selected from the list for a report. Specific Devices—Select this option to only include specific devices in your report. The Device Selection window allows you to select and add devices to your report. To add individual devices to your report: To add all devices to your report: To search for devices to include in your report: |
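
The difference between the Most Used, Unused and Shadowed report types in Table 2 can be seen on a small ordered rule set. The following Python code is an added example, not JSA Risk Manager code; the `Rule` fields, the sample rules and the `covers` test (source, destination and port only) are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_network

# Constructed sample: ordered rules of one hypothetical device, with event
# counts for the report time frame (not the JSA Risk Manager data model).
Rule = namedtuple("Rule", "name action src dst port events")
RULES = [
    Rule("r1", "accept", "10.0.0.0/8",  "192.0.2.0/24",    443,  950),
    Rule("r2", "accept", "10.0.0.0/8",  "198.51.100.0/24", 25,   12),
    Rule("r3", "deny",   "0.0.0.0/0",   "192.0.2.0/24",    None, 120),
    Rule("r4", "accept", "10.1.0.0/16", "192.0.2.10/32",   22,   0),
    Rule("r5", "accept", "10.2.0.0/16", "203.0.113.0/24",  80,   0),
    Rule("r6", "deny",   "0.0.0.0/0",   "0.0.0.0/0",       None, 4000),
]

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`.
    A port of None means any port (assumption of this example)."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.port in (None, later.port))

def shadowed(rules):
    """Map each rule that can never trigger to the preceding rule shadowing it."""
    result = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                result[later.name] = earlier.name
                break
    return result

def unused(rules):
    """Rules with zero event counts in the time frame."""
    return [r.name for r in rules if r.events == 0]

def most_used(rules, action, top):
    """Top `top` rules of one action by event count, in descending order."""
    hits = sorted((r for r in rules if r.action == action),
                  key=lambda r: r.events, reverse=True)
    return [r.name for r in hits[:top]]

if __name__ == "__main__":
    print("most used accept:", most_used(RULES, "accept", 2))
    print("unused:", unused(RULES))
    print("shadowed (rule -> shadowing rule):", shadowed(RULES))
```

Both r4 and r5 appear as unused, but only r4 is shadowed: it has no events because r3 matches its traffic first, whereas r5 is reachable and saw no matching traffic.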
Device Unused Objects Charts
A Device Unused Objects report displays object reference groups that are not being used by your network device.
This report displays object references, such as a collection of IP addresses, CIDR address ranges, or host names that are unused by your network device.
When you configure a device unused objects container, you configure values for the following parameters:
Table 3: Device Unused Objects Report Parameters
Parameter | Description |
---|---|
Container Details - Device Unused Objects | |
Limit Objects to Top | From the list, select the number of rules to be displayed in the generated report. |
Devices | Select the devices included in the report. The options include: All Devices—Select this option to include all devices in JSA Risk Manager in your report. Adapter—From the list, select an adapter type to include in your report. Only one adapter type can be selected from the list for a report. Specific Devices—Select this option to only include specific devices in your report. The Device Selection window allows you to select and add devices to your report. To add individual devices to your report: To add all devices to your report: To search for devices to include in your report: |