Baseline Maintenance
The JSA Baseline Maintenance Content Extension updates several rules, building blocks, and other content from the core enterprise template in JSA.
About the Baseline Maintenance Extension
Installing this extension does not impact user-modified rules; instead, it updates the rule template to correct rule and building block issues and to apply performance tuning across multiple categories. Custom properties, searches, or dashboard items that are installed by the app overwrite existing values to keep them up to date.
Default Baseline Maintenance Extension Version
The following Baseline Maintenance extension versions are installed with JSA by default.
JSA version 7.3.3 is installed with JSA Baseline Maintenance Content Extension V1.0.10
JSA version 7.3.2 is installed with JSA Baseline Maintenance Content Extension V1.0.4
JSA Baseline Maintenance Content Extensions
JSA Baseline Maintenance Content Extension V1.1.0
The following table shows the custom properties that are new or updated in JSA Baseline Maintenance Content Extension V1.1.0.
Table 1: Custom Properties Updated in JSA Baseline Maintenance Content Extension V1.1.0
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Event Summary | Yes | 1 | sum=([^\t]+) |
The following table shows the building blocks that are new or updated in JSA Baseline Maintenance Content Extension V1.1.0.
Table 2: Building Blocks in JSA Baseline Maintenance Content Extension V1.1.0
Name | Description |
---|---|
BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positives Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks. |
BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positives Categories and BB:FalsePositive: DNS Server False Positive Events building blocks. |
BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positives Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks. |
BB:HostReference: Database Servers | Include database server IP addresses in the Database Servers - IP reference set. |
BB:HostReference: DHCP Servers | Include DHCP server IP addresses in the DHCP Servers - IP reference set. |
BB:HostReference: DNS Servers | Include DNS server IP addresses in the DNS Servers - IP reference set. |
BB:HostReference: FTP Servers | Include FTP server IP addresses in the FTP Servers - IP reference set. |
BB:HostReference: LDAP Servers | Include LDAP server IP addresses in the LDAP Servers - IP reference set. |
BB:HostReference: Mail Servers | Include mail server IP addresses in the Mail Servers - IP reference set. |
BB:HostReference: Proxy Servers | Include proxy server IP addresses in the Proxy Servers - IP reference set. |
BB:HostReference: SSH Servers | Include SSH server IP addresses in the SSH Servers - IP reference set. |
BB:HostReference: Web Servers | Include web server IP addresses in the Web Servers - IP reference set. |
BB:HostReference: Windows Servers | Include Windows server IP addresses in the Windows Servers - IP reference set. |
The following table shows the reference set that is updated in JSA Baseline Maintenance Content Extension V1.1.0.
Table 3: Reference Set Updated in JSA Baseline Maintenance Content Extension V1.1.0
Reference set | Description |
---|---|
JSA Deployment | Corrected the number of IP addresses contained in this reference set. |
The following table shows the saved searches that are new or updated in JSA Baseline Maintenance Content Extension V1.1.0.
Table 4: Saved Searches in JSA Baseline Maintenance Content Extension V1.1.0
Saved search | Description |
---|---|
Deviating Asset Growth: Asset Report | Updated to allow the search to be translated. |
Deviating Asset Growth: Log Source Report | Updated to allow the search to be translated. |
Event Rate (EPS) | Updated from an EPS function to a count function by changing the search value from Average to Count. |
Flow Rate (FPS) | Updated from an FPS function to a Count function by changing the search value from Average to Count. |
JSA Baseline Maintenance Content Extension V1.0.10
This release includes a fix for broken links between rules and groups, and between searches and groups.
The following table shows the custom properties that are new or updated in JSA Baseline Maintenance Content Extension V1.0.10.
Table 5: Custom Properties Updated in JSA Baseline Maintenance Content Extension V1.0.10
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Group ID | Yes | 1 | Group ID: (\d+) |
The following table shows the rules that are new or updated in JSA Baseline Maintenance Content Extension V1.0.10.
Table 6: Rules Added in JSA Baseline Maintenance Content Extension V1.0.10
Type | Name | Description |
---|---|---|
Rule | User Load Basic Building Blocks | This rule is a customizable version of the Load Basic Building Blocks rule. It loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. Customizations intended for the Load Basic Building Blocks rule should instead be applied here, because customizations to the Load Basic Building Blocks rule prevent future updates to that rule from taking effect. If customizations have already been applied to Load Basic Building Blocks, copy the existing rule here and enable it. Then, revert Load Basic Building Blocks to its initial state. |
JSA Baseline Maintenance Content Extension V1.0.9
The following table shows the new or updated rules and building blocks in JSA Baseline Maintenance Content Extension V1.0.9.
Table 7: New or Updated Rules and Building Blocks in JSA Baseline Maintenance Content Extension V1.0.9
Type | Name | Description |
---|---|---|
Rule | Load Basic Building Blocks | This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. The following building blocks were added to this rule: |
Building Block | BB:CategoryDefinition: SIEM User and Role Modifications | Added new Building Block. Checks the QID specific to JSA user and role creation and modification. |
JSA Baseline Maintenance Content Extension V1.0.8
The following table shows the new or updated custom properties in JSA Baseline Maintenance Content Extension V1.0.8.
Table 8: New or Updated Custom Properties in JSA Baseline Maintenance Content Extension V1.0.8
Name | Optimized | Capture Group | Regex |
---|---|---|---|
File Path | No | 1 | filePath=([^\t]+)[\t]* |
Accesses | Yes | 1 | Accesses: (.*?) Privileges: |
Access intent | Yes | 1 | intent=([^\t]+) |
The AVT-App-VolumePackets, AVT-App-Name, AVT-App-VolumeBytes, and AVT-App-Category custom properties were removed in this release.
The following table shows the new or updated rules and building blocks in JSA Baseline Maintenance Content Extension V1.0.8.
Table 9: New or Updated Rules and Building Blocks in JSA Baseline Maintenance Content Extension V1.0.8
Type | Name | Description |
---|---|---|
Rule | System: Notification | Removed QID 38750002 for general warning. |
Building Block | BB:DeviceDefinition: Proxy | Added new devices: Forcepoint V Series, Microsoft ISA, McAfee Web Gateway. |
Building Block | BB:DeviceDefinition: Cloud | Added new Building Block. Defines all Cloud devices on the system. |
Building Block | BB:DeviceDefinition: DLP Devices | Added new Building Block. Defines all data loss prevention (DLP) devices on the system. |
Building Block | BB:DeviceDefinition: Mail | Added new Building Block. Defines all Mail devices on the system. |
Building Block | BB:DeviceDefinition: Operating System | Added new Building Block. Defines all Operating Systems on the system. |
JSA Baseline Maintenance Content Extension V1.0.7
The following table shows the new or changed custom properties in JSA Baseline Maintenance Content Extension V1.0.7.
Table 10: New or Changed Custom Properties in JSA Baseline Maintenance Content Extension V1.0.7
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Destination Host Name | Yes | 1 | dstHostName=([^\t]+)[\t]* |
EventID | Yes | 1 | \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+) |
The following table shows the new or changed rules and building blocks in JSA Baseline Maintenance Content Extension V1.0.7.
Table 11: New or Changed Rules and Building Blocks in JSA Baseline Maintenance Content Extension V1.0.7
Type | Name | Description |
---|---|---|
Rule | System: Notification | This rule ensures that notification events are sent to the notification framework. Added new QIDs. |
Building Block | BB:HostReference: Database Servers | This building block defines typical database servers. |
Building Block | BB:HostReference: DHCP Servers | This building block defines typical DHCP servers. |
Building Block | BB:HostReference: DNS Servers | This building block defines typical DNS servers. |
Building Block | BB:HostReference: FTP Servers | This building block defines typical FTP servers. |
Building Block | BB:HostReference: LDAP Servers | This building block defines typical LDAP servers. |
Building Block | BB:HostReference: Mail Servers | This building block defines typical mail servers. |
Building Block | BB:HostReference: SSH Servers | This building block defines typical SSH servers. |
Building Block | BB:HostReference: Web Servers | This building block defines typical web servers. |
Building Block | BB:HostReference: Windows Servers | This building block defines typical Microsoft Windows servers. |
Building Block | BB:CategoryDefinition: Authentication Success | Updated this building block to remove 2 LLCs: Privilege Escalation Succeeded and Password Changed Succeeded. |
Building Block | BB:CategoryDefinition: Authentication Fail | Updated this building block to remove 2 LLCs: Privilege Escalation Failed and Password Changed Failed. |
The following table shows the new or changed saved searches in JSA Baseline Maintenance Content Extension V1.0.7.
Table 12: New or Changed Saved Searches in JSA Baseline Maintenance Content Extension V1.0.7
Name | Description |
---|---|
SSH Logins | Search retrieving the authentication successes on the JSA system itself (web and SSH). |
UI Logins | Search retrieving the authentication successes on the JSA system itself (web and SSH). |
Offences over time | Search retrieving the authentication successes on the JSA system itself (web and SSH). |
Deviating asset growth: Asset Report | Search retrieving the authentication successes on the JSA system itself (web and SSH). |
Deviating asset growth: Log Source Report | Search retrieving the authentication successes on the JSA system itself (web and SSH). |
JSA Baseline Maintenance Content Extension V1.0.6
The following table shows the custom properties in JSA Baseline Maintenance Content Extension V1.0.6.
Table 13: Custom Properties in JSA Baseline Maintenance Content Extension V1.0.6
Name | Optimized | Capture Group | Regex |
---|---|---|---|
ObjectName | Yes | 1 | ObjectName: (.*) |
Event Summary | Yes | 1 | sum=([^\t]+) |
EventID | Yes | 1 | \d{1,2}\:\d{1,2}\:\d{1,2}\s+\d{1,4}\s+(\d+) |
SSH Login Audit | Yes | 1 | \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .* |
Log Source Host | Yes | 1 | \s+hostName=(\S+) |
VirusName | Yes | 1 | Virus Name: (.*?), |
Audit Object ID | Yes | 1 | \s+id=(\S+) |
The following table shows the rules and building blocks in JSA Baseline Maintenance Content Extension V1.0.6.
Table 14: Rules and Building Blocks in JSA Baseline Maintenance Content Extension V1.0.6
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Auditing Changed | Added new QIDs and removed some other QIDs. |
Building Block | BB:CategoryDefinition: Successful Database Connections | Changed the name from BB:CategoryDefinition: Database Connections. Removed Oracle RDBMS Audit Record and added BB:DeviceDefinition: Database. |
Building Block | BB:CategoryDefinition: Malicious Attacks | Changed the name from BB:Malicious Attacks. Edit this building block to define malicious attacks. |
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack. |
Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port. |
Rule | Destination Vulnerable to Different Exploit than Attempted on Targeted Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to some attack but not the one being attempted. |
The following table shows the saved searches in JSA Baseline Maintenance Content Extension V1.0.6.
Table 15: Saved Searches in JSA Baseline Maintenance Content Extension V1.0.6
Name | Description |
---|---|
SSH Logins | Search retrieving the |
UI Logins | Search retrieving the UI authentication successes on the JSA system itself. |
JSA Baseline Maintenance Content Extension V1.0.5
The following table shows the custom properties that are updated in JSA Baseline Maintenance Content Extension V1.0.5.
Table 16: Custom Properties in JSA Baseline Maintenance Content Extension V1.0.5
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Events per Second Raw - Peak 1 Sec | Yes | 1 | StatFilter.+1s\:\d+\,\d+\s\(peak\s\d+\,(\d+) |
Events per Second Coalesced - Peak 1 Sec | Yes | 1 | StatFilter.+1s\:\d+\,\d+\s\(peak\s(\d+) |
AccountName | Yes | 2 | Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+ |
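Before a rule or report depends on one of these custom properties, it is worth checking what each regex and capture group actually pulls out of a payload. The following Python example is added here and is not part of the extension or of this document: it applies the regexes and capture groups from Tables 13 and 16 to constructed sample payloads (the host names, IDs, and numbers are made up), including the AccountName property, whose capture group 2 selects the second "Account Name:" field rather than the first.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CustomProperty:
    """One row of a custom-property table: name, regex, and the capture group to keep."""
    name: str
    regex: str
    capture_group: int = 1

    def extract(self, payload: str) -> Optional[str]:
        """Return the selected capture group, or None when the regex does not match
        or when the configured capture group does not exist in the pattern."""
        m = re.search(self.regex, payload)
        if m is None or self.capture_group > m.re.groups:
            return None
        return m.group(self.capture_group)


# Regexes and capture groups copied from Tables 13 (V1.0.6) and 16 (V1.0.5).
PROPERTIES = [
    CustomProperty("Event Summary", r"sum=([^\t]+)"),
    CustomProperty("Log Source Host", r"\s+hostName=(\S+)"),
    CustomProperty("Audit Object ID", r"\s+id=(\S+)"),
    CustomProperty("VirusName", r"Virus Name: (.*?),"),
    # Capture group 2: the first "Account Name:" is the subject, the second is the logon.
    CustomProperty("AccountName",
                   r"Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+", capture_group=2),
    CustomProperty("Events per Second Raw - Peak 1 Sec",
                   r"StatFilter.+1s\:\d+\,\d+\s\(peak\s\d+\,(\d+)"),
    CustomProperty("Events per Second Coalesced - Peak 1 Sec",
                   r"StatFilter.+1s\:\d+\,\d+\s\(peak\s(\d+)"),
]

# Constructed sample payloads (not real JSA output). The audit payload is
# tab-delimited, which is what the [^\t]+ and \s+...=(\S+) patterns rely on.
AUDIT_PAYLOAD = ("Jan 10 10:15:30 console [Audit] user=admin sum=Rule modified"
                 "\thostName=jsa-console.example.test\tid=10045\t")
AV_PAYLOAD = "Virus Name: Eicar-Test-Signature, Action: quarantined"
WINDOWS_PAYLOAD = ("An account was successfully logged on. Subject: Account Name: SYSTEM "
                   "Account Domain: WORKGROUP New Logon: Account Name: jdoe Account Domain: CORP")
STATS_PAYLOAD = "... StatFilter: events per second 1s:120,150 (peak 200,260) 60s:110,140 ..."


def extract_all(payload: str) -> dict:
    """Apply every property to one payload; values are None where a regex does not match."""
    return {p.name: p.extract(payload) for p in PROPERTIES}


if __name__ == "__main__":
    for label, payload in [("audit", AUDIT_PAYLOAD), ("av", AV_PAYLOAD),
                           ("windows", WINDOWS_PAYLOAD), ("stats", STATS_PAYLOAD)]:
        matched = {k: v for k, v in extract_all(payload).items() if v is not None}
        print(label, matched)
```

A property whose table capture group is higher than the number of groups in its regex returns None instead of raising, which mirrors a misconfigured row producing an empty property.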
The following table shows the rules and building blocks in JSA Baseline Maintenance Content Extension V1.0.5.
Table 17: Rules and Building Blocks in JSA Baseline Maintenance Content Extension V1.0.5
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: IDS / IPS | Defines all intrusion detection systems (IDS) and intrusion prevention systems (IPS) on the system. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system. |
Building Block | BB:DeviceDefinition: VPN | Defines all virtual private networks (VPN) on the system. |
Building Block | BB:DeviceDefinition: Database | Defines all databases on the system. |
Building Block | BB:DeviceDefinition: Proxy | Defines all proxy sources on the system. |
Building Block | BB:DeviceDefinition: AV/AM | Defines all anti-virus (AV) and anti-malware (AM) systems on the system. |
Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers. |
Building Block | BB:Failed Events | Edit this building block to define failed events. |
Building Block | BB:IT Admin Events | Edit this building block to define actions performed by IT admin staff. |
Building Block | BB:External Contractor Policy Violation Events | Edit this building block to define policy violations caused by external contractors. |
Building Block | BB:Mobile Worker Policy Violation Events | Edit this building block to define policy violations caused by mobile workers. |
Building Block | BB:Teleworker Policy Violation Events | Edit this building block to define policy violations caused by teleworkers. |
Building Block | BB:External Contractor Failed Events | Edit this building block to define failures caused by external contractors. |
Building Block | BB:Mobile Worker Failed Events | Edit this building block to define failures caused by mobile workers. |
Building Block | BB:Teleworker Failed Events | Edit this building block to define failures caused by teleworkers. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies Internet Control Message Protocol (ICMP) flows with suspicious ICMP type codes. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0. |
Building Block | BB:CategoryDefinition: Privileged Escalations | Identifies a privilege escalation on an event. |
Building Block | BB:CategoryDefinition: Privileged Escalation Failed | Identifies a failed privilege escalation on an event. |
Building Block | BB:Malicious Attacks | Edit this building block to define malicious attacks. |
Rule | Malware or Virus Clean Failed | Detects when a system detected a virus and failed to clean or remove it. Added the following new QIDs: |
Rule | Vulnerabilities: Vulnerability Reported by Scanner | Detects when a vulnerability has been discovered on a local host. |
Rule | Policy: New Service Discovered | Detects when an existing host has a new service discovered on it. |
Rule | Policy: New Service Discovered in DMZ | Detects when an existing host has a new service discovered on it. |
Rule | Policy: New Host Discovered | Detects when a new host has been discovered on the network. |
Rule | Policy: New Host Discovered in DMZ | Detects when a new host has been discovered on the network. |
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack. |
Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port. |
The following table shows the reports in JSA Baseline Maintenance Content Extension V1.0.5.
Table 18: Reports in JSA Baseline Maintenance Content Extension V1.0.5
Report Name | Search Name and Dependencies |
---|---|
Successful Login Events | Saved Search: SSH Logins, UI Logins. Reference Set: JSA Deployment. Edit the saved searches and the reference set to refine the results. |
The following table shows the reference data in JSA Baseline Maintenance Content Extension V1.0.5.
Table 19: Reference Data in JSA Baseline Maintenance Content Extension V1.0.5
Type | Name | Description |
---|---|---|
Reference Set | JSA Deployment | List of JSA IP addresses. This reference set is used by the UI Logins saved search. By default it contains 127.0.0.1 and the range assigned to apps (169.254.3.1 to 169.254.3.10). Edit this list as needed. |
Reference Map of Sets | CorrelatedAttackMap | This reference map of sets maps Destination IP addresses with the QID. |
The following table shows the saved searches in JSA Baseline Maintenance Content Extension V1.0.5.
Table 20: Saved Searches in JSA Baseline Maintenance Content Extension V1.0.5
Name | Description |
---|---|
Deviating Asset Growth: Asset Report | This search shows system notification warning messages with Vortex Asset IDs. |
Deviating Asset Growth: Log Source Report | This search shows the Asset Deviation Report category. |
Firewall Deny by DST Port | This search shows firewall or ACL deny events from firewall, router, or switch devices grouped by destination port. |
UI Logins | This search shows UI logins. |
SSH Logins | This search shows SSH logins. |
JSA Baseline Maintenance Content Extension V1.0.4
Updates in JSA Baseline Maintenance Content Extension V1.0.4
Type | Name | Change description |
---|---|---|
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: |
Building Block | BB:DeviceDefinition: Consumer Grade Routers | Added an identity check to improve performance. This building block now only checks for a MAC address for events with an identity. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Rule updated to include additional devices. |
Rule | All Exploits Become Offenses | Reports leverage attacks on events. By default, this rule is disabled. Enable this rule if you want all events that are categorized as leverages to create an offense. |
Rule | Flow Source Stopped Sending Flows | The dispatched events for this rule are now categorized as System > System Failure instead of as Access > ACL Deny. |
Rule | Device Stopped Sending Events (Firewall, IPS, VPN or Switch) | Fixed the import issue for this rule. |
Report | Accessible files vulnerability | Updated this report so that it returns accessible file vulnerabilities only, instead of all vulnerabilities. Also replaced all occurrences of fiiles with files in this report. |
Reference data | Asset Reconciliation IPv4 Blacklist, Asset Reconciliation NetBIOS Blacklist, Asset Reconciliation DNS Blacklist, and Asset Reconciliation MAC Blacklist | Sets a default 7-day expiry time on the following reference data: After the extension is installed, all existing elements that were last seen more than 7 days ago are removed from the reference data. This default value can be changed to reflect your needs and environment. |
JSA Baseline Maintenance Content Extension V1.0.3
Updates in JSA Baseline Maintenance Content Extension V1.0.3
Type | Name | Change description |
---|---|---|
Rule / Building Block | Recon Followed by Accept | Updated the Recon Followed by Accept rule in JSA to use the BB:ReconDetected Basic Recon Rule building block and remove the All Recon Rules building block reference. Old Rule: Used as an extra mark if all the following rules match, in order, from the same source IP to any destination IP, over a 5-minute period: Updated Rule: Used as an extra mark if all the following rules match, in order, from the same source IP to any destination IP, over a 5-minute period: |
Rule / Building Block | DoS Events with High Magnitude Become Offenses | Updated the DoS Events with High Magnitude Become Offenses rule in JSA to change the associated building block BB:CategoryDefinition: High Magnitude Events to trigger when the severity is greater than 7. This change allows the offense to be generated on an event with a severity of 8, 9, or 10. |
Rule / Building Block | FalsePositive: False Positive Rules and Building Blocks | Updated the core FalsePositive: False Positive Rules and Building Blocks to remove three building blocks to reduce false negative rule triggers. Old rule: Apply FalsePositive: False Positive Rules and Building Blocks on events or flows that are detected by the local system, and when a flow or an event matches any of the following rules: Updated rule: Apply FalsePositive: False Positive Rules and Building Blocks on events or flows that are detected by the local system, and when a flow or an event matches BB:FalsePositive: All Default False Positive BBs. |
Rule / Building Block | BB:FalsePositive: All Default False Positive BBs | Added BB:HostDefinition: VA Scanner Source IP to the BB:FalsePositive: All Default False Positive rule. |
Rule / Building Block | BB:HostDefinition: Proxy Servers | Updated the Proxy Servers host definition to add a new line in the building block that checks for the BB:PortDefinition: Proxy Ports building block. Old Rule: Apply BB:HostDefinition: Proxy Servers on events or flows that are detected by the local system, and when either the source or destination IP is 127.0.0.2. Updated Rule: Apply BB:HostDefinition: Proxy Servers on events or flows that are detected by the local system, and when the following conditions are met: |
Rule / Building Block | Multiple Login Failures to the Same Destination | Updated the Multiple Login Failures to the Same Destination rule to ensure that it does not generate false positives from proxy server events. Old Rule: Apply Multiple Login Failures to the Same Destination on events that are detected by the local system that match BB:CategoryDefinition: Authentication Failures. Multiple Login Failures to the Same Destination also needs to be applied when at least 10 events are seen that have the same Destination IP but different Source IPs and user names in a 5-minute period. Updated Rule: Apply Multiple Login Failures to the Same Destination on events that are detected by the local system that match BB:CategoryDefinition: Authentication Failures, and when at least 10 events are seen that have the same Destination IP but different Source IPs and user names in a 5-minute period, but NOT when an event matches any of the following building blocks: |
Rule / Building Block | Excessive Firewall Denies from Local Host | Updated the Excessive Firewall Denies from Local Host rule to ensure that it does not generate false positives from proxy server events. Old Rule: Apply Excessive Firewall Denies from Local Host on events that are detected by the local system, when the event context is Local to Local, or Local to Remote, and when an event matches either BB:CategoryDefinition: Firewall or ACL Denies with the same Source IP more than 40 times, across more than 40 Destination IPs within a 5-minute period. Updated Rule: Apply Excessive Firewall Denies from Local Host on events that are detected by the local system, when the event context is Local to Local, or Local to Remote, and when an event matches either BB:CategoryDefinition: Firewall or ACL Denies with the same Source IP more than 40 times, across more than 40 Destination IPs within a 5-minute period, but NOT when an event matches any of the following rules: |
Rule / Building Block | Policy: Large Outbound Transfer Slow Rate of Transfer; Policy: Large Outbound Transfer High Rate of Transfer | Updated the performance of both the fast and slow data transfer policy rules. This update changes the order of the rule tests to move the phrase 'and when at least X flows are seen with the same Source IP, Destination IP in Y minutes' to the last line of both policy rules (slow transfer and fast transfer). The following rule example describes the change in more detail. Old rule: Apply Large Outbound Transfer Slow Rate of Transfer on flows that are detected by the local system when the following conditions are met: Updated rule: Apply Large Outbound Transfer Slow Rate of Transfer on flows that are detected by the local system when the following conditions are met: |
Rule / Building Block | Updated reference set rule responses for all Asset Reconciliation Exclusion rules | This change updates the rule response for Asset Exclusion rules to ensure that identity data is added to the correct reference set blacklist when the rule response triggers. The following rules were updated to include this change: |
JSA Baseline Maintenance Content Extension V1.0.2
Type | Name | Change description |
---|---|---|
Saved search | Flow Rate (FPS) | Updated the Flow Rate (FPS) saved search from a count function to an FPS function by changing the search value from Count to Average. Old: Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Count) New: Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Average) |
Dashboard | Added 'Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Average)' to the System Monitoring Dashboard. | The corrected Flow Rate Results (FPS) saved search is added to the System Monitoring dashboard for all users. This graph displays on the Log Activity tab as Top 10 Flow Source (custom) Results By Flows per Second - Peak 1 Min (custom) (Average). |
Report | System Summary | Updated the System Summary report, which has a dependency on the Flow Rate (FPS) search results. |
Included in the content pack as a dependency
Type | Name | Change description |
---|---|---|
Saved search | Event Rate (EPS) | No updates. Dependent on another property and must be included in the extension framework. |
Saved search | Offenses Over Time | No updates. Dependent on another property and must be included in the extension framework. |
Saved search | Link Utilization | No updates. Dependent on another property and must be included in the extension framework. |
Saved search | Event Processor Distribution | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | AVG(flows per second - peak 1 min) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | AVG(flows per second - average 15 min) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | AVG(events per second coalesced - average 1 min) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | AVG(events per second raw - average 1 min) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | Offenses Over Time - SUM(dormant offense count) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | Offenses Over Time - SUM(active offense count) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | Event Processor Distribution - Count | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | Event Processor Distribution - Sum(eventCount) | No updates. Dependent on another property and must be included in the extension framework. |
Accumulator References | Event Processor Distribution - UniqueCount(device) | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Flow Source: SourceMonitor.+\[NOT\:\d+\]\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\] | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Flows per Second - Average 15 Min: SourceMonitor.+900s\:\s\([\d|\.]+\)\:\(([\d|\.]+)\) | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Parent: \[parent=(.+?)\].+StatFilter | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Events per Second Coalesced - Peak 1 Sec: StatFilter.+1s\:(\d+)\,\d+\s | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Events per Second Raw - Peak 1 Sec: StatFilter.+1s\:\d+\,(\d+)\s | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Events per Second Coalesced - Average 1 Min: StatFilter.+60s\:(\d+)\,\d+\s | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Events per Second Raw - Average 1 Min: StatFilter.+60s\:\d+\,(\d+)\s | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Dormant Offense Count: \,\sdormant\:\s(\d+)\, | No updates. Dependent on another property and must be included in the extension framework. |
Custom Property | Active Offense Count: \,\sactive\:\s(\d+)\, | No updates. Dependent on another property and must be included in the extension framework. |
Dashboard | System Monitoring: 5 (system) 10 (admin) | No updates. Dependent on another property and must be included in the extension framework. |
FGroup | Configuration and Change Management | No updates. Dependent on another property and must be included in the extension framework. |
FGroup | System Monitoring (Information, Failures and Errors) | No updates. Dependent on another property and must be included in the extension framework. |
FGroup | Network Monitoring and Management | No updates. Dependent on another property and must be included in the extension framework. |
JSA Baseline Maintenance Content Extension V1.0.1
Rules and building blocks that are updated in JSA Baseline Maintenance Content Extension V1.0.1
Type | Name | Change Description |
---|---|---|
Rule | First-Time User Access to Critical Asset | Added the rule test "user name is not N/A" to the "First-Time User Access" rule. |
Rule | Remote SSH Server Scanner | Corrected the rule test order so that the following test is evaluated last: and when BB:CategoryDefinition: Recon Events, BB:CategoryDefinition: Suspicious Events with the same Source IP more than five times, across more than 29 Destination IPs within 10 minutes |
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Corrects the following building block in the rule test: Old: and when BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows match at least 15 times in 1 minute Updated: and when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows match at least 15 times in 1 minute |
Rule | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Corrects the following building block in the rule test: Old: and when BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows match at least 15 times in 1 minute Updated: and when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows match at least 15 times in 1 minute |
Rule | BB:External Contractor Policy Violation Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
Rule | BB:External Contractor Failed Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
Rule | BB:Mobile Worker Policy Violation Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
Rule | BB:Mobile Worker Failed Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
Rule | BB:Teleworker Policy Violation Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
Rule | BB:Teleworker Failed Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
Rule | BB:IT Admin Events | Resolves a rule test order issue so that the Reference Set look-up is the last rule test. Correct order: |
JSA Baseline Maintenance Content Extension V1.0.0
JSA rules and building blocks that are updated in JSA Baseline Maintenance Content Extension V1.0.0
Category | Name | Description of change |
---|---|---|
X-Force Rule | X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM | Updated rule to resolve a performance issue. |
Custom Event Property | Events per Second Raw - Peak 1 Sec | Updated regex to StatFilter to use: +1s\:\d+\,\d+ \(peak \d+\,(\d+) |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Added the following two QIDs: |
Building Block | BB:DeviceDefinition: Consumer Grade Routers | Added a rule test: BB:DeviceDefinition: DHCP Server |
Rule | Anomaly: Excessive Firewall Accepts Across Multiple Hosts | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule. |
Rule | Botnet: Potential Botnet Connection (DNS) | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule. |
Rule | Recon: Recon Followed by Accept | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule. |
Rule | Policy: Host has well-known vulnerability | Updated user interface name and rule text description. |
Rule | Exploit: Destination Vulnerable to Detected Exploit | Updated user interface name and rule text description. |
Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Updated user interface name and rule text description. |
Rule | Large Outbound Transfer High Rate of Transfer | Updated user interface name and rule text description. |
Rule | Large Outbound Transfer Slow Rate of Transfer | Updated user interface name and rule text description. |
Rule | Source Network Weight is High | Updated user interface name and rule text description. |
Rule | Source Network Weight is Medium | Updated user interface name and rule text description. |
Rule | Source Network Weight is Low | Updated user interface name and rule text description. |
Rule | Destination Network Weight is High | Updated user interface name and rule text description. |
Rule | Destination Network Weight is Medium | Updated user interface name and rule text description. |
Rule | Destination Network Weight is Low | Updated user interface name and rule text description. |
Rule | Multiple Exploit Types Against Single Destination | Updated user interface name and rule text description. |
Building Block | BB:HostDefinition: DNS Servers | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:HostDefinition: Servers | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:HostDefinition: DHCP Servers | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:ReconDetected: All Recon Rules | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:CategoryDefinition: Exploits Backdoors and Trojans | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:CategoryDefinition: Firewall or ACL Accept | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:CategoryDefinition: Firewall or ACL Denies | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:CategoryDefinition: Any Flow | No updates. Dependent on another rule and must be included in the extension framework. |