National Institute Of Standards and Technology (NIST)

Use the JSA Content Extension for NIST to meet NIST control requirements. Baseline Maintenance V1.09 or higher is required for the NIST Content Extension to work correctly, so install Baseline Maintenance before you install the NIST Content Extension.

JSA Content Extension for NIST V1.0.1

The following table shows the rules and building blocks that are removed in JSA Content Extension for NIST V1.0.1.

Table 1: Removed Rules and Building Blocks in JSA Content Extension for NIST V1.0.1

Type | Name | Description
--- | --- | ---
Building Block | BB:CategoryDefinition: Privileged Activity : UBA | Indicates when a user has performed an action that is considered privileged.
Rule | Load Basic Building Blocks | Loads the building blocks that need to run to assist with reporting. This rule has no actions or responses.

The JSA Content Extension for NIST RMF 800-53 includes reports, rules, and saved searches. JSA itself also includes features that meet NIST control requirements, such as offenses and data obfuscation.

JSA Content Extension for NIST V1.0.0

The following table shows the rules and building blocks in JSA Content Extension for NIST V1.0.0.

Table 2: Rules and Building Blocks in JSA Content Extension for NIST V1.0.0

Type | Name | Description
--- | --- | ---
Building Block | BB:CategoryDefinition: Malicious Attacks | Edit this building block to define malicious attacks such as buffer overflow, cross-site scripting, database exploit, and others.
Building Block | BB:CategoryDefinition: Privileged Escalations | Edit this building block to define events related to successful privileged escalations.
Building Block | BB:CategoryDefinition: Privileged Activity : UBA | Indicates when a user has performed an action that is considered privileged.
Rule | Load Basic Building Blocks | Loads the building blocks that need to run to assist with reporting. This rule has no actions or responses.

The following table shows the reports in JSA Content Extension for NIST V1.0.0.

Table 3: Reports in JSA Content Extension for NIST V1.0.0

Report | Description
--- | ---
NIST RMF (AC-20) Use of External Information Systems | Provides a list of connections initiated from a Remote Network to a network that is not the DMZ. Configure the Network Hierarchy to define the DMZ assets that apply in your environment.
NIST RMF (AC-6) Least Privilege | Provides an overview of privileged escalations and activities so that you can verify that accesses are authorized. Define privilege activity and escalation events in the building block BB:CategoryDefinition: Privileged Escalations.
NIST RMF (AC-7) Unsuccessful Logon Attempts | Provides a historical trend of the number of login failures by low-level category, as well as the top 20 users with failed logins. Define privilege activity and escalation events in the building block BB:CategoryDefinition: Authentication Failures.
NIST RMF (CA-3) System Interconnections | Provides a historical trend of requests made from the local network to the remote network that are not reported by a proxy. Includes top 10 graphs per Log Source / Destination IP pair and a Top 50 list.
NIST RMF (CM-2) Baseline Configuration | Provides a summary of the automated mechanisms used to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
NIST RMF (CP-2-8) Contingency Plan - Identify Critical Assets | Provides the top 50 critical assets that were backed up successfully and the top 50 backup attempts or failures. Configure the Critical Assets reference set to define the IPs that apply in your environment.
NIST RMF (IR-4) Incident Handling | Provides an overview of the top 20 security and policy offenses for the day. See also the Offense Source Summary report for offenses by source IP, destination IP, user, and rule name.
NIST RMF (PM-12) Insider Threat Program | Provides an overview of insider threat activities from the User Behavioural Analytics for JSA (UBA) app.
NIST RMF (RA-5) Vulnerability Scanning | Provides a summary of new, remediated, high-risk, and overdue vulnerability counts. See the Vulnerabilities tab in JSA for more information.
NIST RMF (SI-3) Malicious Code Protection | Provides an overview of the malicious attacks in the network. Define privilege activity and escalation events in the building block BB:CategoryDefinition: Malicious Attacks.
NIST RMF (PM-5) System Inventory | Shows the top 50 assets sorted by vulnerability instances. See the Assets tab in JSA for more information.
NIST RMF (SI-4-16) Information System Monitoring - Correlate Monitoring Information | Provides the top 10 offenses over time by magnitude. See the Offenses tab in JSA for more information.

The following table shows the saved searches in JSA Content Extension for NIST V1.0.0.

Table 4: Saved Searches in JSA Content Extension for NIST V1.0.0

Saved Search Name

  • Login Failures by User
  • Login Failures By Low Level Category
  • Direct Remote Connection
  • Critical Assets Backup Success
  • Non Success Backup events on Critical Assets
  • Privileged Escalations
  • Privileged Activities
  • Insider Threat (UBA)
  • Automated Assets Management
  • ISO 27001 (11.4) - Malicious Attacks