
Security Analytics Self Monitoring


Use the JSA Security Analytics Self Monitoring Content Extension to closely monitor your JSA deployment.

JSA Security Analytics Self Monitoring Content Extension V1.0.0

The following table shows the custom properties in JSA Security Analytics Self Monitoring Content Extension V1.0.0. The CRE Name property is defined by two regexes; the second reads the rule name from capture group 2.

Table 1: Custom Properties in JSA Security Analytics Self Monitoring Content Extension V1.0.0

Name | Optimized | Capture Group | Regex
CRE Name | Yes | 1 | Rule Name="([^\"]+)
CRE Name | Yes | 2 | (\s+|Updated\s+)Rule Name="([^\"]+)
Previous CRE Name | Yes | 1 | Previous Rule Name="([^\"]+)
Command | Yes | 1 | CommandExecuted\]\s\:\s+([^\r\n]+)
Host status | Yes | 1 | Sent\supdate\sstatus\sof\shost\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sto\s([^$]+)
API search ID | Yes | 1 | PathInfo=\/ariel\/searches\/(\S{36})\/results
Search executed | Yes | 1 | Filters:(.*?)\,\s+Columns
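To check what each Table 1 regex extracts before relying on the rules and reports built on these properties, the script below applies the regexes, exactly as listed, to constructed sample payloads. This is an added example, not part of the content extension; the payloads are invented and only contain the substrings the regexes key on, and the last sample shows that the unanchored CRE Name regex also matches inside "Previous Rule Name" when that field comes first.

```python
import re

# Regexes and capture groups copied from Table 1. CRE Name has two regexes;
# the second one returns the rule name from capture group 2.
PROPERTIES = [
    ("CRE Name", r'Rule Name="([^\"]+)', 1),
    ("CRE Name", r'(\s+|Updated\s+)Rule Name="([^\"]+)', 2),
    ("Previous CRE Name", r'Previous Rule Name="([^\"]+)', 1),
    ("Command", r'CommandExecuted\]\s\:\s+([^\r\n]+)', 1),
    ("Host status",
     r'Sent\supdate\sstatus\sof\shost\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sto\s([^$]+)', 1),
    ("API search ID", r'PathInfo=\/ariel\/searches\/(\S{36})\/results', 1),
    ("Search executed", r'Filters:(.*?)\,\s+Columns', 1),
]


def extract(payload):
    """Return {property name: captured value} for each Table 1 regex that
    matches the payload. Where a property has several regexes (CRE Name),
    the first one in table order that matches is kept (a choice made for
    this example, not documented JSA behaviour)."""
    found = {}
    for name, pattern, group in PROPERTIES:
        if name in found:
            continue
        match = re.search(pattern, payload)
        if match:
            found[name] = match.group(group)
    return found


# Constructed sample payloads (not real JSA audit events).
SAMPLES = {
    "rule_update": 'CustomRule Updated Rule Name="Login Failures" '
                   'Previous Rule Name="Logon Failures"',
    "cli": 'admin@10.0.0.5 [CommandExecuted] : vi /etc/hosts',
    "host": 'Sent update status of host 10.0.0.12 to Unavailable',
    "api": 'PathInfo=/ariel/searches/3f2a1c4e-5b6d-4e7f-8a9b-0c1d2e3f4a5b/results',
    "search": 'Filters:sourceip="10.0.0.5", Columns:starttime,sourceip',
    # Field order pitfall: 'Rule Name="' is a substring of 'Previous Rule
    # Name="', so with this order CRE Name picks up the previous name.
    "reversed": 'Previous Rule Name="Logon Failures" Rule Name="Login Failures"',
}


def run_samples():
    """Apply every property regex to every sample; returns {sample: {property: value}}."""
    return {key: extract(payload) for key, payload in SAMPLES.items()}
```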

The following table shows the rules in JSA Security Analytics Self Monitoring Content Extension V1.0.0.

Table 2: Rules in JSA Security Analytics Self Monitoring Content Extension V1.0.0

Type | Name | Description
Rule | JSA Audit: Payload deleted or modified | Detects when a command might modify log files.
Rule | JSA Audit: Multiple Login Failures from the Same Source | Detects repeated authentication failures from the same source IP address on the JSA web interface or the CLI.
Rule | JSA Audit: Potential sensitive file modification | Detects when a sensitive file is accessed with a text editor, or is moved or removed through the JSA CLI. Edit this rule to monitor sensitive files and devices.
Rule | JSA Audit: JSA Hosts | Adds JSA IP addresses to the JSA Deployment – IP reference set.
Rule | JSA Audit: Shared Account | Detects when there is a potential shared account that is connected to JSA. Add JSA IP addresses to the JSA Deployment – IP reference set to exclude them as source IP addresses.
Rule | JSA Audit: JSA Host Unavailable | Monitors the JSA managed hosts status.

The following table shows the reports in JSA Security Analytics Self Monitoring Content Extension V1.0.0.

Table 3: Reports in JSA Security Analytics Self Monitoring Content Extension V1.0.0

Report Name | Search Name and Dependencies
JSA Audit - Modifications overview | Saved Searches: SIEM Audit - Custom Rule Modification and SIEM Audit - Configuration Modification
JSA Audit - User Authentication Activity | Saved Searches: SIEM Audit - Authentication Success by Username, SIEM Audit - Authentication Failure by Username, and SIEM Audit - User Authentication Activity
JSA Audit - System warnings and errors | Saved Search: SIEM Audit - System Notifications
JSA Audit - Searches Executed | Saved Searches: Audit - User Processing Activities and Audit - User Processing Activities through API

The following table shows the reference data in JSA Security Analytics Self Monitoring Content Extension V1.0.0.

Table 4: Reference Data in JSA Security Analytics Self Monitoring Content Extension V1.0.0

Type | Name | Description
Reference Set | JSA Deployment | List of JSA IP addresses, populated by SIEM Audit: JSA Hosts and used in SIEM Audit: Shared Account. This list also contains 127.0.0.1 by default, and the range assigned to apps (169.254.3.1 to 169.254.3.10). Edit this list as needed.

The following table shows the saved searches in JSA Security Analytics Self Monitoring Content Extension V1.0.0.

Table 5: Saved Searches in JSA Security Analytics Self Monitoring Content Extension V1.0.0

Name | Description
Audit - User Authentication Activity | This search shows the authentication events on the JSA system (Web and SSH).
Audit - Authentication Success by Username | This search shows the authentication successes on the JSA system (Web and SSH).
Audit - Authentication Failure by Username | This search shows the authentication failures on the JSA system (Web and SSH).
Audit - Configuration Modification | This search shows the configuration updates that have been made on the JSA system.
Audit - System Notifications | This search shows the warnings and errors on the JSA system.
Audit - User Processing Activities | This search shows the searches executed by users.
Audit - User Processing Activities through API | This search shows the searches executed against /ariel/searches.