This topic includes:
Configuring JSA Tuning
You can tune JSA to meet the needs of your environment.
Before you tune JSA, wait one day to enable JSA to detect servers on your network, store events and flows, and create offenses that are based on existing rules.
Administrators can perform the following tuning tasks:
- Optimize event and flow payload searches by enabling a payload index on the Log Activity and Network Activity Quick Filter property.
- Provide a faster initial deployment and easier tuning by automatically or manually adding servers to building blocks.
- Configure responses to event, flow, and offense conditions by creating or modifying custom rules.
- Ensure that each host in your network creates offenses that are based on the most current rules, discovered servers, and network hierarchy.
Use the Quick Filter function, which is available on the Log Activity and Network Activity tabs, to search event and flow payloads.
To optimize the Quick Filter, you can enable a payload index on the Quick Filter property.
Enabling payload indexing might decrease system performance. Monitor the index statistics after you enable payload indexing on the Quick Filter property.
For more information about index management and statistics, see the Juniper Secure Analytics Administration Guide.
Enabling Payload Indexing
You can optimize event and flow payload searches by enabling a payload index on the Log Activity and Network Activity Quick Filter property.
To enable payload indexing:
- Click the Admin tab.
- In the System Configuration section, click System Configuration.
- Click the Index Management icon.
- In the Quick Search field, type quick filter.
- Right-click the Quick Filter property that you want to index.
- Click Enable Index.
- Click Save, and then click OK.
- Optional: To disable a payload index, choose one of the following options:
  - Click Disable Index.
  - Right-click a property and select Disable Index from the menu.
For more information about the parameters that are displayed in the Index Management window, see the Juniper Secure Analytics Administration Guide.
Servers and Building Blocks
JSA automatically discovers and classifies servers in your network, providing a faster initial deployment and easier tuning when network changes occur.
To ensure that the appropriate rules are applied to the server type, you can add individual devices or entire address ranges of devices. You can manually enter server types that do not conform to unique protocols into their respective Host Definition Building Block. For example, adding the following server types to building blocks reduces the need for further false positive tuning:
- Add network management servers to the BB:HostDefinition: Network Management Servers building block.
- Add proxy servers to the BB:HostDefinition: Proxy Servers building block.
- Add virus and Windows update servers to the BB:HostDefinition: Virus Definition and Other Update Servers building block.
- Add vulnerability assessment (VA) scanners to the BB:HostDefinition: VA Scanner Source IP building block.
The Server Discovery function uses the asset profile database to discover several types of servers on your network. The Server Discovery function lists automatically discovered servers and you can select which servers you want to include in building blocks.
For more information about discovering servers, see the Juniper Secure Analytics Administration Guide.
Using building blocks, you can reuse specific rule tests in other rules. You can reduce the number of false positives by using building blocks to tune JSA and to enable extra correlation rules.
Adding Servers to Building Blocks Automatically
You can automatically add servers to building blocks. To add servers to building blocks automatically:
- Click the Assets tab.
- In the navigation pane, click Server Discovery.
- In the Server Type list, select the server type that you want to discover. Keep the remaining parameters as default.
- Click Discover Servers.
- In the Matching Servers pane, select the check box for each server that you want to assign to the server role.
- Click Approve Selected Servers.
You can right-click any IP address or host name to display DNS resolution information.
Adding Servers to Building Blocks Manually
If a server is not automatically detected, you can manually add the server to its corresponding Host Definition Building Block.
To add servers to building blocks manually:
- Click the Offenses tab.
- In the navigation pane, click Rules.
- In the Display list, select Building Blocks.
- In the Group list, select Host Definitions.
The name of the building block corresponds with the server type. For example, BB:HostDefinition: Proxy Servers applies to all proxy servers in your environment.
- To manually add a host or network, double-click the corresponding Host Definition Building Block appropriate to your environment.
- In the Building Block field, click the underlined value after the phrase and when either the source or destination IP is one of the following.
- In the Enter an IP address or CIDR field, type the host names or IP address ranges that you want to assign to the building block.
- Click Add.
- Click Submit.
- Click Finish.
- Repeat Steps 1 to 10 for each server type that you want to add.
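To make the building block semantics concrete, here is an added Python model (not JSA code) of the Host Definition test quoted above, "when either the source or destination IP is one of the following", together with a hypothetical scan rule that excludes the VA Scanner building block, which is how adding scanners to that building block removes false positives. The building block entries, event fields, and the rule itself are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of a JSA Host Definition building block. The test is
# "when either the source or destination IP is one of the following", and
# entries may be single hosts ("10.1.2.3") or CIDR ranges ("10.1.2.0/24").
@dataclass
class HostDefinitionBuildingBlock:
    name: str
    entries: list = field(default_factory=list)  # ipaddress network objects

    def add(self, value: str) -> None:
        # strict=False lets a host address with a prefix (10.1.2.3/24) be accepted.
        self.entries.append(ipaddress.ip_network(value, strict=False))

    def matches(self, source_ip: str, destination_ip: str) -> bool:
        # True if either endpoint is inside any configured host or range.
        addrs = (ipaddress.ip_address(source_ip), ipaddress.ip_address(destination_ip))
        return any(addr in net for addr in addrs for net in self.entries)

# Hypothetical rule modelling false-positive tuning: a "Scan" event is
# reported unless its source is a host in the VA Scanner building block.
def scan_rule_fires(event: dict, va_scanners: HostDefinitionBuildingBlock) -> bool:
    if event.get("category") != "Scan":
        return False
    return not va_scanners.matches(event["src"], event["dst"])

def build_va_scanner_block() -> HostDefinitionBuildingBlock:
    # Constructed entries: one authorized scanner subnet and one single host.
    bb = HostDefinitionBuildingBlock("BB:HostDefinition: VA Scanner Source IP")
    bb.add("10.1.2.0/24")
    bb.add("172.16.0.9")
    return bb

# Constructed sample events (not from a real deployment).
SAMPLE_EVENTS = [
    {"category": "Scan", "src": "10.1.2.3", "dst": "192.0.2.10"},     # authorized scanner
    {"category": "Scan", "src": "203.0.113.7", "dst": "192.0.2.10"},  # unknown source
    {"category": "Login", "src": "10.1.2.3", "dst": "192.0.2.10"},    # not a scan
]

def evaluate(events: list, va_scanners: HostDefinitionBuildingBlock) -> list:
    # One boolean per event: does the scan rule fire?
    return [scan_rule_fires(e, va_scanners) for e in events]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, build_va_scanner_block()))  # → [False, True, False]
```

Only the scan from the unknown source fires; the same event from the authorized scanner range is suppressed by the building block, which is the effect the manual and automatic procedures above achieve in the product.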
From the Log Activity, Network Activity, and Offenses tab, you can configure rules or building blocks.
To configure rules:
- Click the Offenses tab.
- Double-click the offense that you want to investigate.
- Click Display > Rules.
- Double-click a rule.
You can further tune the rules. For more information about tuning rules, see the Juniper Secure Analytics Administration Guide.
- Close the Rules wizard.
The Creation Date property changes to the date and time when you last updated a rule.
- In the Rules page, click Actions.
- Optional: If you want to prevent the offense from being removed from the database after the offense retention period has elapsed, select Protect Offense.
- Optional: If you want to assign the offense to a JSA user, select Assign.
Cleaning the SIM Data Model
Clean the SIM data model to ensure that each host creates offenses that are based on the most current rules, discovered servers, and network hierarchy.
To clean the SIM model:
- Click the Admin tab.
- On the toolbar, select Advanced > Clean SIM Model.
- Select an option:
  - Soft Clean to set the offenses to inactive.
  - Soft Clean with the optional Deactivate all offenses check box to close all offenses.
  - Hard Clean to erase all entries.
- Check the Are you sure you want to reset the data model? box.
- Click Proceed.
- After the SIM reset process is complete, refresh your browser.
When you clean the SIM model, all existing offenses are closed. Cleaning the SIM model does not affect existing events and flows.