
Policy Monitor Question Parameters

 

You can define test questions to identify risk in network devices or rules on network devices.

Generic and Test-specific Parameters for Policy Monitor Tests

You configure parameters for each Policy Monitor test. In the Policy Monitor interface, configurable parameters are shown bolded and underlined; click a parameter to view the options that are available for your question.

Policy Monitor tests use two types of parameters: generic and test-specific. A generic parameter offers two or more fixed options, and clicking it toggles between those options. A test-specific parameter requires user input; click it to enter the information the test needs, such as a network, an IP address or a remote location.

For example, the asset test called have accepted communication to destination remote network locations contains two generic parameters and one test-specific parameter. Click the generic parameter, have accepted, to select either have accepted or have rejected. Click the generic parameter, to destination, to select either to destination or from source. Click the test-specific parameter, remote network locations, to add a remote location for the asset test.

Asset Test Questions

Asset questions are used to identify assets on the network that violate a defined policy or introduce risk into the environment.

Asset test questions are categorized by communication type: actual or possible. Both communication types use contributing and restrictive tests.

Actual communication questions cover assets for which communication has been detected in connection data. Possible communication questions let you check whether a specific communication is possible on an asset, regardless of whether that communication has ever been detected.

A contributing test question is the base test question; it defines what type of communication you are testing.

A restrictive test question narrows the results of the contributing test, filtering the matched communication down to the specific violations you are looking for.

When you use a restrictive test, the direction of the restrictive test should follow the same direction as the contributing test. Restrictive tests that use a mix of inbound and outbound directions can be used in situations where you are trying to locate assets in between two points, such as two networks or IP addresses.

Inbound refers to a test that is filtering the connections for which the asset in question is a destination. Outbound refers to a test that is filtering connections for which the asset in question is a source.

Devices/Rules Test Questions

Device/rules questions are used to identify rules on a device that violate a defined policy and can introduce risk into the environment.

For a detailed list of device/rules questions, see Device/rules Test Questions.

Contributing Questions for Actual Communication Tests

The actual communication tests for assets include contributing questions and parameters that you choose when you create a policy monitor test.

When you apply the have not condition to a test, the negation is attached to the parameter that you are testing, not to the communication itself.

For example, if you configure a test as have not accepted communication to destination networks, the test detects assets that have accepted communication to networks other than the configured networks; it does not detect assets that have no accepted communication at all. Similarly, have not accepted communication to the Internet detects assets that have accepted communication to or from areas other than the Internet.

The following table lists and describes the contributing question parameters for actual communication tests.

Table 1: Contributing Question Parameters for Actual Communication Tests

Test Name

Description

have accepted communication to any destination

Detects assets that have communications to any destination or from any source.

This test allows you to define a start or end point for your question.

For example, to identify every asset that has accepted inbound communication, regardless of where it came from, configure the test as follows:

have accepted communication from any source

Combined with a restrictive test, you can use this test to detect out-of-policy communications.

have accepted communication to destination networks

Detects assets that have communications to or from the networks that you specify.

This test allows you to define a start or end point to your question.

For example, to identify the assets that have accepted communication from the DMZ, configure the test as follows, with the DMZ as the networks parameter:

have accepted communication from source <networks>

You can use this test to detect out-of-policy communications.

have accepted communication to destination IP addresses

Detects assets that have communications to or from the IP address that you specify.

This test allows you to specify an IP address or a CIDR range.

For example, if you want to identify all assets that communicated to a specific compliance server, configure the test as follows:

have accepted communication to destination <compliance server IP address>

have accepted communication to destination asset building blocks

Detects assets that have communications to or from the asset building blocks that you specify. This test allows you to re-use building blocks defined in the JSA Rules Wizard in your query.

For more information about rules, assets, and building blocks, see the Juniper Secure Analytics Administration Guide.

have accepted communication to destination asset saved searches

Detects assets that have communications to or from the assets that are returned by the saved search that you specify.

For information about creating and saving an asset search, see the Juniper Secure Analytics Users Guide.

have accepted communication to destination reference sets

Detects assets that have communicated to or from addresses in the reference sets that you specify.

have accepted communication to destination remote network locations

Detects assets that have communicated with networks that are defined as remote networks.

For example, this test can identify hosts that have communicated to botnets or other suspicious Internet address space.

have accepted communication to destination geographic network locations

Detects assets that have communicated with networks defined as geographic networks.

For example, this test can detect assets that have attempted communications with countries in which you do not have business operations.

have accepted communication to the Internet

Detects source or destination communications to or from the Internet.

are susceptible to one of the following vulnerabilities

Detects specific vulnerabilities.

If you want to detect vulnerabilities of a particular type, use the test, are susceptible to vulnerabilities with one of the following classifications.

You can search for vulnerabilities by using the OSVDB ID, CVE ID, Bugtraq ID, or title.

are susceptible to vulnerabilities with one of the following classifications

A vulnerability can be associated with one or more vulnerability classifications. This test filters all assets that include vulnerabilities with the specified classifications.

Configure the classifications parameter to identify the vulnerability classifications that you want this test to apply.

For example, a vulnerability classification might be Input Manipulation or Denial of Service.

are susceptible to vulnerabilities with CVSS score greater than 5

A Common Vulnerability Scoring System (CVSS) value is an industry standard for assessing the severity of vulnerabilities. CVSS is composed of three metric groups: Base, Temporal, and Environmental. These metrics allow CVSS to define and communicate the fundamental characteristics of a vulnerability.

This test filters assets in your network that include vulnerabilities with the CVSS score that you specify.

are susceptible to vulnerabilities disclosed after specified date

Detects assets in your network with a vulnerability that is disclosed after, before, or on the configured date.

are susceptible to vulnerabilities on one of the following ports

Detects assets in your network with a vulnerability that is associated with the configured ports.

Configure the ports parameter to identify ports you want this test to consider.

are susceptible to vulnerabilities where the name, vendor, version or service contains one of the following text entries

Detects assets in your network with a vulnerability whose name, vendor, version or service contains one or more of the configured text entries.

Configure the text entries parameter to specify the name, vendor, version or service text that you want this test to consider.

are susceptible to vulnerabilities where the name, vendor, version or service contains one of the following regular expressions

Detects assets in your network with a vulnerability whose name, vendor, version or service matches one or more of the configured regular expressions.

Configure the regular expressions parameter to specify the name, vendor, version or service patterns that you want this test to consider.

are susceptible to vulnerabilities contained in vulnerability saved searches

Detects risks that are associated with saved searches that are created in JSA Vulnerability Manager.

Deprecated Contributing Test Questions

Contributing questions that have been replaced by another test are hidden in Policy Monitor.

The following replaced tests are hidden in Policy Monitor:

  • assets that are susceptible to vulnerabilities

  • assets that are susceptible to vulnerabilities from the following services

Restrictive Questions for Actual Communication Tests

The actual communication tests for assets include restrictive questions and parameters that you can choose when you create a policy monitor test.

When you apply the exclude condition to a restrictive test, the exclusion applies to that test's parameter, for example the protocols parameter.

For example, if you configure a restrictive test to exclude the following protocols, the question returns only the assets from the contributing test whose communications do not use the excluded protocols.
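How contributing direction, the have not condition (see Contributing Questions for Actual Communication Tests) and the exclude condition fit together, as an added Python model; this is not JSA code and not part of the original page. The connection records, the address plan (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 as local, everything else as the Internet), the DMZ range and all function names are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One detected connection (constructed sample record, not JSA data)."""
    src: str
    dst: str
    dst_port: int
    protocol: str
    accepted: bool      # True = accepted, False = rejected by the device


# Hypothetical address plan: everything outside LOCAL_NETWORKS is "the Internet".
LOCAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
DMZ = ["172.16.5.0/24"]

# Constructed sample connections; the documentation-range addresses are placeholders.
CONNECTIONS = [
    Connection("10.1.1.10", "172.16.5.20", 443, "tcp", True),     # internal -> DMZ web
    Connection("10.1.1.11", "203.0.113.7", 80, "tcp", True),      # internal -> Internet
    Connection("198.51.100.9", "172.16.5.20", 22, "tcp", True),   # Internet -> DMZ, SSH accepted
    Connection("198.51.100.9", "10.1.1.12", 3389, "tcp", False),  # Internet -> internal, rejected
    Connection("10.1.1.13", "10.1.1.14", 445, "tcp", True),       # internal -> internal
    Connection("198.51.100.20", "172.16.5.21", 53, "udp", True),  # Internet -> DMZ DNS over UDP
]


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def contributing(connections, networks, *, accepted=True, direction="to", have_not=False):
    """Contributing test "have [accepted|rejected] communication [to destination|from source] networks".

    direction="to":   the asset under test is the source and the parameter is checked
                      against the destination (an outbound test).
    direction="from": the asset is the destination and the parameter is checked against
                      the source (an inbound test).
    have_not=True:    the "have not" condition. The negation attaches to the parameter, so
                      the test returns assets that accepted communication with peers OUTSIDE
                      the configured networks, not assets with no communication at all.
    """
    assets = set()
    for c in connections:
        if c.accepted != accepted:
            continue
        asset, peer = (c.src, c.dst) if direction == "to" else (c.dst, c.src)
        if in_networks(peer, networks) != have_not:
            assets.add(asset)
    return sorted(assets, key=ipaddress.ip_address)


def internet_contributing(connections, *, direction="to", have_not=False):
    """"have accepted communication to/from the Internet".

    The Internet is everything outside LOCAL_NETWORKS, so this is the local-network test
    with its parameter negated. Negating it again ("have not ... to the Internet") matches
    assets that accepted communication with areas OTHER than the Internet, as the text says.
    """
    return contributing(connections, LOCAL_NETWORKS, direction=direction, have_not=not have_not)


def restrict(connections, attribute, values, *, exclude=False):
    """One restrictive test applied to the connections the contributing test works on.

    attribute="dst_port" models "include only the following inbound ports",
    attribute="protocol" models "include only the following protocols".
    exclude=True is the "exclude" condition: it negates the parameter, so only connections
    whose attribute is NOT in the configured values survive.
    """
    return [c for c in connections if (getattr(c, attribute) in values) != exclude]


def ssh_accepted_from_internet(connections):
    """Worked question: contributing "have accepted communication from the Internet" plus
    restrictive "include only the following inbound ports" set to 22."""
    return internet_contributing(restrict(connections, "dst_port", {22}), direction="from")


if __name__ == "__main__":
    print("accepted to DMZ:", contributing(CONNECTIONS, DMZ))
    print("have NOT accepted to DMZ:", contributing(CONNECTIONS, DMZ, have_not=True))
    print("rejected from 198.51.100.0/24:",
          contributing(CONNECTIONS, ["198.51.100.0/24"], accepted=False, direction="from"))
    print("SSH accepted from Internet:", ssh_accepted_from_internet(CONNECTIONS))
```

Run it to see that have not accepted communication to destination networks returns the assets that talked to networks outside the DMZ (10.1.1.11 and 10.1.1.13), not assets that never communicated, and that the same negation applied to the Internet test brings the local peers back. Keep a restrictive test in the same direction as its contributing test: dst_port is the port on the asset only when the asset is the destination, so pairing an inbound ports restriction with an outbound contributing test filters on the remote port instead.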

The following table lists and describes the restrictive question parameters for actual communication tests.

Table 2: Restrictive Question Parameters for Actual Communication Tests

Test Name

Description

include only the following protocols

Filters assets from the contributing test that include or exclude the specified protocols.

This test is only selectable when a contributing asset test is added to this question.

include only the following inbound ports

Filters assets from the contributing test that include only or exclude the specified ports.

This test is only selectable when a contributing asset test is added to this question.

include only the following inbound applications

Filters assets from the contributing test question by the inbound or outbound applications that they include only or exclude.

Because applications are identified from flow data, this test applies only to connections that include flow data.

include only if the source inbound and destination outbound bytes have a percentage difference less than 10

Filters assets from the contributing test question that is based on communications with a specific ratio of inbound to outbound (or outbound to inbound) bytes.

This test is useful for detecting hosts that might be exhibiting proxy-type behavior, where the bytes received roughly equal the bytes sent.

include only if the inbound and outbound flow count has a percentage difference less than 10

Filters assets from the contributing test question that is based on communications with a specific ratio of inbound to outbound (or outbound to inbound) flows.

Because flow counts come from flow data, this test applies only to connections that include flow data.

This restrictive test requires two contributing tests, one specifying the source and one the destination. The following question, for example, finds the assets between two points (here, the Internet in both directions) whose inbound and outbound flow counts differ by more than 40%:

Contributing test: have accepted communication to the Internet.

Contributing test: have accepted communication from the Internet.

Restrictive test: include only if the inbound and outbound flow count has a percentage difference greater than 40.
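The two-directional question above and the byte-ratio proxy heuristic from the previous row, as an added Python example; it is not JSA code and not part of the original page. The flow records, the local address plan and the percentage-difference formula (|a - b| as a percentage of the larger value; the page does not state the exact formula JSA uses) are assumptions made for the example:

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed): bytes each side sent."""
    src: str
    dst: str
    src_bytes: int   # bytes sent by src toward dst
    dst_bytes: int   # bytes sent by dst back to src


# Hypothetical address plan: everything outside these ranges is "the Internet".
LOCAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def is_internet(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(n) for n in LOCAL_NETWORKS)


def percentage_difference(a, b):
    """Assumed definition: |a - b| as a percentage of the larger of the two values.
    The page does not give JSA's exact formula; adjust this if yours differs."""
    if a == b:
        return 0.0
    return abs(a - b) / max(a, b) * 100.0


def internet_profile(flows):
    """Per local asset: inbound/outbound flow counts and bytes for flows whose peer is on
    the Internet. A flow the asset started is an outbound flow; one started by the
    Internet peer is an inbound flow. Bytes are credited to whoever sent them, whichever
    side started the flow. Local-to-local flows match neither contributing test."""
    prof = defaultdict(lambda: {"in_flows": 0, "out_flows": 0, "in_bytes": 0, "out_bytes": 0})
    for f in flows:
        if is_internet(f.dst) and not is_internet(f.src):       # asset -> Internet
            p = prof[f.src]
            p["out_flows"] += 1
            p["out_bytes"] += f.src_bytes
            p["in_bytes"] += f.dst_bytes
        elif is_internet(f.src) and not is_internet(f.dst):     # Internet -> asset
            p = prof[f.dst]
            p["in_flows"] += 1
            p["in_bytes"] += f.src_bytes
            p["out_bytes"] += f.dst_bytes
    return prof


def both_directions(prof):
    """Assets matched by BOTH contributing tests, "have accepted communication to the
    Internet" and "have accepted communication from the Internet"."""
    return [a for a, p in prof.items() if p["in_flows"] and p["out_flows"]]


def flow_count_difference_greater_than(flows, threshold):
    """Restrictive "include only if the inbound and outbound flow count has a percentage
    difference greater than <threshold>", on top of the two contributing tests."""
    prof = internet_profile(flows)
    hits = [a for a in both_directions(prof)
            if percentage_difference(prof[a]["in_flows"], prof[a]["out_flows"]) > threshold]
    return sorted(hits, key=ipaddress.ip_address)


def byte_difference_less_than(flows, threshold):
    """Restrictive "include only if the source inbound and destination outbound bytes have
    a percentage difference less than <threshold>": proxy-like hosts relay what they get."""
    prof = internet_profile(flows)
    hits = [a for a in both_directions(prof)
            if percentage_difference(prof[a]["in_bytes"], prof[a]["out_bytes"]) < threshold]
    return sorted(hits, key=ipaddress.ip_address)


# Constructed sample flows.
FLOWS = (
    # 10.1.1.50 relays: 3 flows out (sends 10k, gets 6k) and 2 in (gets 15k, sends 9k),
    # so in_bytes = 18k + 30k = 48k and out_bytes = 30k + 18k = 48k: 0 % difference.
    [Flow("10.1.1.50", "203.0.113.10", 10_000, 6_000)] * 3
    + [Flow("198.51.100.5", "10.1.1.50", 15_000, 9_000)] * 2
    # 10.1.1.60 beacons: 9 flows out, 1 in, so the flow count difference is 88.9 %.
    + [Flow("10.1.1.60", "203.0.113.20", 500, 200)] * 9
    + [Flow("198.51.100.7", "10.1.1.60", 100, 50)]
    # 10.1.1.70 only talks outbound, so the "from the Internet" contributing test misses it.
    + [Flow("10.1.1.70", "203.0.113.30", 700, 300)] * 2
    # local-to-local, ignored by both contributing tests.
    + [Flow("10.1.1.60", "10.1.1.70", 900, 900)]
)


if __name__ == "__main__":
    print("flow count difference > 40:", flow_count_difference_greater_than(FLOWS, 40))
    print("byte difference < 10 (proxy-like):", byte_difference_less_than(FLOWS, 10))
```

10.1.1.50 sends out almost exactly what it receives, so it passes the proxy-style byte test and fails the 40% flow-count test; 10.1.1.60 does the opposite; 10.1.1.70 is dropped because only one of the two contributing tests matches it.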

include only if the time is between start time and end time inclusive

Filters communications within your network that occurred within a specific time range. This allows you to detect out-of-policy communications. For example, if your corporate policy allows FTP communications between 1 and 3 am, this test can detect any attempt to use FTP to communicate outside of that time range.

include only if the day of week is between start day and end day inclusive

Filters assets from the contributing test question based on network communications that occurred on specific days of the week. This allows you to detect out-of-policy communications, such as maintenance traffic on days when no maintenance window is scheduled.

include only if susceptible to vulnerabilities that are exploitable

Filters assets from a contributing test question searching for specific vulnerabilities and restricts results to exploitable assets.

This restrictive test has no configurable parameters. It is used together with the contributing test are susceptible to one of the following vulnerabilities; a contributing test that carries a vulnerabilities parameter is required.

include only the following networks

Filters assets from a contributing test question that includes or excludes the configured networks.

include only the following asset building blocks

Filters assets from a contributing test question that are or are not associated with the configured asset building blocks.

include only the following asset saved searches

Filters assets from a contributing test question that are or are not associated with the asset saved search.

include only the following reference sets

Filters assets that are from a contributing test question that includes or excludes the configured reference sets.

include only the following IP addresses

Filters assets that are or are not associated with the configured IP addresses.

include only if the Microsoft Windows service pack for operating systems is below 0

Filters assets to determine whether the Microsoft Windows service pack level of an operating system is below the level that your company policy specifies. The 0 shown is the default value of the configurable level parameter.

include only if the Microsoft Windows security setting is less than 0

Filters assets to determine whether a Microsoft Windows security setting is below the level that your company policy specifies. The 0 shown is the default value of the configurable level parameter.

include only if the Microsoft Windows service equals status

Filters assets to determine whether a Microsoft Windows service has the status unknown, boot, kernel, auto, demand, or disabled.

include only if the Microsoft Windows setting equals regular expressions

Filters assets to determine whether a Microsoft Windows setting matches the specified regular expression.

Contributing Questions for Possible Communication Tests

The possible communication tests for assets include contributing questions and parameters that you can choose when you create a policy monitor test.

The following table lists and describes the contributing question parameters for possible communication tests.

Table 3: Possible Communication Question Parameters for Contributing Tests

Test Name

Description

have accepted communication to any destination

Detects assets that can possibly communicate to any destination or from any source. For example, to determine whether a critical server can possibly receive communication from any source, configure the test as follows:

have accepted communication from any source

You can then add a restrictive test to return whether that critical server can receive communication on port 21, which detects out-of-policy communication for that server.

have accepted communication to destination networks

Detects assets that have possible communications to or from the configured network.

This test allows you to define a start or end point to your question.

For example, to identify the assets that can possibly receive communication from the DMZ, configure the test as follows, with the DMZ as the networks parameter:

have accepted communication from source <networks>

You can use this test to detect out-of-policy communications.

have accepted communication to destination IP addresses

Detects assets that can possibly communicate to or from the configured IP address. This test allows you to specify a single IP address as the focus for possible communications. For example, to identify all assets that can communicate to a specific compliance server, configure the test as follows:

have accepted communication to destination <compliance server IP address>

have accepted communication to destination asset building blocks

Detects assets that can possibly communicate to or from the assets in the configured asset building blocks. This test allows you to re-use building blocks defined in the JSA Rules Wizard in your query. For example, to identify all assets that can communicate to the Protected Assets building block, configure the test as follows:

have accepted communication to destination <BB:HostDefinition:Protected Assets>

For more information about rules and building blocks, see the Juniper Secure Analytics Administration Guide.

have accepted communication to destination asset saved searches

Detects assets that can possibly communicate to or from the assets that are returned by the saved search that you specify.

A saved asset search must exist before you use this test. For information about creating and saving an asset search, see the Juniper Secure Analytics Users Guide.

have accepted communication to destination reference sets

Detects whether source or destination communication is possible to or from addresses in the configured reference sets.

have accepted communication to the Internet

Detects if source or destination communications are possible to or from the Internet.

Set the to or from parameter to consider communication traffic to the Internet or from the Internet.

are susceptible to one of the following vulnerabilities

Detects assets that have the specified vulnerabilities.

If you want to detect vulnerabilities of a particular type, use the test, are susceptible to vulnerabilities with one of the following classifications.

Specify the vulnerabilities to which you want this test to apply. You can search for vulnerabilities by using the OSVDB ID, CVE ID, Bugtraq ID, or title.

are susceptible to vulnerabilities with one of the following classifications

A vulnerability can be associated with one or more vulnerability classifications. This test filters all assets that include vulnerabilities with the specified classifications.

Configure the classifications parameter to identify the vulnerability classifications that you want this test to apply.

are susceptible to vulnerabilities with CVSS score greater than 5

A Common Vulnerability Scoring System (CVSS) value is an industry standard for assessing the severity of possible vulnerabilities. CVSS is composed of three metric groups: Base, Temporal, and Environmental. These metrics allow CVSS to define and communicate the fundamental characteristics of a vulnerability.

This test filters assets in your network that include the configured CVSS value.

are susceptible to vulnerabilities disclosed after specified date

Filters assets in your network with a possible vulnerability that is disclosed after, before, or on the configured date.

are susceptible to vulnerabilities on one of the following ports

Filters assets in your network with a possible vulnerability that is associated with the configured ports.

Configure the ports parameter to identify assets that have possible vulnerabilities based on the specified port number.

are susceptible to vulnerabilities where the name, vendor, version or service contains one of the following text entries

Detects assets in your network with a vulnerability whose name, vendor, version or service contains one or more of the configured text entries.

Configure the text entries parameter to specify the name, vendor, version or service text that you want this test to consider.

are susceptible to vulnerabilities where the name, vendor, version or service contains one of the following regular expressions

Detects assets in your network with a vulnerability whose name, vendor, version or service matches one or more of the configured regular expressions.

Configure the regular expressions parameter to specify the name, vendor, version or service patterns that you want this test to consider.

are susceptible to vulnerabilities contained in vulnerability saved searches

Detects risks that are associated with saved searches that are created in JSA Vulnerability Manager.
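The vulnerability contributing tests (the same rows appear in Table 1 and in Table 3) and the exploitable restrictive test, as an added Python example; it is not JSA code and not part of the original page. The vulnerability records, their IDs, vendors and classifications, and the decision to apply the exploitable restriction to the same vulnerability that satisfied the contributing test are all constructed assumptions:

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability instance on an asset (constructed placeholder data, not real IDs)."""
    vuln_id: str
    title: str
    cvss: float
    disclosed: date
    port: Optional[int]
    classification: str
    vendor: str
    version: str
    service: str
    exploitable: bool


@dataclass(frozen=True)
class Asset:
    ip: str
    vulnerabilities: tuple


# Placeholder vulnerabilities; IDs, vendors and titles are invented for the example.
V_A = Vulnerability("VULN-A", "Request smuggling in example-httpd", 9.8, date(2023, 3, 1), 443,
                    "Input Manipulation", "ExampleCorp", "2.4.1", "http", True)
V_B = Vulnerability("VULN-B", "Banner leaks version in example-sshd", 5.3, date(2021, 6, 15), 22,
                    "Information Disclosure", "ExampleCorp", "7.9", "ssh", False)
V_C = Vulnerability("VULN-C", "Resource exhaustion in example-named", 7.5, date(2024, 1, 10), 53,
                    "Denial of Service", "ExampleDNS", "9.16", "dns", False)

# Constructed asset inventory.
ASSETS = [
    Asset("10.1.1.10", (V_A,)),
    Asset("10.1.1.11", (V_B,)),
    Asset("10.1.1.12", (V_C,)),
    Asset("10.1.1.13", (V_A, V_B)),
    Asset("10.1.1.14", ()),          # clean host, never returned
]


def susceptible(assets, predicate):
    """"are susceptible to ...": assets with at least one vulnerability satisfying the test."""
    hits = [a.ip for a in assets if any(predicate(v) for v in a.vulnerabilities)]
    return sorted(hits, key=ipaddress.ip_address)


# Contributing-test predicates, one per table row.
def one_of(ids):                       # "... one of the following vulnerabilities" (ID or title)
    return lambda v: v.vuln_id in ids or v.title in ids

def classification_in(classes):        # "... with one of the following classifications"
    return lambda v: v.classification in classes

def cvss_greater_than(score):          # "... with CVSS score greater than <score>"
    return lambda v: v.cvss > score

def disclosed_after(when):             # "... disclosed after specified date"
    return lambda v: v.disclosed > when

def on_ports(ports):                   # "... on one of the following ports"
    return lambda v: v.port in ports

def _fields(v):
    return (v.title, v.vendor, v.version, v.service)

def text_contains(entries):            # "... name, vendor, version or service contains text entries"
    return lambda v: any(e.lower() in f.lower() for e in entries for f in _fields(v))

def regex_matches(patterns):           # "... contains one of the following regular expressions"
    compiled = [re.compile(p) for p in patterns]
    return lambda v: any(r.search(f) for r in compiled for f in _fields(v))


def exploitable_only(predicate):
    """Restrictive "include only if susceptible to vulnerabilities that are exploitable".
    Assumed to apply per vulnerability: the SAME vulnerability that satisfied the
    contributing test must be exploitable, not merely some other one on the asset."""
    return lambda v: predicate(v) and v.exploitable


if __name__ == "__main__":
    print("CVSS > 7:", susceptible(ASSETS, cvss_greater_than(7)))
    print("CVSS > 7 and exploitable:", susceptible(ASSETS, exploitable_only(cvss_greater_than(7))))
    print("version 9.1x:", susceptible(ASSETS, regex_matches([r"^9\.1\d$"])))
```

The text and regular-expression tests search all four fields, so anchor a pattern (as in `^9\.1\d$`) when you mean the version field alone; an unanchored `9.1` would also match a title or vendor that happens to contain those characters.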

Deprecated Contributing Test Questions

If a test has been replaced by another test, it is hidden in Policy Monitor.

The following replaced tests are hidden in Policy Monitor:

  • assets that are susceptible to vulnerabilities from the following vendors

  • assets that are susceptible to vulnerabilities from the following services

Restrictive Question Parameters for Possible Communication Tests

Possible communication tests for assets include restrictive question parameters.

The following table lists and describes the restrictive question parameters for possible communication tests.

Table 4: Restrictive Tests for Possible Communication Tests

Test Name

Description

include only the following protocols

Filters assets that have or have not possibly communicated with the configured protocols, in conjunction with the other tests added to this question.

include only the following inbound ports

Filters assets that have or have not possibly communicated with the configured ports, in conjunction with the other tests added to this question.

include only ports other than the following inbound ports

Filters assets from a contributing test question that have or have not possibly communicated with ports other than the configured ports, in conjunction with the other tests added to this question.

include only if susceptible to vulnerabilities that are exploitable.

Filters assets from a contributing test question searching for possible specific vulnerabilities and restricts results to exploitable assets.

This restrictive test does not contain configurable parameters, but is used in conjunction with the contributing test, are susceptible to one of the following vulnerabilities. This contributing rule containing a vulnerabilities parameter is required.

include only the following networks

Filters assets from a contributing test question that include only or exclude the configured networks.

include only the following asset building blocks

Filters assets from a contributing test question that include only or exclude the configured asset building blocks.

include only the following asset saved searches

Filters assets from a contributing test question that include only or exclude the associated asset saved search.

include only the following reference sets

Filters assets from a contributing test question that include only or exclude the configured reference sets.

include only the following IP addresses

Filters assets from a contributing test question that include only or exclude the configured IP addresses.

include only if the Microsoft Windows service pack for operating systems is below 0

Filters assets to determine whether the Microsoft Windows service pack level of an operating system is below the level that your company policy specifies. The 0 shown is the default value of the configurable level parameter.

include only if the Microsoft Windows security setting is less than 0

Filters assets to determine whether a Microsoft Windows security setting is below the level that your company policy specifies. The 0 shown is the default value of the configurable level parameter.

include only if the Microsoft Windows service equals status

Filters assets to determine whether a Microsoft Windows service has the status unknown, boot, kernel, auto, demand, or disabled.

include only if the Microsoft Windows setting equals regular expressions

Filters assets to determine whether a Microsoft Windows setting matches the specified regular expression.

Device/rules Test Questions

Device/rules test questions are used to identify rules on a device that violate a defined policy and can introduce risk into the environment.

The device/rules test questions are described in the following table.

Table 5: Device/rules Tests

Test Name

Description

allow connections to the following networks

Filters device rules and connections to or from the configured networks. For example, if you configure the test as allow connections to a network, it returns every rule and connection that allows connections to the configured network.

allow connections to the following IP addresses

Filters device rules and connections to or from the configured IP addresses. For example, if you configure the test as allow connections to an IP address, it returns every rule and connection that allows connections to the configured IP address.

allow connections to the following asset building blocks

Filters device rules and connections to or from the configured asset building block.

allow connections to the following reference sets

Filters device rules and connections to or from the configured reference sets.

allow connections using the following destination ports and protocols

Filters device rules and connections that use the configured destination ports and protocols.

allow connections using the following protocols

Filters device rules and connections to or from the configured protocols.

allow connections to the Internet

Filters device rules and connections to and from the Internet.

are one of the following devices

Filters all network devices to the configured devices. This test can filter based on devices that are or are not in the configured list.

are one of the following reference sets

Filters device rules based on the reference sets that you specify.

are one of the following networks

Filters device rules based on the networks that you specify.

are using one of the following adapters

Filters device rules based on the adapters that you specify.
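How the device/rules tests above select rules from a rule base, as an added Python model; it is not JSA or adapter code and not part of the original page. The simplified rule format, the two device names, the local address plan and the rule of thumb that an address object reaches the Internet when it is not contained in a local network are assumptions made for the example:

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
# Hypothetical address plan: anything not inside these ranges is "the Internet".
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """A simplified firewall rule (constructed; real adapters expose more fields)."""
    device: str
    rule_id: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    protocol: str          # "tcp", "udp" or "any"
    dst_ports: frozenset   # empty = any port
    action: str            # "allow" or "deny"


def net(cidr):
    return ANY if cidr == "any" else ipaddress.ip_network(cidr)


def reaches_internet(cidr):
    """True if the address object contains at least one non-local address."""
    n = net(cidr)
    return not any(n.subnet_of(local) for local in LOCAL_NETWORKS)


# Constructed rule base for two hypothetical devices.
RULES = [
    Rule("fw-edge", "R1", "any", "172.16.5.20/32", "tcp", frozenset({443}), "allow"),
    Rule("fw-edge", "R2", "any", "172.16.5.0/24", "tcp", frozenset({22}), "allow"),
    Rule("fw-edge", "R3", "10.0.0.0/8", "any", "tcp", frozenset({80, 443}), "allow"),
    Rule("fw-edge", "R4", "any", "any", "any", frozenset(), "deny"),
    Rule("fw-core", "R5", "10.1.1.0/24", "10.1.2.0/24", "tcp", frozenset({445}), "allow"),
    Rule("fw-core", "R6", "192.168.0.0/16", "any", "udp", frozenset({53}), "allow"),
]


def ids(rules):
    return [r.rule_id for r in rules]


def allow_to_networks(rules, networks, *, direction="to"):
    """"allow connections to/from the following networks": allow rules whose destination
    (or source, for direction="from") object overlaps one of the configured networks."""
    targets = [ipaddress.ip_network(n) for n in networks]
    side = (lambda r: r.dst) if direction == "to" else (lambda r: r.src)
    return [r for r in rules if r.action == "allow"
            and any(net(side(r)).overlaps(t) for t in targets)]


def allow_to_internet(rules, *, direction="to"):
    """"allow connections to/from the Internet"."""
    side = (lambda r: r.dst) if direction == "to" else (lambda r: r.src)
    return [r for r in rules if r.action == "allow" and reaches_internet(side(r))]


def allow_ports_protocols(rules, pairs):
    """"allow connections using the following destination ports and protocols";
    pairs is a set of (protocol, port). A rule with protocol "any" or with no port
    list matches every pair."""
    return [r for r in rules if r.action == "allow" and any(
        r.protocol in ("any", proto) and (not r.dst_ports or port in r.dst_ports)
        for proto, port in pairs)]


def on_devices(rules, devices):
    """"are one of the following devices"."""
    return [r for r in rules if r.device in devices]


def inbound_from_internet_to(rules, networks, pairs):
    """Worked question: rules that let the Internet reach the given networks on the
    given ports and protocols (here: SSH into the DMZ from anywhere)."""
    hits = allow_to_internet(rules, direction="from")
    hits = allow_to_networks(hits, networks)
    return allow_ports_protocols(hits, pairs)


if __name__ == "__main__":
    print("allow to DMZ:", ids(allow_to_networks(RULES, ["172.16.5.0/24"])))
    print("allow to Internet:", ids(allow_to_internet(RULES)))
    print("Internet -> DMZ on tcp/22:",
          ids(inbound_from_internet_to(RULES, ["172.16.5.0/24"], {("tcp", 22)})))
```

Each rule is judged on its own: the model does not evaluate rule order, so an allow rule that an earlier deny already shadows is still reported. That is usually what you want in a policy review (a dead permissive rule is still a policy problem), but it means a hit is not proof that the connection is actually possible.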

Importance Factor

The Importance Factor is used to calculate the Risk Score and to cap the number of results that are returned for a question.

The range is 1 (low importance) to 10 (high importance). The default is 5.

Table 6: Importance Factor Results Matrix

Importance Factor      Returned Results for Asset Tests    Returned Results for Device/Rule Tests
1 (low importance)     10,000                              1,000
10 (high importance)   1                                   1

For example, the policy question have accepted communication from the Internet with the restrictive test include only the following networks (DMZ) warrants a high importance factor of 10: because of the risk it represents, any result at all is unacceptable. By contrast, have accepted communication from the Internet with include only the following inbound applications (P2P) might warrant a lower importance factor, because its results do not by themselves indicate high risk and you might only be monitoring that communication for informational purposes.