Getting Started for Architects
If you're an architect, the following topics are a good place to get started to learn how to use JSA in your everyday workflow.
Do you understand the distributed architecture and the roles of various components of JSA?
JSA architecture overview
JSA SIEM (Security Information and Event Management) is a modular architecture that provides real-time visibility into your IT infrastructure, which you can use for threat detection and prioritization. You can scale JSA to meet your log and flow collection and analysis needs, and you can add integrated modules to your JSA platform, such as JSA Risk Manager and JSA Vulnerability Manager.
Use JSA components to scale a deployment, and to manage data collection and processing in distributed networks.
JSA events and flows
The core function of JSA is managing network security by monitoring events and flows. The significant difference between event and flow data is that an event, which is typically a log of a specific action such as a user login or a VPN connection, occurs at a specific point in time and is logged at that time. A flow is a record of network activity that can last for seconds, minutes, hours, or days, depending on the activity within the session.
Do you know how to scope an environment for architectural requirements, data rates, and retention policies to optimally build a JSA deployment?
Retention buckets define how long event and flow data is retained in JSA. As JSA receives events and flows, each one is compared against the retention bucket filter criteria. When an event or flow matches a retention bucket filter, it is stored in that retention bucket until the deletion policy time period is reached. The default retention period is 30 days; when that period is reached, the data is immediately deleted.
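The following Python is an added example, not JSA code, that simulates the matching rule described above: each record is compared against an ordered list of bucket filters, the first match decides the retention period, and a record that matches no bucket falls under the 30-day default. The bucket names, filter criteria, and sample records are constructed for illustration; in JSA the filters are configured in the product, not written as code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]


@dataclass(frozen=True)
class RetentionBucket:
    name: str
    retention_days: int
    matches: Callable[[Record], bool]  # hypothetical code form of the bucket's filter criteria


DEFAULT_RETENTION_DAYS = 30  # default retention period stated on the page

# Hypothetical buckets, checked in order; the first filter that matches wins.
BUCKETS: List[RetentionBucket] = [
    RetentionBucket("auth-events-1y", 365,
                    lambda r: r["kind"] == "event" and r["category"] == "authentication"),
    RetentionBucket("flows-7d", 7, lambda r: r["kind"] == "flow"),
]


def assign_bucket(record: Record, buckets: List[RetentionBucket] = BUCKETS) -> Optional[str]:
    """Compare the record against each bucket's filter; return the matching bucket
    name, or None when no bucket matches and the default retention applies."""
    for bucket in buckets:
        if bucket.matches(record):
            return bucket.name
    return None


def retention_days(record: Record, buckets: List[RetentionBucket] = BUCKETS) -> int:
    """Retention period in days that applies to this record."""
    name = assign_bucket(record, buckets)
    if name is None:
        return DEFAULT_RETENTION_DAYS
    return next(b.retention_days for b in buckets if b.name == name)


def deletion_date(record: Record, buckets: List[RetentionBucket] = BUCKETS) -> str:
    """Calendar date on which the record's deletion policy period is reached."""
    received = datetime.fromisoformat(record["received"])
    return (received + timedelta(days=retention_days(record, buckets))).date().isoformat()


def purge_candidates(records: List[Record], now_iso: str,
                     buckets: List[RetentionBucket] = BUCKETS) -> List[str]:
    """IDs of records whose deletion time has been reached at `now_iso`
    (the page states the data is deleted immediately at that point)."""
    now = datetime.fromisoformat(now_iso)
    return [
        r["id"] for r in records
        if now >= datetime.fromisoformat(r["received"]) + timedelta(days=retention_days(r, buckets))
    ]


# Constructed sample records: one authentication event, one firewall event, one flow.
SAMPLE_RECORDS: List[Record] = [
    {"id": "e1", "kind": "event", "category": "authentication", "received": "2024-01-01T08:00:00"},
    {"id": "e2", "kind": "event", "category": "firewall", "received": "2024-01-01T08:00:00"},
    {"id": "f1", "kind": "flow", "category": "", "received": "2024-01-01T08:00:00"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], assign_bucket(rec), retention_days(rec), "delete on", deletion_date(rec))
    print("purge on 2024-02-15:", purge_candidates(SAMPLE_RECORDS, "2024-02-15T00:00:00"))
```

Because the first matching filter wins, bucket order matters: a broad filter placed before a narrow one silently captures records the narrow bucket was meant to keep longer, so order buckets from most specific to most general when planning retention.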
Distributing event and flow capacity
Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to are fully used. Also ensure that JSA is configured to handle periodic bursts of data without dropping events or flows, and without leaving excessive EPS and FPM unused.
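The sizing question in this section, how a licensed rate compares with the real arrival pattern, can be checked from collected timestamps before changing the license pool. The following Python is an added example, not part of JSA and not its License Pool Management logic: it buckets event timestamps into windows (1 second for EPS, 60 seconds for FPM), then reports average utilisation of the licensed rate and the windows whose count exceeds it, which is where a burst could cause drops if no headroom is left. The timestamps and the licensed rate of 100 EPS are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List


def window_counts(timestamps_iso: List[str], window_seconds: int) -> Dict[int, int]:
    """Bucket ISO-8601 timestamps into fixed windows numbered from the first record.
    Empty windows are filled with zero so the average reflects the true time span."""
    epochs = [int(datetime.fromisoformat(t).timestamp()) for t in timestamps_iso]
    first, last = min(epochs), max(epochs)
    counts = Counter((e - first) // window_seconds for e in epochs)
    n_windows = (last - first) // window_seconds + 1
    return {w: counts.get(w, 0) for w in range(n_windows)}


def capacity_report(timestamps_iso: List[str], window_seconds: int,
                    licensed_per_window: int) -> Dict[str, object]:
    """Compare observed rate per window with the licensed rate.
    window_seconds=1 gives an EPS view, window_seconds=60 an FPM view."""
    counts = window_counts(timestamps_iso, window_seconds)
    total = sum(counts.values())
    average = total / len(counts)
    peak = max(counts.values())
    over_limit = [w for w, c in counts.items() if c > licensed_per_window]
    return {
        "windows": len(counts),
        "total": total,
        "average": average,
        "peak": peak,
        "licensed": licensed_per_window,
        "utilisation_pct": round(100.0 * average / licensed_per_window, 1),
        # windows where the licensed rate is exceeded: a burst that needs headroom
        "over_limit_windows": over_limit,
        "excess_at_peak": max(0, peak - licensed_per_window),
    }


def _constructed_event_times() -> List[str]:
    """Constructed sample: 10 seconds of traffic at 40 events/s with one burst of 120."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    times: List[str] = []
    for sec in range(10):
        n = 120 if sec == 5 else 40
        times += [(base + timedelta(seconds=sec)).isoformat()] * n
    return times


SAMPLE_EVENT_TIMES = _constructed_event_times()

if __name__ == "__main__":
    eps = capacity_report(SAMPLE_EVENT_TIMES, window_seconds=1, licensed_per_window=100)
    fpm = capacity_report(SAMPLE_EVENT_TIMES, window_seconds=60, licensed_per_window=1000)
    print("EPS view:", eps)
    print("per-minute view:", fpm)
```

In the constructed sample the average utilisation is under half the licensed rate while one second exceeds it, which is the combination the section warns about: unused entitlement most of the time, yet a burst that can be dropped. Run the same report over a representative day of real timestamps, including the busiest period, before deciding how much EPS and FPM to allocate to each managed host.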
Do you know how to determine which network segments are reporting to JSA?
Guidelines for defining your network hierarchy
Building a network hierarchy in JSA is an essential first step in configuring your deployment. Without a configured network hierarchy, JSA cannot determine flow directions, build a reliable asset database, or benefit from useful building blocks in rules.
Defining your network hierarchy
A default network hierarchy that contains pre-defined network groups is included in JSA. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.
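To make concrete why the two sections above treat the network hierarchy as a prerequisite, the following Python is an added example, not JSA code and not its pre-defined hierarchy: it represents a hierarchy as named groups of CIDR objects, resolves an address to the most specific object that contains it, and classifies a flow's direction from whether its source and destination are local (inside the hierarchy) or remote. The group names, CIDRs, sample flows, and the direction labels used here are constructed; JSA's own labels are not listed on this page. The last call in the block shows the failure mode the text describes: with an empty hierarchy every flow looks remote-to-remote.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical network hierarchy: group name -> CIDR objects in that group.
NETWORK_HIERARCHY: Dict[str, List[str]] = {
    "Corporate.Servers": ["10.10.0.0/16"],
    "Corporate.Servers.DomainControllers": ["10.10.5.0/24"],
    "Corporate.Workstations": ["10.20.0.0/16"],
    "DMZ": ["192.0.2.0/24"],
}

Index = List[Tuple[ipaddress._BaseNetwork, str]]


def build_index(hierarchy: Dict[str, List[str]]) -> Index:
    """Flatten the hierarchy into (network, group) pairs sorted longest prefix first,
    so a more specific object wins over an enclosing one."""
    index: Index = [(ipaddress.ip_network(cidr), name)
                    for name, cidrs in hierarchy.items() for cidr in cidrs]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def lookup(ip: str, index: Index) -> Optional[str]:
    """Name of the most specific hierarchy object containing ip, or None if remote."""
    addr = ipaddress.ip_address(ip)
    for network, name in index:
        if addr.version == network.version and addr in network:
            return name
    return None


def flow_direction(src: str, dst: str, index: Index) -> str:
    """Classify a flow by whether each endpoint is inside the hierarchy (local)."""
    src_local = lookup(src, index) is not None
    dst_local = lookup(dst, index) is not None
    labels = {
        (True, True): "local-to-local",
        (True, False): "local-to-remote",
        (False, True): "remote-to-local",
        (False, False): "remote-to-remote",
    }
    return labels[(src_local, dst_local)]


def classify_flows(flows: List[Tuple[str, str]],
                   hierarchy: Dict[str, List[str]]) -> List[Tuple[str, Optional[str], Optional[str], str]]:
    """For each (src, dst) return (src, src_group, dst_group, direction)."""
    index = build_index(hierarchy)
    return [(src, lookup(src, index), lookup(dst, index), flow_direction(src, dst, index))
            for src, dst in flows]


# Constructed sample flows (203.0.113.0/24 is a documentation range used as "internet").
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("10.20.7.33", "10.10.5.10"),     # workstation to domain controller
    ("10.10.1.5", "203.0.113.9"),     # server out to the internet
    ("203.0.113.9", "192.0.2.10"),    # internet to DMZ
    ("198.51.100.4", "203.0.113.9"),  # neither end is ours
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS, NETWORK_HIERARCHY):
        print(row)
    print("with an empty hierarchy:")
    for row in classify_flows(SAMPLE_FLOWS, {}):
        print(row)
```

The longest-prefix lookup is why editing the pre-defined objects rather than adding overlapping duplicates matters: two objects covering the same range with different names make group attribution depend on ordering, and rules or building blocks keyed on group names then behave inconsistently.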