You can use reference sets in JSA or IBM QRadar to store data in a simple list format. You can populate the reference set with external data, such as indicators of compromise (IOCs), or you can use it to store business data, such as IP addresses and user names, that is collected from events and flows that occur on your network.
A reference set contains unique values that you can use in searches, filters, rule test conditions, and rule responses. Use rules to test whether a reference set contains a data element, or configure the rule response to add data to a reference set. For example, you can create a rule that detects when an employee accesses a prohibited website, and configure the rule response to add the employee's IP address or user name to a reference set.
Use a reference set to compare a property value, such as an IP address or user name, against a list. You can use reference sets with rules to keep watch lists. For example, you can create a rule to detect when an employee accesses a prohibited website and then add that employee's IP address to a reference set.
After registration with Security Director, all available reference sets are automatically converted to dynamic address groups in Security Director. Whenever an administrator creates a new reference set in JSA or IBM QRadar, the corresponding dynamic address group is automatically added in Security Director. The dynamic address groups are added with the same name in Security Director.
The newly added reference sets are automatically converted to dynamic address groups in Security Director within 5 minutes.
To add a reference set:
You can refer the same procedure for creating reference sets in IBM QRadar.
- Log in to the JSA application.
- Select Admin.
The System Configuration options are displayed.
- Click Reference Set Management.
The Reference Set Management page is displayed.
- Click Add.
The New Reference Collection page is displayed.
- Configure the parameters according to the guidelines in Table 1.
- Click Create to create a reference set or Cancel to discard the changes.
Table 1: Reference Collection Parameters
The maximum length of the reference set name is 255 characters.
Select the data types for the reference elements. You cannot edit the Type parameter after you create a reference set.
The IP type stores IPv4 addresses. Alphanumeric (Ignore Case) automatically changes any alphanumeric value to lowercase.
To compare obfuscated event and flow properties to the reference data, you must use an alphanumeric reference set.
Time to Live of elements
Specifies when JSA automatically deletes elements from the reference set. Lives Forever is the default setting.
If you specify an amount of time, indicate whether the time-to-live interval is based on when the data was first seen, or was last seen.
When a reference set element expires, a Reference Data Expiry event is triggered. The event contains the reference set name and the element value.
A feed server running in Security Director serves feed requests from SRX or vSRX Series Devices for the Dynamic Address Groups. Before configuring Security Director firewall rules, you must configure feed server on SRX or vSRX Series devices with the following CLI:
set security dynamic-address feed-server JSA hostname SD_IP
set security dynamic-address feed-server JSA update-interval 600000
set security dynamic-address feed-server JSA hold-interval 36000000
Administrators can use the dynamic address groups to configure firewall policy rules in Security Director. For configuring firewall policy rules in Security Director, see Creating Firewall Policy Rules in Security Director User Guide.
For details on Reference Sets, see JSA Administration Guide