Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Reference Sets Overview

Use reference sets in JSA to store data in a simple list format.

You can populate the reference set with external data, such as indicators of compromise (IOCs), or you can use it to store business data, such as IP addresses and user names, that is collected from events and flows that occur on your network.

A reference set contains unique values that you can use in searches, filters, rule test conditions, and rule responses. Use rules to test whether a reference set contains a data element, or configure the rule response to add data to a reference set. For example, you can create a rule that detects when an employee accesses a prohibited website, and configure the rule response to add the employee's IP address or user name to a reference set.

For more information about configuring rule responses to add data to a reference set, see the Juniper Secure Analytics Users Guide.

Reference sets are the only type of reference data collection that you can manage in JSA. You can also use the Creating Reference Data Collections by Using the Command Line and the Creating Reference Data Collections with the APIs to manage reference sets.

Adding, Editing, and Deleting Reference Sets

Use a reference set to compare a property value, such as an IP address or user name, against a list. You can use reference sets with rules to keep watch lists. For example, you can create a rule to detect when an employee accesses a prohibited website and then add that employee's IP address to a reference set.

After you add data to the reference set, the Number of Elements and Associated Rules parameters are automatically updated.

When you edit a reference set, you can change the data values, but you cannot change the type of data that the reference set contains.

Before a reference set is deleted, JSA runs a dependency check to see whether the reference set has rules that are associated with it.

Note:

If you use techniques to obfuscate data on the event properties that you want to compare to the reference set data, use an alphanumeric reference set and add the obfuscated data values.

  1. On the navigation menu (), click Admin.

  2. In the System Configuration section, click Reference Set Management.

  3. To add a reference set:

    1. Click Add and configure the parameters.

      Learn more about reference set parameters:

      The following table describes each of the parameters that are used to configure a reference set.

      Table 1: Reference Set Parameters

      Parameter

      Description

      Name

      The maximum length of the reference set name is 255 characters.

      Type

      Select the data types for the reference elements. You can't edit the Type parameter after you create a reference set.

      The IP type stores IPv4 addresses. Alphanumeric (Ignore Case) automatically changes any alphanumeric value to lowercase.

      To compare obfuscated event and flow properties to the reference data, you must use an alphanumeric reference set.

      Time to Live of elements

      Specifies when reference elements expire. If you select the Lives Forever default setting, the reference elements don’t expire.

      If you specify an amount of time, indicate whether the time-to-live interval is based on when the data was first seen, or was last seen.

      JSA removes expired elements from the reference set periodically (by default, every 5 minutes).

      When elements expire

      Specifies how expired reference elements are logged in the qradar.log file when they are removed from the reference set.

      The Log each element in a separate log entry option triggers an Expired ReferenceData element log event for each reference element that is removed. The event contains the reference set name and the element value.

      The Log elements in one log entry option triggers one Expired ReferenceData element log event for all reference elements that are removed at the same time. The event contains the reference set name and the element values.

      The Do not log elements option does not trigger a log event for removed reference elements.

    2. Click Create.

  4. Click Edit or Delete to work with existing reference sets.

    Tip:

    To delete multiple reference sets, use the Quick Search text box to search for the reference sets that you want to delete, and then click Delete Listed.

Viewing the Contents Of a Reference Set

View information about the data elements in the reference set, such as the domain assignment, the expiry on the data, and when the element was last seen in your network.

  1. On the navigation menu (), click Admin.

  2. In the System Configuration section, click Reference Set Management.

  3. Select a reference set and click View Contents.

  4. Click the Content tab to view information about each data element.

    Tip:

    Use the search field to filter for all elements that match a keyword. You can't search for data in the Time To Live column.

    Learn more about the data elements:

    The following table describes the information that is shown for each data element in the reference set.

    Table 2: Information About the Reference Set Data Elements

    Description

    Domain

    Domain-specific reference data can be viewed by tenant users who have access to the domain, MSSP Administrators, and users who do not have a tenant assignment. Users in all tenants can view shared reference data.

    Value

    The data element that is stored in the reference set. For example, the value might show user names or IP addresses.

    Origin

    Shows the user name when the data element is added manually, and the file name when the data was added by importing it from an external file. Shows the rule name when the data element is added in response to a rule.

    Time to Live

    The time that is remaining until this element is removed from the reference set.

    Date Last Seen

    The date and time that this element was last detected on your network.

  5. Click the References tab to view the rules that use the reference set in a rule test or in a rule response.

    Table 3: Content Tab Parameters

    Parameter

    Description

    Rule Name

    Name of the rule that is configured to use the reference set.

    Group

    The group that the rule belongs to.

    Category

    Shows if the rule is a custom rule rule.

    Type

    Shows event, flow, common, or offense to indicate the type of data that the rule is tested against.

    Enabled

    A rule must be enabled for the custom rule engine to evaluate it.

    Response

    The responses that are configured for this rule.

    Origin

    System indicates a default rule.

    Modified indicates that a default rule was customized.

    User indicates a user-created rule.

  6. To view or edit an associated rule, double-click the rule in the References list and complete the rule wizard.

Adding Elements to a Reference Set

Add elements to a reference set when you want JSA to compare a property to the element value. Use JSA to manually add elements to a reference set, or to import elements from a .csv file.

To import elements, make sure that the .csv file is stored locally.

Domain-specific reference data can be viewed by tenant users who have access to the domain, MSSP Administrators, and users who do not have a tenant assignment. Users in all tenants can view shared reference data.

You can assign reference data to a specific domain. Domain-specific reference data can be viewed by tenant users who have access to the domain, MSSP Administrators, and users who do not have a tenant assignment. Users in all tenants can view shared reference data. For example, MSSP users who are not administrators can view reference data that is assigned to a domain.

  1. On the navigation menu (), click Admin.

  2. In the System Configuration section, click Reference Set Management.

  3. Select the reference set that you want to add the elements to, and click View Contents.

  4. Click the Content tab.

  5. To add data elements manually, follow these steps:

    1. Click Add and configure the parameters.

      Valid port values are 0 - 65535. Valid IP addresses are between 0 and 255.255.255.255.

      Note:

      If you use data obfuscation techniques on the event properties that you want to compare to the reference set data, you must use an alphanumeric reference set that contains the obfuscated data values.

    2. Click Add.

  6. To add elements from a .csv file, follow these steps:

    1. Click Import.

    2. Click Select File and browse to select the .csv file that you want to import.

      The .csv file must be formatted with all items comma-separated on a single line, or with each item on a separate line. A delimiter is not required when each item is on a separate line.

    3. Select the Domain that you want to add the reference set data to.

    4. Click Import.

      The import adds the content of the text file to the reference set.

Exporting Elements from a Reference Set

Export reference set elements to a .csv file when you want to include the information in reports, or share the information with people who don't use JSA.

  1. On the navigation menu (), click Admin.

  2. In the System Configuration section, click Reference Set Management.

  3. Select the reference set that you want to export, and click View Contents.

  4. Click the Content tab, and click Export.

  5. Choose whether to open the file immediately, or save the file, and then click OK.

Deleting Elements from a Reference Set

You might need to delete elements from a reference set when an element is added to the reference set in error, or when you no longer need to compare the element with other JSA properties. For example, you might need to remove an asset that was mistakenly added to an asset exclusion blacklist.

  1. On the navigation menu (), click Admin.

  2. In the System Configuration section, click Reference Set Management.

  3. Select the reference set that contains the elements that you want to delete, and click View Contents.

  4. Click the Content tab and choose one of the following options:

    • To delete a single element, select the element from the list, and click Delete.

    • To delete multiple elements, use the search box to filter the list to show only the elements that you want to delete, and then click Delete Listed.