Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Examples for Using Reference Data Collections

These examples show how you can use reference data collections to track and store data that you want to use in JSA searches, filters, rule test conditions, and rule responses.

Tracking Expired User Accounts

Use reference data collections to identify stale data, such as expired user accounts, in your JSA environment.

By default, reference data remains in JSA until it is removed. However, when you create a reference data collection, you can configure JSA to remove the data after a specified period of time.

When the data element expires, JSA automatically deletes the value from the reference data collection and triggers an event to track the expiry.

  1. Create a reference set to keep track of the time since a user last logged in.

    1. Set the Time to Live of elements to represent the period of time after which an unused user account is considered expired.

    2. Select the Since last seen button.

  2. Create a custom event rule to add login data, such as the username, to the reference set.


    JSA tracks the Date Last Seen for each data element. If no data is added for a particular user within the time-to-live period, the reference set element expires, and a Reference Data Expiry event is triggered. The event contains the reference set name and the username that is expired.

  3. Use the Log Activity tab to track the Reference Data Expiry events.

Use the reference set data in searches, filters, rule test conditions, and rule responses.

Integrate Dynamic Data from External Sources

Large enterprise organizations can use reference data collections to share information about their IT assets with the security teams that manage the JSA deployment.

For example, the Information Technology (IT) team maintains an asset management database that includes information about all the network assets. Some of the information, such as the IP addresses for the web servers, changes frequently.

Once a week, the IT team exports the list of IP addresses for all of the web servers that are deployed in the network and provides the list to the security team. The security team imports the list into a reference set, which can then be used in rules, searches, and reports to provide more context to the events and flows that are processed by JSA.