
Offense Actions

JSA provides the capability to act on the offenses as you investigate them. To help you track offenses that were acted upon, JSA adds an icon to the Flag column when you assign an offense to a user, protect or hide an offense, add notes, or mark the offense for follow-up.

To perform the same action on multiple offenses, hold the Control key while you select each offense you want to act on. To view offense details on a new page, press the Ctrl key while you double-click an offense.

Adding Notes

Add notes to an offense to track information that is collected during an investigation. Notes can include up to 2000 characters.

  1. Click the Offenses tab.

  2. Select the offense to which you want to add the note.

    To add the same note to multiple offenses, press the Ctrl key while you select each offense.

  3. From the Actions list, select Add Note.

  4. Type the note that you want to include for this offense.

  5. Click Add Note.

The note is displayed in the Last 5 Notes pane on the Offense Summary window. A Notes icon is displayed in the flag column of the offense list.

Hover your mouse over the notes indicator in the Flag column of the Offenses list to view the note.

Hiding Offenses

Hide an offense to prevent it from being displayed in the offense list. After you hide an offense, the offense is no longer displayed in any list on the Offenses tab, including the All Offenses list. However, if you perform a search that includes hidden offenses, the offense is displayed in the search results.

  1. Click the Offenses tab.

  2. Select the offense that you want to hide.

    To hide multiple offenses, hold the Control key while you select each offense.

  3. From the Actions list box, select Hide.

  4. Click OK.

Showing Hidden Offenses

By default, the offense list on the Offenses tab filters to exclude hidden offenses. To view hidden offenses, clear the filter on the Offenses tab or perform a search that includes hidden offenses. When you include hidden offenses in the offense list, the offenses show the Hidden icon in the Flag column.

  1. Click the Offenses tab.

  2. To clear the filter on the offense list, click Clear Filter next to the Exclude Hidden Offenses search parameter.

  3. To create a new search that includes hidden offenses, follow these steps:

    1. From the Search list box, select New Search.

    2. In the Search Parameters window, clear the Hidden Offenses check box in the Exclude options list.

    3. Click Search.

  4. To remove the hidden flag from an offense, follow these steps:

    1. Select the offense for which you want to remove the hidden flag.

      To select multiple offenses, hold the Control key while you click each offense.

    2. From the Actions list box, select Show.

    The hidden flag is removed, and the offense appears in the offense list without the need to clear the Exclude Hidden Offenses filter.

Closing Offenses

Close an offense to remove it completely from your system.

The default offense retention period is 30 days. After the offense retention period expires, closed offenses are deleted from the system. You can protect an offense to prevent it from being deleted when the retention period expires.

Closed offenses are no longer displayed in any list on the Offenses tab, including the All Offenses list. If you include closed offenses in a search, and the offense is still within the retention period, the offense is displayed in the search results. If more events occur for an offense that is closed, a new offense is created.

When you close offenses, you must select a reason for closing the offense. If you have the Manage Offense Closing permission, you can add custom closing reasons. For more information about user role permissions, see the Juniper Secure Analytics Administration Guide.

  1. Click the Offenses tab.

  2. Select the offense that you want to close.

    To close multiple offenses, hold the Control key while you select each offense.

  3. From the Actions list, select Close.

  4. In the Reason for Closing list, specify a closing reason.

    To add a close reason, click the icon beside Reason for Closing to open the Custom Offense Close Reasons dialog box.

  5. In the Notes field, type a note to provide more information.

    The Notes field displays the note that was entered for the previous offense closing. Notes must not exceed 2,000 characters.

  6. Click OK.

After you close offenses, the counts that are displayed on the By Category window of the Offenses tab can take several minutes to reflect the closed offenses.

Exporting Offenses

Export offenses when you want to reuse the data or when you want to store the data externally. For example, you can use the offense data to create reports in a third-party application. You can also export offenses as a secondary long-term retention strategy. Customer Support might require you to export offenses for troubleshooting purposes.

You can export offenses in Extensible Markup Language (XML) or comma-separated values (CSV) format. The resulting XML or CSV file includes the parameters that are specified in the Column Definition pane of the search parameters. The length of time that is required to export the data depends on the number of parameters specified.

  1. Click the Offenses tab.

  2. Select the offenses that you want to export.

    To select multiple offenses, hold the Control key while you select each offense.

  3. Choose one of the following options:

    • To export the offenses in XML format, select Actions > Export to XML.

    • To export the offenses in CSV format, select Actions > Export to CSV.

    Note:

    If you use Microsoft Excel to import the CSV file, you must select the correct locale to ensure that the data displays correctly.

  4. Choose one of the following options:

    • To open the file for immediate viewing, select Open with and select an application from the list.

    • To save the file, select Save File.

  5. Click OK.

    The file, <date>-data_export.xml.zip, is saved in the default download folder on your computer.

Assigning Offenses to Users

By default, all new offenses are unassigned. You can assign an offense to a JSA user for investigation.

When you assign an offense to a user, the offense is displayed on the My Offenses page for that user. You must have the Assign Offenses to Users permission to assign offenses to users. For more information about user role permissions, see the Juniper Secure Analytics Administration Guide.

You can assign offenses to users from either the Offenses tab or Offense Summary pages. This procedure provides instruction on how to assign offenses from the Offenses tab.

  1. Click the Offenses tab.

  2. Select the offense that you want to assign.

    To assign multiple offenses, hold the Control key while you select each offense.

  3. From the Actions list, select Assign.

  4. In the Assign To User list, select the user that you want to assign this offense to.

    Note:

    The Assign To User list displays only those users who have privileges to view the Offenses tab. The security profile settings for the user are followed as well.

  5. Click Save.

The offense is assigned to the selected user. The User icon is displayed in the Flag column of the Offenses tab to indicate that the offense is assigned. The designated user can see this offense on the My Offenses page.

Sending Email Notifications

Share the offense summary information with another person by sending an email.

The body of the email message includes the following information, if available:

  • Source IP address

  • Source user name, host name, or asset name

  • Total number of sources

  • Top five sources by magnitude

  • Source networks

  • Destination IP address

  • Destination user name, host name, or asset name

  • Total number of destinations

  • Top five destinations by magnitude

  • Destination networks

  • Total number of events

  • Rules that caused the offense or event rule to fire

  • Full description of the offense or event rule

  • Offense ID

  • Top five categories

  • Start time of the offense or the time the event was generated

  • Top five annotations

  • Link to the offense user interface

  • Contributing CRE rules

  1. Click the Offenses tab.

  2. Select the offense for which you want to send an email notification.

  3. From the Actions list box, select Email.

  4. Configure the following parameters:

    • To: Type the email address of the user you want to notify when a change occurs to the selected offense. Separate multiple email addresses with a comma.

    • From: Type the originating email address. The default is root@localhost.com.

    • Email Subject: Type the subject for the email. The default is Offense ID.

    • Email Message: Type the standard message that you want to accompany the notification email.

  5. Click Send.

Marking an Offense for Follow-up

Mark an offense for follow-up when you want to flag it for further investigation.

  1. Click the Offenses tab.

  2. Find the offense that you want to mark for follow-up.

  3. Double-click the offense.

  4. From the Actions list, select Follow up.

The offense now displays the follow-up icon in the Flag column. To sort the offense list to show flagged offenses at the top, click the Flags column header.