Custom Rules in JSA

Rules, sometimes called correlation rules, are applied to events, flows, or offenses to search for or detect anomalies. If all the conditions of a test are met, the rule generates a response.

What Are Rules?

Custom rules test events, flows, and offenses to detect unusual activity in your network. You create new rules by using AND and OR combinations of existing rule tests.


What Are Building Blocks?

A building block is a collection of tests that don't result in a response or an action.

A building block groups commonly used tests to build complex logic, so that it can be reused in rules. A building block often tests for IP addresses, privileged user names, or collections of event names. For example, a building block can include the IP addresses of all DNS servers. Rules can then use this building block.

How do Rules Work?

JSA Event Collectors gather events from local and remote sources, normalize these events, and classify them into low-level and high-level categories. For flows, JSA Flow Processors read packets from the wire or receive flows from other devices and then convert the network data into flow records. Each Event Processor processes events or flow data from the JSA Event Collectors. Event Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against the defined rules to search for anomalies. When a rule condition is met, the Event Processor generates the action that is defined in the rule response. The CRE keeps track of the systems that are involved in incidents, contributes events to offenses, and generates notifications.

How is an Offense Created from a Rule?

JSA creates an offense when events, flows, or both meet the test criteria that are specified in the rules.

JSA analyzes the following information:

  • Incoming events and flows

  • Asset information

  • Known vulnerabilities

The rule that created the offense determines the offense type.

The magistrate prioritizes the offenses and assigns the magnitude value based on several factors, including number of events, severity, relevance, and credibility.

Note:

Building blocks are tested before rules are tested.

For example, you have a building block that is defined to trigger an offense on high-magnitude events. The log activity can show that there were high-magnitude events, but no offense was triggered. This can happen because, when the building block was tested, the events were not yet at high magnitude. The magnitude of the events did not increase until the rules were tested.

One solution is to set a rule to check for the differences in Severity, Credibility, and Relevance rather than to use a building block.
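The following added example (not JSA code, and not taken from this page) is a toy model of the evaluation order the note describes: building blocks run first, and magnitude is only raised by a rule response, so a building block that tests magnitude sees the pre-rule value while a rule that tests Severity, Credibility, and Relevance directly still fires. All rule and building-block names, and the magnitude formula, are made up for the illustration.

```python
# Toy model of the evaluation order described above. Constructed for illustration;
# it is not JSA code and greatly simplifies the real CRE. Assumption taken from the
# note: magnitude is raised only once rules run, so a building block that tests
# magnitude sees the pre-rule value. Rule and building block names are made up.
from dataclasses import dataclass, field

@dataclass
class Event:
    name: str
    severity: int        # 0-10, set at ingest
    credibility: int     # 0-10, set at ingest
    relevance: int       # 0-10, set at ingest
    magnitude: int = 0   # derived later by a rule response (assumption)
    matched: list = field(default_factory=list)  # names of building blocks that matched

def high_scr(e: Event) -> bool:
    """Test the raw Severity, Credibility and Relevance values directly."""
    return e.severity >= 7 and e.credibility >= 7 and e.relevance >= 7

def high_magnitude(e: Event) -> bool:
    """Test the derived magnitude (what the problematic building block does)."""
    return e.magnitude >= 7

BUILDING_BLOCKS = {"BB:HighMagnitude": high_magnitude, "BB:HighSCR": high_scr}  # tests only

def set_magnitude(e: Event) -> None:
    """Rule response that derives magnitude from S/C/R (made-up formula); opens no offense."""
    e.magnitude = max(e.magnitude, (e.severity + e.credibility + e.relevance) // 3)

def open_offense(e: Event) -> str:
    return f"offense:{e.name}"

# Rules: (name, test, response), evaluated in order after all building blocks.
RULES = [
    ("Rule:SetMagnitude", high_scr, set_magnitude),
    ("Rule:OffenseViaMagnitudeBB", lambda e: "BB:HighMagnitude" in e.matched, open_offense),
    ("Rule:OffenseViaSCR", lambda e: "BB:HighSCR" in e.matched, open_offense),
]

def run_cre(event: Event) -> list:
    """Evaluate building blocks first, then rules; return the offenses opened."""
    for name, test in BUILDING_BLOCKS.items():
        if test(event):
            event.matched.append(name)
    offenses = []
    for _name, test, response in RULES:
        if test(event) and (result := response(event)):
            offenses.append(result)
    return offenses
```

Running `run_cre(Event("ssh_brute_force", 9, 8, 8))` ends with magnitude 8, yet only Rule:OffenseViaSCR opens an offense, because BB:HighMagnitude was evaluated while magnitude was still 0.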