Configuring a Rule Response to Add Data to a Reference Data Collection

Set up rules that use reference data to alert you to suspicious activity. For example, add a list of privileged users to a reference set, and then set up a rule that alerts you when a privileged user anomaly occurs.

Before you send data to a reference set, your JSA administrator must create the reference set.

JSA supports the following data collection types:

  • Reference set--A set of elements, such as a list of IP addresses or user names, that are derived from events and flows that are occurring on your network.

  • Reference map--Data is stored in records that map a key to a value. For example, to correlate user activity on your network, you create a reference map that uses the Username parameter as a key and the user’s Global ID as a value.

  • Reference map of sets--Data is stored in records that map a key to multiple values. For example, to test for authorized access to a patent, use a custom event property for Patent ID as the key and the Username parameter as the value. Use a map of sets to populate a list of authorized users.

  • Reference map of maps--Data is stored in records that map one key to another key, which is then mapped to a single value. For example, to test for network bandwidth violations, you create a map of maps. Use the Source IP parameter as the first key, the Application parameter as the second key, and the Total Bytes parameter as the value.

  • Reference table--In a reference table, data is stored in a table that maps one key to another key, which is then mapped to a single value. The second key has an assigned type. This mapping is similar to a database table where each column in the table is associated with a type. For example, you create a reference table that stores the Username parameter as the first key, and that has multiple secondary keys with a user-defined assigned type, such as IP Type with the Source IP or Source Port parameter as the value. You can configure a rule response to add one or more keys that are defined in the table. You can also add custom values to the rule response. The custom value must be valid for the secondary key's type.

  1. Create the reference data collection by using the Reference Set Management widget on the Admin tab.

    You can also create a reference data collection by using the ReferenceDataUtil.sh script.

  2. Create a rule by using the Rules wizard.
  3. Create a rule response that sends data to a reference data collection. You can add the data as either shared data or domain-specific data.

    Learn more about Add to Reference Data parameters:

    Add to a Reference Map - Sends data to a collection of single key/multiple value pairs. You must select the key and value for the data record, and then select the reference map that you want to add the data record to.

    Add to a Reference Map Of Sets - Sends data to a collection of key/single value pairs. You must select the key and the value for the data record, and then select the reference map of sets that you want to add the data record to.

    Add to a Reference Map Of Maps - Sends data to a collection of multiple key/single value pairs. You must select a key for the first map, a key for the second map, and then the value for the data record. You must also select the reference map of maps that you want to add the data record to.

    Add to a Reference Table - Sends data to a collection of multiple key/single value pairs, where a type was assigned to the secondary keys. Select the reference table that you want to add data to, and then select a primary key. Select your inner keys (secondary keys) and their values for the data records.
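The five collection types listed above, and the "Add to Reference Data" rule response that fills them, modelled in plain Python. This is an added illustration, not JSA code: JSA keeps these collections internally and you populate them through the Rules wizard or ReferenceDataUtil.sh. The collection names, the event fields, the sample events, and the type names used for the table's secondary keys ("IP", "PORT", "ALN") are constructed for this example; the page only names "IP Type". The example also carries the page's three scenarios through end to end (privileged user anomaly, patent authorization via a map of sets, bandwidth violation via a map of maps) and shows the typed-value check that a reference table enforces on custom values.

```python
"""Reference data collections modelled in plain Python (added example, not JSA code)."""
from collections import defaultdict
from ipaddress import ip_address

# Validators for the types a reference table's secondary keys can carry.
# Type names are assumptions standing in for what an administrator assigns in JSA.
TYPE_CHECKS = {
    "IP": lambda v: ip_address(v) is not None,    # raises ValueError when not an address
    "PORT": lambda v: 0 <= int(v) <= 65535,        # raises ValueError when not numeric
    "ALN": lambda v: isinstance(v, str) and v != "",
}


class ReferenceTable:
    """primary key -> {secondary key -> value}; every secondary key has a type."""

    def __init__(self, key_types):
        self.key_types = key_types                 # e.g. {"Source IP": "IP", "Source Port": "PORT"}
        self.rows = defaultdict(dict)

    def add(self, primary, inner_key, value):
        if inner_key not in self.key_types:
            raise KeyError(f"{inner_key} is not a secondary key of this table")
        ktype = self.key_types[inner_key]
        try:
            valid = TYPE_CHECKS[ktype](value)
        except (ValueError, TypeError):
            valid = False
        if not valid:
            # The custom value must be valid for the secondary key's type.
            raise ValueError(f"{value!r} is not a valid {ktype} for {inner_key}")
        self.rows[primary][inner_key] = value


def try_add(table, primary, inner_key, value):
    """True when the table accepted the value, False when the type check rejected it."""
    try:
        table.add(primary, inner_key, value)
        return True
    except (KeyError, ValueError):
        return False


class ReferenceData:
    """Every collection the administrator created, keyed by collection name."""

    def __init__(self):
        self.sets = defaultdict(set)                               # name -> {element}
        self.maps = defaultdict(dict)                              # name -> {key: value}
        self.map_of_sets = defaultdict(lambda: defaultdict(set))   # name -> {key: {values}}
        self.map_of_maps = defaultdict(lambda: defaultdict(dict))  # name -> {key1: {key2: value}}
        self.tables = {}                                           # name -> ReferenceTable


# Constructed sample events; the field names follow the parameters used in the text.
EVENTS = [
    {"Username": "alice", "Global ID": "G-1", "Source IP": "10.0.0.5", "Source Port": "51000",
     "Application": "ssh", "Total Bytes": 1200, "Patent ID": "P-100"},
    {"Username": "bob", "Global ID": "G-2", "Source IP": "10.0.0.9", "Source Port": "51001",
     "Application": "http", "Total Bytes": 6_000_000, "Patent ID": "P-100"},
    {"Username": "alice", "Global ID": "G-1", "Source IP": "203.0.113.7", "Source Port": "51002",
     "Application": "ssh", "Total Bytes": 800, "Patent ID": "P-200"},
]


def seed(rd):
    """Data the administrator loads before any rule fires."""
    rd.sets["Privileged Users"].add("alice")                                  # reference set
    rd.map_of_sets["Authorized Patent Users"]["P-100"].update({"alice", "bob"})
    rd.tables["User Profile"] = ReferenceTable({"Source IP": "IP", "Source Port": "PORT"})


def rule_response(rd, event):
    """The 'Add to Reference Data' response: one event feeds four collections."""
    user, ip, app = event["Username"], event["Source IP"], event["Application"]
    rd.maps["User Global IDs"][user] = event["Global ID"]         # reference map
    rd.map_of_sets["Known User IPs"][user].add(ip)                # map of sets
    per_app = rd.map_of_maps["Bandwidth"][ip]                     # map of maps
    per_app[app] = per_app.get(app, 0) + event["Total Bytes"]
    table = rd.tables["User Profile"]                             # reference table
    table.add(user, "Source IP", ip)
    table.add(user, "Source Port", event["Source Port"])


def evaluate(rd, events, bandwidth_limit=5_000_000):
    """Rules that test each event against the collections; returns offence strings."""
    offences = []
    for ev in events:
        user, ip, patent = ev["Username"], ev["Source IP"], ev["Patent ID"]
        known = rd.map_of_sets["Known User IPs"][user]
        if user in rd.sets["Privileged Users"] and known and ip not in known:
            offences.append(f"privileged user {user} from new IP {ip}")
        if user not in rd.map_of_sets["Authorized Patent Users"][patent]:
            offences.append(f"{user} accessed patent {patent} without authorization")
        rule_response(rd, ev)          # the response learns from the event after it is tested
        if rd.map_of_maps["Bandwidth"][ip][ev["Application"]] > bandwidth_limit:
            offences.append(f"bandwidth violation {ip}/{ev['Application']}")
    return offences


def run():
    rd = ReferenceData()
    seed(rd)
    return rd, evaluate(rd, EVENTS)


if __name__ == "__main__":
    _, found = run()
    print("\n".join(found))
```

The rule response runs after the rule tests the event, which is what makes the "new IP" rule meaningful: the first login from 10.0.0.5 seeds the map of sets, and only the later login from 203.0.113.7 raises an offence. The typed table rejects a port of 99999 or a non-address string for the IP key, which is the constraint the text places on custom values in a rule response.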