Identification Of Asset Growth Deviations
Sometimes, asset data sources produce updates that JSA cannot handle properly without manual remediation. Depending on the cause of the abnormal asset growth, you can either fix the asset data source that is causing the problem or you can block asset updates that come from that data source.
Asset growth deviations occur when the number of asset updates for a single device grows beyond the limit that is set by the retention threshold for a specific type of the identity information. Proper handling of asset growth deviations is critical to maintaining an accurate asset model.
At the root of every asset growth deviation is an asset data source whose data is untrustworthy for updating the asset model. When a potential asset growth deviation is identified, you must look at the source of the information to determine whether there is a reasonable explanation for the asset to accumulate large amounts of identity data. The cause of an asset growth deviation is specific to an environment.
DHCP Server Example Of Unnatural Asset Growth in an Asset Profile
Consider a virtual private network (VPN) server in a Dynamic Host Configuration Protocol (DHCP) network. The VPN server is configured to assign IP addresses to incoming VPN clients by proxying DHCP requests on behalf of the client to the network's DHCP server.
From the perspective of the DHCP server, the same MAC address repeatedly requests many IP address assignments. In the context of network operations, the VPN server is delegating the IP addresses to the clients, but the DHCP server can't distinguish when a request is made by one asset on behalf of another.
The DHCP server log, which is configured as a JSA log source, generates a DHCP acknowledgment (DHCP ACK) event that associates the MAC address of the VPN server with the IP address that it assigned to the VPN client. When asset reconciliation occurs, the system reconciles this event by MAC address, which results in a single existing asset that grows by one IP address for every DHCP ACK event that is parsed.
Eventually, one asset profile contains every IP address that was allocated to the VPN server. This asset growth deviation is caused by asset updates that contain information about more than one asset.
Threshold Settings
When an asset in the database reaches a specific number of properties, such as multiple IP addresses or MAC addresses, JSA blocks that asset from receiving more updates.
The Asset Profiler threshold settings specify the conditions under which an asset is blocked from updates. The asset is updated normally up to the threshold value. When the system collects enough data to exceed the threshold, the asset shows an asset growth deviation. Future updates to the asset are blocked until the growth deviation is rectified.
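The DHCP proxy case and the threshold behaviour described above, as an added Python model that is not JSA's own code: a toy asset store keyed by MAC address, with an assumed threshold of 5 IP addresses per asset (the threshold, VPN_SERVER_MAC and the client IPs are constructed for the example).

```python
from collections import defaultdict

# Assumed Asset Profiler threshold for IP addresses per asset (the real value is
# configured in JSA's Asset Profiler settings; 5 keeps the example short).
MAX_IPS_PER_ASSET = 5
VPN_SERVER_MAC = "00:11:22:33:44:55"   # constructed sample MAC of the VPN server


class AssetModel:
    """Toy asset model: one asset per MAC address, reconciled from DHCP ACK events."""

    def __init__(self, max_ips=MAX_IPS_PER_ASSET):
        self.max_ips = max_ips
        self.ips = defaultdict(set)               # mac -> IP addresses seen for the asset
        self.blocked = set()                      # MACs that exceeded the threshold
        self.blocked_attempts = defaultdict(int)  # mac -> refused updates (the COUNT in the notification)

    def reconcile_dhcp_ack(self, mac, ip):
        """Apply one DHCP ACK event. Returns True if the asset accepted the update."""
        if mac in self.blocked:
            self.blocked_attempts[mac] += 1
            return False
        candidate = self.ips[mac] | {ip}
        if len(candidate) > self.max_ips:
            # The update would push the asset past the threshold: record the
            # growth deviation and refuse this and every later update.
            self.blocked.add(mac)
            self.blocked_attempts[mac] += 1
            return False
        self.ips[mac] = candidate
        return True

    def deviations(self):
        """Report blocked assets in the shape of the notification payload entries."""
        return [{"mac": m, "reason": "Too Many IPs", "count": self.blocked_attempts[m]}
                for m in sorted(self.blocked)]


def simulate(n_vpn_clients, max_ips=MAX_IPS_PER_ASSET):
    """A VPN server proxying DHCP for n clients, plus one workstation renewing its own lease."""
    model = AssetModel(max_ips)
    for i in range(n_vpn_clients):
        # Every ACK carries the VPN server's MAC but a different client IP.
        model.reconcile_dhcp_ack(VPN_SERVER_MAC, f"10.8.0.{i + 2}")
    for _ in range(3):
        model.reconcile_dhcp_ack("66:77:88:99:aa:bb", "10.0.1.25")  # normal renewals, same IP
    return model
```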
System Notifications That Indicate Asset Growth Deviations
JSA generates system notifications to help you identify and manage the asset growth deviations in your environment.
The following system messages indicate that JSA identified potential asset growth deviations:
- The system detected asset profiles that exceed the normal size threshold
- The asset blacklist rules have added new asset data to the asset blacklists
The system notification messages include links to reports to help you identify the assets that have growth deviations.
Asset Data That Changes Frequently
Asset growth can be caused by large volumes of asset data that changes legitimately, such as in these situations:
- A mobile device that travels from office to office frequently and is assigned a new IP address whenever it logs in.
- A device that connects to a public Wi-Fi network with short IP address leases, such as on a university campus, might collect large volumes of asset data over a semester.
Example: How Configuration Errors for Log Source Extensions Can Cause Asset Growth Deviations
Customized log source extensions that are improperly configured can cause asset growth deviations.
You configure a customized log source extension to provide asset updates to JSA by parsing user names from the event payload that is on a central log server. You configure the log source extension to override the event host name property so that the asset updates that are generated by the custom log source always specify the DNS host name of the central log server.
Instead of JSA receiving an update that has the host name of the asset that the user logged in to, the log source generates many asset updates that all have the same host name.
In this situation, the asset growth deviation is caused by one asset profile that contains many IP addresses and user names.
Troubleshooting Asset Profiles That Exceed the Normal Size Threshold
JSA generates the following system notification when the accumulation of data under a single asset exceeds the configured threshold limits for identity data.
The system detected asset profiles that exceed the normal size threshold
Explanation
The payload of the notification shows a list of the top five most frequently deviating assets and why the system marked each asset as a growth deviation. As shown in the following example, the payload also shows the number of times that the asset attempted to grow beyond the asset size threshold.
Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer] com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [INFO] [NOT:0010006101][192.0.2.83/- -] [-/- -] The top five most frequently deviating asset profiles between Feb 13, 2015 8:10:23 PM AST and Feb 13, 2015 8:13:23 PM AST: [ASSET ID:1003, REASON:Too Many IPs, COUNT:508], [ASSET ID:1002, REASON:Too many DNS Names, COUNT:93], [ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]
When the asset data exceeds the configured threshold, JSA blocks the asset from future updates. This intervention prevents the system from receiving more corrupted data and mitigates the performance impacts that might occur if the system attempts to reconcile incoming updates against an abnormally large asset profile.
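A parser for the notification payload shown above, added here as example code rather than anything shipped with JSA: it pulls the reporting window and the per-asset ASSET ID, REASON and COUNT entries out of the line so they can be triaged. SAMPLE_LINE is constructed in the shape of the manual's example; the investigation threshold of 100 refused updates is an assumption.

```python
import re

# Constructed sample line, following the payload shape shown in the JSA manual.
SAMPLE_LINE = (
    "Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer] "
    "com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [INFO] "
    "[NOT:0010006101][192.0.2.83/- -] [-/- -] The top five most frequently "
    "deviating asset profiles between Feb 13, 2015 8:10:23 PM AST and "
    "Feb 13, 2015 8:13:23 PM AST: "
    "[ASSET ID:1003, REASON:Too Many IPs, COUNT:508], "
    "[ASSET ID:1002, REASON:Too many DNS Names, COUNT:93], "
    "[ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]"
)

MARKER = "most frequently deviating asset profiles"
WINDOW_RE = re.compile(r"between (.+?) and (.+?): \[ASSET ID")
ENTRY_RE = re.compile(r"\[ASSET ID:(\d+), REASON:([^,\]]+), COUNT:(\d+)\]")


def parse_deviation_notification(line):
    """Return {'window': (start, end), 'assets': [...]}, or None if the line is not this notification."""
    if MARKER not in line:
        return None
    window = WINDOW_RE.search(line)
    assets = [{"asset_id": int(aid), "reason": reason, "count": int(count)}
              for aid, reason, count in ENTRY_RE.findall(line)]
    return {"window": window.groups() if window else None, "assets": assets}


def blocked_attempts_by_reason(parsed):
    """Aggregate refused-update counts per reason, to see which threshold is being hit."""
    totals = {}
    for entry in parsed["assets"]:
        totals[entry["reason"]] = totals.get(entry["reason"], 0) + entry["count"]
    return totals


def assets_to_investigate(parsed, min_count=100):
    """Asset IDs whose refused-update count meets min_count (assumed cut-off), worst first."""
    hits = [e for e in parsed["assets"] if e["count"] >= min_count]
    return [e["asset_id"] for e in sorted(hits, key=lambda e: e["count"], reverse=True)]
```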
Required User Action
Use the information in the notification payload to identify the assets that are contributing to the asset growth deviation and determine what is causing the abnormal growth. The notification provides a link to a report of all assets that experienced deviating asset growth over the past 24 hours.
After you resolve the asset growth deviation in your environment, you can run the report again.
- Click the Log Activity tab and click Search > New Search.
- Select the Deviating Asset Growth: Asset Report saved search.
- Use the report to identify and repair inaccurate asset data that was created during the deviation.
New Asset Data is Added to the Asset Blocklists
JSA generates the following system notification when a piece of asset data exhibits behavior that is consistent with deviating asset growth.
The asset blacklist rules have added new asset data to the asset blacklists
Explanation
Asset exclusion rules monitor asset data for consistency and integrity. The rules track specific pieces of asset data over time to ensure that they are consistently being observed with the same subset of data within a reasonable time.
For example, if an asset update includes both a MAC address and a DNS host name, the MAC address is associated with that DNS host name for a sustained period. Subsequent asset updates that contain that MAC address also contain that same DNS host name when one is included in the asset update. If the MAC address suddenly is associated with a different DNS host name for a short period, the change is monitored. If the MAC address changes again within a short period, the MAC address is flagged as contributing to an instance of deviating or abnormal asset growth.
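The MAC-to-host-name consistency check just described, as an added Python illustration that is not JSA's rule engine: each MAC keeps its last observed DNS host name, updates without a host name leave the association alone, one change is tolerated, and a second change inside the window flags the MAC. The 3600-second window and SAMPLE_EVENTS are constructed for the example.

```python
from collections import defaultdict

# Assumed tuning: a second host-name change for one MAC within this many
# seconds flags the MAC (JSA's real windows are set in its exclusion rules).
FLIP_WINDOW_SECONDS = 3600

class MacHostnameMonitor:
    """Tracks which DNS host name each MAC address is observed with over time."""
    def __init__(self, window=FLIP_WINDOW_SECONDS):
        self.window = window
        self.current = {}                      # mac -> host name currently associated with it
        self.change_times = defaultdict(list)  # mac -> timestamps of recent host-name changes
        self.flagged = set()                   # MACs judged to be deviating (blocklist candidates)

    def observe(self, ts, mac, hostname=None):
        """Process one asset update. Returns True if this update flags the MAC."""
        if hostname is None:
            return False   # an update with no host name does not touch the association
        previous = self.current.get(mac)
        self.current[mac] = hostname
        if previous is None or previous == hostname:
            return False   # first sighting, or consistent with what is already known
        # The association changed: keep only changes inside the window, then count them.
        recent = [t for t in self.change_times[mac] if ts - t <= self.window]
        recent.append(ts)
        self.change_times[mac] = recent
        if len(recent) >= 2:
            self.flagged.add(mac)
            return True
        return False

def run_feed(events, window=FLIP_WINDOW_SECONDS):
    """Replay (ts, mac, hostname) updates and return the set of flagged MACs."""
    monitor = MacHostnameMonitor(window)
    for ts, mac, hostname in events:
        monitor.observe(ts, mac, hostname)
    return monitor.flagged

# Constructed sample updates (grouped per MAC): a stable workstation, a laptop renamed once, and a MAC that keeps switching names.
SAMPLE_EVENTS = [
    (0,     "aa:aa:aa:00:00:01", "ws-finance-07"),
    (300,   "aa:aa:aa:00:00:01", None),             # update carries no host name
    (900,   "aa:aa:aa:00:00:01", "ws-finance-07"),
    (0,     "aa:aa:aa:00:00:02", "lt-old-name"),
    (90000, "aa:aa:aa:00:00:02", "lt-new-name"),    # one change, a day later: tolerated
    (0,     "aa:aa:aa:00:00:03", "logsrv.example.net"),
    (600,   "aa:aa:aa:00:00:03", "ws-sales-12"),
    (1200,  "aa:aa:aa:00:00:03", "ws-sales-19"),    # second change inside the window: flagged
]
```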
Required User Action
Use the information in the notification payload to identify the rules that are used to monitor asset data. Click the Asset deviations by log source link in the notification to see the asset deviations that occurred in the last 24 hours.
If the asset data is valid, JSA administrators can configure JSA to resolve the problem.
If your blocklists are populating too aggressively, you can tune the asset reconciliation exclusion rules that populate them.
If you want to add the data to the asset database, you can remove the asset data from the blocklist and add it to the corresponding asset allowlist. Adding asset data to the allowlist prevents it from inadvertently reappearing on the blocklist.