Restrictions to Prevent Resource-intensive Searches
You can balance the usage of your JSA infrastructure by setting resource restrictions on JSA event and flow searches.
Before you set resource restrictions, carefully consider the normal operational procedures in your environment. Try to set restrictions that ensure that all users have access to the data that they require, yet prevent them from inadvertently running large queries that negatively impact the system availability and performance for other users.
Types Of Resource Restrictions
You can set limitations on searches by configuring either time or data set restrictions based on user, role, or tenant.
Resource restrictions are applied in the following order: user, user role, and tenant. For example, restrictions that are set for a user take precedence over restrictions that are set for the user role or tenant that the user is assigned to.
You can set the following types of restrictions on event and flow searches:
The length of time that a search runs before data is returned
The time span of the data to be searched
The number of records that are processed by the Ariel query server
Note:Ariel search stops when the record limit is reached, but all in-progress search results are returned to the search manager and are not truncated. Therefore, the search result set is often larger than the specified record limit.
User-based Restrictions
User-based restrictions define limits for an individual user, and they take precedence over role and tenant restrictions.
For example, your organization hires university students to work with the junior analysts in your SOC. The students have the same user role as the other junior analysts, but you apply more restrictive user-based restrictions until the students are properly trained in building JSA queries.
Role-based Restrictions
Role-based restrictions allow you to define groups of users who require different levels of access to your JSA deployment. By setting role-based restrictions, you can balance the needs of different types of users.
For example, a junior security analyst might focus on security incidents that happened recently, while a senior security analyst might be more involved in forensic investigations that review data over a longer period of time. By setting role-based restrictions, you can limit a junior analyst to accessing only the last 7 days of data, while a senior analyst has access to a much larger time span of data.
Tenant-based Restrictions
In a Managed Security Service Provider (MSSP) or a multi-divisional organization, tenant-based restrictions can help you ensure quality of service by preventing resource contention and degradation of services. You can prevent a tenant from querying terabytes of data that can negatively impact the system performance for all other tenants.
As an MSSP, you might define standard resource restrictions based on a set of criteria that each tenant is compared to. For example, the standard configuration for a medium-sized tenant might include resource restrictions that limit searches to accessing only the last 14 days of data and a maximum of 10,000 records returned.
Resource Restrictions in Distributed Environments
In a distributed environment, the timing of the data transfer between the JSA console and managed hosts can impact the search results.
When you run a search in JSA, the search runs on all nodes at the same time. Each managed host runs the search, and sends the aggregated results to the JSA console when the search is complete or when it reaches the predefined number of rows.
It is important to understand how the resource restrictions that you set might impact the search results that are returned to a user:
Canceled searches -- Each managed host periodically checks the state of the resource restriction limit. If a limit is reached, the search is automatically canceled to prevent the incomplete results from being cached and reused.
Results that were collected before the search was canceled by the system can be viewed by clicking Search >Manage Search Results on the Log Activity or Network Activity tab.
Empty search results -- When you set time-limit or record-limit restrictions, the remote aggregation might cause the JSA console to reach the resource restriction limit before the managed host sends the partial aggregate to the console. In this situation, the search results might appear to be empty even though some data was collected.
Inconsistent search results -- JSA monitors the load on each managed host, and manages the search to ensure optimized performance throughout the entire deployment. Depending on the system load, searches that are run repeatedly might show slightly different results due to the managed hosts that return the data in a different order.
For example, in a deployment that has six event processors, EP1, EP3, and EP5 might be the first processors to return data on the initial run. In subsequent runs, EP2, EP4, and EP6 might return data first, which accounts for the inconsistent search results.
Limited search results — You can set a limit restriction on search results for JSA that limits the number of records that are read from the disk in a search query. A limit ensures that the query stops after any managed host that is participating in the search reads the restricted number of entries from the disk. The query does not retrieve all the data and gives you only the restricted number of rows. Setting this restriction can prevent a system crash in the instance of a large amount of data.
For example, if you set the restriction at 10,000 rows, the query stops running after the managed host processes 10,000 records.
Depending on the frequency that users reach the resource restrictions, you can tune the limits to avoid restricting users from running reasonable searches to meet their job requirements. Users who consistently run searches that strain the system might benefit from more training in building JSA queries. For more information, see the Juniper Secure Analytics Ariel Query Language Guide.
Configuring Resource Restrictions
Set resource restrictions to apply time or data limitations to event and flow searches.
You can set the following types of resource restrictions:
Execution time restrictions specify the maximum amount of time that a query runs before data is returned.
Time span restrictions specify the time span of the data to be searched.
Record limit restrictions specify the number of data records that are returned by a search query.
Users who run searches that are limited by resource restrictions see the resource restriction icon () next to the search criteria.
The search result set is often larger than the specified record limit. When the record limit is reached, the search manager signals all search participants to stop (there are multiple search participants even on a single system), but results continue to accumulate until the search fully stops on all participants. All search results are added to the result set.
On the navigation menu (), click Admin.
In the System Configuration section, click Resource Restrictions.
If your deployment has tenants that are configured, click Role or Tenant to specify the type of restrictions to set.
Double-click the role or tenant that you want to set restrictions for.
To set restrictions for all users who are assigned to the user role or tenant, follow these steps:
Click the summary row at the top to open the Edit Restriction dialog box.
Click Enabled for the type of restriction that you want to set, and specify the restriction values.
Click Save.
To set restrictions for a specific user, follow these steps:
Double-click the user that you want to set the restrictions for.
To search for a user, type the user name in the filter field.
Click Enabled for the type of restriction that you want to set, and specify the restriction values.
Click Save.