Domain-specific Rules and Offenses
A rule can work in the context of a single domain or in the context of all domains. Domain-aware rules provide the option of including the And Domain Is test.
The following diagram shows an example using multiple domains.

You can restrict a rule so that it is applied only to events that are happening within a specified domain. An event that has a domain tag that is different from the domain that is set on the rule does not trigger an event response.
In a JSA system that does not have user-defined domains, a rule creates an offense and keeps contributing to it each time the rule fires. In a domain-aware environment, a rule creates a new offense each time the rule is triggered in the context of a different domain.
Rules that work in the context of all domains are referred to as system-wide rules. To create a system-wide rule that tests conditions across the entire system, select Any Domain in the domain list for the And Domain Is test. An Any Domain rule creates an Any Domain offense.
Single-domain rule--If the rule is a stateful rule, the states are maintained separately for each domain. The rule is triggered separately for each domain. When the rule is triggered, offenses are created separately for each domain that is involved and the offenses are tagged with those domains.
Single-domain offense--The offense is tagged with the corresponding domain name. It can contain only events that are tagged with that domain.
System-wide rule--If the rule is a stateful rule, a single state is maintained for the whole system and domain tags are ignored. When the rule runs, it creates or contributes to a single system-wide offense.
System-wide offense--The offense is tagged with Any Domain. It contains only events that are tagged with all domains.
The following table provides examples of domain-aware rules. The examples use a system that has three domains that are defined: Domain_A, Domain_B, and Domain_C.
The rule examples in the following table may not be applicable in your JSA environment. For example, rules that use flows and offenses are not applicable in Log Manager.
Domain text | Explanation | Rule response |
---|---|---|
domain is one of: Domain_A | Looks only at events that are tagged with | Creates or contributes to an offense that is tagged with |
domain is one of: Domain_A and a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute | Looks only at events that are tagged with | Creates or contributes to an offense that is tagged with |
domain is one of: Domain_A, Domain_B | Looks only at events that are tagged with This rule behaves as two independent instances of a single domain rule, and creates separate offenses for different domains. | For data that is tagged with For data that is tagged with |
domain is one of: Domain_A, Domain_B and a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute | Looks only at events that are tagged with This rule behaves as two independent instances of a single domain rule, and maintains two separate states (HTTP flow counters) for two different domains. | When the rule detects 10 HTTP flows that are tagged with When the rule detects 10 HTTP flows that are tagged with |
No domain test defined | Looks at events that are tagged with all domains and creates or contributes to offenses on a per-domain basis. | Each independent domain has offenses that are generated for it, but offenses do not contain contributions from other domains. |
A rule has a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute and no domain test is defined | Looks at events that are tagged with | Maintains separate states and creates separate offenses for each domain. |
domain is one of: Any Domain | Looks at all events, regardless of which domain they are tagged with. | Creates or contributes to a single system-wide offense that is tagged with |
domain is one of: Any Domain and a stateful test that is defined as when HTTP flow is detected 10 times within 1 minute | Looks at all events, regardless of which domain they are tagged with, and it maintains a single state for all domains. | Creates or contributes to a single system-wide offense that is tagged with For example, if it detects 3 events that are tagged with |
domain is one of: Any Domain, Domain_A | Works the same as a rule that has domain is one of: Any Domain. | When the domain test includes |
When you view the offense table, you can sort the offenses by clicking the Domain column. The Default Domain is not included in the sort function so it does not appear in alphabetical order. However, it appears at the top or bottom of the Domain list, depending on whether the column is sorted in ascending or descending order. Any Domain does not appear in the list of offenses.
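
The per-domain versus system-wide state behavior described in the rule table can be modeled in a few lines. The following Python sketch is an added illustration, not JSA code: the class `DomainAwareRule`, the `replay` helper, the sample flows, and the choice to reset the counter after the rule fires are all assumptions made for the example.

```python
from collections import defaultdict, deque

ANY_DOMAIN = "Any Domain"

class DomainAwareRule:
    """Toy stateful rule: fires when `threshold` flows arrive within `window` seconds."""

    def __init__(self, domains=None, threshold=10, window=60):
        # domains=None models a rule with no domain test defined.
        self.domains = set(domains) if domains else None
        # Any Domain in the list makes the whole rule system-wide.
        self.system_wide = bool(self.domains and ANY_DOMAIN in self.domains)
        self.threshold, self.window = threshold, window
        self.state = defaultdict(deque)   # state key -> timestamps still in window
        self.offenses = defaultdict(int)  # offense domain tag -> contributions

    def process(self, ts, domain):
        if self.system_wide:
            key = ANY_DOMAIN              # one shared state, domain tags ignored
        elif self.domains is None or domain in self.domains:
            key = domain                  # separate state per domain
        else:
            return None                   # event domain differs from the rule's
        window = self.state[key]
        window.append(ts)
        while ts - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.offenses[key] += 1       # create or contribute to the offense
            window.clear()                # assumption: counter resets after firing
            return key
        return None

def replay(rule, flows):
    """Feed (timestamp, domain) flows to the rule; return offense tag -> count."""
    for ts, domain in flows:
        rule.process(ts, domain)
    return dict(rule.offenses)

# Constructed sample: 6 HTTP flows each for Domain_A and Domain_B in one minute,
# then 4 more for Domain_A only.
FLOWS = [(i, d) for i in range(6) for d in ("Domain_A", "Domain_B")]
BURST_A = [(10 + i, "Domain_A") for i in range(4)]

if __name__ == "__main__":
    for test in (["Domain_A"], ["Domain_A", "Domain_B"], None, [ANY_DOMAIN]):
        print(test, replay(DomainAwareRule(test), FLOWS),
              replay(DomainAwareRule(test), FLOWS + BURST_A))
```

With the first 12 flows alone, only the Any Domain rule fires, because neither domain reaches 10 flows on its own; the per-domain rules fire for Domain_A only after the extra burst.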