Monitoring a Policy Monitor Question and Generating Events

SUMMARY Monitor the results of Policy Monitor questions and configure the generation of events when the results of the monitored Policy Monitor questions change. You can set the policy evaluation interval, and configure events to send notifications.

When you monitor a policy question, JSA Risk Manager analyzes the question at the configured interval to determine if an asset or rule change generates an unapproved result. If JSA Risk Manager detects an unapproved result, an offense can be generated to alert you about a deviation in your defined policy. In monitor mode, JSA Risk Manager can simultaneously monitor the results of 10 questions.

Question monitoring provides the following key features:
  • Monitors rule or asset changes for unapproved results at the configured interval.
  • Uses your high-level and low-level event categories to categorize unapproved results.
  • Generates offenses, emails, syslog messages, or dashboard notifications on unapproved results.
  • Lets you use event viewing, correlation, event reporting, custom rules, and dashboards in JSA.

To monitor a question:
  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. Select the question that you want to monitor.
  4. Click Monitor.
  5. Configure values for the parameters.

    The parameters that you configure for an event are described in the following table.

    Table 1: Configuring Question Event Parameters

    Parameter: Policy evaluation interval
      How often JSA Risk Manager evaluates the monitored question and generates events for its results.

    Parameter: Event Name
      The name of the event that is displayed in the Log Activity and Offenses tabs.

    Parameter: Event Description
      The description of the event. The description is displayed in the Annotations of the event details.

    Parameter: High-Level Category
      The high-level event category that this rule uses when processing events.

    Parameter: Low-Level Category
      The low-level event category that this rule uses when processing events.

    Parameter: Ensure the dispatched event is part of an offense
      Forwards the events to the Magistrate component. If no matching offense exists, a new offense is created. If an offense exists, the event is added to it.

      If you correlate by question or simulation, all events from a question are associated with a single offense.

      If you correlate by asset, a unique offense is created or updated for each unique asset.

    Parameter: Dispatch question passed events
      Forwards events that pass the policy monitor question to the Magistrate component.
      Tip: You must enable this parameter to configure Vulnerability Score Adjustments, because these adjustments can be made to assets that both pass and fail policy monitor questions.

    Parameter: Vulnerability Score Adjustments
      Adjusts the vulnerability risk score of an asset, depending on whether the question fails or passes. The vulnerability risk scores are adjusted in JSA Vulnerability Manager.

    Parameter: Additional Actions
      The additional actions to take when an event is received: send an email, send a syslog message, or display a dashboard notification.

      Separate multiple email addresses by using a comma.

      Select Notify if you want events that are generated as a result of this monitored question to appear in the System Notifications item on the dashboard.

      The syslog output might resemble the following (a single syslog line, wrapped here for display):

      Sep 28 12:39:01 localhost.localdomain ECS:
      Rule 'Name of Rule'
      Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6,
      Event Name:SCAN SYN FIN, QID: 1000398, Category: 1011,
      Notes: Event description

    Parameter: Enable Monitor
      Enables monitoring of the question.

  6. Click Save Monitor.
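When the syslog action is enabled, the rule-fired message shown in Table 1 is what a downstream collector receives, so a practitioner usually wants to pull the rule name, QID, category, and endpoints out of it before routing or alerting on it. The following parser is an added example, not code from JSA or from this page. The field layout is inferred from the sample syslog output above (the regular expression is an assumption about that format, not a documented contract), the SAMPLE line is constructed from the page's sample, and the function names are the example's own. Malformed or unrelated lines are skipped rather than raising, so one bad line in a feed does not stop processing of the rest.

```python
"""Parse the syslog message that JSA Risk Manager emits when a monitored
Policy Monitor question fires, and select the events for one rule.

Added example, not code from JSA or from the page it accompanies. The field
layout is inferred from the page's sample syslog output; ECS_LINE is an
assumption about that format, and SAMPLE is constructed from the page's sample.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed from the page's sample output. On the wire the message is one
# syslog line; the page wraps it across several lines for display.
SAMPLE = (
    "Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' "
    "Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, "
    "Event Name:SCAN SYN FIN, QID: 1000398, Category: 1011, "
    "Notes: Event description"
)

# IP protocol numbers as they appear after the destination port in the sample
# (6 is TCP); anything else is kept as its number.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Assumed layout, inferred from the sample rather than from a JSA specification:
#   <Mon dd HH:MM:SS> <host> ECS: Rule '<rule>' Fired: <src>:<sport> -> <dst>:<dport> <proto>,
#   Event Name:<name>, QID: <qid>, Category: <low-level category id>, Notes: <description>
ECS_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Rule '(?P<rule>.*?)' Fired: "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) -> (?P<dst>{IPV4}):(?P<dport>\d+) (?P<proto>\d+), "
    r"Event Name:(?P<event>.*?), QID: (?P<qid>\d+), Category: (?P<cat>\d+)"
    r"(?:, Notes: (?P<notes>.*))?$"
)


@dataclass(frozen=True)
class PolicyEvent:
    timestamp: str
    host: str
    rule: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    event_name: str
    qid: int
    category: int
    notes: Optional[str]


def parse_ecs_line(line: str) -> Optional[PolicyEvent]:
    """Return the parsed event, or None when the line is not an ECS rule-fired message."""
    m = ECS_LINE.match(line.strip())
    if not m:
        return None
    proto_num = int(m["proto"])
    return PolicyEvent(
        timestamp=m["ts"],
        host=m["host"],
        rule=m["rule"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        proto=PROTOCOLS.get(proto_num, str(proto_num)),
        event_name=m["event"],
        qid=int(m["qid"]),
        category=int(m["cat"]),
        # The Notes field carries the Event Description configured in Table 1;
        # it is optional in the regex, so a missing or empty value becomes None.
        notes=(m["notes"] or "").strip() or None,
    )


def select_policy_events(lines: Iterable[str], rule_name: str) -> List[PolicyEvent]:
    """Keep only the rule-fired messages that belong to one monitored question's rule.

    Lines that do not parse, or that belong to another rule, are skipped.
    """
    selected: List[PolicyEvent] = []
    for line in lines:
        ev = parse_ecs_line(line)
        if ev is not None and ev.rule == rule_name:
            selected.append(ev)
    return selected


if __name__ == "__main__":
    feed = [SAMPLE, "Sep 28 12:39:02 localhost.localdomain sshd[1]: unrelated line"]
    for ev in select_policy_events(feed, "Name of Rule"):
        print(f"{ev.rule}: {ev.event_name} qid={ev.qid} category={ev.category} "
              f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}/{ev.proto}")
```

The QID and category values are the ones JSA assigns from the Event Name and Low-Level Category configured in Table 1, so a collector can key on the QID rather than on the free-text rule name if several monitored questions share a naming scheme.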