JSA Building Blocks
Building blocks group commonly used tests, to build complex logic, so that they can be used in rules.
Building blocks use the same tests that rules use, but have no actions that are associated with them. They are often configured to test groups of IP addresses, privileged user names, or collections of event names. For example, you might create a building block that includes the IP addresses of all mail servers in your network, then use that building block in another rule, to exclude those hosts. The building block defaults are provided as guidelines, which can be reviewed and edited based on the needs of your network.
You can configure the host definition building blocks (BB:HostDefinition) to enable JSA to discover and classify more servers on your network. If a particular server is not automatically detected, you can manually add the server to its corresponding host definition building block. This action ensures that the appropriate rules are applied to the particular server type. You can also manually add IP address ranges instead of individual devices.
Edit the following building blocks to reduce the number of offenses that are generated by high volume traffic servers:
BB:HostDefinition --VA Scanner Source IP
BB:HostDefinition --Network Management Servers
BB:HostDefinition --Virus Definition and Other Update Servers
BB:HostDefinition --Proxy Servers
BB:NetworkDefinition --NAT Address Range
BB:NetworkDefinition --Trusted Network
Tuning Building Blocks
You can edit building blocks to reduce the number of false positives that are generated by JSA.
To edit building blocks, you must add the IP address or IP addresses of the server or servers into the appropriate building blocks.
Click the Offenses tab.
On the navigation menu, click Rules.
From the Display list, select Building Blocks.
Double-click the building block that you want to edit.
Update the building block.
Click Finish.
The following table describes editable building blocks.
Table 1: List of Building Blocks to Edit (each building block name is followed by its description)
BB:NetworkDefinition: NAT Address Range
Edit the "and where either the source or destination IP is one of the following" test to include the IP addresses of the Network Address Translation (NAT) servers.
Edit this building block only if you have a detection in the non-NATd address space. Editing this building block means that offenses are not created for attacks that are targeted or sourced from this IP address range.
BB:HostDefinition: Network Management Servers
Network management systems create traffic, such as ICMP (Internet Control Message Protocol) sweeps, to discover hosts. JSA might consider this threatening traffic. To ignore this behavior and define network management systems, edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the Network Management Servers (NMS), and other hosts that normally perform network discovery or monitoring.
BB:HostDefinition: Proxy Servers
Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the proxy servers.
Edit this building block if you have sufficient detection on the proxy server. Editing this building block prevents offense creation for attacks that are targeted or sourced from the proxy server. This adjustment is useful when hundreds of hosts use a single proxy server and that single IP address of the proxy server might be infected with spyware.
BB:HostDefinition: VA Scanner Source IP
Vulnerability assessment products launch attacks that can result in offense creation. To avoid this behavior and define vulnerability assessment products or any server that you want to ignore as a source, edit the "and when the source IP is one of the following" test to include the IP addresses of the following scanners:
- VA Scanners
- Authorized Scanners
BB:HostDefinition: Virus Definition and Other Update Servers
Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of virus protection and update function servers.
BB:Category Definition: Countries with no Remote Access
Edit the "and when the source is located in" test to include geographic locations that you want to prevent from accessing your network. This change enables the use of rules to create an offense when successful logins are detected from remote locations.
BB:ComplianceDefinition: GLBA Servers
Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are used for GLBA (Gramm-Leach-Bliley Act) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.
BB:ComplianceDefinition: HIPAA Servers
Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are used for HIPAA (Health Insurance Portability and Accountability Act) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.
BB:ComplianceDefinition: SOX Servers
Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are used for SOX (Sarbanes-Oxley Act) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.
BB:ComplianceDefinition: PCI DSS Servers
Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are used for PCI DSS (Payment Card Industry Data Security Standard) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.
BB:NetworkDefinition: Broadcast Address Space
Edit the "and when either the source or destination IP is one of the following" test to include the broadcast addresses of your network. This change removes false positive events that might be caused by the use of broadcast messages.
BB:NetworkDefinition: Client Networks
Edit the "and when the local network is" test to include the workstation networks that users operate from.
BB:NetworkDefinition: Server Networks
Edit the "when the local network is" test to include any server networks.
BB:NetworkDefinition: Darknet Addresses
Edit the "and when the local network is" test to include the IP addresses that are considered to be a darknet. Any traffic or events that are directed towards a darknet are considered suspicious.
BB:NetworkDefinition: DLP Addresses
Edit the "and when any IP is a part of any of the following" test to include the remote services that might be used to obtain information from the network. This change can include services such as webmail hosts or file sharing sites.
BB:NetworkDefinition: DMZ Addresses
Edit the "and when the local network is" test to include networks that are considered to be part of the network's DMZ.
BB:PortDefinition: Authorized L2R Ports
Edit the "and when the destination port is one of the following" test to include common outbound ports that are allowed on the network.
BB:NetworkDefinition: Watch List Addresses
Edit the "and when the local network is" test to include the remote networks that are on a watch list. This change helps to identify events from hosts that are on a watch list.
BB:FalsePositive: User Defined Server Type False Positive Category
Edit this building block to include any categories that you want to consider as false positives for hosts that are defined in the BB:HostDefinition: User Defined Server Type building block.
BB:FalsePositive: User Defined Server Type False Positive Events
Edit this building block to include any events that you want to consider as false positives for hosts that are defined in the BB:HostDefinition: User Defined Server Type building block.
BB:HostDefinition: User Defined Server Type
Edit this building block to include the IP addresses of your custom server type. After you add the servers, you must add any events or categories that you want to consider as false positives for these servers to the BB:FalsePositive: User Defined Server Type False Positive Category or the BB:FalsePositive: User Defined Server Type False Positive Events building blocks.
You can include a CIDR range or subnet in any of the building blocks instead of listing the IP addresses. For example, 192.168.1/24 includes addresses 192.168.1.0 to 192.168.1.255. You can also include CIDR ranges in any of the BB:HostDefinition building blocks.
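The following Python model, added here as an illustration and not part of JSA or its documentation, shows how the two test shapes used in the table behave when a building block is populated: a source-only test (as in BB:HostDefinition: VA Scanner Source IP) suppresses an event only when the scanner is the source, while an either-direction test (as in BB:NetworkDefinition: NAT Address Range) suppresses it in both directions. The entries, event records and building-block names are constructed for the example; the abbreviated CIDR form 192.168.1/24 from the text is expanded before matching.

```python
import ipaddress
from dataclasses import dataclass, field

def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one building-block entry: a host IP, a CIDR, or the abbreviated
    IPv4 CIDR form used in the guide (192.168.1/24 -> 192.168.1.0/24)."""
    addr, sep, prefix = entry.partition("/")
    if ":" not in addr:  # IPv4 only: pad missing trailing octets with zeros
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{prefix}" if sep else addr, strict=False)

@dataclass
class BuildingBlock:
    name: str
    mode: str  # "source", "destination" or "either", mirroring the test wording
    networks: list = field(default_factory=list)

    def add(self, entry: str) -> None:
        self.networks.append(parse_entry(entry))

    def _contains(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in self.networks)

    def matches(self, event: dict) -> bool:
        src, dst = self._contains(event["src"]), self._contains(event["dst"])
        if self.mode == "source":
            return src
        if self.mode == "destination":
            return dst
        return src or dst

def should_create_offense(event: dict, tuning_blocks: list) -> bool:
    """An offense is created unless a tuning building block matches the event."""
    return not any(bb.matches(event) for bb in tuning_blocks)

def demo() -> dict:
    # Constructed building blocks: scanner matched as source only, NAT in either direction
    scanners = BuildingBlock("BB:HostDefinition: VA Scanner Source IP", "source")
    scanners.add("10.1.1.5")
    nat = BuildingBlock("BB:NetworkDefinition: NAT Address Range", "either")
    nat.add("203.0.113/24")  # abbreviated form, expanded by parse_entry
    events = {  # constructed sample events (src, dst)
        "scanner_as_source": {"src": "10.1.1.5", "dst": "192.168.1.77"},
        "scanner_as_target": {"src": "172.16.5.9", "dst": "10.1.1.5"},
        "nat_as_source": {"src": "203.0.113.40", "dst": "172.16.5.9"},
        "nat_as_target": {"src": "172.16.5.9", "dst": "203.0.113.40"},
    }
    return {k: should_create_offense(e, [scanners, nat]) for k, e in events.items()}
```

Only the event where the scanner is the target still produces an offense, which is exactly why the VA scanner block uses a source-only test while the NAT block uses an either-direction test.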
For more information, see the Juniper Secure Analytics Administration Guide.
Use the QRadar Use Case Manager to review your building blocks. Download the app from the IBM Security App Exchange.