JSA Rules and Offenses
The configuration rule that is defined in the Custom Rules Engine (CRE) is used to generate offenses.
The following list describes rules and offenses:
CRE --The Custom Rules Engine (CRE) displays the rules and building blocks that are used by JSA. Rules and building blocks are stored in two separate lists because they function differently. The CRE provides information about how the rules are grouped, the types of tests that the rule performs, and the responses that each rule generates. For more information about rules and offenses, see the Juniper Secure Analytics Users Guide.
Rules --A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense. The actions that can be triggered include sending an email or generating a syslog message. A rule can reference multiple building blocks by using the tests that are found in the function sections of the test groups within the Rule Editor.
Offenses --As event and flow data passes through the CRE, it is correlated against the rules that are configured and an offense can be generated based on this correlation. You view offenses on the Offenses tab.
Use the QRadar Use Case Manager to review your rules and offenses. Download the app from the IBM Security App Exchange.
Viewing Rules That Are Deployed
You can view the rules that are deployed in your JSA deployment. For example, you can determine which rules are most active in generating offenses.
Click the Offenses tab.
On the navigation menu, click Rules.
To determine which rules are most active in generating offenses, from the rules page, click Offense Count to reorder the column in descending order.
Double-click any rule to display the Rule Wizard. You can configure a response to each rule.
Note:For more information about your CRE configuration, see the Juniper Secure Analytics Users Guide.
Use the QRadar Use Case Manager to tune the most active rules that create offenses and to tune the rules that generate CRE events. Download the app from the IBM Security App Exchange.
Investigating Offenses
JSA generates offenses by testing event and flow conditions. To investigate JSA offenses, you must view the rules that created the offense.
Click the Offenses tab.
On the navigation menu, click All Offenses.
Double-click the offense that you are interested in.
On the All Offenses Summary toolbar, click Display >Rules.
From the List of Rules Contributing to Offense pane, double-click the Rule Name that you are interested in.
Tip:The All Offenses Rules pane might display multiple rule names, if the offense generated by JSA is triggered by a series of different tests.
For more information about investigating offenses, see the Juniper Secure Analytics Users Guide.
Use the QRadar Use Case Manager app to tune the most active rules that create offenses. Download the app at the IBM Security App Exchange.
Mapping Custom Rules or Building Blocks to MITRE ATT&CK Tactics
Use QRadar Use Case Manager to create your own rule and building block mappings or modify JSA default mappings to map your custom rules and building blocks to specific tactics and techniques.
In the report section of the Rules Explorer page, select the relevant rule.
Tip:Filter on the rule name, tactic, or technique to find the rule you want to edit or search by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
On the Investigate rules page, click the pencil icon in the MITRE ATT&CK section.
On the MITRE ATT&CK Mapping page, customize rule-mapping options by either adding new tactics or editing existing ones.
Tip:The MITRE ATT&CK Mapping page shows only the mappings that are directly related to a rule. You can see mappings that the rule inherited from its dependencies in the rule details section of the Investigate rules page or in the Rules Explorer report. Use the Mapping source column in the report, or in the MITRE ATT&CK section of the rule details page, to see the relationships between the rules and their mappings. Or, if you create content extensions for the IBM Security App Exchange, and you want to map rules in them, export the mappings and upload them when you submit your content.
To add or remove tactics with the rule or building block, click the plus sign icon, select the relevant tactics, and then click Apply.
To add or remove techniques for a tactic, click the plus sign icon for the tactic, select the relevant techniques, and then click Apply.
To include the tactic and technique in the heat map calculation, keep the Enable checkbox selected.
Select the confidence level for each tactic and click Save. You must set a confidence level; otherwise, you can't save the mapping.
To reset to the default mappings, click the Reset icon in the Tactics or Techniques columns.
After you finish customizing your mappings, click Save or Save and close to return to the Investigate rules page.
To refresh the report to see updated content, click Apply in the Filters pane.