Juniper JSA7500 Secure Analytics Hardware Manual page 79


• Event Collector—Collects security events from various types of security devices, known as log
sources, in your network. The Event Collector gathers events from local and remote log sources. The
Event Collector then normalizes the events and sends the information to the Event Processor. The
Event Collector also bundles all virtually identical events to conserve system usage.
• Event Processor—Processes event and flow data from the Event Collector. The events are bundled to
conserve network usage. When the events are received, the Event Processor correlates the information
from JSA and distributes it to the appropriate area, depending on the type of event. The Event
Processor also includes information gathered by JSA to indicate any behavioral changes or policy
violations for that event. The configured rules are then applied to the events, and the Event
Processor processes the events according to those rules. When complete, the Event Processor sends
the events to the Magistrate.
A non-Console Event Processor can be connected to the Event Processor on the Console or
connected to another Event Processor in your deployment. The Accumulator is responsible for
gathering flow and event information from the Event Processor.
The Event Processor on the Console is always connected to the Magistrate. This connection cannot
be deleted.
• Off-site Source—Indicates an off-site event or flow data source that forwards normalized data to an
Event Collector. You can configure an off-site source to receive flows or events and allow the data
to be encrypted before forwarding.
• Off-site Target—Indicates an off-site device that receives event or flow data. An off-site target can
only receive data from an Event Collector.
• Magistrate—The Magistrate component provides the core processing components of the security
information and event management (SIEM) system. You can add one Magistrate component for each
deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and
security events.
The Magistrate processes the events or flows against the defined custom rules to create an offense.
If no custom rules exist, the Magistrate uses the default rule set to process the offending event or
flow. An offense is an event or flow that has been processed through JSA using multiple inputs,
individual events or flows, and combined events or flows with analyzed behavior and vulnerabilities.
The Magistrate prioritizes the offenses and assigns a magnitude value based on several factors,
including the number of offenses, severity, relevance, and credibility.
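
The Event Collector's normalize-and-bundle step described above, as an added example that is not code from Juniper or from this manual. The log formats, the field names, and the choice of which fields make two events "virtually identical" are assumptions for illustration; the manual does not specify them.

```python
import re

# Constructed sample lines from two hypothetical log sources (not real device output).
SAMPLE_LOGS = [
    ("fw", "10:00:00 DENY src=10.0.0.5 dst=192.0.2.10 dport=22"),
    ("fw", "10:00:01 DENY src=10.0.0.5 dst=192.0.2.10 dport=22"),
    ("fw", "10:00:02 DENY src=10.0.0.5 dst=192.0.2.10 dport=22"),
    ("fw", "10:00:02 ALLOW src=10.0.0.9 dst=192.0.2.10 dport=443"),
    ("sshd", "10:00:03 Failed password for root from 10.0.0.7 port 5022"),
    ("sshd", "10:00:04 Failed password for root from 10.0.0.7 port 5023"),
    ("fw", "10:00:05 malformed line"),
]

# Hypothetical formats; which fields define "identical" is an assumption.
FW_RE = re.compile(r"(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
SSH_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")

def normalize(source, line):
    """Map a raw line to a common schema; return None if it cannot be parsed."""
    if source == "fw":
        m = FW_RE.search(line)
        if m:
            return {"category": "firewall_" + m["action"].lower(), "src": m["src"],
                    "dst": m["dst"], "dport": int(m["dport"]), "user": None}
    elif source == "sshd":
        m = SSH_RE.search(line)
        if m:
            return {"category": "auth_failure", "src": m["src"],
                    "dst": None, "dport": None, "user": m["user"]}
    return None

def bundle(logs):
    """Collapse events whose normalized fields all match into one record with a count."""
    bundles, unparsed = {}, []
    for source, line in logs:
        event = normalize(source, line)
        if event is None:
            unparsed.append((source, line))  # keep for review, never silently drop
            continue
        key = tuple(event.values())  # timestamp and ephemeral source port are excluded
        record = bundles.setdefault(key, {**event, "count": 0})
        record["count"] += 1
    return list(bundles.values()), unparsed

if __name__ == "__main__":
    forwarded, unparsed = bundle(SAMPLE_LOGS)
    for record in forwarded:
        print(record)
    print("unparsed:", unparsed)
```

Seven raw lines become three bundled records plus one unparsed line, which shows both the volume saved and the per-event detail (exact timestamps, source ports) that bundling discards.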
RELATED DOCUMENTATION
Preparing the Network Hierarchy
Identifying Network Settings
Identifying Security Monitoring Devices and Flow Data Sources

This manual is also suitable for: JSA3800, JSA5800, JSA7800