Configuring System settings

System settings specify how your JSA system components are configured for normal operation.

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click System Settings.

  3. Configure the system settings. Click the Help button to see setting descriptions.

  4. Click Save.

  5. On the Admin tab menu, select Advanced > Deploy Full Configuration.

Note:

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Enhancing the Right-click Menu for Event and Flow Columns

You can add more actions to the right-click options that are available on the columns in the Log Activity table or the Network Activity table. For example, you can add an option to view more information about the source IP or destination IP.

Note:

The right-click feature is not available on fields in the Event Information window.

You can pass any data that is in the event or flow to the URL or script. Because that data originates in the collected event or flow, not in JSA, a script that receives it must treat its arguments as untrusted input.

  1. Using SSH, log in to the JSA console appliance as the root user.

  2. Go to the /opt/qradar/conf directory and create a file that is named arielRightClick.properties.

  3. Edit the /opt/qradar/conf/arielRightClick.properties file. Use the following table to specify the parameters that determine the options for the right-click menu.

    Table 1: ArielRightClick.properties File Parameters

    pluginActions
      Requirement: Required
      Description: Comma-separated list of the key names of the right-click actions to add. Each key name identifies either a URL action or a script action, which is defined by the keys that follow.
      Example: pluginActions=sourceIPwebUrlAction

    arielProperty
      Requirement: Required
      Description: Specifies the column, or Ariel field name, for which the right-click menu is enabled.
      Examples: sourceIP, sourcePort, destinationIP, qid

    text
      Requirement: Required
      Description: Specifies the text that is displayed on the right-click menu.
      Example: Google search

    useFormattedValue
      Requirement: Optional
      Description: Specifies whether formatted values are passed to the script. Set to true to pass the formatted value of attributes such as username and payload; formatted values are easier for administrators to read than unformatted values. If the parameter is set to true for the event name (QID) property, the event name of the QID is passed to the script. If the parameter is set to false, the raw, unformatted QID value is passed to the script.

    url
      Requirement: Required for a URL action
      Description: Specifies the URL, which opens in a new window, and the parameters to pass to the URL. Use the format $Ariel_Field_Name$ for each parameter.
      Example: sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$

    command
      Requirement: Required for a script action
      Description: Specifies the absolute path of the command or script file.
      Example: destinationPortScriptAction.command=/bin/echo

    arguments
      Requirement: Required for a script action
      Description: Specifies the data to pass to the script. Use the format $Ariel_Field_Name$ for each value.
      Example: destinationPortScriptAction.arguments=$qid$

    For each key name that is listed in pluginActions, define the action by using keys with the format <key name>.<parameter>, for example sourceIPwebUrlAction.url.

  4. Save and close the file.

  5. Log in to the JSA user interface.

  6. On the navigation menu, click Admin.

  7. Select Advanced > Restart Web Server.

The following example shows how to add Test URL as a right-click option for source IP addresses.

pluginActions=sourceIPwebUrlAction

sourceIPwebUrlAction.arielProperty=sourceIP
sourceIPwebUrlAction.text=Test URL
sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$

The following example shows how to enable script action for destination ports.

pluginActions=destinationPortScriptAction

destinationPortScriptAction.arielProperty=destinationPort
destinationPortScriptAction.text=Test Unformatted Command
destinationPortScriptAction.useFormattedValue=false
destinationPortScriptAction.command=/bin/echo
destinationPortScriptAction.arguments=$qid$

The following example shows adding several parameters to a URL or a scripting action.

pluginActions=qidwebUrlAction,sourcePortScriptAction

qidwebUrlAction.arielProperty=qid,device,eventCount
qidwebUrlAction.text=Search on Google
qidwebUrlAction.url=http://www.google.com?q=$qid$-$device$-$eventCount$

sourcePortScriptAction.arielProperty=sourcePort
sourcePortScriptAction.text=Port Unformatted Command
sourcePortScriptAction.useFormattedValue=true
sourcePortScriptAction.command=/bin/echo
sourcePortScriptAction.arguments=$qid$-$sourcePort$-$device$-$CONTEXT$
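As an added example that is not part of the original page or of JSA itself, the following Python script parses an arielRightClick.properties file of the form shown above, checks the requirements from Table 1, and renders an action for one event. The properties content, the event, its QID and event name are all constructed for the example. Two choices are assumptions rather than documented JSA behaviour: useFormattedValue is treated as true when it is omitted, and a $field$ value substituted into a URL is percent-encoded so that data taken from the event cannot add query parameters. Command actions are rendered as an argument list so that the script can be run without a shell.

```python
import re
from urllib.parse import quote

# Constructed sample of /opt/qradar/conf/arielRightClick.properties (not a file shipped with JSA).
SAMPLE_PROPERTIES = """\
pluginActions=sourceIPwebUrlAction,destinationPortScriptAction
sourceIPwebUrlAction.arielProperty=sourceIP
sourceIPwebUrlAction.text=Test URL
sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$
destinationPortScriptAction.arielProperty=destinationPort
destinationPortScriptAction.text=Test Unformatted Command
destinationPortScriptAction.useFormattedValue=false
destinationPortScriptAction.command=/bin/echo
destinationPortScriptAction.arguments=$qid$-$destinationPort$ $sourceIP$
"""

# Constructed event: field -> (raw value, formatted value or None).
# The QID number and event name are made up for the example.
SAMPLE_EVENT = {
    "sourceIP": ("10.0.0.5", None),
    "destinationPort": (443, None),
    "qid": (1234567, "Firewall Deny"),
}

PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
ACTION_KEYS = ("arielProperty", "text", "useFormattedValue", "url", "command", "arguments")


def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_actions(props):
    """Collect <key name>.<parameter> entries for every name in pluginActions
    and enforce the requirements from Table 1."""
    names = [n.strip() for n in props.get("pluginActions", "").split(",") if n.strip()]
    if not names:
        raise ValueError("pluginActions is required and must list at least one action")
    actions = {}
    for name in names:
        action = {k: props[f"{name}.{k}"] for k in ACTION_KEYS if f"{name}.{k}" in props}
        for required in ("arielProperty", "text"):
            if required not in action:
                raise ValueError(f"{name}: {required} is required")
        if "url" in action:
            if "command" in action:
                raise ValueError(f"{name}: an action is either a URL or a command, not both")
        elif "command" in action:
            if not action["command"].startswith("/"):
                raise ValueError(f"{name}: command must be an absolute path")
            if "arguments" not in action:
                raise ValueError(f"{name}: arguments is required for a command action")
        else:
            raise ValueError(f"{name}: url or command is required")
        actions[name] = action
    return actions


def render(action, event):
    """Substitute $field$ placeholders with values from the event.
    URL values are percent-encoded (assumption, see lead-in); command actions
    return an argv list that can be executed without a shell."""
    # Assumption: an omitted useFormattedValue behaves like true.
    formatted = action.get("useFormattedValue", "true").lower() == "true"

    def value(field):
        raw, pretty = event[field]  # KeyError for a field the event does not carry
        return str(pretty if formatted and pretty is not None else raw)

    if "url" in action:
        return PLACEHOLDER.sub(lambda m: quote(value(m.group(1)), safe=""), action["url"])
    # Split on whitespace before substituting so a value containing spaces stays one argument.
    argv = [PLACEHOLDER.sub(lambda m: value(m.group(1)), tok) for tok in action["arguments"].split()]
    return [action["command"]] + argv


if __name__ == "__main__":
    for name, action in load_actions(parse_properties(SAMPLE_PROPERTIES)).items():
        print(name, "->", render(action, SAMPLE_EVENT))
```

Run it to print the rendered URL and argument list for each action; point parse_properties at your own file to catch a relative command path or a missing arguments key before you restart the web server.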

Asset Retention Values Overview

The asset retention values set the period, in days, for which asset profile information is stored. The following rules apply:

  • Assets are tested against the retention thresholds at regular intervals. By default, the cleanup interval is 12 hours.

  • All retention periods are relative to the last seen date of the information, regardless of whether the information was last seen by a scanner or passively observed by the system.

  • Asset information is deleted only as it expires: after a cleanup run, all asset information that is still within its retention threshold remains.

  • By default, assets that are associated with un-remediated vulnerabilities (as detected by JSA Vulnerability Manager or another scanner) are retained.

  • Assets can always be deleted manually through the user interface.

Table 2: Asset Components

IP Address
  Default retention: 120 days
  Notes: By default, user-supplied IP addresses are retained until they are deleted manually.

MAC Addresses (Interfaces)
  Default retention: 120 days
  Notes: By default, user-supplied interfaces are retained until they are deleted manually.

DNS and NetBIOS Hostnames
  Default retention: 120 days
  Notes: By default, user-supplied hostnames are retained until they are deleted manually.

Asset Properties
  Default retention: 120 days
  Notes: By default, user-supplied asset properties are retained until they are deleted manually. The asset properties that this value can affect are Given Name, Unified Name, Weight, Description, Business Owner, Business Contact, Technical Owner, Technical Contact, Location, Detection Confidence, Wireless AP, Wireless SSID, Switch ID, Switch Port ID, CVSS Confidentiality Requirement, CVSS Integrity Requirement, CVSS Availability Requirement, CVSS Collateral Damage Potential, Technical User, User Supplied OS, OS Override Type, OS Override Id, Extended, Legacy (Pre-2014.x) Cvss Risk, VLAN, and Asset Type.

Asset Products
  Default retention: 120 days
  Notes: By default, user-supplied products are retained until they are deleted manually. Asset products include the asset OS, installed applications, and products that are associated with open asset ports.

Asset "Open" Ports
  Default retention: 120 days

Asset NetBIOS Groups
  Default retention: 120 days
  Notes: NetBIOS groups are seldom used, and most customers may not be aware of their existence. Where they are used, they are deleted after 120 days.

Asset Client Application
  Default retention: 120 days
  Notes: Client applications are not yet used in the user interface. This value can be ignored.

Asset Users
  Default retention: 30 days
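The retention rules above, applied to a few constructed asset records, as an added example that is not JSA code. The record layout (an asset with a vulnerability count and a list of components, each with a kind, a last-seen date and a user-supplied flag) is an assumption made for the example; JSA's own asset model is not exposed this way.

```python
from datetime import datetime, timedelta, timezone

# Default retention per asset component, from Table 2.
DEFAULT_RETENTION_DAYS = {
    "ip_address": 120,
    "mac_address": 120,
    "hostname": 120,
    "property": 120,
    "product": 120,
    "open_port": 120,
    "netbios_group": 120,
    "client_application": 120,
    "user": 30,
}

# Constructed sample: "now" and two assets with components of varying age.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    {"id": 1, "unremediated_vulns": 0, "components": [
        {"id": "ip-1", "kind": "ip_address", "last_seen": NOW - timedelta(days=130), "user_supplied": False},
        {"id": "ip-2", "kind": "ip_address", "last_seen": NOW - timedelta(days=130), "user_supplied": True},
        {"id": "user-1", "kind": "user", "last_seen": NOW - timedelta(days=31), "user_supplied": False},
        {"id": "port-1", "kind": "open_port", "last_seen": NOW - timedelta(days=10), "user_supplied": False},
    ]},
    # Asset with open vulnerabilities: retained by default even when its data is stale.
    {"id": 2, "unremediated_vulns": 3, "components": [
        {"id": "ip-3", "kind": "ip_address", "last_seen": NOW - timedelta(days=200), "user_supplied": False},
    ]},
]


def expired_components(assets, now, retention=DEFAULT_RETENTION_DAYS, retain_vulnerable=True):
    """Return (asset id, component id) pairs that a cleanup run at `now` would delete.

    Age is measured from each component's last-seen date, whether it came from a
    scanner or passive observation. User-supplied components are never expired,
    and by default an asset with un-remediated vulnerabilities keeps all of its data.
    Everything still inside its retention window is left untouched.
    """
    expired = []
    for asset in assets:
        if retain_vulnerable and asset["unremediated_vulns"] > 0:
            continue
        for comp in asset["components"]:
            if comp["user_supplied"]:
                continue
            if now - comp["last_seen"] > timedelta(days=retention[comp["kind"]]):
                expired.append((asset["id"], comp["id"]))
    return expired


if __name__ == "__main__":
    print("default policy:", expired_components(SAMPLE_ASSETS, NOW))
    print("vulnerable assets not exempt:", expired_components(SAMPLE_ASSETS, NOW, retain_vulnerable=False))
```

Raising a single value in the retention map (for example users to 60 days) and re-running shows which component stops being purged, which is the check to make before changing a retention value on a production console.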

 

Adding or Editing a JSA Login Message

Create a new login message or edit an existing login message on your JSA Console.

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click User Management.

  3. Click Authentication, and then click General Authentication Settings.

  4. To edit the login message, click Login Page and then set Login Message to On.

    1. Type your message in the Edit Login Message window.

    2. To force users to consent to the login message before they can log in, set Require explicit consent of this message for login to On.

    3. Click Save Settings.

      The login message is saved in the /opt/qradar/conf/LoginMessage.txt file.

      Note:

      You can also upload the LoginMessage.txt file to the /opt/qradar/conf/ directory.

  5. On the Admin tab, click Deploy Changes.

  6. To see your changes, log out of JSA.

Turning on and Configuring Rule Performance Visualization

Use the Custom Rule Settings to turn on and configure metrics for rule performance analysis. Rule performance visualization extends the existing logging of performance degradation and expensive custom rules in the JSA pipeline: with it turned on, you can see the efficiency of each rule in the pipeline directly on the Rules page.

After you turn on rule performance visualization, the metrics remain blank unless an event or flow performance issue occurs.

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click System Settings.

  3. On the System Settings page, click Advanced.

  4. Configure the Custom Rule Settings.

    Table 3: Custom Rule Settings

    Enable Performance Analysis
      Enables cost performance analysis tracking for custom rules. The default is False.

    Reset Metrics on Rule Change
      Resets the rule performance analysis metrics when a rule is modified. The default is True.

      Note: To reset the metrics for a rule, edit the rule, and then save it. The metrics are cleared for the rule that you modified.

    Performance Analysis Upper Limit
      The upper threshold (in EPS or FPS) that is used to determine the performance bar value for a rule.

      • If the throughput for a rule is above this limit, the performance is displayed as three green bars.

      • If the throughput for a rule drops below this limit but is above the Performance Analysis Lower Limit, the performance is displayed as two orange bars.

      The default is 50,000.

    Performance Analysis Lower Limit
      The lower threshold (in EPS or FPS) that is used to determine the performance bar value for a rule. If the throughput for a rule drops below this limit, the performance is displayed as one red bar.

      The default is 12,500.

  5. Click Save.

  6. On the navigation menu, click Admin.

  7. Click Deploy Changes.

When rule performance visualization is turned on, the Performance column is added to the Rules page. The Performance column on the Rules page is blank until a performance issue occurs in the custom rule engine.

For more information about Rule performance visualization, see the Juniper Secure Analytics User Guide.

Troubleshooting Rule Performance Visualization

This reference provides troubleshooting information for rule performance visualization.

Why am I not seeing metrics for a rule?

Table 4: Rule Metrics Issues

Issue: Performance Analysis is not enabled.
Solution: Set Enable Performance Analysis to True in the Custom Rule Settings, and then deploy the changes.

Issue: Metrics do not display for rules that are not enabled.
Solution: Works as designed. Metrics display only for enabled rules.

Issue: Metrics do not display for offense rules.
Solution: Works as designed. Metrics are collected only for event, common, and flow rules.

Issue: Metrics do not display for a rule.
Solution: The rule might have been modified recently, which resets its metrics. If you don't want the metrics to be reset when a rule is resaved, disable Reset Metrics on Rule Change.

Why would I want to change the upper and lower thresholds?

Whether to change the upper and lower threshold limits depends on what you consider an acceptable events per second (EPS) or flows per second (FPS) throughput for your rules. A good starting point is your general system EPS or FPS throughput: set the upper limit a few thousand above it and the lower limit a few thousand below it. When you change these settings, keep your license and hardware throughput limits in mind; the upper limit does not need to exceed your license or hardware capacity. As you use this feature to tune your rules, you typically raise the lower limit slightly so that you can focus on the remaining under-performing rules.

Example:

  • General EPS load for system: 5,000 EPS

  • Upper Limit: 8,000 EPS

  • Lower Limit: 2,000 EPS

Rules that can process 8,001 EPS or more display three green bars. Rules that can process only 1,999 EPS or fewer display one red bar. All rules between these values are marked with two orange bars. After you tune all of the rules that display red bars, so that only orange and green bars remain, you can increase the lower limit to 3,000 EPS.

Why does a disabled rule show as expensive?

When rule performance is turned on, previous values might display for disabled rules, which might cause the rule to show as expensive.

If you selected Reset Metrics on Rule Change when you enabled rule performance, reset the metrics for the rule by editing the rule, and then saving it. The metrics are cleared for the rule that you modified.

You can view the metrics for a rule from the Rules page when you move the mouse pointer over the colored bars in the Performance column, and in the Performance Analysis textbox, which is in the lower-right corner of the Rules page. You can also view the metrics for a rule in the Rule Wizard when you edit a rule. The timestamp in the Performance Analysis textbox shows when the metrics for the rule were updated.

For more information about editing rules, see the Juniper Secure Analytics User Guide.