Creating Reference Data Collections by Using the Command Line
Use the command line to manage reference data collections that cannot be managed in JSA, such as reference maps, map of sets, map of maps, and tables. Although it's easier to manage reference sets using JSA, use the command line when you want to schedule management tasks.
Use the ReferenceDataUtil.sh script to manage reference sets and other types of reference data collections.
When you use an external file to populate the reference data collection, the first non-comment line in the file identifies the column names in the reference data collection. Each line after that is a data record that gets added to the collection. While the data type for the reference collection values is specified when the collection is created, each key is an alphanumeric string.
The following table shows examples of how to format data in an external file that is to be used for populating reference maps.
Type of reference collection | Data formatting examples
---|---
Reference map |
Reference map of sets |
Reference map of maps |
You can also create reference data collections by using the /reference_data endpoint in the JSA RESTful API.
1. Using SSH, log in to JSA as the root user.
2. Go to the /opt/qradar/bin directory.
3. To create the reference data collection, type the following command:

   ./ReferenceDataUtil.sh create name [SET | MAP | MAPOFSETS | MAPOFMAPS | REFTABLE] [ALN | NUM | IP | PORT | ALNIC | DATE] [-timeoutType=[FIRST_SEEN | LAST_SEEN]] [-timeToLive=]

4. To populate the map with data from an external file, type the following command:

   ./ReferenceDataUtil.sh load name filename [-encoding=...] [-sdf=" ... "]

Here are some examples of how to use the command line to create different types of reference data collections:

Create an alphanumeric map:

./ReferenceDataUtil.sh create testALN MAP ALN

Create a map of sets that contains port values that will age out 3 hours after they were last seen:

./ReferenceDataUtil.sh create testPORT MAPOFSETS PORT -timeoutType=LAST_SEEN -timeToLive='3 hours'

Create a map of maps that contains numeric values that will age out 3 hours 15 minutes after they were first seen:

./ReferenceDataUtil.sh create testNUM MAPOFMAPS NUM -timeoutType=FIRST_SEEN -timeToLive='3 hours 15 minutes'

Create a reference table where the default format is alphanumeric:

./ReferenceDataUtil.sh create testTable REFTABLE ALN -keyType=ipKey:IP,portKey:PORT,numKey:NUM,dateKey:DATE
Log in to JSA to create rules that add data to your reference data collections. You can also create rule tests that detect activity from elements that are in your reference data collection.
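The scheduled use of ReferenceDataUtil.sh that the introduction mentions, as an added example that is not part of the JSA documentation: a POSIX shell wrapper that checks the create arguments against the documented collection and element types, checks that an external file has a header line and at least one data record before it is handed to load, and can be called from a cron job. The utility path /opt/qradar/bin/ReferenceDataUtil.sh is taken from the steps above; the REFDATA_UTIL override, the function names, the cron line and the UTF-8 encoding value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation: a small POSIX shell wrapper
# around ReferenceDataUtil.sh for scheduled reference data loads with basic
# input validation before the utility is invoked.
# Assumptions not stated on the page: the utility lives at
# /opt/qradar/bin/ReferenceDataUtil.sh (overridable through REFDATA_UTIL), and
# the value given to -encoding is a Java charset name such as UTF-8.

REFDATA_UTIL="${REFDATA_UTIL:-/opt/qradar/bin/ReferenceDataUtil.sh}"

# Print the first non-comment, non-empty line of FILE. Per the documentation,
# this line names the columns of the collection being loaded.
refdata_header() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# Print the number of data records in FILE: the non-comment, non-empty
# lines that follow the header line.
refdata_record_count() {
    n=$(grep -v '^[[:space:]]*#' "$1" | grep -vc '^[[:space:]]*$' || true)
    [ "$n" -gt 0 ] && echo $((n - 1)) || echo 0
}

# Refuse files that would make `load` fail or load nothing: unreadable,
# without a header line, or without at least one record after the header.
refdata_validate_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    [ -n "$(refdata_header "$f")" ] || { echo "no header line in $f" >&2; return 1; }
    [ "$(refdata_record_count "$f")" -ge 1 ] || { echo "no data records in $f" >&2; return 1; }
    return 0
}

# refdata_create NAME TYPE ELEMENTTYPE [extra options...]
# Validates TYPE and ELEMENTTYPE against the values the utility documents,
# then runs `create`; extra options such as -timeoutType= and -timeToLive=
# are passed through unchanged (quoting preserved via "$@").
refdata_create() {
    name="$1"; ctype="$2"; etype="$3"; shift 3
    case "$ctype" in
        SET|MAP|MAPOFSETS|MAPOFMAPS|REFTABLE) ;;
        *) echo "invalid collection type: $ctype" >&2; return 1 ;;
    esac
    case "$etype" in
        ALN|ALNIC|NUM|IP|PORT|DATE) ;;
        *) echo "invalid element type: $etype" >&2; return 1 ;;
    esac
    "$REFDATA_UTIL" create "$name" "$ctype" "$etype" "$@"
}

# refdata_load NAME FILE [extra options...]
# Validates FILE, then runs `load`; pass -encoding= and -sdf= as extra options.
refdata_load() {
    name="$1"; file="$2"; shift 2
    refdata_validate_file "$file" || return 1
    "$REFDATA_UTIL" load "$name" "$file" "$@"
}

# Entry point for scheduled runs (assumed cron line, not from the page):
#   0 2 * * * /usr/local/bin/refdata_load.sh blocked_ips /var/tmp/blocked_ips.csv
# Runs only when the script is executed with arguments, so sourcing it for
# testing defines the functions without side effects.
if [ "$#" -ge 2 ]; then
    refdata_load "$1" "$2" -encoding=UTF-8
fi
```

Running the script with a collection name and a file name performs the load; sourcing it only defines the functions. Pointing REFDATA_UTIL at a stand-in such as echo shows the exact command line the wrapper would run without touching a console.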
Command Reference for Reference Data Utilities
You can manage your reference data collections by using the ReferenceDataUtil.sh utility on the command line. The following commands are available to use with the script.
Create
Creates a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.
[SET \| MAP \| MAPOFSETS \| MAPOFMAPS \| REFTABLE] | The type of reference data collection.
[ALN \| ALNIC \| NUM \| IP \| PORT \| DATE] | The type of data in the reference data collection.
[-timeoutType=[FIRST_SEEN \| LAST_SEEN]] | Specifies whether the amount of time the data elements remain in the reference data collection is counted from the time the element was first seen or last seen.
[-timeToLive=''] | The amount of time the data elements remain in the reference data collection.
[-keyType=name:elementType,name:elementType,...] | A mandatory REFTABLE parameter consisting of key name to ELEMENTTYPE pairs.
[-key1Label=''] | An optional label for key1, the primary key. A key is a type of information, such as an IP address.
[-valueLabel=''] | An optional label for the values of the collection.

Update
Updates a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.
[-timeoutType=[FIRST_SEEN \| LAST_SEEN]] | Specifies whether the amount of time the data elements remain in the reference data collection is counted from the time the element was first seen or last seen.
[-timeToLive=''] | The amount of time the data elements remain in the reference data collection.
[-keyType=name:elementType,name:elementType,...] | A mandatory REFTABLE parameter consisting of key name to elementType pairs.
[-key1Label=''] | An optional label for key1.
[-valueLabel=''] | An optional label for the values of the collection.

Add
Adds a data element to a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.
<value> <key1> <key2> | The key value pair that you want to add. The keys are alphanumeric strings.
[-sdf=" ... "] | The Simple Date Format string that is used to parse the date data.

Delete
Deletes an element from a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.
<value> <key1> <key2> | The key value pair that you want to delete. The keys are alphanumeric strings.
[-sdf=" ... "] | The Simple Date Format string that is used to parse the date data.

Remove
Removes a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.

Purge
Purges all elements from a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.

List
Lists elements in a reference data collection.

Parameter | Description
---|---
name | The name of the reference data collection.
[displayContents] | Lists all elements in the specified reference data collection.

Listall
Lists all elements in all reference data collections.

Parameter | Description
---|---
[displayContents] | Lists all elements in all reference data collections.

Load
Populates a reference data collection with data from an external .csv file.

Parameter | Description
---|---
name | The name of the reference data collection.
filename | The fully qualified name of the file to be loaded. Each line in the file represents a record to be added to the reference data collection.
[-encoding=...] | The encoding that is used to read the file.
[-sdf=" ... "] | The Simple Date Format string that is used to parse the date data.