Configuring System settings

 

System settings specify how your JSA system components are configured for normal operation.

  1. On the navigation menu, click Admin to open the Admin tab.
  2. In the System Configuration section, click System Settings.
  3. Configure the system settings. Click the Help button to see setting descriptions.
  4. Click Save.
  5. On the Admin tab menu, select Advanced > Deploy Full Configuration.
Note

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Customizing the right-click menu

To provide quick access to functions, customize menu options by using a plug-in application programming interface (API). For example, you can add more menu items, such as an option to scan the NetBIOS.

The ip_context_menu.xml file accepts menuEntry XML nodes to customize the right-click menu.

<menuEntry name="{Name}" description="{Description}" exec="{Command}" url="{URL}" requiredCapabilities="{Required Capabilities}"/>

The following list describes the attributes in the menuEntry element:

  • Name -- The text that is displayed in the right-click menu.

  • Description -- The description of the entry. The description text is displayed in the tooltip for your menu option. The description is optional.

  • URL -- Specifies the web address that opens in a new window.

    You can use the placeholder %IP% to represent the IP address. The ampersand character (&), the left angle bracket (<), and the right angle bracket (>) must be escaped using the strings &amp;, &lt;, and &gt; respectively.

    For example, to pass a URL with multiple parameters that includes a placeholder for the IP address, you can use this syntax: url="/lookup?&amp;ip=%IP%&amp;force=true"

  • Command -- A command that you want to run on the JSA Console. The output of the command is displayed in a new window. Use the placeholder %IP% to represent the IP address that is selected.

  • Required Capabilities -- A comma-delimited list of capabilities, for example, "ADMIN", that the user must have before they can select this option. If the user does not have all capabilities that are listed, the entries are not displayed. Required capabilities is an optional field.

The edited file must look similar to the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a configuration file to add custom actions into
the IP address right-click menu. Entries must be of one of the
following formats: -->
<contextMenu>
  <menuEntry name="Traceroute" exec="/usr/sbin/traceroute %IP%" />
  <menuEntry name="External ARIN Lookup"
    url="http://ws.arin.net/whois/?queryinput=%IP%" />
</contextMenu>

  1. Using SSH, log in to JSA as the root user.
  2. On the JSA server, copy the ip_context_menu.xml file from the /opt/qradar/conf/templates directory to the /opt/qradar/conf directory.
  3. Open the /opt/qradar/conf/ip_context_menu.xml file for editing.
  4. Edit the attributes in the menuEntry element.
  5. Save and close the file.
  6. To apply these changes, restart the JSA GUI by typing the following command:

    systemctl restart tomcat
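
Before restarting the GUI, the edited file can be checked offline. The following is an added example, not part of the product or its documentation: it parses the text of an ip_context_menu.xml file, reports an unescaped ampersand or left angle bracket as a well-formedness error, and flags exec entries that any user could see. The function name, the sample entries and the two exec checks are assumptions of this example (a review policy, not product rules).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not shipped with the product). "Ping" is deliberately
# sloppy: relative command path and no requiredCapabilities.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<contextMenu>
  <menuEntry name="Traceroute" exec="/usr/sbin/traceroute %IP%"
             requiredCapabilities="ADMIN" />
  <menuEntry name="Lookup" url="/lookup?ip=%IP%&amp;force=true" />
  <menuEntry name="Ping" exec="ping %IP%" />
</contextMenu>"""
# Same file with the ampersand left unescaped, as in a pasted raw URL.
BAD = GOOD.replace("&amp;", "&")


def check_context_menu(xml_text):
    """Return a list of findings for the text of an ip_context_menu.xml file."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as err:
        # An unescaped & or < inside an attribute value ends up here.
        return [f"not well-formed XML: {err}"]
    findings = []
    if root.tag != "contextMenu":
        findings.append(f"root element is <{root.tag}>, expected <contextMenu>")
    for entry in root.iter("menuEntry"):
        label = entry.get("name") or "<unnamed>"
        exec_cmd, url = entry.get("exec"), entry.get("url")
        if not entry.get("name"):
            findings.append("menuEntry has no name attribute")
        if not exec_cmd and not url:
            findings.append(f"{label}: neither exec nor url is set")
        if exec_cmd:
            # Review policy assumed by this example, not a product rule.
            if not exec_cmd.startswith("/"):
                findings.append(f"{label}: exec does not use an absolute path")
            if not entry.get("requiredCapabilities"):
                findings.append(f"{label}: exec entry has no requiredCapabilities")
    return findings


if __name__ == "__main__":
    for title, text in (("escaped", GOOD), ("unescaped", BAD)):
        print(title, check_context_menu(text))
```
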

Enhancing the Right-click Menu for Event and Flow Columns

You can add more actions to the right-click options that are available on the columns in the Log Activity table or the Network Activity table. For example, you can add an option to view more information about the source IP or destination IP.

You can pass any data that is in the event or flow to the URL or script.

  1. Using SSH, log in to the JSA console appliance as the root user.
  2. Go to the /opt/qradar/conf directory and create a file that is named arielRightClick.properties.
  3. Edit the /opt/qradar/conf/arielRightClick.properties file. Use the following table to specify the parameters that determine the options for the right-click menu.

    Table 1: Description of the arielRightClick.properties File Parameters

    | Parameter | Requirement | Description | Example |
    |---|---|---|---|
    | pluginActions | Required | Indicates either a URL or script action. | |
    | arielProperty | Required | Specifies the column, or Ariel field name, for which the right-click menu is enabled. | sourceIP, sourcePort, destinationIP, qid |
    | text | Required | Specifies the text that is displayed on the right-click menu. | Google search |
    | useFormattedValue | Optional | Specifies whether formatted values are passed to the script. Set to true to ensure that the formatted value for attributes, such as username and payload, are passed. Formatted values are easier for administrators to read than unformatted values. If the parameter is set to true for the event name (QID) property, the event name of the QID is passed to the script. If the parameter is set to false, the raw, unformatted QID value is passed to the script. | |
    | url | Required to access a URL | Specifies the URL, which opens in a new window, and the parameters to pass to the URL. Use the format: $Ariel_Field Name$ | sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$ |
    | command | Required if the action is a command | Specifies the absolute path of the command or script file. | destinationPortScriptAction.command=/bin/echo |
    | arguments | Required if the action is a command | Specifies the data to pass to the script. Use the following format: $Ariel_Field Name$ | destinationPortScriptAction.arguments=$qid$ |

    For each of the key names that are specified in the pluginActions list, define the action by using keys of the form key_name.property, for example sourceIPwebUrlAction.text.

  4. Save and close the file.
  5. Log in to the JSA user interface.
  6. On the navigation menu, click Admin to open the Admin tab.
  7. Select Advanced > Restart Web Server.

The following example shows how to add Test URL as a right-click option for source IP addresses.

pluginActions=sourceIPwebUrlAction
sourceIPwebUrlAction.arielProperty=sourceIP
sourceIPwebUrlAction.text=Test URL
sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$

The following example shows how to enable script action for destination ports.

pluginActions=destinationPortScriptAction
destinationPortScriptAction.arielProperty=destinationPort
destinationPortScriptAction.text=Test Unformatted Command
destinationPortScriptAction.useFormattedValue=false
destinationPortScriptAction.command=/bin/echo
destinationPortScriptAction.arguments=$qid$

The following example shows adding several parameters to a URL or a scripting action.

pluginActions=qidwebUrlAction,sourcePortScriptAction
qidwebUrlAction.arielProperty=qid,device,eventCount
qidwebUrlAction.text=Search on Google
qidwebUrlAction.url=http://www.google.com?q=$qid$-$device$-$eventCount$
sourcePortScriptAction.arielProperty=sourcePort
sourcePortScriptAction.text=Port Unformatted Command
sourcePortScriptAction.useFormattedValue=true
sourcePortScriptAction.command=/bin/echo
sourcePortScriptAction.arguments=$qid$-$sourcePort$-$device$-$CONTEXT$
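
Because these actions hand event and flow fields to a script on the console or to an outside web address, it is worth checking the file against Table 1 before restarting the web server. The following is an added example, not code from the product: a small linter for the text of an arielRightClick.properties file. The function names, the sample file, the simplified key=value parsing and the plain-HTTP check are assumptions of this example.

```python
import re

PLACEHOLDER = re.compile(r"\$([^$\s]+)\$")  # $field$ tokens in url/arguments
KEYS = ("arielProperty", "text", "url", "command", "arguments")
# Constructed sample (not from the product): a plain-HTTP URL action, a script
# action with a relative command path, and a listed but undefined action.
SAMPLE = """\
pluginActions=qidwebUrlAction,sourcePortScriptAction,brokenAction
qidwebUrlAction.arielProperty=qid,device
qidwebUrlAction.text=Test URL
qidwebUrlAction.url=http://www.mywebsite.com?q=$qid$-$device$
sourcePortScriptAction.arielProperty=sourcePort
sourcePortScriptAction.text=Port Command
sourcePortScriptAction.command=echo
sourcePortScriptAction.arguments=$qid$-$sourcePort$
"""

def parse_properties(text):
    """Parse key=value lines; blank and comment lines are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return findings for every action named in pluginActions."""
    props = parse_properties(text)
    actions = [a.strip() for a in props.get("pluginActions", "").split(",") if a.strip()]
    findings = [] if actions else ["pluginActions is missing or empty"]
    for action in actions:
        cfg = {k: props.get(f"{action}.{k}", "") for k in KEYS}
        for name in ("arielProperty", "text"):
            if not cfg[name]:
                findings.append(f"{action}: missing required {name}")
        if not cfg["url"] and not cfg["command"]:
            findings.append(f"{action}: defines neither url nor command")
        if cfg["command"] and not cfg["command"].startswith("/"):
            findings.append(f"{action}: command is not an absolute path")
        if cfg["command"] and not cfg["arguments"]:
            findings.append(f"{action}: command has no arguments")
        # Reviewer's check added by this example, not a product rule.
        if cfg["url"].lower().startswith("http://"):
            fields = ", ".join(PLACEHOLDER.findall(cfg["url"]))
            findings.append(f"{action}: plain-HTTP url carries fields: {fields}")
    return findings
```
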

Asset Retention Values Overview

The following information describes the period, in days, for which asset profile information is stored.

  • Assets are tested against the retention thresholds at regular intervals. By default, the cleanup interval is 12 hours.

  • All specified retention periods are relative to the last seen date of the information, regardless of whether the information was last seen by a scanner or passively observed by the system.

  • Asset information is deleted as it expires, meaning that following a cleanup interval, all asset information within its retention threshold remains.

  • By default, assets that are associated with un-remediated vulnerabilities (as detected by JSA Vulnerability Manager or other scanner) are retained.

  • Assets can always be deleted manually through the user interface.

Table 2: Asset Components

| Asset component | Default retention (in days) | Notes |
|---|---|---|
| IP Address | 120 days | By default, user-supplied IP Addresses are retained until they are deleted manually. |
| MAC Addresses (Interfaces) | 120 days | By default, user-supplied interfaces are retained until they are deleted manually. |
| DNS and NetBIOS Hostnames | 120 days | By default, user-supplied hostnames are retained until they are deleted manually. |
| Asset Properties | 120 days | By default, user-supplied IP Addresses are retained until they are deleted manually. The asset properties this value can affect are Given Name, Unified Name, Weight, Description, Business Owner, Business Contact, Technical Owner, Technical Contact, Location, Detection Confidence, Wireless AP, Wireless SSID, Switch ID, Switch Port ID, CVSS Confidentiality Requirement, CVSS Integrity Requirement, CVSS Availability Requirement, CVSS Collateral Damage Potential, Technical User, User Supplied OS, OS Override Type, OS Override Id, Extended, Legacy (Pre-7.2) Cvss Risk, VLAN, and Asset Type. |
| Asset Products | 120 days | By default, user-supplied products are retained until they are deleted manually. Asset products include Asset OS, Asset Installed Applications, and products that are associated with open asset ports. |
| Asset "Open" Ports | 120 days | |
| Asset netBIOS Groups | 120 days | NetBIOS groups are seldom used, and more customers may not be aware of their existence. In the case where they are used, they are deleted after 120 days. |
| Asset Client Application | 120 days | Client Applications are not yet leveraged in the user interface. This value can be ignored. |
| Asset Users | 30 days | |

Adding or Editing a JSA Login Message

Create a new login message or edit an existing login message on your JSA Console.

  1. On the navigation menu, click Admin to open the Admin tab.
  2. In the System Configuration section, click System Settings.
  3. Click Authentication Settings.
  4. To edit the login message, click Edit in the Login Message field.
    1. Type your message in the Edit Login Message window.

    2. To force users to consent to the login message before they can log in, select the check box.

    3. Click Save.

      The login message is saved in the /opt/qradar/conf/LoginMessage.txt file.

      Note

      You can also upload the LoginMessage.txt file to the /opt/qradar/conf/ directory.

  5. On the Admin tab, click Deploy Changes.
  6. To see your changes, log out of JSA.