Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring System settings


System settings specify how your JSA system components are configured for normal operation.

  1. On the navigation menu (), click Admin to open the admin tab.
  2. In the System Configuration section, click System Settings.
  3. Configure the system settings. Click the Help button to see setting descriptions.
  4. Click Save.
  5. On the Admin tab menu, select Advanced >Deploy Full Configuration.

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Customizing the right-click menu

To provide quick access to functions, customize menu options by using a plug-in application programming interface (API). For example, you can add more menu items, such as an option to scan the NetBIOS.

The ip_context_menu.xml file accepts menuEntry XML nodes to customize the right-click menu.

<menuEntry name="{Name}" description="{Description}" exec="{Command}" url="{URL}" requiredCapabilities="{Required Capabilities}"/>

The following list describes the attributes in the menuEntry element:

  • Name --The text that is displayed in the right-click menu.

  • Description -- The description of the entry. The description text is displayed in the tooltip for your menu option. The description is optional.

  • URL -- Specifies the web address that opens in a new window.

    You can use the placeholder %IP% to represent the IP address. The ampersand character (&), the left angle bracket (<), and the right angle bracket (>) must be escaped using the strings &amp;, &lt;, and &gt; respectively.

    For example, to pass a URL with multiple parameters that includes a placeholder for the IP address, you can use this syntax: url="/lookup?&amp;ip=%IP%;force=true"

  • Command --A command that you want to run on the JSA Console. The output of the command is displayed in a new window. Use the placeholder, %IP%, to represent the IP address that is selected.

  • Required Capabilities --Any capabilities, for example, "ADMIN", that the user must have before they select this option, comma-delimited. If the user does not have all capabilities that are listed, the entries are not displayed. Required capabilities is an optional field.

The edited file must look similar to the following example:

<?xml version="1.0" encoding="UTF-8"?>

<!- This is a configuration file to add custom actions into

the IP address right-click menu. Entries must be of one of the

following formats: -->


<menuEntry name="Traceroute" exec="/usr/sbin/traceroute %IP%" />

<menuEntry name="External ARIN Lookup"

url="" />


  1. Using SSH, log in to JSA as the root user.
  2. On the JSA server, copy the ip_context_menu.xml file from the /opt/qradar/conf/templates directory to the /opt/qradar/conf directory.
  3. Open the /opt/qradar/conf/ip_context_menu.xml file for editing.
  4. Edit the attributes in the menuEntry element.
  5. Save and close the file.
  6. To apply these changes, restart the JSA GUI by typing the following command:

    systemctl restart tomcat

Enhancing the Right-click Menu for Event and Flow Columns

You can add more actions to the right-click options that are available on the columns in the Log Activity table or the Network Activity table. For example, you can add an option to view more information about the source IP or destination IP.

You can pass any data that is in the event or flow to the URL or script.

  1. Using SSH, log in to the JSA console appliance as the root user.
  2. Go to the /opt/qradar/conf directory and create a file that is named
  3. Edit the /opt/qradar/conf/ file. Use the following table to specify the parameters that determine the options for the right-click menu.

    Table 1: Description Of the File Parameters







    Indicates either a URL or script action.




    Specifies the column, or Ariel field name, for which the right-click menu is enabled.







    Specifies the text that is displayed on the right-click menu.

    Google search



    Specifies whether formatted values are passed to the script.

    Set to true to ensure that the formatted value for attributes, such as username and payload, are passed. Formatted values are easier for administrators to read than unformatted values.

    If the parameter is set to true for the event name (QID) property, the event name of the QID is passed to the script.

    If the parameter is set to false, the raw, unformatted QID value is passed to the script.


    Required to access a URL

    Specifies the URL, which opens in a new window, and the parameters to pass to the URL.

    Use the format: $Ariel_Field Name$

    sourceIPwebUrlAction.url= q=$sourceIP$


    Required if the action is a command

    Specifies the absolute path of the command or script file.

    destinationPortScript Action.command=/bin/echo


    Required if the action is a command

    Specifies the data to pass to the script.

    Use the following format: $Ariel_Field Name$

    destinationPortScript Action.arguments=$qid$

    For each of the key names that are specified in the pluginActions list, define the action by using a key with the format key name, property.

  4. Save and close the file.
  5. Log in to the JSA user interface.
  6. On the navigation menu (), click Admin to open the admin tab.
  7. Select Advanced >Restart Web Server.

The following example shows how to add Test URL as a right-click option for source IP addresses.



sourceIPwebUrlAction.text=Test URL


The following example shows how to enable script action for destination ports.



Port destinationPortScriptAction.text=Test Unformatted Command




The following example shows adding several parameters to a URL or a scripting action.



qidwebUrlAction.text=Search on Google



sourcePortScriptAction.text=Port Unformatted Command




Asset Retention Values Overview

Additional information for the period, in days, that you want to store the asset profile information.

  • Assets are tested against the retention thresholds at regular intervals. By default, the cleanup interval is 12 hours

  • All specified retention periods are relative to the last seen date of the information, regardless of whether the information was last seen by a scanner or passively observed by the system.

  • Asset information is deleted as it expires, meaning that following a cleanup interval, all asset information within its retention threshold remains.

  • By default, assets that are associated with un-remediated vulnerabilities (as detected by JSA Vulnerability Manager or other scanner) are retained.

  • Assets can always be deleted manually through the user interface.

Table 2: Asset Components

Asset component

Default retention (in days)


IP Address

120 days

By default, user-supplied IP Addresses are retained until they are deleted manually.

MAC Addresses (Interfaces)

120 days

By default, user-supplied interfaces are retained until they are deleted manually.

DNS and NetBIOS Hostnames

120 days

by default, user-supplied hostnames are retained until they are deleted manually.

Asset Properties

120 days

By default, user-supplied IP Addresses are retained until they are deleted manually.

The asset properties this value can affect are Given Name, Unified Name, Weight, Description, Business Owner, Business Contact, Technical Owner, Technical Contact, Location, Detection Confidence, Wireless AP, Wireless SSID, Switch ID, Switch Port ID, CVSS Confidentiality Requirement, CVSS Integrity Requirement, CVSS Availability Requirement, CVSS Collateral Damage Potential, Technical User, User Supplied OS, OS Override Type, OS Override Id, Extended, Legacy (Pre-7.2) Cvss Risk, VLAN, and Asset Type.

Asset Products

120 days

By default, user-supplied products are retained until they are deleted manually.

Asset products include Asset OS, Asset Installed Applications, and products that are associated with open asset ports

Asset "Open" Ports

120 days


Asset netBIOS Groups

120 days

NetBIOS groups are seldom used, and more customers may not be aware of their existence. In the case where they are used, they are deleted after 120 days.

Asset Client Application

120 days

Client Applications are not yet leveraged in the user interface. This value can be ignored.

Asset Users

30 days


Adding or Editing a JSA Login Message

Create a new login message or edit an existing login message on your JSAConsole.

  1. On the navigation menu (), click Admin to open the admin tab.
  2. In the System Configuration section, click System Settings.
  3. Click Authentication Settings.
  4. To edit the login message, click Edit in the Login Message field.
    1. Type your message in the Edit Login Message window.

    2. To force users to consent to the login message before they can log in, select the check box.

    3. Click Save.

      The login message is saved in the opt/qradar/conf/LoginMessage.txt file.


      You can also upload the LoginMessage.txt file to the opt/qradar/conf/ directory.

  5. On the Admin tab, click Deploy Changes.
  6. To see your changes, log out of JSA.