
Methods Of Importing and Exporting Content

 

You can use the following tools to import and export content in your JSA deployment.

Extensions Management Tool

Use the Extensions Management tool to add extensions to your JSA deployment. When you import content using the Extensions Management tool, you can view the content before it is installed. If the content items exist in your system, you can specify whether to replace the content item or skip the update.

You cannot use the Extensions Management tool to export content.

Content Management Script

Use the content management script to export custom content from your JSA deployment into an external, portable format. You can then use the script to import the custom content into another JSA deployment. The script is useful when you want to automate moving content between your JSA deployments.

The contentManagement.pl script is in the /opt/qradar/bin directory.

You must use the content management script to export content from the JSA source deployment. You can use either the content management script or the Extensions Management tool to import the content to the target deployment.

DSM Editor

In JSA 7.3.3 and later, you can export your custom content that you create in the DSM Editor. Click the Export button in the DSM Editor to export your content from one JSA deployment to another, or to external media.

Note

You can export content from an earlier release of JSA and import into a later release. However, you cannot import content from a later release into an earlier release.

Note

If you move overridden rules from one JSA deployment to another, use the Replace Existing Content Items option to ensure that the rules are imported correctly.

Exporting All Custom Content

You use the contentManagement.pl script to export all custom content in your JSA deployment.

  1. Use SSH to log in to JSA as the root user.
  2. Go to the /opt/qradar/bin directory and type the command to export all of the custom content:

    ./contentManagement.pl -a export -c all

    Examples:

    • To include accumulated data in the export, type the following command:

    • To specify the directory for the exported file and change the compression format, type the following command:

The content is exported to a compressed file, for example, all-ContentExport-20151022101803.zip. You can manually change the file name to a name that is more descriptive. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported.

Exporting All Custom Content Of a Specific Type

You can export all custom content of a specific type in one action.

The content management script uses text identifiers or numeric identifiers to specify the type of content that you want to export.

Table 1: Content Type Identifiers for Exporting Custom Content

Custom content type             | Text identifier        | Numeric identifier
--------------------------------|------------------------|-------------------
Dashboards                      | dashboard              | 4
Reports                         | report                 | 10
Saved searches                  | search                 | 1
FGroups (1)                     | fgroup                 | 12
FGroup types                    | fgrouptype             | 13
Custom rules                    | customrule             | 3
Custom properties               | customproperty         | 6
Log sources                     | sensordevice           | 17
Log source types                | sensordevicetype       | 24
Log source categories           | sensordevicecategory   | 18
Log source extensions           | deviceextension        | 16
Reference data collections      | referencedata          | 28
Custom QID map entries          | qidmap                 | 27
Historical correlation profiles | historicalsearch       | 25
Custom functions                | custom_function        | 77
Custom actions                  | custom_action          | 78
Applications                    | installed_application  | 100
DSM event mapping               | dsmevent               | 41

(1) An FGroup represents a group of content, such as a log source group, reporting group, or search group.

  1. Use SSH to log in to JSA as the root user.
  2. Go to the /opt/qradar/bin directory and type the command to export all content of the specified type:

    ./contentManagement.pl -a export --content-type [content_type] --id all

    Parameters:

    Table 2: contentManagement.pl Script Parameters for Exporting Custom Content of a Specific Type

    -c [content_type] or --content-type [content_type]
        Specifies the type of content. You can type the corresponding text or numeric identifier to specify the content type.

    -e or --include-reference-data-elements
        Set this flag to include reference data keys and elements in the export. Reference data keys and reference data elements are applicable to the referencedata content type. This parameter is applicable only when you export reference data, or content items that are dependent on reference data.

    -g or --global-view
        Includes accumulated data in the export.

    -i [content_identifier] or --id [content_identifier]
        Specifies the identifier of a specific instance of custom content, such as a single report or a single reference set. You can specify all to export all content of the specified type.

    -o [filepath] or --output-directory [filepath]
        Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created.

    -t [compression_type] or --compression-type [compression_type]
        Specifies the compression type of the export file. Valid options are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default compression type is ZIP.

    Examples:

    • To export all custom searches, type the following command:

    • To export all reports and include accumulated data, type the following command:

The content is exported to a compressed file, for example, reports-ContentExport-20151022101803.zip. You can manually change the file name to a name that is more descriptive. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported.

Searching for Specific Content Items to Export

You use the content management script to search for specific content in your JSA deployment. After you find the content, you can use the unique identifier to export the content item.

The following table lists the identifiers to use when you want to search for specific types of content.

Table 3: Content Type Identifiers for Searching Custom Content

Custom content type             | Text identifier        | Numeric identifier
--------------------------------|------------------------|-------------------
Dashboards                      | dashboard              | 4
Reports                         | report                 | 10
Saved searches                  | search                 | 1
FGroups (1)                     | fgroup                 | 12
FGroup types                    | fgrouptype             | 13
Custom rules                    | customrule             | 3
Custom properties               | customproperty         | 6
Log sources                     | sensordevice           | 17
Log source types                | sensordevicetype       | 24
Log source categories           | sensordevicecategory   | 18
Log source extensions           | deviceextension        | 16
Reference data collections      | referencedata          | 28
Custom QID map entries          | qidmap                 | 27
Historical correlation profiles | historicalsearch       | 25
Custom functions                | custom_function        | 77
Custom actions                  | custom_action          | 78
Applications                    | installed_application  | 100

(1) An FGroup represents a group of content, such as a log source group, reporting group, or search group.

  1. Use SSH to log in to JSA as the root user.
  2. Go to the /opt/qradar/bin directory and type the following command to search for custom content that matches a regular expression:

    ./contentManagement.pl -a search -c [content_type] -r [regex]

    Parameters:

    Table 4: contentManagement.pl Script Parameters for Searching Content Items

    -c [content_type] or --content-type [content_type]
        Specifies the type of content to search for. You must specify the type of content to search for. You cannot use -c package or -c all with the search action.

    -r [regex] or --regex [regex]
        Specifies the content to search for. All content that matches the expression is displayed.

    Examples:

    • To search for all reports that include Overview in the description, type the following command:

    • To list all log sources, type the following command:

    The search results list details, including the unique ID, for the content items that are found.

    [INFO] Search results:
    [INFO] - [ID] - [Name] - [Description]
    [INFO] - [67] - [Asset Profiler-2 :: hostname] - [Asset Profiler]
    [INFO] - [62] - [SIM Generic Log DSM-7 :: hostname] - [SIM Generic Log DSM]
    [INFO] - [63] - [Custom Rule Engine-8 :: hostname] - [Custom Rule Engine]
    [INFO] - [71] - [Pix @ apophis] - [Pix device]
    [INFO] - [70] - [Snort @ wolverine] - [Snort device]
    [INFO] - [64] - [SIM Audit-2 :: hostname] - [SIM Audit]
    [INFO] - [69] - [Health Metrics-2 :: hostname] - [Health Metrics]

Use the unique identifier to export specific content items from JSA. For more information, see Exporting Custom Content Items Of Different Types and Exporting a Single Custom Content Item.

Exporting a Single Custom Content Item

Export a single custom content item, such as a custom rule or a saved search, from JSA.

You must know the unique identifier for the custom content item that you want to export.

  1. Use SSH to log in to JSA as the root user.
  2. Go to the /opt/qradar/bin directory and type the command to export the content:

    ./contentManagement.pl -a export -c [content_type] -i [content_identifier]

    Parameters:

    Table 5: contentManagement.pl Script Parameters for Exporting a Single Content Item

    -c [content_type] or --content-type [content_type]
        Specifies the type of content to export. Type the corresponding text identifier or numeric identifier for specific content types.

    -e or --include-reference-data-elements
        Set this flag to include reference data keys and elements in the export. Reference data keys and reference data elements are applicable to the referencedata content type. This parameter is applicable only when you export reference data, or content items that are dependent on reference data.

    -g or --global-view
        Includes accumulated data in the export.

    -i [content_identifier] or --id [content_identifier]
        Specifies the identifier of a specific instance of custom content, such as a single report or a single reference set.

    -o [filepath] or --output-directory [filepath]
        Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created.

    -t [compression_type] or --compression-type [compression_type]
        Used with the export action. Specifies the compression type of the export file. Valid options are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default compression type is ZIP.

    Examples:

    • To export the dashboard that has ID 7 into the current directory, type the following command:

    • To export the log source that has ID 70, including accumulated data, into the /store/cmt/exports directory, type the following command:

The content is exported to a compressed .zip file. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported. You can manually change the file name to a name that is more descriptive.

Exporting Custom Content Items Of Different Types

Export multiple custom content items from JSA, such as custom rules, or dashboards and reports, by using the content management script.

You must know the unique identifiers for each custom content item that you want to export.

  1. Use SSH to log in to JSA as the root user.
  2. Create a text file that lists the content that you want to export.

    Each line must include the custom content type followed by a comma-separated list of unique IDs for that type.

    Example: To export two dashboards that have ID 5 and ID 7, all custom rules, and a group, create a text file that has the following entries:

  3. Go to /opt/qradar/bin and type the command to export the content:

    ./contentManagement.pl -a export -c package -f [source_file]

    Parameters:

    Table 6: contentManagement.pl Script Parameters for Exporting Different Types of Content Item

    -c [content_type] or --content-type [content_type]
        Specifies the type of content. You can specify -c package, or you can type the corresponding text or numeric identifier for specific content types. When you use -c package, you must specify the --file or --name parameter.

    -e or --include-reference-data-elements
        Set this flag to include reference data keys and elements in the export. Reference data keys and reference data elements are applicable to the referencedata content type. This parameter is applicable only when you export reference data, or content items that are dependent on reference data.

    -f [source_file] or --file [source_file]
        Specifies the path and file name of the text file that contains the list of custom content items that you want to export. The first time you use the --file parameter, a package template file is written to the /store/cmt/packages directory so that you can reuse it. The file name and path are case-sensitive.

    -g or --global-view
        Includes accumulated data in the export.

    -n [name] or --name [name]
        Specifies the name of the package template file that contains the list of custom content to export. The package template file is created the first time that you use the --file parameter. By default, the --name parameter assumes that the text file is in the /store/cmt/packages directory. You must specify the --file or --name parameter when --content-type package is used.

    -o [filepath] or --output-directory [filepath]
        Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created.

    -t [compression_type] or --compression-type [compression_type]
        Specifies the compression type of the export file. Valid compression types are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default compression type is ZIP.

    Examples:

    • To export all items in the exportlist.txt file in the jsa directory, and save the exported file in the current directory, type the following command:

    • To export all items in the exportlist.txt file in the jsa directory, including accumulated data, and save the output in the /store/cmt/exports directory, type the following command:

    When you use the --file parameter, a package template file is automatically generated in /store/cmt/packages. To use the package template file, specify the filename as the value for the --name parameter.

The content is exported to a compressed .zip file. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported. You can manually change the file name to a name that is more descriptive.
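The package list file described above is easy to get wrong, and the script only reports the problem once it is already running. The following added example (not part of the JSA documentation or of contentManagement.pl) checks such a file against the identifiers in Table 1 and prints the export command to run; it assumes each line is the content type followed by a comma-separated list of IDs, or the word all in place of the IDs, as the procedure describes.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation or of contentManagement.pl:
# check a package list file for "contentManagement.pl -a export -c package -f FILE"
# before running it, so a typo in a content type or ID fails here, not mid-export.
# Assumed file format: "<type>,<id>[,<id>...]" per line, <type> a text or numeric
# identifier from Table 1, and the single word "all" allowed in place of the IDs.

CMT_TYPES="dashboard 4
report 10
search 1
fgroup 12
fgrouptype 13
customrule 3
customproperty 6
sensordevice 17
sensordevicetype 24
sensordevicecategory 18
deviceextension 16
referencedata 28
qidmap 27
historicalsearch 25
custom_function 77
custom_action 78
installed_application 100
dsmevent 41"

# cmt_type_known TYPE: succeed if TYPE is a text or numeric identifier from Table 1.
cmt_type_known() {
    printf '%s\n' "$CMT_TYPES" | awk -v t="$1" '$1 == t || $2 == t { ok = 1 } END { exit !ok }'
}

# cmt_check_package FILE: one "line N: ..." diagnostic per malformed line; fail if any.
cmt_check_package() {
    awk -v types="$CMT_TYPES" '
    BEGIN {
        n = split(types, rows, "\n")
        for (i = 1; i <= n; i++) { split(rows[i], f, " "); known[f[1]] = 1; known[f[2]] = 1 }
    }
    /^[ \t]*$/ { next }
    {
        nf = split($0, f, ",")
        if (nf < 2)           { bad++; print "line " NR ": expected <type>,<ids>"; next }
        if (!(f[1] in known)) { bad++; print "line " NR ": unknown content type " f[1]; next }
        if (nf == 2 && f[2] == "all") next
        for (i = 2; i <= nf; i++)
            if (f[i] !~ /^[0-9]+$/) { bad++; print "line " NR ": bad ID " f[i]; break }
    }
    END { exit (bad > 0) }' "$1"
}

# cmt_export_package_cmd FILE [OUTDIR] [ZIP|TARGZ]: validate the inputs and print the
# export command. The compression type is case sensitive (ZIP or TARGZ), as on the page.
cmt_export_package_cmd() {
    file=$1; outdir=${2:-}; comp=${3:-ZIP}
    case $comp in ZIP|TARGZ) ;; *) echo "compression type must be ZIP or TARGZ" >&2; return 1 ;; esac
    cmt_check_package "$file" >&2 || return 1
    cmd="/opt/qradar/bin/contentManagement.pl -a export -c package -f $file -t $comp"
    [ -n "$outdir" ] && cmd="$cmd -o $outdir"
    printf '%s\n' "$cmd"
}

# Constructed sample list: dashboards 5 and 7, every custom rule, and FGroup 12.
cmt_demo() {
    tmp=$(mktemp)
    printf 'dashboard,5,7\ncustomrule,all\nfgroup,12\n' > "$tmp"
    cmt_export_package_cmd "$tmp" /store/cmt/exports TARGZ
    rm -f "$tmp"
}
cmt_demo
```

The check is deliberately stricter than the script itself: a lowercase compression type or a non-numeric ID is rejected before anything is exported.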

Installing Extensions by Using Extensions Management

Use the Extensions Management tool to add security extensions to JSA. The Extensions Management tool allows you to view the content items in the extension and specify the method of handling content updates before you install the extension.

Extensions must be on your local computer before you install them in JSA.

An extension is a bundle of JSA functions. An extension can include content such as rules, reports, searches, reference sets, and dashboards. It can also include applications that enhance JSA functions.

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Extensions Management.
  3. To upload a new extension to the JSA console, follow these steps:
    1. Click Add.

    2. Click Browse and navigate to find the extension.

    3. Click Install immediately to install the extension without viewing the contents. See 5.b.

    4. Click Add.

  4. To view the contents of the extension, select it from the extensions list and click More Details.
  5. To install the extension, follow these steps:
    1. Select the extension from the list and click Install.

    2. To assign a user to the app, open the User Selection menu and select a user. For example, you might want to associate the app with a user listed in the User Selection menu who has the defined permissions.

      Note

      This screen appears only if any of the apps in the extension that you are installing are configured to request authentication for background processes.

    3. If the extension does not include a digital signature, or it is signed but the signature is not associated with the JSA Security Certificate Authority (CA), you must confirm that you still want to install it. Click Install to proceed with the installation.

    4. Review the changes that the installation makes to the system.

    5. Select Overwrite or Keep existing data to specify how to handle existing content items.

      Note

      If the extension contains overridden system rules, select Replace Existing Items to ensure that the rules are imported correctly.

    6. Click Install.

    7. Review the installation summary and click OK.

Uninstalling a Content Extension

Remove a content extension that isn't useful anymore or that adversely impacts the system. You can remove rules, custom properties, reference data, and saved searches. You might not be able to remove some content if another content item depends on it.

When you uninstall a content extension, any rules, custom properties, and reference data that were installed by the content extension are removed or reverted to their previous state. Saved searches can't be reverted. They can only be removed.

For example, if you've edited custom rules in an app that you now want to uninstall, you can preserve the changes you made for each customized rule. If the custom rule previously existed on the system, you can revert the rule to its previous state. If the custom rule didn't previously exist, you can remove it.

Note

If you have introduced an outside dependency on a content extension that is installed by the app, JSA doesn't remove that piece of content when you uninstall the app. For example, if you create a custom rule that uses one of the app's custom properties, that custom property isn't removed when you uninstall the app.

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Extensions Management.
  3. Select the extension that you want to uninstall and click Uninstall.

    JSA checks for any applications, rules, custom properties, reference data, and saved searches that are installed by the content extension that can be removed.

  4. If you have manually altered any rules, custom properties, or reference data after you installed the app, choose whether to Preserve or Remove/Revert that content extension.
  5. Click Uninstall, and then click OK.

Importing Content by Using the Content Management Script

You can import custom content that you exported from another JSA system.

If you want to import content from another JSA system, you must first export the content and copy it to the target system. For more information about exporting content, see Content Type Identifiers for Exporting Custom Content.

When you import content that has log sources, confirm that DSM and protocol RPMs are installed and current on the target system.

Note

If the content contains overridden system rules, use the update action instead of the import action to ensure that the rules are imported correctly.

You can export content from an earlier release of JSA and import into a later release. However, you cannot import content from a later release into an earlier release.

You do not have to export content in a specific order. However, do not start multiple imports on the same system at the same time. The imports fail due to conflicts with shared resources.

  1. Use SSH to log in to JSA as the root user.
  2. Go to the directory where the export content file is located.
  3. Type this command to import the content:

    /opt/qradar/bin/contentManagement.pl -a import -f [source_file] -u [user]

    Parameters:

    Table 7: contentManagement.pl Script Parameters for Importing Custom Content

    -f [source_file] or --file [source_file]
        Specifies the file that contains the content items to import. Valid file types are zip, targz, and xml. The file name and path are case-sensitive.

    -u [user] or --user [user]
        Specifies the user that replaces the current owner when you import user-specific data. The user must exist on the target system before you import the content.

    Examples:

    • To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory, type the following command:

    • To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory and make the admin user the owner of all sensitive data in the import, type the following command:

    If reference data was being actively collected while the content was exported, the import script displays the message Foreign key constraint violation. To avoid this issue, run the export process when no reference data is being collected.

Updating Content by Using the Content Management Script

Use the update action to update existing JSA content or add new content to the system.

If you want to update content with content that was exported from another JSA system, ensure that the exported file is on the target system. For more information about exporting content, see Content Type Identifiers for Exporting Custom Content.

When you import content that has log sources, confirm that DSM and protocol RPMs are installed and current on the target system.

You can export content from an earlier release of JSA and import into a later release. However, you cannot import content from a later release into an earlier release.

You do not have to export content in a specific order. However, do not start multiple imports on the same system at the same time. The imports fail due to conflicts with shared resources.

  1. Use SSH to log in to JSA as the root user.
  2. To update content, type the following command:

    /opt/qradar/bin/contentManagement.pl -a update -f [source_file]

    Parameters:

    Table 8: contentManagement.pl Script Parameters for Updating Custom Content

    -f [source_file] or --file [source_file]
        Specifies the file that contains the content items to update. Valid file types are zip, targz, and xml. The file name and path are case-sensitive.

    -u [user] or --user [user]
        Specifies the user that replaces the current owner when you import user-specific data. The user must exist on the target system before you import the content.

    Example:

    • To update based on the content in the fgroup-ContentExport- 20120418163707.zip file, type the following command:
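Both the import and the update procedures above share two preconditions that the script does not enforce for you: the source file must be a zip, targz or xml export, and two imports must never run on the same system at once. The following added example (not part of the JSA documentation or of contentManagement.pl) wraps either action so that both checks happen before the script starts; the lock directory under /store/cmt and the CMT_SCRIPT and CMT_LOCK variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation or of contentManagement.pl: a wrapper
# for "contentManagement.pl -a import" and "-a update" that enforces the preconditions
# given above: the file must be a zip, targz or xml export, and two imports must never
# run at the same time on one system (they fail on conflicts with shared resources).
# Assumption: a mkdir-based lock directory under /store/cmt serializes the runs.

CMT_SCRIPT=${CMT_SCRIPT:-/opt/qradar/bin/contentManagement.pl}
CMT_LOCK=${CMT_LOCK:-/store/cmt/.cmt-import.lock}

# cmt_file_ok FILE: succeed if FILE exists and has one of the accepted extensions.
# The page lists zip, targz and xml; exports are written as .zip or .tar.gz files.
cmt_file_ok() {
    [ -f "$1" ] || return 1
    case $1 in
        *.zip|*.tar.gz|*.targz|*.xml) return 0 ;;
        *) return 1 ;;
    esac
}

# cmt_lock: take the lock atomically with mkdir; fail if another run already holds it.
cmt_lock() {
    if mkdir "$CMT_LOCK" 2>/dev/null; then
        echo $$ > "$CMT_LOCK/pid"
        return 0
    fi
    echo "another import/update is running (lock $CMT_LOCK, pid $(cat "$CMT_LOCK/pid" 2>/dev/null))" >&2
    return 1
}

cmt_unlock() { rm -rf "$CMT_LOCK"; }

# cmt_run ACTION FILE [USER]: validate, serialize, then run the script.
# ACTION is import or update; USER, if given, becomes the owner of user-specific data (-u).
cmt_run() {
    action=$1; file=$2; user=${3:-}
    case $action in import|update) ;; *) echo "action must be import or update" >&2; return 2 ;; esac
    cmt_file_ok "$file" || { echo "not a zip, targz or xml export: $file" >&2; return 2; }
    cmt_lock || return 3
    trap cmt_unlock EXIT          # release the lock even if the script is interrupted
    set -- -a "$action" -f "$file"
    [ -n "$user" ] && set -- "$@" -u "$user"
    "$CMT_SCRIPT" "$@"
    rc=$?
    cmt_unlock
    trap - EXIT
    return $rc
}
```

A second invocation while the lock directory exists exits with status 3 and names the holder, instead of starting a concurrent import that would fail part-way through.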