
New Features and Enhancements in JSA 7.3.1

 

The following new features and enhancements make it easier for administrators to manage their JSA 7.3.1 deployment.

Reduced Downtime for Event Collection Services

In earlier versions, deploying changes to your JSA system sometimes resulted in gaps in data collection while the hostcontext service restarted. To minimize these interruptions, the event collection service is now managed separately from other JSA services. The new event collection service, ecs-ec-ingress, listens on port 7787.

With the new separation of services, the event collection service does not automatically restart each time that you deploy changes. The service restarts only when the deployed changes impact the event collection service directly.

This enhancement significantly reduces interruptions in collecting data, and makes it easier for you to comply with your organization's data collection targets.

Continuous Collection of Events during Minor Patch Updates

You can expect fewer disruptions in event collection when you apply future patches to JSA 7.3.1 or later. Minor patches that do not require the system to restart will not restart the event collection service.

Ability to Restart only the Event Collection Service

From the JSA product interface, you can restart the event collection service on all managed hosts in your deployment.

This new capability is useful when you want to restart the event collection service without impacting other JSA services. For example, after you restore a configuration backup, you can defer restarting the service to a time that is convenient for you.

Event Collection Continues when you Install or Update a Protocol RPM

Before JSA 7.3.1, installing or updating a protocol RPM required a full deployment, which caused event collection to stop for several minutes for all installed protocols.

Now, protocols are loaded dynamically when you deploy the changes. Only those protocols that were updated experience a brief outage (in seconds).

New Slide-out Navigation Menu with Favorite Tabs

As the number of apps that are installed in your deployment grows, so does the number of visible tabs. The new slide-out navigation menu makes it easier for you to find the apps that you use the most by managing which tabs are visible in JSA.

When you upgrade to JSA 7.3.1, all JSA tabs are available from the slide-out menu. Each menu item is marked as a favorite, which also makes it available as a tab. You can control which tabs are visible by selecting or clearing the star next to the menu item.

To access the settings that were on the Admin tab in earlier JSA versions, click Admin at the bottom of the slide-out navigation menu.

Browser-Based System Notifications

JSA now uses your browser notification settings to display system notifications. With this enhancement, you can continue to monitor the status and health of your JSA deployment even when JSA is not the active browser window. To show system notifications on your screen, you must configure your browser to allow notifications from JSA.

Browser notifications are supported for Mozilla Firefox, Google Chrome, and Microsoft Edge 10. Microsoft Internet Explorer does not support browser-based notifications. Notifications in Internet Explorer now appear in a restyled JSA notification window.

More Health Metrics Data

JSA collects up to 60x more health metrics data than before, making it easier for administrators to monitor their deployment and diagnose issues when they occur. You can visualize the new health metrics by using the QRadar Deployment Intelligence, which is available from the IBM Security App Exchange.

The QRadar Deployment Intelligence replaces the System Health information that was previously available on the Admin tab.

The additional health metrics data increases the size of the JSA log files and the disk storage requirements for the data. Administrators who require more control over the disk storage that is required for the accumulated health data can create a retention bucket that uses Log Source Type = Health Metrics as the criteria.

IPv6 Support

JSA uses network hierarchy objects and groups to view network activity and to monitor groups or services in your network. The network hierarchy can be defined by a range of IP addresses in IPv6 format as well as IPv4 format. Beyond the network hierarchy, the Offense Manager previously supported only IPv6 indexing; it now updates and displays all the appropriate fields for an offense with IPv6 data.

Improved Security with New Password Policy

When using local JSA authentication, you can enforce minimum password length and complexity, and control password expiry and reuse. The rules that you set are enforced for administrative and non-administrative users.

Create an Alias for the User Base DN (Distinguished Name) that is used for LDAP Authentication

When you enter your user name on the login page, the Repository ID acts as an alias for the User Base DN (distinguished name). Using an alias removes the need to type a long distinguished name that might be hard to remember.

Edit or Create a Login Message that is Displayed to Users in JSA

Provide users with important information before they log in to JSA. If needed, you can force users to consent to the login message terms before they can log in.

Monitor Successful Login Events by Running Reports in JSA

Easily monitor successful login events for the time period that you configure by running the Weekly Successful Login Events report template on the JSA Reports tab.

Two New Preinstalled Apps in JSA 7.3.1

App Authorization Manager

The App Authorization Manager app provides improved security for app authorization tokens. Users who have the appropriate permissions can delete authorization tokens, or change the assigned user level authorization.

QRadar Assistant App

The QRadar Assistant App provides the following functionality on the Dashboard tab:

  • Recommended apps and content extensions that are based on your configured preferences.

  • JSA Help Center dashboard widget to help you access helpful information about JSA.

  • Content update status is highlighted, and then users can download updates from within JSA.

Log Source Auto-detection Configuration

Before JSA 7.3.1, log source auto-detection configuration was controlled by a configuration file that was edited manually on each event processor managed host.

As of JSA 7.3.1, global configuration settings are now available. You can use the JSA REST API or a command line script to enable and disable which log source types are auto-detected. If you use a smaller number of log source types, you can configure which log sources are auto-detected to improve the speed of detection. Log source auto-detection configuration also helps to improve the accuracy of detecting devices that share a common format, and can improve pipeline performance by avoiding the creation of incorrectly detected devices.

Note

You can still enable per-event processor auto-detection settings by using the configuration file method. You can manage the method that is used on each event processor in Admin > System & License Management > Component Management. Upgrades from previous versions do not enable global settings, and retain the use of the local configuration files. Fresh installations of JSA 7.3.1 enable the global auto-detection settings option.

Configuring Auto Property Discovery for Log Source Types and a New Configuration Tab in DSM Editor

You can configure the automatic discovery of new properties for a log source type. By default, the Auto Property Discovery option for a log source type is disabled. When you enable the option on the new Configuration tab of the DSM Editor, new properties are automatically generated. The new properties capture all the fields that are present in the events that are received by the selected log source type. The newly discovered properties become available in the Properties tab of the DSM Editor.

New JSA Data Store Offering

A new offering, JSA Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization’s Events Per Second JSA license, and enables your organization to build custom apps and reports based on this stored data to gain deeper insights into your IT environments.

Enhancements to the routing rules in JSA 7.3.1 require a license for JSA Data Store. After the license is applied and the routing rule enhancement is selected, events that match the routing rule will be stored to disk and will be available to view and for searches. The events bypass the custom rule engine and no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs.

Log Source Extensions can Extract Values from Events in JSON Format by Key Reference

Log Source Extensions can now extract values by using the JsonKeypath.

For event data in a nested JSON format, a valid JSON expression is in the form /"<name of top-level field>"/"<name of sub-level field_1>".../"<name of sub-level field_n>".

The following two examples show how to extract data from a JSON record:

  • Simple case of an event for a flat JSON record: {"action": "login", "user": "John Doe"}

    To extract the 'user' field, use this expression: /"user".

  • Complex case of an event for a JSON record with nested objects: { "action": "login", "user": { "first_name": "John", "last_name": "Doe" } }

    To extract just the 'last_name' value from the 'user' subobject, use this expression: /"user"/"last_name".
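
The keypath form described above, worked through as an added example (not JSA's own parser and not code from the original page): it splits an expression into its quoted field names and walks a parsed event. Returning None for a path that does not resolve, and treating a double quote inside a field name as malformed, are assumptions, because the page does not describe either case.

```python
import json
import re

# One path segment: a slash followed by a double-quoted field name.
# Assumption: names contain no double quote; the page does not describe escaping.
_SEGMENT = re.compile(r'/"([^"]*)"')

def parse_keypath(expr):
    """Split /"a"/"b" into ['a', 'b']; raise ValueError on malformed input."""
    keys, pos = [], 0
    while pos < len(expr):
        m = _SEGMENT.match(expr, pos)
        if m is None:
            raise ValueError(f"malformed keypath at offset {pos}: {expr!r}")
        keys.append(m.group(1))
        pos = m.end()
    if not keys:
        raise ValueError("empty keypath")
    return keys

def extract(payload, expr):
    """Return the value the keypath selects, or None if the path does not resolve."""
    node = json.loads(payload)
    for key in parse_keypath(expr):
        # Assumption: a missing key or a non-object parent yields no value.
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

# Constructed sample events, copied from the two cases in the text above.
FLAT = '{"action": "login", "user": "John Doe"}'
NESTED = '{"action": "login", "user": {"first_name": "John", "last_name": "Doe"}}'

if __name__ == "__main__":
    print(extract(FLAT, '/"user"'))
    print(extract(NESTED, '/"user"/"last_name"'))
    # Same expression against the flat record: "user" is a string, so no value.
    print(extract(FLAT, '/"user"/"last_name"'))
```

The last call shows that an expression written for the nested record selects nothing from the flat one, so test each expression against sample payloads of every shape the log source emits before relying on the extracted property in rules or searches.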