
JSA

 

JSA 7.4.0 includes performance, security, workflow, and flow enhancements.

Performance Optimization

The performance improvements in JSA 7.4.0 include enhanced parsing support for name value pairs and generic list events, the ability to remove reference data when you uninstall a content extension, a faster way to export content from the DSM Editor, and updates to flow records.

Enhanced Parsing Support for XML Events in the DSM Editor

In the DSM Editor, you can now parse both standard and custom properties from events in the XML format without writing regular expressions (regex). When you enable Property autodiscovery for log source types that consume XML events, all available fields are parsed as custom properties. With these new capabilities, administrators and users who have permission to create custom properties can quickly and easily parse these events.

Use the DSM Editor to create a custom log source type to handle XML events in JSA. Add custom properties to help parse an existing log source type. Use simple XML expressions instead of regex to define how to parse custom properties. The DSM Editor automatically provides expressions for system properties based on their predefined keys in the XML specification.

Turn on XML property autodiscovery to discover custom properties for all XML fields in any events that are received for the log source type. You can also use XML expressions in the Custom Event Property Editor and when you manually create log source extensions.

The following figure shows where you parse XML events in the DSM Editor.

Figure 1: XML Structured Data Type

To learn more about enhanced parsing support for XML events, see the Juniper Secure Analytics Administration Guide.

DSM Parameter support in the DSM Editor

In JSA 7.4.0, if your log source type has DSM parameters, you can use the DSM Editor to configure the DSM parameters. Enable the Display DSM Parameters Configuration option to view and edit the DSM parameters.

The following figure shows configuring DSM parameters in the DSM Editor:

Figure 2: DSM Parameters Configuration

To learn more about configuring DSM parameters in the DSM Editor, see the Juniper Secure Analytics Administration Guide.

Additional Standard Fields for Events

View additional details about your events. These details provide increased visibility into how events are internally processed by JSA.

To learn more about event details, see the Juniper Secure Analytics User Guide.

Security Enhancements

Stronger security capabilities in JSA 7.4.0 include modifying the inactivity timeout for user accounts.

More secure operating system

JSA 7.4.0 runs on Red Hat Enterprise Linux version 7.6. The update to RHEL V7.6 is necessary to continue receiving security updates from Red Hat Enterprise Linux.

Reverse tunnel initiation

The SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host. For example, you have a connection from an Event Processor in a secure environment to an Event Collector that is outside of the secure environment. You also have a firewall rule that prevents you from having a host outside the secure environment connect to a host in the secure environment. In JSA 7.4.0, you can switch which host creates the tunnel so that the connection is established from the Event Processor by selecting the Remote Tunnel Initiation checkbox for the Event Collector.

To learn more about enhanced parsing support for XML events, see the Juniper Secure Analytics Administration Guide.

Secure email server

Send email to distribute alerts, reports, notifications, and event messages to mail servers that require authentication.

You can configure a single email server for your entire JSA deployment, or configure multiple email servers.

To learn more about configuring Secure email server, see the Juniper Secure Analytics Administration Guide.

Workflow enhancements in JSA

Improvements to workflow in JSA for 7.4.0 include three apps previously only available on the IBM Security App Exchange.

Apps installed by default

In JSA V7.4.0, the QRadar Assistant app, the JSA Pulse app, and the JSA Log Source Management app are installed by default.

Use the QRadar Assistant app to manage your app and content extension inventory, view app and content extension recommendations, follow the JSA Twitter feed, and get links to other information.

JSA Pulse is a dashboard app that you can use to communicate insights and analysis about your network. Take the pulse of your SOC with dynamic real-time dashboards that provide meaningful insights into your security posture and threat landscape. Visualize offenses, network data, threats, malicious user behavior, and cloud environments from around the world in geographical maps, a built-in 3D threat globe, and auto updating charts. Import and export dashboards to share with colleagues. See offenses unfold near real time and track your security threats from around the globe.

The JSA Log Source Management app provides an easy-to-use workflow that helps you quickly find, create, edit, and delete log sources. Use the simplified workflow to change parameters for a number of log sources at the same time. To configure log sources in 7.4.0, you must use the JSA Log Source Management app.

Flow Improvements

JSA 7.4.0 gives you more control over flow timestamps.

Improved flow timestamp handling

Two new configuration settings provide more control over the way that flow timestamps are handled when Netflow V9 begins sending records with overflowed system uptime values. The new settings eliminate the need to reset the first and last switched times.

The new configuration options and the default values are shown here:

  • NORMALISE_OVERFLOWED_UPTIMES=YES

  • UPTIME_OVERFLOW_THRESHOLD_MSEC=86400000

The timestamps are corrected when the system uptime value is less than the first and last switched packet times by more than the value that is specified in the UPTIME_OVERFLOW_THRESHOLD_MSEC configuration. The timestamps are corrected based on the assumption that the system uptime wrapped around the maximum 32-bit value.
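The correction rule described above, as an added example that is not JSA code: it converts the uptime-relative first and last switched times of a NetFlow V9 record to absolute times, and adds 2^32 ms to the reported uptime when both values exceed it by more than the threshold. The function name, sample values, and the exact arithmetic are assumptions made for illustration.

```python
# Added illustration; not JSA source code. Names and sample values are hypothetical.
UINT32_SPAN_MS = 1 << 32  # a 32-bit millisecond counter wraps about every 49.7 days

# Defaults as listed on this page.
NORMALISE_OVERFLOWED_UPTIMES = True
UPTIME_OVERFLOW_THRESHOLD_MSEC = 86_400_000  # 24 hours


def flow_times(export_unix_ms, sys_uptime_ms, first_switched_ms, last_switched_ms,
               normalise=NORMALISE_OVERFLOWED_UPTIMES,
               threshold_ms=UPTIME_OVERFLOW_THRESHOLD_MSEC):
    """Return (first_unix_ms, last_unix_ms, corrected) for one flow record."""
    uptime = sys_uptime_ms
    corrected = False
    # Correct only when uptime trails BOTH switched times by more than the
    # threshold; small clock skew between the values is left untouched.
    if (normalise
            and first_switched_ms - uptime > threshold_ms
            and last_switched_ms - uptime > threshold_ms):
        uptime += UINT32_SPAN_MS  # assume the uptime counter wrapped once
        corrected = True
    boot_unix_ms = export_unix_ms - uptime
    return (boot_unix_ms + first_switched_ms,
            boot_unix_ms + last_switched_ms,
            corrected)


EXPORT_MS = 1_600_000_000_000  # constructed export time (Unix epoch, ms)
# Constructed records: (sys_uptime, first_switched, last_switched), all in ms.
SAMPLES = {
    "normal": (100_000, 40_000, 90_000),
    "small_skew": (100_000, 100_500, 100_900),
    "wrapped": (5_000, UINT32_SPAN_MS - 60_000, UINT32_SPAN_MS - 1_000),
}


def run_samples(normalise=True):
    """Apply flow_times to every constructed record."""
    return {name: flow_times(EXPORT_MS, *vals, normalise=normalise)
            for name, vals in SAMPLES.items()}


if __name__ == "__main__":
    for label, enabled in (("normalised", True), ("raw", False)):
        for name, result in run_samples(enabled).items():
            print(label, name, result)
```

With normalisation off, the wrapped record lands about 49.7 days after the export time, which is the kind of skew that breaks flow-to-event correlation during an investigation.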

To learn more about managing flow timestamps, see the Juniper Secure Analytics Administration Guide.

What's changed or removed

JSA 7.4.0 includes enhancements to existing features and updated browser conformance specifications.

Clicking the Log Sources icon opens the JSA Log Source Management app

When you click the Log Sources icon in the Admin menu, the JSA Log Source Management app opens, which is the new method for configuring log sources in 7.4.0.

Asset Profiler Configuration changes

In JSA 7.4.0, the QVM Configuration and Manage Identity Exclusion sections of the Asset Profiler Configuration now have their own icons in the Admin menu.

Browser conformance change

The Microsoft Internet Explorer web browser is no longer supported as of JSA 7.4.0.

Global System Notifications configuration

Global System Notifications are now local, making them host specific and more useful. As a result, the thresholds are now set automatically by JSA and the Global System Notification section of the Admin tab was removed.