Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


JSA Content Extensions


Use content extensions to update JSA security template information or add new content such as rules, reports, searches, reference sets, and custom properties.

Types Of JSA Content Extensions

All content extensions are hosted on the IBM X-Force Exchange portal, where you can filter by content type such as custom AQL function or custom property. You can also use content extensions with apps.

The following table describes the types of content extension that you can deploy in JSA.

Table 1: Types Of Content Extensions

Content extension type



An associated set of dashboard items, which you view on the Dashboard tab in JSA. Dashboard items are visual representations of saved search results.


Templates for reports that are built upon saved event or flow searches. Generate on-demand reports or schedule them to run at repeating intervals.

Saved searches

A set of search criteria (filters, time window, columns to display or group data by). By saving the criteria of commonly run searches, you don't need to define them repeatedly. Saved searches are required for reports and dashboards.


A group of similar items by type, such as a group of log sources, a group of rules, a group of searches, or a group of report templates. FGroups are used as organizational units.

Custom rules

A set of tests that is run against events or flows that enter the system. The rule is triggered when the tests match the input. Rules can have responses, which are actions that are triggered when the conditions of a test are met. Responses can include actions such as generating an offense, generating a new event, sending an email, annotating the event, or adding data to a reference data collection.

Custom properties

Defines a property that is extracted or derived from an inbound event or flow. Can be based on a regular expression that extracts a subset of a particular event or flow payload as a textual property. They can be based on calculations, and perform an arithmetic operation on existing numeric properties of the event or flow. In JSAV7.3.1 and later they can also be AQL functions.

Log source

A representation of a source of events such as a server, mainframe, workstation, firewall, router, application, or database. Any events that enter JSA and originate from that source are attributed to the log source. Log sources contain the configuration information that is needed to receive inbound events, or to pull event data from the event source. Log sources contain information that is specific to your environment such as IP address or host name and other possible configuration parameters.

Log source extensions

A parsing logic definition that is used to synthesize a custom DSM for an event source for which no DSM exists. Use log source extensions to enhance or override the parsing behavior of an existing DSM.

Custom QID map entries

A combination of Event name, Event description, Severity, and Low-level category values that are used to represent a particular type of event that a log source might receive. Custom QID map entries are created to supplement the default QID map that JSA provides for events that are not officially supported by JSA.

Reference Data Collection

A container definition that is represented as either a set, a map, a map of sets, a map of maps, or a table for holding reference data. Searches and rules can refer to Reference data collections.

Historical Correlation Profile

A combination of a saved search and a set of one or more rules. Use historical correlation profiles to test rules by rerunning a set of historical events through an offline version of the custom rule engine that has a subset of rules enabled.

Custom Functions

An SQL-like function (defined in JavaScript) that you can use in an Advanced search to enhance or manipulate data.

Custom Actions

A custom response for a rule to run, when the rule is triggered. Custom actions are defined by a Python, Perl, or Bash script that can accept arguments from the event or flow data that triggered the rule.

Building Block

A group of commonly used tests to build complex logic so that they can be used in rules. Building blocks use the same tests that rules use, but have no actions that are associated with them, and are often configured to test groups of IP addresses, privileged user names, or collections of event names.