New Features and Enhancements in JSA 7.3.1
For JSA users, JSA 7.3.1 introduces the following new features.
AQL-based Custom Properties
With AQL-based custom event or custom flow properties, you can use an AQL expression to extract data from the event or flow payload that JSA does not typically normalize and display.
For example, you can create an AQL-based property when you want to combine multiple extraction and calculation-based properties, such as URLs, virus names, or secondary user names, into a single property. You can use the new property in custom rules, searches, reports, or you can use it for indexing offenses.
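As an added illustration that is not part of these release notes, the AQL expression below is the kind of text you would enter as an AQL-based custom event property; it assumes existing extraction-based properties named URL, "Virus Name" and "Secondary User Name", and a new property named "Malware Context" (all names are assumptions):

```sql
-- Added example, not from the JSA release notes.
-- Expression for an AQL-based custom event property: it joins three
-- existing extraction-based properties (assumed names) into one value.
-- Custom property names containing spaces are quoted with double quotes.
CONCAT(LOWER(URL), ' | ', "Virus Name", ' | ', "Secondary User Name")

-- Once saved under the assumed name "Malware Context", the property can be
-- used in an AQL search like any other field, e.g. in a filter:
SELECT sourceip, "Malware Context"
FROM events
WHERE "Malware Context" ILIKE '%trojan%'
LAST 24 HOURS
```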
New slide-out Navigation Menu with Favorite Tabs
As the number of apps that are installed in your deployment grows, so does the number of visible tabs. The new slide-out navigation menu makes it easier for you to find the apps that you use the most by managing which tabs are visible in JSA.
When you upgrade to JSA 7.3.1, all JSA tabs are available from the slide-out menu. Each menu item is marked as a favorite, which also makes it available as a tab. You can control which tabs are visible by selecting or clearing the star next to the menu item.
Identifying Flow Direction Reversal
As you are viewing a flow in the JSA Console, you might want to know whether JSA modified the flow direction, and whether any processing occurred. The flow direction information shows how the traffic originally appeared on the network and which traffic features caused the direction to be reversed, if it was reversed at all.
When the Flow Processor detects flows, it checks some of the flow properties before it acts. In some cases, the communication between devices is bidirectional (the client communicates with the server and the server responds to the client). In this scenario, both the client and the server operate as though they are the source and the other is the destination. JSA normalizes the communication so that all flows between these two entities follow the same convention: destination always refers to the server, and source always refers to the client.
Identifying How Application Fields Are Set for Flows
As you are viewing a flow in the JSA Console, you might want to know whether JSA modified the flow application name, and whether any processing occurred. You can use this information to gain insight into which algorithm classified the application, and to ensure that algorithms are extracting flow features correctly.
When the Flow Processor detects a flow, it uses various algorithms to determine which application the flow came from. After the Flow Processor identifies the application, it sets the "Application" property that appears in the Flow Details window.