JSA 7.4.1 includes performance, security, workflow, and flow-processing enhancements.
DSM Editor Enhancements
The DSM Editor enhancements in JSA 7.4.1 include enhanced parsing support for name-value pairs and generic list events, the ability to remove reference data when you uninstall a content extension, a faster way to export content from the DSM Editor, and updates to flow records.
Parsing Status in the DSM Editor
In the Log Activity Preview of the DSM Editor, you can track the status of event properties. The Parsing Status column indicates whether each previewed event is parsed successfully and whether its event ID and event category are mapped to a QID record.
The following figure shows how the parsing status is displayed.
Support for Multiline Event Payloads in the DSM Editor
In the DSM Editor, you can specify a custom delimiter that makes it easier for JSA 7.4.1 to ingest multiline events. To ensure that your event is kept intact as a single multiline event, select the Override event delimiter checkbox to separate the individual events based on another character or sequence of characters. For example, if your configuration is ingesting multiline events, you can add a special character to the end of each distinct event in the Workspace, and then identify this special character as the event delimiter.
The following figures show how you can use the Override event delimiter checkbox to specify double exclamation marks as the custom delimiter for a payload.
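The following is an added example, not code from the JSA product or its documentation, showing why the delimiter choice matters. It splits one constructed payload (a Java stack trace followed by a single-line event, each terminated with "!!") first on the default newline and then on the custom "!!" sequence, and checks that the sequence you choose does not occur inside an event body. The "!!" delimiter and the sample log lines are assumptions made for the example.

```python
# Added example (not JSA code): splitting a raw payload into events on a
# custom delimiter, as the Override event delimiter option does.
from typing import List

# Constructed sample payload. Each distinct event ends with "!!", the
# hypothetical custom delimiter chosen for this example. The first event
# spans four lines (a stack trace); the second is a single line.
SAMPLE_PAYLOAD = (
    "Jun 12 10:01:02 app01 service[4242]: ERROR order failed\n"
    "java.lang.NullPointerException: cart is null\n"
    "\tat com.example.Cart.total(Cart.java:88)\n"
    "\tat com.example.Checkout.run(Checkout.java:19)!!\n"
    "Jun 12 10:01:03 app01 service[4242]: INFO retry scheduled!!\n"
)


def split_events(payload: str, delimiter: str = "\n") -> List[str]:
    """Split `payload` into individual events on `delimiter`.

    The default newline delimiter reproduces the usual one-line-per-event
    behaviour; a custom multi-character delimiter keeps a multiline event
    intact. Line endings left over around each piece are trimmed and empty
    pieces (for example after a trailing delimiter) are dropped.
    """
    pieces = payload.split(delimiter)
    events = [piece.strip("\r\n") for piece in pieces]
    return [event for event in events if event.strip()]


def delimiter_collisions(events: List[str], delimiter: str) -> List[int]:
    """Return indexes of events whose body already contains `delimiter`.

    Use this on a sample of known-good events before committing to a
    delimiter: any hit means that delimiter would cut an event in two.
    """
    return [i for i, event in enumerate(events) if delimiter in event]


if __name__ == "__main__":
    newline_split = split_events(SAMPLE_PAYLOAD)            # stack trace torn apart
    custom_split = split_events(SAMPLE_PAYLOAD, "!!")       # stack trace kept whole
    print(f"newline delimiter: {len(newline_split)} events")
    print(f"'!!' delimiter:    {len(custom_split)} events")
    print("collisions for '!!':", delimiter_collisions(custom_split, "!!"))
```

With the newline delimiter the sample yields five events, three of which are bare stack-trace lines that will not parse or map to anything; with "!!" it yields two complete events. Pick a sequence that cannot appear in the log source's own output and run the collision check on a representative sample before enabling the override.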
Event ID and Event Category fields copied to Event Mapping
In JSA 7.4.1, you can select the unmapped Event ID and Event Category fields of your previewed events to copy them into the corresponding event mapping fields. Now you can map your events to QID records faster than in previous versions, where you had to manually enter your event ID and event category combinations to create your event mappings. On the Event Mappings tab, go to the Unknown Event Mappings section of the Create a New Event Mapping window. Click on a row to copy the event ID and the event category into the corresponding fields, and then click Create.
The following figure shows how you can create new event mappings in the Event Mappings tab of the DSM Editor.
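The following is an added example, not JSA code, that ties the Parsing Status column and the Unknown Event Mappings workflow together. It parses constructed key=value events with two regular expressions, looks each (event ID, event category) pair up in a hypothetical QID map, reports a per-event status, lists the pairs that parsed but have no QID record, and creates a mapping for one of them the way clicking a row and then Create does. The event format, the QID numbers and the status strings are assumptions made for the example.

```python
# Added example (not JSA code): parsing status and event mapping lookup.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events in a hypothetical key=value format.
SAMPLE_EVENTS = [
    "ts=2024-06-12T10:01:02Z host=fw01 eid=LOGIN_OK cat=auth user=alice src=10.0.0.5",
    "ts=2024-06-12T10:01:05Z host=fw01 eid=LOGIN_FAIL cat=auth user=bob src=10.0.0.9",
    "ts=2024-06-12T10:01:07Z host=fw01 eid=RULE_HIT cat=policy rule=deny-ssh src=10.0.0.9",
    "garbage line that matches nothing",
]

# Hypothetical QID map: (event ID, event category) -> QID record.
# RULE_HIT/policy is deliberately missing so that one event shows as unmapped.
QIDKey = Tuple[str, str]
QID_MAP: Dict[QIDKey, Dict[str, object]] = {
    ("LOGIN_OK", "auth"): {"qid": 1001, "name": "User Login Success"},
    ("LOGIN_FAIL", "auth"): {"qid": 1002, "name": "User Login Failure"},
}

# Extraction patterns for the two fields a QID mapping is keyed on.
EVENT_ID_RE = re.compile(r"\beid=(?P<eid>[A-Z_]+)")
EVENT_CAT_RE = re.compile(r"\bcat=(?P<cat>[a-z]+)")


@dataclass
class ParsedEvent:
    raw: str
    event_id: Optional[str]
    category: Optional[str]
    qid: Optional[int]
    status: str  # "Parsed, mapped" | "Parsed, not mapped" | "Not parsed"


def parse_event(raw: str, qid_map: Dict[QIDKey, Dict[str, object]] = QID_MAP) -> ParsedEvent:
    """Extract event ID and category, then resolve them against the QID map."""
    m_id = EVENT_ID_RE.search(raw)
    m_cat = EVENT_CAT_RE.search(raw)
    if not (m_id and m_cat):
        return ParsedEvent(raw, None, None, None, "Not parsed")
    eid, cat = m_id["eid"], m_cat["cat"]
    record = qid_map.get((eid, cat))
    if record is None:
        return ParsedEvent(raw, eid, cat, None, "Parsed, not mapped")
    return ParsedEvent(raw, eid, cat, int(record["qid"]), "Parsed, mapped")


def parsing_status_table(events: List[str], qid_map=QID_MAP) -> List[ParsedEvent]:
    """One row per previewed event, as the Parsing Status column would show."""
    return [parse_event(e, qid_map) for e in events]


def unknown_event_mappings(rows: List[ParsedEvent]) -> List[QIDKey]:
    """Distinct (event ID, category) pairs that parsed but have no QID record."""
    seen: List[QIDKey] = []
    for row in rows:
        key = (row.event_id, row.category)
        if row.status == "Parsed, not mapped" and key not in seen:
            seen.append(key)  # type: ignore[arg-type]
    return seen


def create_event_mapping(qid_map, event_id: str, category: str, qid: int, name: str):
    """Return a new map with the unknown pair copied into a mapping (Create)."""
    new_map = dict(qid_map)
    new_map[(event_id, category)] = {"qid": qid, "name": name}
    return new_map


if __name__ == "__main__":
    rows = parsing_status_table(SAMPLE_EVENTS)
    for row in rows:
        print(f"{row.status:18} eid={row.event_id} cat={row.category} qid={row.qid}")
    print("unknown mappings:", unknown_event_mappings(rows))
```

The third sample event parses (both fields extracted) but stays unmapped until a QID record exists for the RULE_HIT/policy pair; the fourth never parses, so no mapping can fix it and the extraction patterns are what need attention.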
Stronger security capabilities in JSA 7.4.1 include a more secure operating system.
More secure operating system
JSA 7.4.1 runs on Red Hat Enterprise Linux version 7.7. The update to RHEL 7.7 is necessary to continue receiving security updates from Red Hat.
Workflow Enhancements in JSA
Workflow improvements in JSA 7.4.1 include the JSA Use Case Manager and an analyst workflow for investigating offenses.
JSA Use Case Manager app installed by default
In JSA 7.4.1, the JSA Use Case Manager app is installed by default. Use the guided tips in JSA Use Case Manager to help you ensure that JSA is optimally configured to accurately detect threats throughout the attack chain. JSA Use Case Manager includes a rule explorer that offers flexible reports that are related to your rules. JSA Use Case Manager also exposes pre-defined MITRE ATT&CK mappings for system rules and helps you map your own custom rules to MITRE ATT&CK tactics and techniques.
User roles with the system administrator permission are updated automatically to include the required permissions for the apps installed by default. All other user roles must be modified to include the app permissions as needed.
QRadar Analyst Workflow to help you investigate offenses
QRadar Analyst Workflow provides new methods for filtering offenses and events, and graphical representations of offenses, by magnitude, assignee, and type. The improved offenses workflow provides a more intuitive method to investigate offenses to determine the root cause of an issue and work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or shared searches, or by typing plain text into the search field.
The workflow includes a redesigned offenses page, an AQL search page, and access to compatible apps that are already installed on your JSA Console. QRadar Analyst Workflow is supported on JSA 7.4.0 or later.
For more information about the QRadar Analyst Workflow, see the Juniper Secure Analytics Users Guide.
JSA 7.4.1 introduces support for the flowId field in NetFlow V9 data exports.
Support for the flow ID field in NetFlow V9 flow records
JSA now supports the flowId field (IANA element 148) in NetFlow Version 9 data exports. In JSA, the value appears as the Vendor Flow ID field on the Flow Details window.
The flow ID is used as part of the flow's unique identifier, so only flow records with the same flow ID value are aggregated together. Sessions that share the same addresses and ports but carry different flow IDs are kept as separate flows with different Flow ID values.
You can use the flowId field in filters and searches to quickly identify all of the flow records in a particular session.
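The following is an added example, not JSA code, that shows the aggregation behaviour described above on constructed, already-decoded NetFlow v9 records. Two sessions reuse the same 5-tuple (source and destination address, ports, protocol) but carry different flowId values; aggregating on the 5-tuple alone merges them, while adding flowId to the key keeps them apart and makes a filter on a single flow ID return exactly that session. The record layout, field names and byte counts are assumptions made for the example.

```python
# Added example (not JSA code): flow aggregation with and without flowId.
from typing import Dict, List, Tuple

# Constructed NetFlow v9 records after template decoding. The first three
# share one 5-tuple (ephemeral port reused); records 1-2 belong to flow 1111
# and record 3 to a later session, flow 2222. Record 4 is unrelated.
RECORDS: List[Dict[str, object]] = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.20", "dport": 443, "proto": 6, "flow_id": 1111, "bytes": 1200, "packets": 10},
    {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.20", "dport": 443, "proto": 6, "flow_id": 1111, "bytes": 800, "packets": 6},
    {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.20", "dport": 443, "proto": 6, "flow_id": 2222, "bytes": 5000, "packets": 40},
    {"src": "10.0.0.7", "sport": 40000, "dst": "10.0.0.20", "dport": 443, "proto": 6, "flow_id": 3333, "bytes": 300, "packets": 3},
]


def flow_key(rec: Dict[str, object], use_flow_id: bool) -> Tuple:
    """Aggregation key: the 5-tuple, optionally extended with flowId.

    Records that lack element 148 get None in that slot, so exporters that
    do not send flowId still aggregate on the 5-tuple alone.
    """
    key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])
    if use_flow_id:
        key += (rec.get("flow_id"),)
    return key


def aggregate(records: List[Dict[str, object]], use_flow_id: bool) -> Dict[Tuple, Dict[str, object]]:
    """Sum bytes/packets per key; remember the first flowId seen as Vendor Flow ID."""
    flows: Dict[Tuple, Dict[str, object]] = {}
    for rec in records:
        key = flow_key(rec, use_flow_id)
        entry = flows.setdefault(
            key, {"bytes": 0, "packets": 0, "records": 0, "vendor_flow_id": rec.get("flow_id")}
        )
        entry["bytes"] += int(rec["bytes"])
        entry["packets"] += int(rec["packets"])
        entry["records"] += 1
    return flows


def find_session(flows: Dict[Tuple, Dict[str, object]], flow_id: int) -> Dict[Tuple, Dict[str, object]]:
    """Filter aggregated flows on Vendor Flow ID, as a search on flowId would."""
    return {k: v for k, v in flows.items() if v["vendor_flow_id"] == flow_id}


if __name__ == "__main__":
    for label, use_id in (("5-tuple only", False), ("5-tuple + flowId", True)):
        flows = aggregate(RECORDS, use_id)
        print(f"{label}: {len(flows)} flows")
        for key, entry in flows.items():
            print("  ", key, entry)
        print("   session 2222 ->", find_session(flows, 2222))
```

Without flowId in the key the 2222 session is folded into the 1111 flow and a search for flow ID 2222 finds nothing; with it, the two sessions stay separate and the filter returns exactly one flow. Note that flowId is assigned by the exporter, so when several exporters feed one collector the exporter address also belongs in the key (not shown here).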