JSA

 

JSA 7.4.2 includes enhancements to operational efficiency, DSM Editor enhancements, and flow improvements.

Operational Efficiency

The operational efficiency improvements in JSA 7.4.2 include adjusting the number of MAC addresses allowed for an asset.

Adjusting the Number of MAC Addresses Allowed for an Asset

In JSA 7.4.2, you can adjust the number of MAC addresses that are allowed for a single asset. In previous releases of JSA, administrators were not able to adjust this number, which resulted in an error message that stated that there were too many MAC addresses for the asset. Enter the number in the Number of MAC Addresses Allowed for a Single Asset field in the Asset Profiler Configuration window.

If you have users who log in from multiple wireless access points, or multiple users who log in remotely through a VPN, you can set the number of MAC addresses that are allowed for the asset in the same way that you can for IP addresses.

Figure 1: Asset Profiler Configuration Window

DSM Editor Enhancements

The DSM Editor enhancements in JSA 7.4.2 include generating regex to parse event properties.

Generating Regex for Parsing Event Properties

JSA 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you are not familiar with writing regular expressions, use this feature to generate your regex.

Highlight the payload text that you want to capture and in the Properties tab, click Suggest Regex. The suggested expression appears in the Expression field. Alternatively, you can click the Regex button in the Workspace and select the property that you want to write an expression for. If JSA is unable to generate a suitable regex for your data sample, a system message appears.

Tip

The regex generator works best for fields in well-structured event payloads. If your payload consists of complex data from natural language or unstructured events, the regex generator might not be able to parse it and does not return a result.

The following figure shows how you can generate your regex with the Suggest Regex button in the Properties tab, or with the Regex button in the Workspace.

Figure 2: Suggest Regex Button

Flow Improvements

JSA 7.4.2 introduces new flow algorithms, new accumulated byte and packet counters, and support for MAC address fields.

Accumulated Byte and Packet Counters

Flows are reported in 1-minute intervals, and can span several minutes, hours, or even days. For sessions that span more than a minute, JSA reports on the current metrics for the flow at the end of each 1-minute interval. The byte and packet counters show the number of bytes and packets that were received in that 1-minute interval.

In JSA 7.4.2, you can now see the total number of bytes and packets that accumulated over the duration of the flow session. The byte and packet counters for each 1-minute interval that the flow is observed are also preserved.

You can view the accumulated counters by including the following fields in your search results.

  • Accumulated source bytes

  • Accumulated source packets

  • Accumulated destination bytes

  • Accumulated destination packets

New "Common Destination Port" Flow Direction Algorithms

JSA provides information about which algorithm was used to determine the flow direction.

JSA 7.4.2 introduces two new common destination port algorithms for use when the flow matches the criteria, but the flow direction is unchanged:

  • Single common destination port (unaltered) (5)

  • Both common destination ports, RFC 1700 preferred (unaltered) (6)

In previous releases of JSA, the common destination port algorithms were reported only when the flow direction was reversed. Most other flows used the Arrival time algorithm, including the flows that matched the common destination port criteria but did not have the flow direction reversed.

Now, the only flows that show the Arrival time annotation in the Flow Direction Algorithm field are the flows that do not match the criteria for any other flow direction algorithm.

MAC Address Support

JSA can now receive MAC address information from IPFIX and NetFlow V9 exporters.

The following MAC address fields are supported in JSA 7.4.2:

  • sourceMacAddress (IANA Element ID 56)

  • postDestinationMacAddress (IANA Element ID 57)

  • destinationMacAddress (IANA Element ID 80)

  • postSourceMacAddress (IANA Element ID 81)

You can use the new MAC address fields in filters, searches, and rules.
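
To check which of these fields an exporter actually sends before you build filters or rules on them, you can decode a captured export message yourself. The following added example (not JSA code) is a minimal IPFIX parser that reads the template set and returns the four MAC address elements from each data record; it covers IPFIX only, not NetFlow V9, and the sample message, its addresses, and the function names are constructed for illustration.

```python
import struct

# MAC address information elements from the list above (IANA element ID -> name)
MAC_ELEMENTS = {56: "sourceMacAddress", 57: "postDestinationMacAddress",
                80: "destinationMacAddress", 81: "postSourceMacAddress"}

def parse_ipfix_macs(msg):
    """Return one {field name: MAC string} dict per data record in an IPFIX message."""
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("not a complete IPFIX (version 10) message")
    templates, records, pos = {}, [], 16           # sets follow the 16-byte header
    while pos + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > len(msg):
            raise ValueError("set length runs past the message")
        body, off = msg[pos + 4:pos + set_len], 0
        if set_id == 2:                            # template set
            while off + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, off)
                if tid < 256:                      # padding, not a template record
                    break
                off, fields = off + 4, []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", body, off)
                    off += 8 if ie & 0x8000 else 4 # enterprise IEs carry 4 extra bytes
                    if flen == 0xFFFF:
                        raise ValueError("variable-length fields not handled here")
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id in templates:                  # data set described by a template
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and off + rec_len <= len(body):
                rec = {}
                for ie, flen in fields:
                    if ie in MAC_ELEMENTS and flen == 6:
                        rec[MAC_ELEMENTS[ie]] = body[off:off + flen].hex(":")
                    off += flen
                records.append(rec)
        pos += set_len
    return records

def build_sample():
    """Constructed message: template 256 (IPs, MACs, octetDeltaCount) and one record."""
    spec = [(8, 4), (12, 4), (56, 6), (80, 6), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    rec = bytes.fromhex("c000020a c6336407 020000aabb01 020000aabb02") + struct.pack("!Q", 1500)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets
```

Calling `parse_ipfix_macs(build_sample())` returns the source and destination MAC addresses of the single constructed record; a record list with empty dictionaries means the exporter's template does not include any of the four elements.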

What's Changed or Removed

In JSA 7.4.2, some features were changed or removed.

Active Directory

User authentication with Active Directory (AD) is no longer supported as of JSA 7.4.2. Use Lightweight Directory Access Protocol (LDAP) for user authentication to an AD server instead.

GlusterFS No Longer Supported

GlusterFS is no longer supported in JSA. You must migrate any Event Collectors in your deployment to Distributed Replicated Block Device before you upgrade to JSA 7.4.2. You must be running JSA 7.3.2 fix patch 3 or later before you can upgrade to JSA 7.4.2.