Juniper Secure Analytics Administration Guide


Juniper Secure Analytics Administration Guide

Published 2022-05-23

RELEASE 7.4.2

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Administration Guide 7.4.2
Copyright 2022 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide

1. What's New for Administrators
   - What's New for Administrators
   - New Features and Enhancements in JSA 7.4.2
   - New Features and Enhancements in JSA 7.4.1
   - New Features and Enhancements in JSA 7.4.0

2. Overview of JSA Administration
   - JSA Administration
   - Capabilities in Your JSA Product
   - Supported Web Browsers

3. User Management
   - User Management
   - User Roles
   - Security Profiles
   - User Accounts
   - User Authentication
   - LDAP Authentication
   - SAML Single Sign-on Authentication

4. License Management
   - License Management
   - Event and Flow Processing Capacity
   - Burst Handling
   - Uploading a License Key
   - Allocating a License Key to a Host
   - Distributing Event and Flow Capacity
   - Viewing License Details
   - Deleting Expired Licenses
   - Exporting License Information

5. System Management
   - System Management
   - Viewing System Health Information
   - JSA Component Types
   - Data Nodes
   - Network Interface Management
   - JSA System Time
   - NAT-Enabled Networks
   - Managing Off-site Hosts
   - Managed Hosts
   - Making Changes in your JSA Environment
   - Deploying Changes
   - Restarting the Event Collection Service
   - Shutting Down a System
   - Restarting a System
   - Collecting Log Files
   - Changing the Root Password on Your JSA Console
   - Resetting SIM

6. Set Up JSA
   - Set Up JSA
   - Network Hierarchy
   - Automatic Updates
   - Manual Updates
   - Configuring System settings
   - IF-MAP Server Certificates
   - SSL Certificates
   - IPv6 Addressing in JSA Deployments
   - Advanced Iptables Rules Examples
   - Data Retention
   - System Notifications
   - Custom Offense Close Reasons
   - Configuring a Custom Asset Property
   - Index Management
   - Set Restrictions to Prevent Resource-intensive Searches
   - App Hosts
   - Checking the Integrity Of Event and Flow Logs
   - Adding Custom Actions
   - Managing Aggregated Data Views
   - Accessing a GLOBALVIEW Database

7. Processing Event Data in JSA
   - Processing Event Data in JSA
   - DSM Editor Overview
   - Properties in the DSM Editor
   - Property Configuration in the DSM Editor
   - Opening the DSM Editor
   - Configuring a Log Source Type
   - Configuring Property Autodetection for Log Source Types
   - Configuring Log Source Autodetection for Log Source Types
   - Configuring DSM Parameters for Log Source Types
   - Custom Log Source Types
   - Custom Property Definitions in the DSM Editor
   - Event Mapping
   - Exporting Contents from the DSM Editor

8. Using Reference Data in JSA
   - Using Reference Data in JSA
   - Types Of Reference Data Collections
   - Reference Sets Overview
   - Creating Reference Data Collections by Using the Command Line
   - Creating Reference Data Collections with the APIs
   - Examples for Using Reference Data Collections

9. User Information Source Configuration
   - User Information Source Configuration
   - User Information Source Overview
   - Configuring the Tivoli Directory Integrator Server
   - Creating and Managing User Information Source
   - Collecting User Information

10. Juniper Networks X-Force Integration
   - Juniper Networks X-Force Integration
   - Enabling the X-Force Threat Intelligence Feed
   - Updating X-Force Data in a Proxy Server
   - Preventing X-Force Data from Downloading Locally
   - X-Force Data on the Dashboard
   - Security Threat Content Application
   - Juniper X-Force Exchange Plug-in for JSA

11. Managing Authorized Services
   - Managing Authorized Services
   - Viewing Authorized Services
   - Adding an Authorized Service
   - Revoking Authorized Services

12. Backup and Recovery
   - Backup and Recovery
   - Backup JSA Configurations and Data
   - Manage Existing Backup Archives
   - Restore JSA Configurations and Data
   - Backup and Restore Applications
   - Data Redundancy and Recovery in JSA Deployments
   - Backup and Restore the QRadar Analyst Workflow

13. Flow Sources Management
   - Flow Sources
   - Types of Flow Sources
   - Adding or Editing a Flow Source
   - Enabling and Disabling a Flow Source
   - Deleting a Flow Source
   - Flow Source Aliases Management
   - Correcting Flow Time Stamps

14. Remote Networks and Services Configuration
   - Remote Networks and Services Configuration
   - Default Remote Network Groups
   - Default Remote Service Groups
   - Guidelines for Network Resources
   - Managing Remote Networks Objects
   - Managing Remote Services Objects
   - QID Map Overview

15. Server Discovery
   - Server Discovery
   - Discovering Servers

16. Domain Segmentation
   - Domain Segmentation
   - Overlapping IP Addresses
   - Domain Definition and Tagging
   - Creating Domains
   - Creating Domains for VLAN Flows
   - Domain Privileges That Are Derived from Security Profiles
   - Domain-specific Rules and Offenses
   - Example: Domain Privilege Assignments Based on Custom Properties

17. Multitenant Management
   - Multitenant Management
   - User Roles in a Multitenant Environment
   - Domains and Log Sources in Multitenant Environments
   - Provisioning a New Tenant
   - Monitoring License Usage in Multitenant Deployments
   - Rules Management in Multitenant Deployments
   - Network Hierarchy Updates in a Multitenant Deployment
   - Retention Policies for Tenants

18. Asset Management
   - Asset Management
   - Sources Of Asset Data
   - Incoming Asset Data Workflow
   - Updates to Asset Data
   - Identification Of Asset Growth Deviations
   - Prevention Of Asset Growth Deviations
   - Clean Up Asset Data After Growth Deviations

19. Configuring JSA to Forward Data to Other Systems
   - Configuring JSA to Forward Data to Other Systems
   - Adding Forwarding Destinations
   - Configuring Forwarding Profiles
   - Configuring Routing Rules to Forward Data
   - Using Custom Rules and Rule Responses to Forward Data
   - Configuring Routing Rules to Use the JSA Data Store
   - Viewing Forwarding Destinations
   - Viewing and Managing Forwarding Destinations
   - Viewing and Managing Routing Rules

20. Event Store and Forward
   - Event Store and Forward
   - Store and Forward Overview
   - Viewing the Store and Forward Schedule List
   - Creating a Store and Forward Schedule
   - Editing a Store and Forward Schedule
   - Deleting a Store and Forward Schedule

21. Security Content
   - Security Content
   - Types Of Security Content
   - Methods Of Importing and Exporting Content
   - Content Type Identifiers for Exporting Custom Content
   - Content Management Script Parameters

22. SNMP Trap Configuration
   - SNMP Trap Configuration
   - Adding a Custom SNMP Trap to JSA
   - Sending SNMP Traps to a Specific Host

23. Protect Sensitive Data
   - Sensitive Data Protection
   - How Does Data Obfuscation Work?
   - Data Obfuscation Profiles
   - Data Obfuscation Expressions
   - Scenario: Obfuscating User Names

24. Log Files
   - Log Files
   - Audit Logs

25. Event Categories
   - Event Categories
   - High-level Event Categories
   - Recon
   - DoS
   - Authentication
   - Access
   - Exploit
   - Malware
   - Suspicious Activity
   - System
   - Policy
   - Unknown
   - CRE
   - Potential Exploit
   - Flow
   - User Defined
   - SIM Audit
   - VIS Host Discovery
   - Application
   - Audit
   - Risk
   - Risk Manager Audit
   - Control
   - Asset Profiler
   - Sense

26. Common Ports and Servers Used by JSA
   - Common Ports and Servers Used by JSA
   - JSA Port Usage
   - Viewing IMQ Port Associations
   - Searching for Ports in Use by JSA
   - JSA Public Servers
   - Docker Containers and Network Interfaces

27. RESTful API
   - RESTful API
   - Accessing the Interactive API Documentation Page

About This Guide

Use this guide to set up and manage JSA administrative functionality. Also learn about the new features and capabilities that make it easier for you to configure and administer your JSA deployment.

CHAPTER 1

What's New for Administrators

What's New for Administrators

Learn about the new features and capabilities that make it easier for you to configure and administer your JSA deployment.

New Features and Enhancements in JSA 7.4.2

The following new features and enhancements make it easier for administrators to manage their JSA 7.4.2 deployment.

To view a list of all new features in this release, see What’s New Guide.

Adjusting the Number of MAC Addresses Allowed for an Asset

In JSA 7.4.2, you can adjust the number of MAC addresses that are allowed for a single asset. In previous releases of JSA, administrators were not able to adjust this number, which resulted in an error message that stated that there were too many MAC addresses for the asset. Enter the number in the Number of MAC Addresses Allowed for a Single Asset field in the Asset Profiler Configuration window.

If you have users who log in from multiple wireless access points, or multiple users who log in remotely through a VPN, you can set the number of MAC addresses that are allowed for the asset in the same way that you can for IP addresses.

Figure 1: Asset Profiler Configuration Window

Generating Regex for Parsing Event Properties

JSA 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you are not familiar with creating regex expressions, use this feature to generate your regex.

Highlight the payload text that you want to capture and in the Properties tab, click Suggest Regex. The suggested expression appears in the Expression field. Alternatively, you can click the Regex button in the Workspace and select the property that you want to write an expression for. If JSA is unable to generate a suitable regex for your data sample, a system message appears.

TIP: The regex generator works best for fields in well-structured event payloads. If your payload consists of complex data from natural language or unstructured events, the regex generator might not be able to parse it and does not return a result.

The following figure shows how you can generate your regex with the Suggest Regex button in the Properties tab, or with the Regex button in the Workspace.

Figure 2: Suggest Regex Button

New Features and Enhancements in JSA 7.4.1

The following new features and enhancements make it easier for administrators to manage their JSA 7.4.1 deployment.

To view a list of all new features in this release, see What’s New Guide.

New Features and Enhancements in JSA 7.4.0

The following new features and enhancements make it easier for administrators to manage their JSA 7.4.0 deployment.

To view a list of all new features in this release, see What’s New Guide.

Global System Notifications configuration

Global System Notifications are now local, making them host specific and more useful. As a result, the thresholds are now set automatically by JSA and the Global System Notification section of the Admin tab was removed.

Secure email server

Send email to distribute alerts, reports, notifications, and event messages to mail servers that require authentication.

You can configure an email server for your entire JSA deployment, or multiple email servers.

DSM Parameter support in the DSM Editor

In JSA 7.4.0, if your log source type has DSM parameters, you can use the DSM Editor to configure the DSM parameters. Enable the Display DSM Parameters Configuration option to view and edit the DSM parameters.

Figure 3: DSM Parameters Configuration

Reverse tunnel initiation

The SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host. For example, you have a connection from an Event Processor in a secure environment to an Event Collector that is outside of the secure environment. You also have a firewall rule that prevents you from having a host outside the secure environment connect to a host in the secure environment. In JSA 7.4.0, you can switch which host creates the tunnel so that the connection is established from the Event Processor by selecting the Remote Tunnel Initiation checkbox for the Event Collector.

Improved flow timestamp handling

Two new configuration settings provide more control over the way that flow timestamps are handled when Netflow V9 begins sending records with overflowed system uptime values. The new settings eliminate the need to reset the first and last switched times.

The new configuration options and the default values are shown here:

- NORMALISE OVERFLOWED UPTIMES YES
- UPTIME OVERFLOW THRESHOLD MSEC 86400000

The timestamps are corrected when the system uptime value is less than the first and last switched packet times by more than the value that is specified in the UPTIME OVERFLOW THRESHOLD MSEC configuration. The timestamps are corrected based on the assumption that the system uptime wrapped around the maximum 32-bit value.
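The correction rule described under "Improved flow timestamp handling", worked through as an added example (not JSA code and not taken from the guide). It assumes the NetFlow v9 field semantics of RFC 3954 (header sysUptime in milliseconds, record first and last switched times expressed as sysUptime values); the class, function and variable names are this example's own, and the sample records are constructed. Without the correction, a flow exported just after the counter wraps is dated about 49.7 days in the future, which distorts any timeline built from flow data.

```python
# Added illustration, not JSA code: the overflow rule stated in the guide,
# applied to NetFlow v9 header and record fields. All names are hypothetical.
from dataclasses import dataclass

UINT32_WRAP_MS = 2 ** 32            # sysUptime is a 32-bit millisecond counter
DEFAULT_THRESHOLD_MS = 86_400_000   # default threshold value quoted in the guide


@dataclass(frozen=True)
class FlowRecord:
    export_unix_ms: int     # exporter wall clock when the export packet was sent
    sys_uptime_ms: int      # header: milliseconds since the exporter booted
    first_switched_ms: int  # record: sysUptime when the first packet was seen
    last_switched_ms: int   # record: sysUptime when the last packet was seen


def uptime_overflowed(rec, threshold_ms=DEFAULT_THRESHOLD_MS):
    """True when sysUptime trails BOTH switched times by more than the threshold.

    A small lead (below the threshold) is treated as jitter, not as a wrap.
    """
    return (rec.first_switched_ms - rec.sys_uptime_ms > threshold_ms
            and rec.last_switched_ms - rec.sys_uptime_ms > threshold_ms)


def flow_times_ms(rec, normalise=True, threshold_ms=DEFAULT_THRESHOLD_MS):
    """Return (first_seen, last_seen) as Unix epoch milliseconds.

    With normalise=True, an overflowed sysUptime is assumed to have wrapped
    past the maximum 32-bit value exactly once, as the guide describes.
    """
    uptime = rec.sys_uptime_ms
    if normalise and uptime_overflowed(rec, threshold_ms):
        uptime += UINT32_WRAP_MS
    boot_ms = rec.export_unix_ms - uptime   # wall-clock time of exporter boot
    return boot_ms + rec.first_switched_ms, boot_ms + rec.last_switched_ms


# Constructed sample records (not captured traffic).
EXPORT_MS = 1_650_000_000_000
# Counter wrapped 30 s before export; the flow ran from 60 s to 40 s before export.
WRAPPED = FlowRecord(EXPORT_MS, 30_000,
                     UINT32_WRAP_MS - 30_000, UINT32_WRAP_MS - 10_000)
# Same flow timing on an exporter whose counter has not wrapped.
NORMAL = FlowRecord(EXPORT_MS, 500_000, 440_000, 460_000)

if __name__ == "__main__":
    for name, rec in (("wrapped", WRAPPED), ("normal", NORMAL)):
        raw = flow_times_ms(rec, normalise=False)
        fixed = flow_times_ms(rec)
        print(f"{name}: overflowed={uptime_overflowed(rec)}")
        print(f"  uncorrected first-seen offset: {(raw[0] - EXPORT_MS) / 1000:+.0f} s")
        print(f"  corrected   first-seen offset: {(fixed[0] - EXPORT_MS) / 1000:+.0f} s")
```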

CHAPTER 2

Overview of JSA Administration

JSA Administration

As a JSA administrator, you have a variety of tools available to help you configure and manage your JSA deployment.

For example, using the tools on the Admin tab, you can perform the following tasks:

- Deploy and manage JSA hosts and licenses.
- Configure user accounts and authentication.
- Build a network hierarchy.
- Configure domains and set up a multi-tenant environment.
- Define and manage log and flow data sources.
- Manage JSA data retention.
- Manage assets and reference data.
- Schedule regular backups of JSA configuration and data.
- Monitor the system health of managed hosts.

Capabilities in Your JSA Product

JSA product documentation describes functionality such as offenses, flows, assets, and historical correlation, that might not be available in all JSA products. Depending on the product that you are using, some documented features might not be available in your deployment.

- Log Manager -- Log Manager is a basic, high-performance, and scalable solution for collecting, analyzing, storing, and reporting on large volumes of network and security event logs.
- JSA -- JSA is an advanced offering that includes the full range of security intelligence capabilities for on-premises deployments. It consolidates log source and network flow data from thousands of assets, devices, endpoints, and applications that are distributed throughout your network, and performs immediate normalization and correlation activities on the raw data to distinguish real threats from false positives.

JSA Product Capabilities

Review the following table to compare the capabilities in each JSA product.

Table 1: Comparison Of JSA Capabilities

Capability | JSA | Log Manager
Full administrative capabilities | Yes | Yes
Supports hosted deployments | No | No
Customizable dashboards | Yes | Yes
Custom rules engine | Yes | Yes
Manage network and security events | Yes | Yes
Manage host and application logs | Yes | Yes
Threshold-based alerts | Yes | Yes
Compliance templates | Yes | Yes
Data archiving | Yes | Yes
Juniper X-Force Threat Intelligence IP reputation feed integration | Yes | Yes
WinCollect stand-alone deployments | Yes | Yes
WinCollect managed deployments | Yes | Yes
JSA Vulnerability Manager integration | Yes | Yes
Network activity monitoring | Yes | Yes
Asset profiling | Yes | No (1)
Offenses management | Yes | No
Network flow capture and analysis | Yes | Yes
Historical correlation | Yes | No
JSA Risk Manager integration | Yes | No
Vulnerability assessment scanners | Yes | Yes

(1) Log Manager tracks asset data only if JSA Vulnerability Manager is installed.

Some documentation, such as the Juniper Secure Analytics Administration Guide and the Juniper Secure Analytics Users Guide, is common across multiple products and might describe capabilities that are not available in your deployment.

Supported Web Browsers

For the features in JSA products to work properly, you must use a supported web browser.

The following table lists the supported versions of web browsers.

Table 2: Supported Web Browsers for JSA Products

Web browser | Supported versions
64-bit Mozilla Firefox | 60 Extended Support Release and later
64-bit Microsoft Edge | 38.14393 and later
64-bit Google Chrome | Latest

The Microsoft Internet Explorer web browser is no longer supported as of JSA 7.4.0.

Security Exceptions and Certificates

If you are using the Mozilla Firefox web browser, you must add an exception to Mozilla Firefox to log in to JSA. For more information, see your Mozilla Firefox web browser documentation.

Navigate the Web-Based Application

When you use JSA, use the navigation options available in the JSA user interface instead of your web browser Back button.

CHAPTER 3

User Management

User Management

You define user roles, security profiles, and user accounts to control who has access to JSA, which tasks they can perform, and which data they have access to.

When you initially configure JSA, use the User Management feature on the Admin tab to configure and manage user accounts for all users that require access to JSA.

User Roles

A user role defines the functions that a user can access in JSA.

During the installation, four default user roles are defined: Admin, All, WinCollect, and Disabled.

Before you add user accounts, you must create the user roles to meet the permission requirements of your users.

Creating a User Role

Create user roles to manage the functions that a user can access in JSA.

By default, your system provides a default administrative user role, which provides access to all areas of JSA. Users who are assigned an administrative user role cannot edit their own account. This restriction applies to the default Admin user role. Another administrative user must make any account changes.

1. On the Admin tab, click User Roles.
2. On the toolbar, click New.

3. In the User Role Name field, type a unique name for this user role.
4. Select the permissions that you want to assign to the user role.

The permissions that are visible on the User Role Management window depend on which JSA components are installed.

Table 3: User Role Management window permissions

Admin
   Grants administrative access to the user interface. You can grant specific Admin permissions. Users with System Administrator permission can access all areas of the user interface. Users who have this access cannot edit other administrator accounts.
   - Administrator Manager: Grants users permission to create and edit other administrative user accounts.
   - Remote Networks and Services Configuration: Grants users access to the Remote Networks and Services icon on the Admin tab.
   - System Administrator: Grants users permission to access all areas of user interface. Users with this access are not able to edit other administrator accounts.

Delegated Administration
   Grant users permissions to perform limited administrative functions. In a multi-tenant environment, tenant users with Delegated Administration permissions can see only data for their own tenant environment. If you assign other administrative permissions that are not part of Delegated Administration, tenant users can see data for all tenants.

Offenses
   Grants administrative access to all functions on the Offenses tab. Users must have administrative access to create or edit a search group on the Offenses tab. User roles must have the Maintain Custom Rules permission to create and edit custom rules.

Log Activity
   Grants access to functions in the Log Activity tab. You can also grant specific permissions:
   - Maintain Custom Rules: Grants permission to create or edit rules that are displayed on the Log Activity tab.
   - Manage Time Series: Grants permission to configure and view time series data charts.
   - User Defined Event Properties: Grants permission to create custom event properties.
   - View Custom Rules: Grants permission to view custom rules. If granted to a user role that does not also have the Maintain Custom Rules permission, the user role cannot create or edit custom rules.

Network Activity
   Grants access to all the functions in the Network Activity tab. You can grant specific access to the following permissions:
   - Maintain Custom Rules: Grants permission to create or edit rules that are displayed on the Network Activity tab.
   - Manage Time Series: Grants permission to configure and view time series data charts.
   - User Defined Flow Properties: Grants permission to create custom flow properties.
   - View Custom Rules: Grants permission to view custom rules. If the user role does not also have the Maintain Custom Rules permission, the user role cannot create or edit custom rules.
   - View Flow Content: Grants permission to view source payload and destination payload in the flow data details.

Assets
   This permission is displayed only if JSA Vulnerability Manager is installed on your system. Grants access to the function in the Assets tab. You can grant specific permissions:
   - Perform VA Scans: Grants permission to complete vulnerability assessment scans. For more information about vulnerability assessment, see the Managing Vulnerability Assessment Guide.
   - Remove Vulnerabilities: Grants permission to remove vulnerabilities from assets.
   - Server Discovery: Grants permission to discover servers.
   - View VA Data: Grants permission to vulnerability assessment data. For more information about vulnerability assessment, see the Managing Vulnerability Assessment guide.

Reports
   Grants permission to access all of the functions on the Reports tab.
   - Distribute Reports via Email: Grants permission to distribute reports through email.
   - Maintain Templates: Grants permission to edit report templates.

Risk Manager
   Grants users permission to access JSA Risk Manager functions. JSA Risk Manager must be activated.

Vulnerability Manager
   Grants permission to QRadar Vulnerability Manager function. QRadar Vulnerability Manager must be activated. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.

IP Right Click Menu Extensions
   Grants permission to options added to the right-click menu.

Platform Configuration
   Grants permission to Platform Configuration services.
   - Dismiss System Notifications: Grants permission to hide system notifications from the Messages tab.
   - View Reference Data: Grants permission to view reference data when it is available in search results.
   - View System Notifications: Grants permission to view system notifications from the Messages tab.

JSA Log Source Management
   Grants permission to the JSA Log Source Management app.

Pulse - Dashboard
   Grants permission to dashboards in the QRadar Pulse app.

Pulse - Threat Globe
   Grants permission to Threat Globe dashboard in the QRadar Pulse app.

QRadar Assistant
   Grants permission to the IBM QRadar Assistant app.

QRadar Use Case Manager
   Grants permission to the QRadar Use Case Manager app.

5. In the Dashboards area, select the dashboards that you want the user role to access, and click Add.

   NOTE: A dashboard displays no information when the user role does not have permission to view dashboard data. If a user modifies the displayed dashboards, the defined dashboards for the user role appear at the next login.

6. Click Save and close the User Role Management window.

7. On the Admin tab menu, click Deploy Changes.

Editing a User Role

You can edit an existing role to change the permissions that are assigned to the role.

To quickly locate the user role you want to edit on the User Role Management window, you can type a role name in the Type to filter text box.

1. On the Admin tab, click User Roles.
2. In the left pane of the User Role Management window, select the user role that you want to edit.
3. In the right pane, update the permissions, as necessary.
4. Modify the Dashboards options for the user role as necessary.
5. Click Save.
6. Close the User Role Management window.
7. On the Admin tab menu, click Deploy Changes.

Deleting a User Role

If a user role is no longer required, you can delete the user role.

If user accounts are assigned to the user role you want to delete, you must reassign the user accounts to another user role. The system automatically detects this condition and prompts you to update the user accounts.

You can quickly locate the user role that you want to delete on the User Role Management window. Type a role name in the Type to filter text box, which is located above the left pane.

1. On the Admin tab, click User Roles.
2. In the left pane of the User Role Management window, select the role that you want to delete.
3. On the toolbar, click Delete.
4. Click OK.
   - If user accounts are assigned to this user role, the Users are Assigned to this User Role window opens. Go to Step 6.
   - If no user accounts are assigned to this role, the user role is successfully deleted. Go to Step 7.
5. Reassign the listed user accounts to another user role:
   a. From the User Role to assign list box, select a user role.
   b. Click Confirm.
6. Close the User Role Management window.
7. On the Admin tab menu, click Deploy Changes.

Security Profiles

Security profiles define which networks, log sources, and domains a user can access.

JSA includes one default security profile for administrative users. The Admin security profile includes access to all networks, log sources, and domains.

Before you add user accounts, you must create more security profiles to meet the specific access requirements of your users.

Domains

Security profiles must be updated with an associated domain. You must define domains on the Domain Management window before the Domains tab is shown on the Security Profile Management window. Domain-level restrictions are not applied until the security profiles are updated, and the changes are deployed.

Domain assignments take precedence over all settings on the Permission Precedence, Networks, and Log Sources tabs.

If the domain is assigned to a tenant, the tenant name appears in brackets beside the domain name in the Assigned Domains window.

Permission Precedence

Permission precedence determines which security profile components to consider when the system displays events in the Log Activity tab and flows in the Network Activity tab.

Choose from the following restrictions when you create a security profile:

- No Restrictions - This option does not place restrictions on which events are displayed in the Log Activity tab, and which flows are displayed in the Network Activity tab.
- Network Only - This option restricts the user to view only events and flows that are associated with the networks that are specified in this security profile.
- Log Sources Only - This option restricts the user to view only events that are associated with the log sources that are specified in this security profile.
- Networks AND Log Sources - This option allows the user to view only events and flows that are associated with the log sources and networks that are specified in this security profile.

For
