Table 32: System Settings Window Parameters (continued)

Description Parameter

Root mail is the default location for host context messages.

Delete Root Mail

The period that you want the system to retain temporary files. The default storage location for temporary files is the/store/tmpdirectory.

Temporary Files Retention Period

The period for an asset search to process before a timeout occurs.

Asset Profile Query Period

The coalesce log settings for events. SelectYesto enable log sources to coalesce, or bundle, events.

This value applies to all log sources. However, if you want to alter this value for a specific log source, edit theCoalescing Eventparameter in the log source configuration. For more information, see the Log Sources Users Guide.

Coalescing Events

Log sources can store event payload information.

This value applies to all log sources. However, if you want to alter this value for a specific log source, edit theEvent Payloadparameter in the log source configuration. For more information, see the Log Sources Users Guide.

Store Event Payload

The IP addresses of non-console systems that do not have iptables configuration to which you want to enable direct access. To enter multiple systems, type a comma separated list of IP addresses.

Global Ip tables Access

The amount of time that the status of a syslog device is recorded as an error if no events are received within the timeout period. The status is displayed on theLog Sourceswindow.

Syslog Event Timeout (minutes)

The amount of time for a partition test to perform before a timeout occurs.

Partition Tester Timeout (seconds)

The maximum number of Transmission Control Protocol (TCP) syslog connections you want to allow your system.

Max Number of TCP Syslog Connections

The location where offense, event, and flow exports are stored. The default location is /store/exports.

Export Directory

If geographic information is available for an IP address, the country or region is visually indicated by a flag. You can selectNofrom this list disable this feature.

Display Country/Region Flags

Database Settings

The location of the user profiles. The default location is/store/users. User Data Files

The period that you want to retain minute-by-minute data accumulations.

Every 60 seconds, the data is aggregated into a single data set.

Accumulator Retention -Minute-By-Minute

The period that you want to retain hourly data accumulations.

Accumulator Retention - Hourly

Table 32: System Settings Window Parameters (continued)

Description Parameter

The period that you want to retain daily data accumulations.

At the end of every day, the hourly data sets are aggregated into a single daily data set.

Accumulator Retention - Daily

The amount of time you want to store payload indexes.

Payload Index Retention

The period that you want to retain closed offense information. The default setting is 3 days.

The minimum is 1 day and the maximum is 2 years.

After the offense retention period elapses, closed offenses are purged from the database.

Offenses can be retained indefinitely if they are not closed or inactive, and they are still receiving events. The magistrate automatically marks an offense as Inactive if the offense has not received an event for 5 days. This 5- day period is known as the dormant time. If an event is received during the dormant time, the dormant time is reset back to zero. When an offense is closed either by you (Closed) or the magistrate (Inactive), theOffense Retention Periodsetting is applied.

Offense Retention Period

From the list, select the amount of time that you want to store the attacker history.

Attacker History Retention Period

From the list, select the amount of time that you want to store the target history.

Target Retention Period

Ariel Database Settings

The location that you want to store the flow log information. The default location is /store/ariel/ flows.

Flow Data Storage Location

The location where you want to store the log source information. The default location is /store/ariel/ events.

Log Source Storage Location

The amount of time you want to store search results.

Search Results Retention Period

The maximum number of results you want a report to return.

Reporting Max Matched Results

The maximum number of results you want the AQL command line to return.

Command Line Max Matched Results

The maximum amount of time, in seconds, you want a query to process before a timeout occurs.

Web Execution Time Limit

The maximum amount of time, in seconds, you want a reporting query to process before a timeout occurs.

Reporting Execution Time Limit for Manual Reports

The maximum amount of time, in seconds, you want a query in the AQL command line to process before a timeout occurs.

Command Line Execution Time Limit

The maximum amount of time, in seconds, you want an auto refresh to process before a timeout occurs.

Web Last Minute (Auto refresh) Execution Time Limit

Stores a hash file for every stored flow log file. SelectYesto enable logging.

Flow Log Hashing

Chapter 5: Set up JSA

Table 32: System Settings Window Parameters (continued)

Description Parameter

Stores a hash file for every stored event log file. SelectYesto enable logging.

Event Log Hashing

This parameter only displays when theEvent Log HashingorFlow Log Hashingsystem setting is enabled.

This parameter only displays when theEvent Log Hashingsystem setting is enabled.

SelectYesto allow JSA to encrypt the integrity hashes on stored event and flow log files.

HMAC Encryption

The key that you want to use for HMAC encryption. The key must be unique.

This parameter only displays when theHMAC Encryptionsystem setting is enabled.

HMAC Key

This parameter only displays when theHMAC Encryptionsystem setting is enabled.

Retype the key that you want to use for HMAC encryption. The key must match the key that you typed in theHMAC Keyfield.

Verify

You can use a hashing algorithm for database integrity. JSA uses the following hashing algorithm types:

• Message-Digest Hash Algorithm –Transforms digital signatures into shorter values called Message- Digests (MD).

• Secure Hash Algorithm (SHA) Hash Algorithm –Standard algorithm that creates a larger (60 bit) MD.

• From the list, select the log hashing algorithm that you want to use for your deployment.

If theHMAC Encryptionparameter is disabled, the following options are available:

• MD2 –Algorithm that is defined by RFC 1319.

• MD5 –Algorithm that is defined by RFC 1321.

• SHA-1 –Algorithm that is defined by Secure Hash Standard (SHS), NIST FIPS 180-1. This is the default setting.

• SHA-256 –Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS.

SHA-256 is a 255-bit hash algorithm that is intended for 128 bits of security against security attacks.

• SHA-384 –Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-384 is a bit hash algorithm, created by truncating the SHA-512 output.

• SHA-512 –Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-512 is a bit hash algorithm that is intended to provide 256 bits of security.

If theHMAC Encryptionparameter is enabled, the following options are available:

• HMAC-MD5 –An encryption method that is based on the MD5 hashing algorithm.

• HMAC-SHA-1 –An encryption method that is based on the SHA-1 hashing algorithm.

• HMAC-SHA-256 –An encryption method that is based on the SHA-256 hashing algorithm.

• HMAC-SHA-384 –An encryption method that is based on the SHA-384 hashing algorithm.

• HMAC-SHA-512 –An encryption method that is based on the SHA-512 hashing algorithm.

Hashing Algorithm

Table 32: System Settings Window Parameters (continued)

Description Parameter

A transaction sentry detects unresponsive applications using transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state.

The length of time you want the system to check for transactional issues in the database.

Transaction Max Time Limit

The transaction sentry can resolve all error conditions that are detected on the console or non-encrypted managed hosts.

If you selectNo, the conditions are detected and logged but you must manually intervene and correct the error.

Resolve Transaction on Non-Encrypted Host

The transaction sentry can resolve all error conditions that are detected on the encrypted managed host.

If you selectNo, the conditions are detected and logged but you must manually intervene and correct the error.

Resolve Transaction on Encrypted Host

SNMP Settings

The version of SNMP that you want to use. Disable this setting if you do not want SNMP responses in the JSA custom rules engine.

SNMP Version

SNMPv2c Settings

The IP address to which you want to send SNMP notifications.

Destination Host

The port number to which you want to send SNMP notifications.

Destination Port

The SNMP community, such as public.

Community

SNMPv3 Settings

The IP address to which you want to send SNMP notifications.

Destination Host

The port to which you want to send SNMP notifications.

Destination Port

The name of the user you want to access SNMP-related properties.

Username

The security level for SNMP.

Security Level

The algorithm that you want to use to authenticate SNMP traps.

Authentication Protocol

The password that you want to use to authenticate SNMP traps.

Authentication Password

The protocol that you want to use to decrypt SNMP traps.

Privacy Protocol

The password that is used to decrypt SNMP traps.

Privacy Password

Embedded SNMP Daemon Settings

Chapter 5: Set up JSA

Table 32: System Settings Window Parameters (continued)

Description Parameter

Enables access to data from the SNMP Agent using SNMP requests.

After you enable the embedded SNMP daemon, you must access the host that is specified in theDestination Hostparameter and type qradar in theUsernamefield. A password is not required. The location where you configure a destination host to communicate with JSA can vary depending on the vendor host. For more information on configuring your destination host to communicate with JSA, see your vendor documentation.

Enabled

The port that you want to use for sending SNMP requests.

Daemon Port

The SNMP community, such aspublic. This parameter applies only if you are using SNMPv2 and SNMPv3.

Community String

The systems that can access data from the SNMP agent using an SNMP request. If the Enabledoption is set to Yes, this option is enforced.

IP Access List

IF-MAP Client/Server Settings

The version of IF-MAP that you require.

The Interface For Metadata Access Points (IF-MAP) rule response enables JSAto publish alert and offense data derived from events, flows, and offense data on an IFMAP server.

If this setting is disabled, the other IF-MAP Client/Server settings are not displayed.

IF-MAP Version

The IP address of the IF-MAP server.

Server Address

The port number for the basic IF-MAP server.

Basic Server Port

The port number for the credential server.

Credential Server Port

The type of authentication that you require.

Before you can configure IF-MAP authentication, you must configure your IF-MAP server certificate. For more information on how to configure your IFMAP certificate, see“Configuring your IF-MAP Server Certificates” on page 85.

Authentication

The key password to be shared between the IF-MAP client and server.

This setting is displayed only when you select theMutualoption for theAuthenticationsetting.

Key Password

The user name that is required to access the IF-MAP server.

This setting is displayed only when you select theBasicoption for theAuthenticationsetting.

Username

The password that is required to access the IF-MAP server.

This setting is displayed only when you select theBasicoption for theAuthenticationsetting.

User Password

To configure system settings:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration.

3. Click the System Settings icon.

4. Configure the system settings.

5. Click Save.

6. On the Admin tab menu, select Advanced > Deploy Full Configuration.