Juniper Secure Analycs What’s New
Guide
Published
2021-05-25
RELEASE
7.4.2
Juniper Networks, Inc.
1133 Innovaon Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respecve owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publicaon without noce.
Juniper Secure Analycs What’s New Guide
7.4.2
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The informaon in this document is current as of the date on the tle page.
YEAR 2000 NOTICE
Juniper Networks hardware and soware products are Year 2000 compliant. Junos OS has no known me-related
limitaons through the year 2038. However, the NTP applicaon is known to have some diculty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentaon consists of (or is intended for use
with) Juniper Networks soware. Use of such soware is subject to the terms and condions of the End User License
Agreement ("EULA") posted at hps://support.juniper.net/support/eula/. By downloading, installing or using such
soware, you agree to the terms and condions of that EULA.
ii
About This Guide
Use this guide to understand whether to upgrade, plan training for the users that they support, and to
become aware of new capabilies.
iv
What’s New in JSA 7.4.2
JSA 7.4.2 includes enhancements to operaonal eciency, DSM Editor enhancements, and ow
improvements.
JSA
IN THIS SECTION
Operaonal Eciency | 2
DSM Editor Enhancements | 3
Flow Improvements | 4
What's Changed or Removed | 5
JSA 7.4.2 includes enhancements to operaonal eciency, DSM Editor enhancements, and ow
improvements.
Operaonal Eciency
The operaonal eciency improvements in JSA 7.4.2 include adjusng the number of MAC addresses
allowed for an asset.
Adjusng the Number of MAC Addresses Allowed for an Asset
In JSA 7.4.2, you can adjust the number of MAC addresses that are allowed for a single asset. In
previous releases of JSA, administrators were not able to adjust this number, which resulted in an error
message that stated that there were too many MAC addresses for the asset. Enter the number in the
Number of MAC Addresses Allowed for a Single Asset eld in the Asset Proler Conguraon window.
2
If you have users who log in from mulple wireless access points, or mulple users who log in remotely
through a VPN, you can set the number of MAC addresses that are allowed for the asset in the same
way that you can for IP addresses.
Figure 1: Asset Proler Conguraon Window
DSM Editor Enhancements
The DSM Editor enhancements in JSA 7.4.2 include generang regex to parse event properes.
Generang Regex for Parsing Event Properes
JSA 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you
are not familiar with creang regex expressions, use this feature to generate your regex.
Highlight the payload text that you want to capture and in the Properes tab, click Suggest Regex. The
suggested expression appears in the Expression eld. Alternavely, you can click the Regex buon in the
Workspace and select the property that you want to write an expression for. If JSA is unable to generate
a suitable regex for your data sample, a system message appears.
3
TIP: The regex generator works best for elds in well-structured event payloads. If your payload
consists of complex data from natural language or unstructured events, the regex generator
might not be able to parse it and does not return a result.
The following gure shows how you can generate your regex with the Suggest Regex buon in the
Properes tab, or with the Regex buon in the Workspace.
Figure 2: Suggest Regex Buon
Flow Improvements
JSA 7.4.2 introduces new ow algorithms, new accumulated byte and packet counters, and support for
MAC address elds.
Accumulated Byte and Packet Counters
Flows are reported in 1-minute intervals, and can span several minutes, hours, or even days. For sessions
that span more than a minute, JSA reports on the current metrics for the ow at the end of each 1-
minute interval. The byte and packet counters show the number of bytes and packets that were received
in that 1-minute interval.
In JSA 7.4.2, you can now see the total number of bytes and packets that accumulated over the duraon
of the ow session. The byte and packet counters for each 1-minute interval that the ow is observed
are also preserved.
You can view the accumulated counters by including the following elds in your search results.
• Accumulated source bytes
4
• Accumulated source packets
• Accumulated desnaon bytes
• Accumulated desnaon packets
New "Common Desnaon Port" Flow Direcon Algorithms
JSA provides informaon about which algorithm was used to determine the ow direcon.
JSA 7.4.2 introduces two new common desnaon port algorithms for use when the ow matches the
criteria, but the ow direcon is unchanged:
• Single common desnaon port (unaltered) (5)
• Both common desnaon ports, RFC 1700 preferred (unaltered) (6)
In previous releases of JSA, the common desnaon port algorithms were reported only when the ow
direcon was reversed. Most other ows used the Arrival me algorithm, including the ows that
matched the common desnaon port criteria but did not have the ow direcon reversed.
Now, the only ows that show the Arrival me annotaon in the Flow Direcon Algorithm eld are the
ows that do not match the criteria for any other ow direcon algorithm.
MAC Address Support
JSA can now receive MAC address informaon from IPFIX and NetFlow V9 exporters.
The following MAC address elds are supported in JSA 7.4.2:
• sourceMacAddress (IANA Element ID 56)
•postDesnaonMacAddress (IANA Element ID 57)
•desnaonMacAddress (IANA Element ID 80)
• postSourceMacAddress (IANA Element ID 81)
You can use the new MAC address elds in lters, searches, and rules.
What's Changed or Removed
In JSA 7.4.2, some features were changed or removed.
5
Acve Directory
User authencaon with Acve Directory (AD) is no longer supported as of JSA 7.4.2. Use Lightweight
Directory Access Protocol (LDAP) for user authencaon to an AD server instead.
GlusterFS no Longer Supported
GlusterFS is no longer supported in JSA. You must migrate any Event Collectors in your deployment to
Distributed Replicated Block Device before you upgrade to JSA 7.4.2. You must be running JSA 7.3.2 x
patch 3 or later before you can upgrade to JSA 7.4.2.
6
What’s New in JSA 7.4.1
JSA 7.4.1 includes enhancements to performance, security, workow enhancements, and ow
improvements.
JSA
IN THIS SECTION
DSM Editor Enhancements | 8
Security Enhancements | 9
Workow Enhancements in JSA | 9
Flow Improvements | 10
JSA 7.4.1 includes enhancements to performance, security, workow enhancements, and ow
improvements.
DSM Editor Enhancements
The DSM Editor enhancements in JSA 7.4.2 include generang regex to parse event properes.
Generang regex for parsing event properes
JSA 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you
are not familiar with creang regex expressions, use this feature to generate your regex.
Highlight the payload text that you want to capture and in the Properes tab, click Suggest Regex. The
suggested expression appears in the Expression eld. Alternavely, you can click the Regex buon in the
Workspace and select the property that you want to write an expression for. If JSA is unable to generate
a suitable regex for your data sample, a system message appears.
8
TIP: The regex generator works best for elds in well-structured event payloads. If your payload
consists of complex data from natural language or unstructured events, the regex generator
might not be able to parse it and does not return a result.
The following gure shows how you can generate your regex with the Suggest Regex buon in the
Properes tab, or with the Regex buon in the Workspace.
Figure 3: Suggest Regex Buon
Security Enhancements
Stronger security capabilies in JSA 7.4.1 include a more secure operang system.
More secure operang system
JSA 7.4.1 runs on Red Hat Enterprise Linux version 7.7. The update to RHEL V7.7 is necessary to
connue receiving security updates from Red Hat Enterprise Linux.
Workow Enhancements in JSA
Improvements to workow in JSA for 7.4.1 include the JSA Use Case Manager and an analyst workow
for invesgang oenses.
9
JSA Use Case Manager app installed by default
In JSA 7.4.1, the JSA Use Case Manager app is installed by default. Use the guided ps in JSA Use Case
Manager to help you ensure that JSA is opmally congured to accurately detect threats throughout the
aack chain. JSA Use Case Manager includes a rule explorer that oers exible reports that are related
to your rules. JSA Use Case Manager also exposes pre-dened mappings to system rules and to help you
map your own custom rules to MITRE ATT&CK taccs and techniques.
NOTE: User roles with the system administrator permission are updated automacally to include
the required permissions for the apps installed by default. All other user roles must be modied
to include the app permissions as needed.
QRadar Analyst Workow to help you invesgate oenses
QRadar Analyst Workow provides new methods for ltering oenses and events, and graphical
representaons of oenses, by magnitude, assignee, and type. The improved oenses workow
provides a more intuive method to invesgate oenses to determine the root cause of an issue and
work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or
shared searches, or by typing plain text into the search eld.
The workow includes a redesigned oenses page, an AQL search page, and access to compable apps
that are already installed on your JSA Console. QRadar Analyst Workow is supported on JSA 7.4.0 or
later.
For more informaon about the QRadar Analyst Workow, see the
Juniper Secure Analycs Users
Guide
.
Flow Improvements
JSA 7.4.1 introduces support for the owId eld in NetFlow V9 data exports.
Support for the ow ID eld in NetFlow V9 ow records
JSA now supports the owId eld (IANA element 148) in NetFlow Version 9 data exports. In JSA, the
eld appears in the Vendor Flow ID eld on the Flow Details window.
The ow ID is used as part of the ow's unique idener so that only ow records with the same ow
ID value are aggregated together. Sessions with dierent ow IDs are kept separate and mapped to
dierent Flow ID values.
10
You can use the owId eld in lters and searches to quickly idenfy all of the ow records in a
parcular session.
11
What’s New in JSA 7.4.0
JSA 7.4.0 family of products includes enhancements to performance, workow, security, and user
experience.
JSA
IN THIS SECTION
Performance Opmizaon | 13
Security Enhancements | 16
Workow enhancements in JSA | 17
Flow Improvements | 17
What's changed or removed | 18
JSA 7.4.0 includes enhancements to performance, security, workow enhancements, and ow
improvements.
Performance Opmizaon
The performance improvements in JSA 7.4.0 include enhanced parsing support for name value pairs and
generic list events, the ability to remove reference data when you uninstall a content extension, a faster
way to export content from the DSM Editor, and updates to ow records.
Enhanced Parsing Support for XML Events in the DSM Editor
In the DSM Editor, you can now easily parse both standard and custom properes from events in the
XML format without wring regular expressions (regex). When you enable Property autodiscovery for
log source types that consume XML events, all available elds are parsed as custom properes. With
these new capabilies, administrators and users who have permission to create custom properes, can
quickly and easily parse these events.
13
Use the DSM Editor to create a custom log source type to handle XML events in JSA. Add custom
properes to help parse an exisng log source type. Use simple XML expressions instead of regex to
dene how to parse custom properes. The DSM Editor automacally provides expressions for system
properes based on their predened keys in the XML specicaon.
Turn on XML property autodiscovery to discover custom properes for all XML elds in any events that
are received for the log source type. You can also use XML expressions in the Custom Event Property
Editor and when you manually create log source extensions.
The following gure shows where you parse XML events in the DSM Editor.
Figure 4: XML Structured Data Type
To learn more about enhanced parsing support for XML events, see the
Juniper Secure Analycs
Administraon Guide
.
DSM Parameter support in the DSM Editor
In JSA 7.4.0, if your log source type has DSM parameters, you can use the DSM Editor to congure the
DSM parameters. Enable the Display DSM Parameters Conguraon opon to view and edit the DSM
parameters.
14
The following gure shows conguring DSM parameters in the DSM Editor:
Figure 5: DSM Parameters Conguraon
15
To learn more about conguring DSM parameters in the DSM Editor, see the
Juniper Secure Analycs
Administraon Guide
.
Addional Standard Fields for Events
View addional details about your events. These details provide increased visibility into how events are
internally processed by JSA.
To learn more about event details, see the
Juniper Secure Analycs User Guide
.
Security Enhancements
Stronger security capabilies in JSA 7.4.0 include modifying the inacvity meout for user accounts.
More secure operang system
JSA 7.4.0 runs on Red Hat Enterprise Linux version 7.6. The update to RHEL V7.6 is necessary to
connue receiving security updates from Red Hat Enterprise Linux.
Reverse tunnel iniaon
The SSH tunnel between two managed hosts can now be iniated from the remote host instead of the
local host. For example, you have a connecon from an Event Processor in a secure environment to an
Event Collector that is outside of the secure environment. You also have a rewall rule that prevents you
from having a host outside the secure environment connect to a host in the secure environment. In JSA
7.4.0, you can switch which host creates the tunnel so that the connecon is established from the Event
Processor by selecng the Remote Tunnel Iniaon checkbox for the Event Collector.
To learn more about enhanced parsing support for XML events, see the
Juniper Secure Analycs
Administraon Guide
.
Secure email server
Send email to distribute alerts, reports, nocaons, and event messages to mail servers that require
authencaon.
You can congure an email server for your enre JSA deployment, or mulple email servers.
To learn more about conguring Secure email server, see the
Juniper Secure Analycs Administraon
Guide
.
16
Page is loading ...
Page is loading ...
Page is loading ...
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
Juniper JSA3800 User guide
- Type
- User guide
- This manual is also suitable for
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
-
Juniper JSA3800 User guide
-
-
-
-
Juniper JSA5800 Quick Start
-
-
-
-
Juniper JSA7500 Hardware Guide
-
Other documents
-
Quick SBC 1950 ADV PLUS User manual
-
ARISTA Analytics User guide
-
Motorola Concealed Weapons Detection Cloud Portal User guide
-
tekmar Belimo Actuator M3062 Installation guide
-
Biostar K8NHA-M Grand Owner's manual
-
Dux 26XL Specification
-
Patton SmartNode 4830 DSL Series User manual
-
Coleman 513K Owner's manual
-
Conair CS480 User manual
-
3M Hearing Protection DL DPR Operating instructions