Juniper JSA7500 User guide

Type
User guide

This manual is also suitable for

Juniper Secure Analycs What’s New
Guide
Published
2021-05-25
RELEASE
7.4.2
Juniper Networks, Inc.
1133 Innovaon Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respecve owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publicaon without noce.
Juniper Secure Analycs What’s New Guide
7.4.2
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The informaon in this document is current as of the date on the tle page.
YEAR 2000 NOTICE
Juniper Networks hardware and soware products are Year 2000 compliant. Junos OS has no known me-related
limitaons through the year 2038. However, the NTP applicaon is known to have some diculty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentaon consists of (or is intended for use
with) Juniper Networks soware. Use of such soware is subject to the terms and condions of the End User License
Agreement ("EULA") posted at hps://support.juniper.net/support/eula/. By downloading, installing or using such
soware, you agree to the terms and condions of that EULA.
ii
Table of Contents
About This Guide | iv
1
What’s New in JSA 7.4.2
What’s New in JSA 7.4.2 | 2
JSA | 2
2
What’s New in JSA 7.4.1
What’s New in JSA 7.4.1 | 8
JSA | 8
3
What’s New in JSA 7.4.0
What’s New in JSA 7.4.0 | 13
JSA | 13
JSA Vulnerability Manager and JSA Risk Manager | 18
iii
About This Guide
Use this guide to understand whether to upgrade, plan training for the users that they support, and to
become aware of new capabilies.
iv
1
CHAPTER
What’s New in JSA 7.4.2
What’s New in JSA 7.4.2 | 2
JSA | 2
What’s New in JSA 7.4.2
JSA 7.4.2 includes enhancements to operaonal eciency, DSM Editor enhancements, and ow
improvements.
JSA
IN THIS SECTION
Operaonal Eciency | 2
DSM Editor Enhancements | 3
Flow Improvements | 4
What's Changed or Removed | 5
JSA 7.4.2 includes enhancements to operaonal eciency, DSM Editor enhancements, and ow
improvements.
Operaonal Eciency
The operaonal eciency improvements in JSA 7.4.2 include adjusng the number of MAC addresses
allowed for an asset.
Adjusng the Number of MAC Addresses Allowed for an Asset
In JSA 7.4.2, you can adjust the number of MAC addresses that are allowed for a single asset. In
previous releases of JSA, administrators were not able to adjust this number, which resulted in an error
message that stated that there were too many MAC addresses for the asset. Enter the number in the
Number of MAC Addresses Allowed for a Single Asset eld in the Asset Proler Conguraon window.
2
If you have users who log in from mulple wireless access points, or mulple users who log in remotely
through a VPN, you can set the number of MAC addresses that are allowed for the asset in the same
way that you can for IP addresses.
Figure 1: Asset Proler Conguraon Window
DSM Editor Enhancements
The DSM Editor enhancements in JSA 7.4.2 include generang regex to parse event properes.
Generang Regex for Parsing Event Properes
JSA 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you
are not familiar with creang regex expressions, use this feature to generate your regex.
Highlight the payload text that you want to capture and in the Properes tab, click Suggest Regex. The
suggested expression appears in the Expression eld. Alternavely, you can click the Regex buon in the
Workspace and select the property that you want to write an expression for. If JSA is unable to generate
a suitable regex for your data sample, a system message appears.
3
TIP: The regex generator works best for elds in well-structured event payloads. If your payload
consists of complex data from natural language or unstructured events, the regex generator
might not be able to parse it and does not return a result.
The following gure shows how you can generate your regex with the Suggest Regex buon in the
Properes tab, or with the Regex buon in the Workspace.
Figure 2: Suggest Regex Buon
Flow Improvements
JSA 7.4.2 introduces new ow algorithms, new accumulated byte and packet counters, and support for
MAC address elds.
Accumulated Byte and Packet Counters
Flows are reported in 1-minute intervals, and can span several minutes, hours, or even days. For sessions
that span more than a minute, JSA reports on the current metrics for the ow at the end of each 1-
minute interval. The byte and packet counters show the number of bytes and packets that were received
in that 1-minute interval.
In JSA 7.4.2, you can now see the total number of bytes and packets that accumulated over the duraon
of the ow session. The byte and packet counters for each 1-minute interval that the ow is observed
are also preserved.
You can view the accumulated counters by including the following elds in your search results.
Accumulated source bytes
4
Accumulated source packets
Accumulated desnaon bytes
Accumulated desnaon packets
New "Common Desnaon Port" Flow Direcon Algorithms
JSA provides informaon about which algorithm was used to determine the ow direcon.
JSA 7.4.2 introduces two new common desnaon port algorithms for use when the ow matches the
criteria, but the ow direcon is unchanged:
Single common desnaon port (unaltered) (5)
Both common desnaon ports, RFC 1700 preferred (unaltered) (6)
In previous releases of JSA, the common desnaon port algorithms were reported only when the ow
direcon was reversed. Most other ows used the Arrival me algorithm, including the ows that
matched the common desnaon port criteria but did not have the ow direcon reversed.
Now, the only ows that show the Arrival me annotaon in the Flow Direcon Algorithm eld are the
ows that do not match the criteria for any other ow direcon algorithm.
MAC Address Support
JSA can now receive MAC address informaon from IPFIX and NetFlow V9 exporters.
The following MAC address elds are supported in JSA 7.4.2:
sourceMacAddress (IANA Element ID 56)
postDesnaonMacAddress (IANA Element ID 57)
desnaonMacAddress (IANA Element ID 80)
postSourceMacAddress (IANA Element ID 81)
You can use the new MAC address elds in lters, searches, and rules.
What's Changed or Removed
In JSA 7.4.2, some features were changed or removed.
5
Acve Directory
User authencaon with Acve Directory (AD) is no longer supported as of JSA 7.4.2. Use Lightweight
Directory Access Protocol (LDAP) for user authencaon to an AD server instead.
GlusterFS no Longer Supported
GlusterFS is no longer supported in JSA. You must migrate any Event Collectors in your deployment to
Distributed Replicated Block Device before you upgrade to JSA 7.4.2. You must be running JSA 7.3.2 x
patch 3 or later before you can upgrade to JSA 7.4.2.
6
2
CHAPTER
What’s New in JSA 7.4.1
What’s New in JSA 7.4.1 | 8
JSA | 8
What’s New in JSA 7.4.1
JSA 7.4.1 includes enhancements to performance, security, workow enhancements, and ow
improvements.
JSA
IN THIS SECTION
DSM Editor Enhancements | 8
Security Enhancements | 9
Workow Enhancements in JSA | 9
Flow Improvements | 10
JSA 7.4.1 includes enhancements to performance, security, workow enhancements, and ow
improvements.
DSM Editor Enhancements
The DSM Editor enhancements in JSA 7.4.2 include generang regex to parse event properes.
Generang regex for parsing event properes
JSA 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you
are not familiar with creang regex expressions, use this feature to generate your regex.
Highlight the payload text that you want to capture and in the Properes tab, click Suggest Regex. The
suggested expression appears in the Expression eld. Alternavely, you can click the Regex buon in the
Workspace and select the property that you want to write an expression for. If JSA is unable to generate
a suitable regex for your data sample, a system message appears.
8
TIP: The regex generator works best for elds in well-structured event payloads. If your payload
consists of complex data from natural language or unstructured events, the regex generator
might not be able to parse it and does not return a result.
The following gure shows how you can generate your regex with the Suggest Regex buon in the
Properes tab, or with the Regex buon in the Workspace.
Figure 3: Suggest Regex Buon
Security Enhancements
Stronger security capabilies in JSA 7.4.1 include a more secure operang system.
More secure operang system
JSA 7.4.1 runs on Red Hat Enterprise Linux version 7.7. The update to RHEL V7.7 is necessary to
connue receiving security updates from Red Hat Enterprise Linux.
Workow Enhancements in JSA
Improvements to workow in JSA for 7.4.1 include the JSA Use Case Manager and an analyst workow
for invesgang oenses.
9
JSA Use Case Manager app installed by default
In JSA 7.4.1, the JSA Use Case Manager app is installed by default. Use the guided ps in JSA Use Case
Manager to help you ensure that JSA is opmally congured to accurately detect threats throughout the
aack chain. JSA Use Case Manager includes a rule explorer that oers exible reports that are related
to your rules. JSA Use Case Manager also exposes pre-dened mappings to system rules and to help you
map your own custom rules to MITRE ATT&CK taccs and techniques.
NOTE: User roles with the system administrator permission are updated automacally to include
the required permissions for the apps installed by default. All other user roles must be modied
to include the app permissions as needed.
QRadar Analyst Workow to help you invesgate oenses
QRadar Analyst Workow provides new methods for ltering oenses and events, and graphical
representaons of oenses, by magnitude, assignee, and type. The improved oenses workow
provides a more intuive method to invesgate oenses to determine the root cause of an issue and
work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or
shared searches, or by typing plain text into the search eld.
The workow includes a redesigned oenses page, an AQL search page, and access to compable apps
that are already installed on your JSA Console. QRadar Analyst Workow is supported on JSA 7.4.0 or
later.
For more informaon about the QRadar Analyst Workow, see the
Juniper Secure Analycs Users
Guide
.
Flow Improvements
JSA 7.4.1 introduces support for the owId eld in NetFlow V9 data exports.
Support for the ow ID eld in NetFlow V9 ow records
JSA now supports the owId eld (IANA element 148) in NetFlow Version 9 data exports. In JSA, the
eld appears in the Vendor Flow ID eld on the Flow Details window.
The ow ID is used as part of the ow's unique idener so that only ow records with the same ow
ID value are aggregated together. Sessions with dierent ow IDs are kept separate and mapped to
dierent Flow ID values.
10
You can use the owId eld in lters and searches to quickly idenfy all of the ow records in a
parcular session.
11
3
CHAPTER
What’s New in JSA 7.4.0
What’s New in JSA 7.4.0 | 13
JSA | 13
JSA Vulnerability Manager and JSA Risk Manager | 18
What’s New in JSA 7.4.0
JSA 7.4.0 family of products includes enhancements to performance, workow, security, and user
experience.
JSA
IN THIS SECTION
Performance Opmizaon | 13
Security Enhancements | 16
Workow enhancements in JSA | 17
Flow Improvements | 17
What's changed or removed | 18
JSA 7.4.0 includes enhancements to performance, security, workow enhancements, and ow
improvements.
Performance Opmizaon
The performance improvements in JSA 7.4.0 include enhanced parsing support for name value pairs and
generic list events, the ability to remove reference data when you uninstall a content extension, a faster
way to export content from the DSM Editor, and updates to ow records.
Enhanced Parsing Support for XML Events in the DSM Editor
In the DSM Editor, you can now easily parse both standard and custom properes from events in the
XML format without wring regular expressions (regex). When you enable Property autodiscovery for
log source types that consume XML events, all available elds are parsed as custom properes. With
these new capabilies, administrators and users who have permission to create custom properes, can
quickly and easily parse these events.
13
Use the DSM Editor to create a custom log source type to handle XML events in JSA. Add custom
properes to help parse an exisng log source type. Use simple XML expressions instead of regex to
dene how to parse custom properes. The DSM Editor automacally provides expressions for system
properes based on their predened keys in the XML specicaon.
Turn on XML property autodiscovery to discover custom properes for all XML elds in any events that
are received for the log source type. You can also use XML expressions in the Custom Event Property
Editor and when you manually create log source extensions.
The following gure shows where you parse XML events in the DSM Editor.
Figure 4: XML Structured Data Type
To learn more about enhanced parsing support for XML events, see the
Juniper Secure Analycs
Administraon Guide
.
DSM Parameter support in the DSM Editor
In JSA 7.4.0, if your log source type has DSM parameters, you can use the DSM Editor to congure the
DSM parameters. Enable the Display DSM Parameters Conguraon opon to view and edit the DSM
parameters.
14
The following gure shows conguring DSM parameters in the DSM Editor:
Figure 5: DSM Parameters Conguraon
15
To learn more about conguring DSM parameters in the DSM Editor, see the
Juniper Secure Analycs
Administraon Guide
.
Addional Standard Fields for Events
View addional details about your events. These details provide increased visibility into how events are
internally processed by JSA.
To learn more about event details, see the
Juniper Secure Analycs User Guide
.
Security Enhancements
Stronger security capabilies in JSA 7.4.0 include modifying the inacvity meout for user accounts.
More secure operang system
JSA 7.4.0 runs on Red Hat Enterprise Linux version 7.6. The update to RHEL V7.6 is necessary to
connue receiving security updates from Red Hat Enterprise Linux.
Reverse tunnel iniaon
The SSH tunnel between two managed hosts can now be iniated from the remote host instead of the
local host. For example, you have a connecon from an Event Processor in a secure environment to an
Event Collector that is outside of the secure environment. You also have a rewall rule that prevents you
from having a host outside the secure environment connect to a host in the secure environment. In JSA
7.4.0, you can switch which host creates the tunnel so that the connecon is established from the Event
Processor by selecng the Remote Tunnel Iniaon checkbox for the Event Collector.
To learn more about enhanced parsing support for XML events, see the
Juniper Secure Analycs
Administraon Guide
.
Secure email server
Send email to distribute alerts, reports, nocaons, and event messages to mail servers that require
authencaon.
You can congure an email server for your enre JSA deployment, or mulple email servers.
To learn more about conguring Secure email server, see the
Juniper Secure Analycs Administraon
Guide
.
16
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23

Juniper JSA7500 User guide

Type
User guide
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI