Juniper Secure Analytics Users Guide
Release 7.3.0
Modified: 2017-09-13
Copyright © 2017, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2017 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in
the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Chapter 1
What's New for Users in JSA 7.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
What's New for Users in JSA 7.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Tenant Users Can Create Custom Properties . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Tenant Users Can Create Reference Data Collections . . . . . . . . . . . . . . . . . . . 21
Chapter 2
About JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Default License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Security Exceptions and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Navigate the Web-based Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Capabilities in Your JSA Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
JSA Product Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Supported Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Enabling Document Mode and Browser Mode in Internet Explorer . . . . . . . . . . . . 26
JSA Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
RESTful API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
JSA API Forum and Code Samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
User Interface Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Dashboard Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Offenses Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Log Activity Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Network Activity Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Assets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
JSA Risk Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
JSA Common Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Viewing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Sorting Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Refreshing and Pausing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Investigating IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Investigate User Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Updating User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Access Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Resize Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Page Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Chapter 3
Dashboard Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Dashboard Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Default Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Custom Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Customize Your Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Flow Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Log Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Most Recent Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
System Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Risk Monitoring Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Monitoring Policy Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Monitoring Risk Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Vulnerability Management Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
System Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Internet Threat Information Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Creating a Custom Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Using the Dashboard to Investigate Log or Network Activity . . . . . . . . . . . . . . . . . 48
Configuring Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Removing Dashboard Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Detaching a Dashboard Item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Renaming a Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Deleting a Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Managing System Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Adding Search-based Dashboard Items to the Add Items List . . . . . . . . . . . . . . . 53
Chapter 4
Offense Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Offense Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Offense Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Offense Chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Offense Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Offense Indexing Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
System Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Rule Action and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Example: Detecting Malware Outbreaks Based on the MD5 Signature . . . . . 58
Offense Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Protecting Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Unprotecting Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Offense Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Selecting an Offense to Investigate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Investigating an Offense by Using the Summary Information . . . . . . . . . . . . 63
Investigating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Investigating Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Offense Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Adding Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Hiding Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Showing Hidden Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Closing Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Exporting Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Assigning Offenses to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Sending Email Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Marking an Offense for Follow-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Chapter 5
Log Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Log Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Log Activity Tab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Log Activity Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Log Activity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Viewing Streaming Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Viewing Normalized Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Viewing Raw Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Viewing Grouped Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Viewing Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Event Details Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Viewing Associated Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Modifying Event Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Tuning False Positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
PCAP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Displaying the PCAP Data Column . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Viewing PCAP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Downloading the PCAP File to Your Desktop System . . . . . . . . . . . . . . . . . . . 92
Exporting Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Chapter 6
Network Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Network Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Network Tab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Network Activity Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
OverFlow Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Network Activity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Viewing Streaming Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Viewing Normalized Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Viewing Grouped Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Flow Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Flow Details Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Tuning False Positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Exporting Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Chapter 7
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Asset Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Collecting Asset Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Sources Of Asset Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Domain-aware Asset Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Incoming Asset Data Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Updates to Asset Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Identity Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Asset Reconciliation Exclusion Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Example: Asset Exclusion Rules That Are Tuned to Exclude IP Addresses from the Blacklist . . . . . . . . . . . . . . . . . . . 116
Blacklisting IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Tuning Asset Reconciliation Rules to Ignore Some Asset Updates . . . . . 117
Asset Merging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Identification Of Asset Growth Deviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
DHCP Server Example Of Unnatural Asset Growth in an Asset Profile . . . . . 118
Threshold Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
System Notifications That Indicate Asset Growth Deviations . . . . . . . . . . . . 119
Asset Data That Changes Frequently . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Example: How Configuration Errors for Log Source Extensions Can Cause Asset Growth Deviations . . . . . . . . . . . . . . . . . . . 119
Troubleshooting Asset Profiles That Exceed the Normal Size Threshold . . . 120
Explanation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Required User Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
New Asset Data is Added to the Asset Blacklists . . . . . . . . . . . . . . . . . . . . . . 121
Explanation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Required User Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Asset Blacklists and Whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Asset Blacklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Asset Whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Example Of a Whitelist Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Mass Entries to the Asset Whitelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Types Of Asset Whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Assets Tab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Viewing an Asset Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Adding or Editing an Asset Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Searching Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Saving Asset Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Asset Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Viewing Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Creating a New Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Editing a Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Copying a Saved Search to Another Group . . . . . . . . . . . . . . . . . . . . . . . 134
Removing a Group or a Saved Search from a Group . . . . . . . . . . . . . . . . 135
Asset Profile Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Deleting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Importing Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Exporting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Research Asset Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter 8
Chart Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Chart Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Chart Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Time Series Chart Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Chart Legends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Configuring Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Chapter 9
Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Event and Flow Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Creating a Customized Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Creating a Custom Column Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Deleting a Custom Column Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Saving Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Scheduled Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Advanced Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Accessing Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
AQL Search String Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
AQL Search String Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Quick Filter Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
How Do Quick Filter Search and Payload Tokens Work? . . . . . . . . . . 162
Offense Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Searching Offenses on the My Offenses and All Offenses Pages . . . . . . . . . 163
Searching Offenses on the By Source IP Page . . . . . . . . . . . . . . . . . . . . . . . . 168
Searching Offenses on the By Destination IP Page . . . . . . . . . . . . . . . . . . . . 169
Searching Offenses on the By Networks Page . . . . . . . . . . . . . . . . . . . . . . . . . 171
Saving Search Criteria on the Offenses Tab . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Searching for Offenses That Are Indexed on a Custom Property . . . . . . . . . . 172
Finding IOCs Quickly with Lazy Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Deleting Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Using a Subsearch to Refine Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Managing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Canceling a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Deleting a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Managing Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Viewing Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Creating a New Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Editing a Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Copying a Saved Search to Another Group . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Removing a Group or a Saved Search from a Group . . . . . . . . . . . . . . . . . . . 180
Search Example: Daily Employee Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Chapter 10
Custom Event and Flow Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Custom Event and Flow Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Required Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Custom Property Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Creating a Regex-based Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Creating a Calculation-based Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Modifying a Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Copying a Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Deleting a Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Chapter 11
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
What Are Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
What Are Building Blocks? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
How do Rules Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
How is an Offense Created from a Rule? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Custom Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
What Are Custom Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Rule Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Managing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Domain-specific Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Rule Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Creating a Custom Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Configuring an Event or Flow As False Positive . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Configuring a Rule Response to Add Data to a Reference Data Collection . . . . . 198
Editing Building Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Chapter 12
Historical Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Historical Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Historical Correlation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Data Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Rule Selection and Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Offense Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Creating a Historical Correlation Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Viewing Information About Historical Correlation Runs . . . . . . . . . . . . . . . . . . . . 204
Chapter 13
Juniper Networks X-Force Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Juniper Networks X-Force Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Internet Threat Information Center Dashboard Widget . . . . . . . . . . . . . . . . . . . . 207
IBM Security Threat Content Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Enabling X-Force Rules in JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
IP Address and URL Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Finding IP Address and URL Information in X-Force Exchange . . . . . . . . . . 209
Creating a URL Categorization Rule to Monitor Access to Certain Types Of Websites . . . . . . . . . . . . . . . . . . . 210
Confidence Factor and IP Address Reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Determining a Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Tuning False Positives with the Confidence Factor Setting . . . . . . . . . . . . . . 212
Searching Data from Juniper X-Force Exchange with Advanced Search Criteria . . . . . . . . . . . . . . . . . . . 213
Chapter 14
Report Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Report Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Timezone Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Report Tab Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Report Tab Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Report Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Chart Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Report Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Graph Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Creating Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Editing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Viewing Generated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Deleting Generated Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Manually Generating a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Duplicating a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Sharing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Branding Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Report Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Creating a Report Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Editing a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Sharing Report Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Assign a Report to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Copying a Report to Another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Removing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
List of Figures
Chapter 4
Offense Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 1: Offense Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 7
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Figure 2: Asset Data Workflow Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Chapter 2
About JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 3: Comparison Of JSA Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 4: Supported Web Browsers for JSA Products . . . . . . . . . . . . . . . . . . . . . . . 25
Table 5: Default Login Information for JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Table 6: Functions Available in the Messages Window . . . . . . . . . . . . . . . . . . . . . 30
Table 7: IP Addresses Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 8: Menu Options for User Name Investigation . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 3
Dashboard Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Table 9: Default Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Table 10: Offense Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Table 11: Log Activity Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 12: Configuring Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Chapter 5
Log Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 13: Log Activity Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Table 14: Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 15: Log Activity Tab - Default (Normalized) Parameters . . . . . . . . . . . . . . . . 77
Table 16: Raw Event Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 17: Grouped Events Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 18: Grouped Event Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 19: Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Table 20: Event Details Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter 6
Network Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Table 21: Network Activity Tab Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Table 22: Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Table 23: Parameters for the Network Activity Tab . . . . . . . . . . . . . . . . . . . . . . . . 100
Table 24: Grouped Flow Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Table 25: Grouped Flow Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Table 26: Flow Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 27: Description Of the Flow Details Toolbar . . . . . . . . . . . . . . . . . . . . . . . . 108
Chapter 7
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 28: Rule Tests and Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Table 29: Reference Collection Names for Asset Blacklist Data . . . . . . . . . . . . . . 122
Table 30: Reference Collection Name for Asset Whitelist Data . . . . . . . . . . . . . . 123
Table 31: Asset Profile Page Toolbar Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Table 32: Asset Search Groups Window Toolbar Functions . . . . . . . . . . . . . . . . . 133
Chapter 8
Chart Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Table 33: Time Series Charts Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Chapter 9
Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Table 34: Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Table 35: Examples Of AQL Search Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Table 36: Examples Of AQL Search Strings for X-Force . . . . . . . . . . . . . . . . . . . . 157
Table 37: Quick Filter Syntax Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Table 38: My Offenses and All Offenses Page Search Options . . . . . . . . . . . . . . 163
Table 39: Offense Type Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Table 40: By Source IP Page Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Table 41: By Destination IP Page Search Options . . . . . . . . . . . . . . . . . . . . . . . . . 169
Table 42: Search Options for Search Offense Data on the By Networks Page . . . 171
Table 43: Search Group Window Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 44: Search Group Window Toolbar Functions . . . . . . . . . . . . . . . . . . . . . . . 178
Chapter 10
Custom Event and Flow Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Table 45: Custom Properties Window Parameters (regex) . . . . . . . . . . . . . . . . . 185
Table 46: Custom Property Definition Window Parameters (calculation) . . . . . 186
Table 47: Custom Properties Window Columns . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Table 48: Custom Property Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 13
Juniper Networks X-Force Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Table 49: AlertCon Threat Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Chapter 14
Report Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Table 50: Chart Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Table 51: Chart Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Table 52: Report Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Table 53: Graph Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
About the Documentation
• Documentation and Release Notes on page xv
• Documentation Conventions on page xv
• Documentation Feedback on page xvii
• Requesting Technical Support on page xviii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page xvi defines notice icons used in this guide.
Table 1: Notice Icons
Icon (Meaning) | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.
Table 2 on page xvi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description: Introduces or emphasizes important new terms; identifies guide names;
  identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in
  commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and
  directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols
    ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables
  on either side of the symbol. The set of choices is often enclosed in parentheses
  for clarity.
  Examples: broadcast | multicast
            (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration
  statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Example (indention, braces, and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
  at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
  and use the pop-up form to provide us with information about your experience.
  Alternately, you can use the online feedback form at
  http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
  or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
  review the JTAC User Guide located at
  http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
  http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
  7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: http://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
  http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
  http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
  http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
CHAPTER 1
What's New for Users in JSA 7.3.0
• What's New for Users in JSA 7.3.0 on page 21
What's New for Users in JSA 7.3.0
JSA 7.3.0 introduces new capabilities for users in a multi-tenant environment.
Tenant Users Can Create Custom Properties
You can create custom properties to extract or calculate important information from the
event or flow payload without assistance from your Managed Security Service Provider
(MSSP) administrator. With this capability, you can search, view, and report on data that
JSA does not typically normalize and display.
Your MSSP administrator might decide to optimize custom properties that you use
frequently in rules and reports.
“Custom Event and Flow Properties” on page 183
Tenant Users Can Create Reference Data Collections
In JSA 2014.8, you can view reference data that is created by your MSSP administrator.
Now, in 7.3.0, you can create and manage your own reference data collections without
assistance from your MSSP Administrator.
With this capability, you can maintain lists of data that you want to refer to frequently,
such as a list of IP addresses or user names, and use the data in JSA searches, filters, rule
test conditions, and rule responses. For example, a rule test can compare the URL in a
proxy event against a reference set of prohibited URLs and raise an offense when an
employee browses one of those websites. JSA observes and alerts on the traffic; blocking
it is still the job of your proxy or firewall.
To manage reference data, your MSSP Administrator must assign the Delegated
Administration > Manage Reference Data user role to your account.
To learn more about creating and managing reference data collections, see the Juniper
Secure Analytics Administration Guide.
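The two capabilities above, a regex-based custom event property and a reference set used in a rule test, are shown working together in the following Python example. This is an added example, not code from the JSA guide or from Juniper: the proxy-style payloads, the regex, and the reference-set contents are constructed for illustration, and the hostname normalization and parent-domain matching are design choices of the example rather than JSA behaviour (a JSA reference set compares exact values, so if you want parent-domain matching in JSA you must load the parent domains, or normalize the property to the registrable domain, yourself). JSA stores the value of the regex capture group that you select as the property value; the example uses the first group.

```python
"""Added example (not from the JSA guide): a regex custom event property
feeding a reference-set lookup, as a rule test would evaluate it.
All payloads, regexes and reference-set contents are constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample payloads in a Squid-like access-log shape (not real data).
SAMPLE_PAYLOADS = [
    "1505300001.123 87 10.1.2.3 TCP_MISS/200 1024 GET http://www.example.com/index.html alice DIRECT/192.0.2.10 text/html",
    "1505300002.456 12 10.1.2.4 TCP_TUNNEL/200 512 CONNECT updates.example.net:443 bob DIRECT/192.0.2.20 -",
    "1505300003.789 40 10.1.2.5 TCP_MISS/200 2048 GET http://intranet.example.org/wiki carol DIRECT/192.0.2.30 text/html",
]

# Regex for a custom event property "Requested URL" (assumed name). Exactly one
# capture group is defined, because the group value becomes the property value.
URL_PROPERTY_REGEX = re.compile(r"\b(?:GET|POST|PUT|DELETE|HEAD|CONNECT)\s+(\S+)")

# Constructed reference set "Prohibited URLs" (assumed name), loaded as hostnames.
PROHIBITED_URLS = {"www.example.com", "example.net"}


def extract_property(payload, regex=URL_PROPERTY_REGEX):
    """Return the capture-group value, or None when the regex does not match
    (an unmatched custom property is simply empty on the event)."""
    m = regex.search(payload)
    return m.group(1) if m else None


def normalize_host(value):
    """Reduce a URL or bare host:port to a lowercase hostname so that the
    lookup below is an exact-value comparison, like a JSA reference set."""
    if not value:
        return None
    if "://" not in value:
        value = "//" + value            # lets urlsplit parse a bare host:port
    host = urlsplit(value).hostname     # already lowercased by urlsplit
    return host or None


def in_reference_set(host, ref_set=PROHIBITED_URLS):
    """Exact match plus parent-domain match, so 'example.net' in the set also
    covers 'updates.example.net'. The bare TLD is never tested."""
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in ref_set for i in range(len(labels) - 1))


def check_payloads(payloads=SAMPLE_PAYLOADS):
    """Run every payload through extraction and the reference-set test and
    return (host, flagged) per payload; flagged events are the ones a rule
    'when the event property is contained in the reference set' would fire on."""
    results = []
    for payload in payloads:
        host = normalize_host(extract_property(payload))
        results.append((host, in_reference_set(host)))
    return results


if __name__ == "__main__":
    for host, flagged in check_payloads():
        print("%-25s %s" % (host, "PROHIBITED" if flagged else "ok"))
```

Two details matter when you build the real property and rule in JSA. First, anchor the regex on something stable in the payload (here the HTTP method) rather than on column position, because proxies reorder and omit fields. Second, normalize before you compare: a reference set holding "www.example.com" will not match the raw property value "http://www.example.com/index.html", so either extract only the host with the regex or load the set with the exact strings the property produces.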
CHAPTER 2
About JSA
• About JSA on page 23
• Capabilities in Your JSA Product on page 24
• Supported Web Browsers on page 25
• Enabling Document Mode and Browser Mode in Internet Explorer on page 26
• JSA Login on page 26
• RESTful API on page 27
• User Interface Tabs on page 27
• JSA Common Procedures on page 29
About JSA
JSA is a network security management platform that provides situational awareness and
compliance support through the combination of flow-based network knowledge, security
event correlation, and asset-based vulnerability assessment.
Default License Key
A default license key provides access to the user interface for five weeks. After you log
in to JSA, a window displays the date that the temporary license key expires. For more
information about installing a license key, see the Juniper Secure Analytics Administration
Guide.
Security Exceptions and Certificates
The JSA console is served over HTTPS with a certificate that your browser does not trust
by default, so the supported browsers prompt you before the login page loads.
If you are using the Mozilla Firefox web browser, you must add a security exception for
the console in Mozilla Firefox before you can log in to JSA. For more information, see
your Mozilla Firefox web browser documentation.
If you are using the Microsoft Internet Explorer web browser, a website security certificate
message is displayed when you access the JSA system. You must select the Continue to
this website option to log in to JSA.
Clicking through these prompts teaches analysts to ignore certificate warnings and leaves
them with no way to tell the real console from a spoofed one. Rather than adding an
exception on every workstation, replace the default certificate with one issued by a CA
that your browsers already trust.
Navigate the Web-based Application
When you use JSA, use the navigation options available in the JSA user interface instead
of your web browser Back button.
Related Documentation
• Capabilities in Your JSA Product on page 24
• Supported Web Browsers on page 25
• Enabling Document Mode and Browser Mode in Internet Explorer on page 26
Capabilities in Your JSA Product
JSA product documentation describes functionality such as offenses, flows, assets, and
historical correlation, that might not be available in all JSA products. Depending on the
product that you are using, some documented features might not be available in your
deployment. Review the capabilities for each product to guide you to the information
that you need.
• Log Manager: a basic, high-performance, and scalable solution for collecting, analyzing,
  storing, and reporting on large volumes of network and security event logs.
• JSA: an advanced offering that includes the full range of security intelligence
  capabilities for on-premises deployments. It consolidates log source and network flow
  data from thousands of assets, devices, endpoints, and applications that are distributed
  throughout your network, and performs immediate normalization and correlation
  activities on the raw data to distinguish real threats from false positives.
JSA Product Capabilities
Review the following table to compare the capabilities in each product.
Table 3: Comparison Of JSA Capabilities
Capability | JSA | Log Manager
Full administrative capabilities | Yes | Yes
Supports hosted deployments | No | No
Customizable dashboards | Yes | Yes
Custom rules engine | Yes | Yes
Manage network and security events | Yes | Yes
Manage host and application logs | Yes | Yes
Threshold-based alerts | Yes | Yes
Compliance templates | Yes | Yes
Data archiving | Yes | Yes
Juniper X-Force Threat Intelligence IP reputation feed integration | Yes | Yes
WinCollect stand-alone deployments | Yes | Yes
WinCollect managed deployments | Yes | Yes
JSA Vulnerability Manager integration | Yes | Yes
Network activity monitoring | Yes | No
Asset profiling | Yes | No (1)
Offenses management | Yes | No
Network flow capture and analysis | Yes | No
Historical correlation | Yes | No
JSA Risk Manager integration | Yes | No
(1) Log Manager tracks asset data only if JSA Vulnerability Manager is installed.
Some documentation, such as the Juniper Secure Analytics Administration Guide and the
Juniper Secure Analytics Users Guide, is common across multiple products and might
describe capabilities that are not available in your deployment.
Related Documentation
• Supported Web Browsers on page 25
• Enabling Document Mode and Browser Mode in Internet Explorer on page 26
• JSA Login on page 26
Supported Web Browsers
For the features in JSA products to work properly, you must use a supported web browser.
The following table lists the supported versions of web browsers.
Table 4: Supported Web Browsers for JSA Products
Web browser | Supported versions
Mozilla Firefox | 45.2 Extended Support Release
64-bit Microsoft Internet Explorer with Microsoft Edge mode enabled | 11.0
Related Documentation
• Enabling Document Mode and Browser Mode in Internet Explorer on page 26
• JSA Login on page 26
• RESTful API on page 27
Enabling Document Mode and Browser Mode in Internet Explorer
If you use Microsoft Internet Explorer to access JSA products, you must enable browser
mode and document mode.
1. In your Internet Explorer web browser, press F12 to open the Developer Tools window.
2. Click Browser Mode and select the version of your web browser.
3. Click Document Mode, and select the Internet Explorer standards for your Internet
   Explorer release.
Related Documentation
• JSA Login on page 26
• RESTful API on page 27
• User Interface Tabs on page 27
JSA Login
JSA is a web-based application. JSA uses default login information for the URL, user
name, and password.
Use the information in the following table when you log in to your JSA console.
Table 5: Default Login Information for JSA
Login information | Default
URL | https://<IP Address>, where <IP Address> is the IP address of the JSA console.
      To log in to JSA in an IPv6 environment, wrap the IP address in square brackets:
      https://[<IP Address>]
User name | admin
Password | The password that is assigned to JSA during the installation process.
License key | A default license key provides you access to the system for 5 weeks.
Related Documentation
• RESTful API on page 27
• User Interface Tabs on page 27
• JSA Common Procedures on page 29
RESTful API
The representational state transfer (REST) application programming interface (API) is
useful when you want to integrate JSA with other solutions. You can perform actions on
the JSA console by sending HTTPS requests to specific endpoints (URLs) on the JSA
console.
Each endpoint contains the URL of the resource that you want to access and the action
that you want to complete on that resource. The action is indicated by the HTTP method
of the request: GET, POST, PUT, or DELETE. For more information about the parameters
and responses for each endpoint, see the Juniper Secure Analytics API Guide.
JSA API Forum and Code Samples
The API forum provides more information about the REST API, including the answers to
frequently asked questions and annotated code samples that you can use in a test
environment.
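The following Python example shows what such an HTTPS request looks like in practice: building a GET against an offenses endpoint with a filter and a page range, sending the credential in a header rather than in the URL, and verifying the console's TLS certificate against a CA bundle instead of disabling verification. It is an added example, not code from this guide, the Juniper Secure Analytics API Guide, or the API forum. The endpoint path /api/siem/offenses, the SEC token header, the Version header, the query parameters and the Range header are assumptions drawn from the QRadar-derived API that JSA exposes; confirm each against the API Guide for your release. The response body is constructed, not captured from a live system.

```python
"""Added example (not from the JSA guide or API Guide): build, send and parse
a JSA REST API request. Endpoint, header names and parameters are assumptions
to be checked against the Juniper Secure Analytics API Guide."""
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def build_offense_request(console, token, api_version="8.0", status="OPEN",
                          start=0, page_size=50):
    """Return (url, headers) for GET /api/siem/offenses (assumed path), filtered
    to one status and paged with a Range header. The token goes in a header,
    never in the URL, so it does not end up in proxy or web-server logs."""
    params = {
        "filter": 'status="%s"' % status,          # assumed filter syntax
        "fields": "id,severity,magnitude,description,offense_source",
        "sort": "-magnitude",
    }
    url = "https://%s/api/siem/offenses?%s" % (console, urlencode(params))
    headers = {
        "SEC": token,                # assumed authorized-service token header
        "Version": api_version,      # assumed API version header
        "Accept": "application/json",
        "Range": "items=%d-%d" % (start, start + page_size - 1),
    }
    return url, headers


def fetch_json(url, headers, ca_bundle, timeout=30):
    """GET with TLS verification against the CA that signed the console's
    certificate. There is deliberately no 'verify=False' escape hatch."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_offense_response(resp.read().decode("utf-8"))


def parse_offense_response(text):
    """Decode the JSON list the endpoint returns."""
    return json.loads(text)


def summarize_offenses(offenses, min_magnitude=5):
    """Keep offenses at or above a magnitude threshold and return
    (id, magnitude, description) tuples, highest magnitude first."""
    keep = [o for o in offenses if o.get("magnitude", 0) >= min_magnitude]
    keep.sort(key=lambda o: o["magnitude"], reverse=True)
    return [(o["id"], o["magnitude"], o.get("description", "")) for o in keep]


# Constructed response body shaped like an offenses list (not captured data).
SAMPLE_RESPONSE = json.dumps([
    {"id": 101, "severity": 7, "magnitude": 6,
     "description": "Multiple Login Failures followed by Success",
     "offense_source": "198.51.100.7"},
    {"id": 102, "severity": 3, "magnitude": 2,
     "description": "Excessive Firewall Denies",
     "offense_source": "198.51.100.9"},
    {"id": 103, "severity": 9, "magnitude": 8,
     "description": "Remote Desktop Access from the Internet",
     "offense_source": "203.0.113.4"},
])

if __name__ == "__main__":
    url, headers = build_offense_request("jsa-console.example.com", "replace-with-token")
    print(url)
    # Live call would be: fetch_json(url, headers, "/etc/pki/jsa-ca.pem")
    for row in summarize_offenses(parse_offense_response(SAMPLE_RESPONSE)):
        print(row)
```

Use an authorized-service token with only the permissions the integration needs, not the admin user's session, and give fetch_json the CA bundle that actually issued the console certificate; if you find yourself tempted to disable verification to make the call work, that is the same problem as the browser security exception above, and the fix is the same.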
Related Documentation
• User Interface Tabs on page 27
• JSA Common Procedures on page 29
• JSA Login on page 26
User Interface Tabs
Functionality is divided into tabs. The Dashboard tab is displayed when you log in.
You can easily navigate the tabs to locate the data or functionality you require.
Dashboard Tab
The Dashboard tab is the default tab that is displayed when you log in.
The Dashboard tab provides a workspace environment that supports multiple dashboards
on which you can display your views of network security, activity, or data that JSA collects.
Five default dashboards are available. Each dashboard contains items that provide
summary and detailed information about offenses that occur on your network. You can
also create a custom dashboard to allow you to focus on your security or network
operations responsibilities. For more information about using the Dashboard tab, see
“Dashboard Management” on page 37.
The Dashboard tab is the default tab that is displayed when you log in to Log Manager.
It provides a workspace environment that provides summary and detailed information
on events occurring in your network.
Offenses Tab
The Offenses tab lets you view offenses that occur on your network, which you can locate
by using various navigation options or through powerful searches.
From the Offenses tab, you can investigate an offense to determine the root cause of an
issue, and then resolve the issue.
For more information about the Offenses tab, see “Offense Management” on page 55.
Log Activity Tab
The Log Activity tab lets you investigate event logs as they are sent to JSA in real time,
perform powerful searches, view log activity by using configurable time-series charts,
and perform in-depth investigations on event data.
For more information, see “Log Activity Investigation” on page 73.
Network Activity Tab
Use the Network Activity tab to investigate flows as they are sent in real time, perform
powerful searches, and view network activity by using configurable time-series charts.
A flow is a communication session between two hosts. Viewing flow information lets you
determine how the traffic is communicated, what is communicated (if the content capture
option is enabled), and who is communicating. Flow data also includes details such as
protocols, ASN values, IFIndex values, and priorities.
For more information, see “Network Activity Investigation” on page 95.
Assets Tab
JSA automatically discovers assets, servers, and hosts that operate on your network.
Automatic discovery is based on passive flow data and vulnerability data, which lets JSA
build an asset profile.
Asset profiles provide information about each known asset in your network, including
identity information, if available, and what services are running on each asset. This profile
data is used for correlation purposes to help reduce false positives.
For example, an attack tries to use a specific service that is running on a specific asset.
In this situation, JSA can determine whether the asset is vulnerable to this attack by
correlating the attack to the asset profile. Using the Assets tab, you can view the learned
assets or search for specific assets to view their profiles.
Reports Tab
The Reports tab lets you create, distribute, and manage reports for any data within JSA.
The Reports feature lets you create customized reports for operational and executive
use. To create a report, you can combine information (such as security or network data)
into a single report. You can also use the preinstalled report templates that are included
with JSA.
The Reports tab also lets you brand your reports with customized logos. This
customization is useful when you distribute reports to different audiences.
For more information about reports, see “Report Management” on page 215.
JSA Risk Manager
JSA Risk Manager is a separately installed appliance for monitoring device configurations,
simulating changes to your network environment, and prioritizing risks and vulnerabilities
in your network.
JSA Risk Manager uses configuration data that is collected from network and security
devices, such as firewalls, routers, switches, and IPSs, together with vulnerability feeds
and vendor security sources. This data is used to identify security, policy, and compliance
risks within your network security infrastructure and the probability that those risks are
exploited.
NOTE: For more information about Juniper Secure Analytics Risk Manager,
contact your local sales representative.
Related Documentation
• JSA Common Procedures on page 29
• JSA Login on page 26
• RESTful API on page 27
JSA Common Procedures
Various controls on the JSA user interface are common to most user interface tabs.
Information about these common procedures is described in the following sections.
Viewing Messages
The Messages menu, which is on the upper right corner of the user interface, provides
access to a window in which you can read and manage your system notifications.
For system notifications to show on the Messages window, the administrator must create
a rule that is based on each notification message type and select the Notify check box
in the Custom Rules Wizard.
The Messages menu shows how many unread system notifications you have. The count
keeps increasing until you dismiss notifications. For each system notification, the
Messages window provides a summary and the date stamp for when the system
notification was created. You can hover your mouse pointer over a notification to view
more detail. Using the functions on the Messages window, you can manage the system
notifications.
System notifications are also available on the Dashboard tab and on an optional pop-up
window that can be displayed on the lower left corner of the user interface. Actions that
you perform in the Messages window are propagated to the Dashboard tab and the
pop-up window. For example, if you close a system notification from the Messages
window, the system notification is removed from all system notification displays.
For more information about Dashboard system notifications, see “Managing System
Notifications” on page 52.
The Messages window provides the following functions:
Table 6: Functions Available in the Messages Window
All: Click All to view all system notifications. This option is the default; therefore, you click All only if you selected another option and want to display all system notifications again.
Health: Click Health to view only system notifications that have a severity level of Health.
Errors: Click Errors to view only system notifications that have a severity level of Error.
Warnings: Click Warnings to view only the system notifications that have a severity level of Warning.
Information: Click Information to view only the system notifications that have a severity level of Information.
Dismiss All: Click Dismiss All to close all system notifications from your system. If you filtered the list of system notifications by using the Health, Errors, Warnings, or Information icons, the text on the Dismiss All icon changes to one of the following options: Dismiss All Errors, Dismiss All Health, Dismiss All Warnings, or Dismiss All Info.
View All: Click View All to view the system notification events in the Log Activity tab. If you filtered the list of system notifications by using the Health, Errors, Warnings, or Information icons, the text on the View All icon changes to one of the following options: View All Errors, View All Health, View All Warnings, or View All Info.
Dismiss: Click the Dismiss icon beside a system notification to close the system notification from your system.
1. Log in to JSA.
2. On the upper right corner of the user interface, click Messages.
3. On the Messages window, view the system notification details.
4. Optional. To refine the list of system notifications, click one of the following options:
• Errors
• Warnings
• Information
5. Optional. To close system notifications, choose one of the following options:
• Dismiss All: Click to close all system notifications.
• Dismiss: Click the Dismiss icon next to the system notification that you want to close.
6. Optional. To view the system notification details, hover your mouse pointer over the
system notification.
Sorting Results
You sort the results in tables by clicking a column heading. An arrow at the top of the
column indicates the direction of the sort.
1. Log in to JSA.
2. Click the column header once to sort the table in descending order; twice to sort the
table in ascending order.
Refreshing and Pausing the User Interface
You can manually refresh, pause, and play the data that is displayed on tabs.
• Dashboard tab--The Dashboard tab automatically refreshes every 60 seconds. The timer, which is on the upper right corner of the interface, indicates the amount of time that remains until the tab is automatically refreshed. Click the title bar of any dashboard item to automatically pause the refresh timer. The timer flashes red to indicate that the current display is paused.
• Log Activity and Network Activity tabs--The Log Activity and Network Activity tabs automatically refresh every 60 seconds if you are viewing the tab in Last Interval (auto refresh) mode. When you view the Log Activity or Network Activity tab in Real Time (streaming) or Last Minute (auto refresh) mode, you can use the Pause icon to pause the current display.
• Offenses tab--The Offenses tab must be refreshed manually. The timer, which is on the upper right corner of the interface, indicates the amount of time since the data was last refreshed. The timer flashes red when the timer is paused.
1. Log in to JSA.
2. Click the tab that you want to view.
3. Choose one of the following options:
• Refresh: Click Refresh, on the right corner of the tab, to refresh the tab.
• Pause: Click to pause the display on the tab.
• Play: Click to restart the timer after the timer is paused.
Investigating IP Addresses
You can use several methods to investigate information about IP addresses on the
Dashboard, Log Activity, and Network Activity tabs.
1. Log in to JSA.
2. Click the tab that you want to view.
3. Move your mouse pointer over an IP address to view the location of the IP address.
4. Right-click the IP address or asset name and select one of the following options:
Table 7: IP Addresses Information
Navigate >View by Network: Displays the networks that are associated with the selected IP address.
Navigate >View Source Summary: Displays the offenses that are associated with the selected source IP address.
Navigate >View Destination Summary: Displays the offenses that are associated with the selected destination IP address.
Information >DNS Lookup: Searches for DNS entries that are based on the IP address.
Information >WHOIS Lookup: Searches for the registered owner of a remote IP address. The default WHOIS server is whois.arin.net.
Information >Port Scan: Performs a Network Mapper (NMAP) scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information about installing NMAP, see your vendor documentation.
Information >Asset Profile: Displays asset profile information. This option is displayed if JSA Vulnerability Manager is purchased and licensed. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide. This menu option is available if JSA acquired profile data, either actively through a scan or passively through flow sources. For information, see the Juniper Secure Analytics Administration Guide.
Information >Search Events: Searches for events that are associated with this IP address.
Information >Search Flows: Searches for flows that are associated with this IP address.
Information >Search Connections: Searches for connections that are associated with this IP address. This option is only displayed if you purchased JSA Risk Manager and connected JSA and the JSA Risk Manager appliance. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
Information >Switch Port Lookup: Determines the switch port on a Cisco IOS device for this IP address. This option applies only to switches that are discovered by using the Discover Devices option on the Risks tab. NOTE: This menu option isn't available in Log Manager.
Information >View Topology: Displays the Risks tab, which depicts the layer 3 topology of your network. This option is available if you purchased JSA Risk Manager and connected JSA and the JSA Risk Manager appliance.
Run Vulnerability Scan: Select the Run Vulnerability Scan option to run a JSA Vulnerability Manager scan on this IP address. This option is only displayed when JSA Vulnerability Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
Investigate User Names
You can right-click a user name to access more menu options. Use these options to view
more information about the user name or IP address.
You can investigate user names when JSA Vulnerability Manager is purchased and
licensed. For more information, see the Juniper Secure Analytics Vulnerability Manager
User Guide.
When you right-click a user name, you can choose the following menu options.
Table 8: Menu Options for User Name Investigation
View Assets: Displays current assets that are associated with the selected user name.
View User History: Displays all assets that are associated with the selected user name over the previous 24 hours.
View Events: Displays the events that are associated with the selected user name. For more information about the List of Events window, see “Log Activity Investigation” on page 73.
For more information about customizing the right-click menu, see the Juniper Secure
Analytics Administration Guide for your product.
System Time
The right corner of the JSA user interface displays system time, which is the time on the
console.
The console time synchronizes the JSA systems within the JSA deployment. The console
time is used to determine when events were received from other devices, so that events
from different sources are correlated against a single synchronized clock.
In a distributed deployment, the console might be in a different time zone from your
desktop computer.
When you apply time-based filters and searches on the Log Activity and Network Activity
tabs, you must use the console system time to specify a time range.
Updating User Preferences
You can set your user preference, such as locale, in the main JSA user interface.
1. To access your user information, click Preferences.
2. Update your preferences:
Username: Displays your user name. You cannot edit this field.
Password: JSA user passwords are stored as a salted SHA-256 string. The password must meet the following criteria:
• Minimum of 6 characters
• Maximum of 255 characters
• Contain at least 1 special character
• Contain 1 uppercase character
Password (Confirm): Password confirmation.
Email Address: The email address must meet the following requirements:
• Minimum of 10 characters
• Maximum of 255 characters
Locale: JSA is available in the following languages: English, Simplified Chinese, Traditional Chinese, Japanese, Korean, French, German, Italian, Spanish, Russian, and Portuguese (Brazil). If you choose a different language, the user interface displays in English. Other associated cultural conventions, such as character type, collation, format of date and time, and currency unit, are used.
Enable Popup Notifications: Select this check box if you want to enable pop-up system notifications to be displayed on your user interface.
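The password and email criteria listed above can be checked before a preference update is submitted. The following Python functions are an added example, not JSA code; they assume that a "special character" is any printable character that is neither alphanumeric nor whitespace (the guide does not define the term), and the sample values are constructed.

```python
"""Check JSA user-preference fields against the criteria listed in the guide.

Added example, not JSA code. Assumption (the guide does not define the term):
a "special character" is any printable character that is neither alphanumeric
nor whitespace.
"""
from typing import Dict, List

PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 6, 255   # stated password length limits
EMAIL_MIN_LEN, EMAIL_MAX_LEN = 10, 255        # stated email length limits


def is_special(ch: str) -> bool:
    """Assumed definition: printable, not alphanumeric, not whitespace."""
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def password_violations(password: str) -> List[str]:
    """Return the stated criteria that the password fails; empty means acceptable."""
    problems: List[str] = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    if len(password) > PASSWORD_MAX_LEN:
        problems.append(f"longer than {PASSWORD_MAX_LEN} characters")
    if not any(is_special(ch) for ch in password):
        problems.append("no special character")
    if not any(ch.isupper() for ch in password):
        problems.append("no uppercase character")
    return problems


def email_violations(email: str) -> List[str]:
    """Return the stated length requirements that the email address fails."""
    problems: List[str] = []
    if len(email) < EMAIL_MIN_LEN:
        problems.append(f"shorter than {EMAIL_MIN_LEN} characters")
    if len(email) > EMAIL_MAX_LEN:
        problems.append(f"longer than {EMAIL_MAX_LEN} characters")
    return problems


def check_preferences(password: str, confirm: str, email: str) -> Dict[str, List[str]]:
    """Validate all three fields; the Password (Confirm) value must match Password."""
    result = {
        "password": password_violations(password),
        "email": email_violations(email),
    }
    if password != confirm:
        result["password"].append("confirmation does not match")
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("Abc!de", "Abc!de", "analyst@example.com"),   # meets every criterion
        ("abc!de", "abc!de", "analyst@example.com"),   # no uppercase character
        ("Abcde", "Abcde", "a@b.co"),                  # too short, no special, email too short
        ("Abc!de", "Abc!df", "analyst@example.com"),   # confirmation mismatch
    ]
    for pw, conf, mail in samples:
        print(pw, mail, check_preferences(pw, conf, mail))
```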
Access Online Help
You can access the JSA Online Help through the main JSA user interface.
To access the Online Help, click Help >Help Contents.
Resize Columns
You can resize the columns on several tabs in JSA.
Place the pointer of your mouse over the line that separates the columns and drag the
edge of the column to the new location. You can also resize columns by double-clicking
the line that separates the columns to automatically resize the column to the width of
the largest field.
NOTE: Column resizing does not work in Microsoft Internet Explorer, Version
7.0 web browsers when tabs are displaying records in streaming mode.
Page Size
Users with administrative privileges can configure the maximum number of results that
display in the tables on various tabs in JSA.
Related Documentation
• JSA Login on page 26
• RESTful API on page 27
• User Interface Tabs on page 27
CHAPTER 3
Dashboard Management
• Dashboard Management on page 37
• Default Dashboards on page 38
• Custom Dashboards on page 39
• Customize Your Dashboard on page 40
• Creating a Custom Dashboard on page 48
• Using the Dashboard to Investigate Log or Network Activity on page 48
• Configuring Charts on page 49
• Removing Dashboard Items on page 50
• Detaching a Dashboard Item on page 51
• Renaming a Dashboard on page 51
• Deleting a Dashboard on page 52
• Managing System Notifications on page 52
• Adding Search-based Dashboard Items to the Add Items List on page 53
Dashboard Management
The Dashboard tab is the default view when you log in.
It provides a workspace environment that supports multiple dashboards on which you
can display your views of network security, activity, or data that is collected.
Dashboards allow you to organize your dashboard items into functional views, which
enable you to focus on specific areas of your network.
Use the Dashboard tab to monitor your security event behavior.
You can customize your dashboard. The content that is displayed on the Dashboard tab
is user-specific. Changes that are made within a session affect only your system.
To customize your Dashboard tab, you can perform the following tasks:
• Add and remove dashboard items from your dashboards.
• Move and position items to meet your requirements. When you position items, each item is automatically resized in proportion to the dashboard.
• Add custom dashboard items that are based on any data.
For example, you can add a dashboard item that provides a time series graph or a bar
chart that represents top 10 network activity.
To create custom items, you can create saved searches on the Log Activity tab and
choose how you want the results to be represented in your dashboard. Each
dashboard chart displays real-time up-to-the-minute data. Time series graphs on the
dashboard refresh every 5 minutes.
Default Dashboards
Use the default dashboard to customize your items into functional views. These functional
views focus on specific areas of your network.
The Dashboard tab provides five default dashboards that are focused on security, network
activity, application activity, system monitoring, and compliance.
Each dashboard displays a default set of dashboard items. The dashboard items act as
a starting point to navigate to more detailed data. The following table defines the
default dashboards.
Table 9: Default Dashboards
Application Overview: The Application Overview dashboard includes the following default items:
• Inbound Traffic by Country (Total Bytes)
• Outbound Traffic by Country (Total Bytes)
• Top Applications (Total Bytes)
• Top Applications Inbound from Internet (Total Bytes)
• Top Applications Outbound to the Internet (Total Bytes)
• Top Services Denied through Firewalls (Event Count)
• DSCP - Precedence (Total Bytes)
Compliance Overview: The Compliance Overview dashboard includes the following default items:
• Top Authentications by User (Time Series)
• Top Authentication Failures by User (Event Count)
• Login Failures by User (real-time)
• Compliance: Username Involved in Compliance Rules (time series)
• Compliance: Source IPs Involved in Compliance Rules (time series)
• Most Recent Reports
Network Overview: The Network Overview dashboard includes the following default items:
• Top Talkers (real time)
• ICMP Type/Code (Total Packets)
• Top Networks by Traffic Volume (Total Bytes)
• Firewall Deny by DST Port (Event Count)
• Firewall Deny by DST IP (Event Count)
• Firewall Deny by SRC IP (Event Count)
• Top Applications (Total Bytes)
• Link Utilization (real-time)
• DSCP - Precedence (Total Bytes)
System Monitoring: The System Monitoring dashboard includes the following default items:
• Top Log Sources (Event Count)
• Link Utilization (real-time)
• System Notifications
• Event Processor Distribution (Event Count)
• Event Rate (Events per Second Coalesced - Average 1 Min)
• Flow Rate (Flows per Second - Peak 1 Min)
Threat and Security Monitoring: The Threat and Security Monitoring dashboard includes the following default items:
• Default-IDS/IPS-All: Top Alarm Signatures (real-time)
• Top Systems Attacked (Event Count)
• Top Systems Sourcing Attacks (Event Count)
• My Offenses
• Most Severe Offenses
• Most Recent Offenses
• Top Services Denied through Firewalls (Event Count)
• Internet Threat Information Center
• Flow Bias (Total Bytes)
• Top Category Types
• Top Sources
• Top Local Destinations
Related Documentation
• Custom Dashboards on page 39
• Customize Your Dashboard on page 40
• Creating a Custom Dashboard on page 48
Custom Dashboards
You can customize your dashboards. The content that is displayed on the Dashboard tab
is user-specific. Changes that are made within a JSA session affect only your system.
To customize your Dashboard tab, you can perform the following tasks:
• Create custom dashboards that are relevant to your responsibilities. The maximum is 255 dashboards per user; however, performance issues might occur if you create more than 10 dashboards.
• Add and remove dashboard items from default or custom dashboards.
• Move and position items to meet your requirements. When you position items, each item automatically resizes in proportion to the dashboard.
• Add custom dashboard items that are based on any data.
For example, you can add a dashboard item that provides a time series graph or a bar
chart that represents top 10 network activity.
To create custom items, you can create saved searches on the Network Activity or Log
Activity tabs and choose how you want the results to be represented in your dashboard.
Each dashboard chart displays real-time up-to-the-minute data. Time series graphs on
the dashboard refresh every 5 minutes.
Related Documentation
• Customize Your Dashboard on page 40
• Creating a Custom Dashboard on page 48
• Using the Dashboard to Investigate Log or Network Activity on page 48
Customize Your Dashboard
You can add several dashboard items to your default or custom dashboards.
You can customize your dashboards to display and organize the dashboards items that
meet your network security requirements.
There are 5 default dashboards, which you can access from the Show Dashboard list box
on the Dashboard tab. If you previously viewed a dashboard and returned to the Dashboard
tab, the last dashboard you viewed is displayed.
Flow Search
You can display a custom dashboard item that is based on saved search criteria from
the Network Activity tab.
Flow search items are listed in the Add Item >Network Activity >Flow Searches menu. The
name of the flow search item matches the name of the saved search criteria the item is
based on.
Default saved search criteria is available and is preconfigured to display flow search
items on your Dashboard tab menu. You can add more flow search dashboard items to
your Dashboard tab menu. For more information, see “Adding Search-based Dashboard
Items to the Add Items List” on page 53.
On a flow search dashboard item, search results display real-time last-minute data on
a chart. The supported chart types are time series, table, pie, and bar. The default chart
type is bar. These charts are configurable. For more information about configuring charts,
see “Configuring Charts” on page 144.
Time series charts are interactive. Using the time series charts, you can magnify and scan
through a timeline to investigate network activity.
Offenses
You can add several offense-related items to your dashboard.
NOTE: Hidden or closed offenses are not included in the values that are
displayed in the Dashboard tab. For more information about hidden or closed
events, see “Offense Management” on page 55.
The following table describes the Offense items:
Table 10: Offense Items
Most Recent Offenses: The five most recent offenses are identified with a magnitude bar to inform you of the importance of the offense. Point to the offense name to view detailed information for the IP address.
Most Severe Offenses: The five most severe offenses are identified with a magnitude bar to inform you of the importance of the offense. Point to the offense name to view detailed information for the IP address.
My Offenses: The My Offenses item displays 5 of the most recent offenses that are assigned to you. The offenses are identified with a magnitude bar to inform you of the importance of the offense. Point to the IP address to view detailed information for the IP address.
Top Sources: The Top Sources item displays the top offense sources. Each source is identified with a magnitude bar to inform you of the importance of the source. Point to the IP address to view detailed information for the IP address.
Top Local Destinations: The Top Local Destinations item displays the top local destinations. Each destination is identified with a magnitude bar to inform you of the importance of the destination. Point to the IP address to view detailed information for the IP address.
Categories: The Top Categories Types item displays the top 5 categories that are associated with the highest number of offenses.
Log Activity
The Log Activity dashboard items allow you to monitor and investigate events in real
time.
NOTE: Hidden or closed events are not included in the values that are
displayed in the Dashboard tab.
Table 11: Log Activity Items
Event Searches: You can display a custom dashboard item that is based on saved search criteria from the Log Activity tab. Event search items are listed in the Add Item >Log Activity >Event Searches menu. The name of the event search item matches the name of the saved search criteria the item is based on.
JSA includes default saved search criteria that is preconfigured to display event search items on your Dashboard tab menu. You can add more event search dashboard items to your Dashboard tab menu. For more information, see “Adding Search-based Dashboard Items to the Add Items List” on page 53.
On a Log Activity dashboard item, search results display real-time last-minute data on a chart. The supported chart types are time series, table, pie, and bar. The default chart type is bar. These charts are configurable.
Time series charts are interactive. You can magnify and scan through a timeline to investigate log activity.
Events By Severity: The Events By Severity dashboard item displays the number of active events that are grouped by severity. This item allows you to see the number of events that are received by the level of severity assigned. Severity indicates the amount of threat an offense source poses in relation to how prepared the destination is for the attack. The range of severity is 0 (low) to 10 (high). The supported chart types are Table, Pie, and Bar.
Top Log Sources: The Top Log Sources dashboard item displays the top 5 log sources that sent events to JSA within the last 5 minutes.
The number of events that are sent from the specified log source is indicated in the pie chart. This item allows you to view potential changes in behavior; for example, if a firewall log source that is typically not in the top 10 list now contributes to a large percentage of the overall message count, you should investigate this occurrence. The supported chart types are Table, Pie, and Bar.
Most Recent Reports
The Most Recent Reports dashboard item displays the top recently generated reports.
The display provides the report title, the time, and date the report was generated, and
the format of the report.
System Summary
The System Summary dashboard item provides a high-level summary of activity within
the past 24 hours.
Within the summary item, you can view the following information:
• Current Flows Per Second: Displays the flow rate per second.
• Flows (Past 24 Hours): Displays the total number of active flows that are seen within the last 24 hours.
• Current Events Per Second: Displays the event rate per second.
• New Events (Past 24 Hours): Displays the total number of new events that are received within the last 24 hours.
• Updated Offenses (Past 24 Hours): Displays the total number of offenses that have been either created or modified with new evidence within the last 24 hours.
• Data Reduction Ratio: Displays the ratio of data reduced based on the total events that are detected within the last 24 hours and the number of modified offenses within the last 24 hours.
Risk Monitoring Dashboard
You use the Risk Monitoring dashboard to monitor policy risk and policy risk change for
assets, policies and policy groups.
By default, the Risk Monitoring dashboard displays Risk and Risk Change items that
monitor the policy risk score for assets in the High Vulnerabilities, Medium Vulnerabilities,
and Low Vulnerabilities policy groups, as well as compliance pass rates and historical
changes in policy risk score in the CIS policy group.
The Risk Monitoring dashboard items do not display any results unless JSA Risk Manager
is licensed. For more information, see JSA Risk Manager Users Guide.
To view the default Risk Monitoring dashboard, select Show Dashboard >Risk Monitoring
on the Dashboard tab.
Monitoring Policy Compliance
Create a dashboard item that shows policy compliance pass rates and policy risk score
for selected assets, policies, and policy groups.
1. Click the Dashboard tab.
2. On the toolbar, click New Dashboard.
3. Type a name and description for your policy compliance dashboard.
4. Click OK.
5. On the toolbar, select Add Item >Risk Manager >Risk.
Risk Manager dashboard items are displayed only when JSA Risk Manager is licensed.
6. On the header of the new dashboard item, click the yellow Settings icon.
7. Use the Chart Type, Display Top, and Sort lists to configure the chart.
8. From the Group list, select the group that you want to monitor. For more information,
see the table in step 9.
When you select the Asset option, a link to the Risks >Policy Management >By Asset
page appears at the bottom of the Risk dashboard item. The By Asset page displays
more detailed information about all results that are returned for the selected Policy
Group. For more information on a specific asset, select Table from Chart Type list and
click the link in the Asset column to view details about the asset in the By Asset page.
When you select the Policy option, a link to the Risks >Policy Management >By Policy
page appears at the bottom of the Risk dashboard item. The By Policy page displays
more detailed information about all results that are returned for the selected Policy
Group. For more information on a specific policy, select Table from Chart Type list and
click the link in the Policy column to view details about the policy in the By Policy page.
9. From the Graph list, select the graph type that you want to use. For more information,
see the following table:
Graph type by Group selection (columns: Asset Passed Percentage, Policy Checks Passed Percentage, Policy Group Passed Percentage, Policy Risk Score):
Group: All
  Asset Passed Percentage: Returns the average asset percentage pass rate across assets, policies, and the policy group.
  Policy Checks Passed Percentage: Returns the average policy check percentage pass rate across assets, policies, and the policy group.
  Policy Group Passed Percentage: Returns the average policy group pass rate across all assets, policies, and the policy group.
  Policy Risk Score: Returns the average policy risk score across all assets, policies, and the policy group.
Group: Asset
  Asset Passed Percentage: Returns whether an asset passes asset compliance (100%=passed, 0%=failed). Use this setting to show which assets associated with a Policy Group pass compliance.
  Policy Checks Passed Percentage: Returns the percentage of policy checks that an asset passes. Use this setting to show the percentage of policy checks that passed for each asset that is associated with the Policy Group.
  Policy Group Passed Percentage: Returns the percentage of policy subgroups that are associated with the asset that pass compliance.
  Policy Risk Score: Returns the sum of all importance factor values for policy questions that are associated with each asset. Use this setting to view the policy risk for each asset that is associated with a selected policy group.
Group: Policy
  Asset Passed Percentage: Returns whether all the assets associated with each policy in a Policy Group pass compliance. Use this setting to monitor whether all the assets associated with each policy in a Policy Group pass or not.
  Policy Checks Passed Percentage: Returns the percentage of policy checks that pass per policy in the policy group. Use this setting to monitor how many policy checks are failing per policy.
  Policy Group Passed Percentage: Returns the percentage of policy subgroups of which the policy is a part that pass compliance.
  Policy Risk Score: Returns the importance factor values for each policy question in the Policy Group. Use this setting to view the importance factor for each policy in a policy group.
Group: Policy Group
  Asset Passed Percentage: Returns the percentage of assets that pass compliance for the selected Policy Group as a whole.
  Policy Checks Passed Percentage: Returns the percentage of policy checks that pass per policy for the policy group as a whole.
  Policy Group Passed Percentage: Returns the percentage of policy subgroups within the Policy Group that pass compliance.
  Policy Risk Score: Returns the sum of all importance factor values for all policy questions in the Policy Group.
10. From the Policy Group list, select the policy groups that you want to monitor.
11. Click Save.
Monitoring Risk Change
Create a dashboard item that shows policy risk change for selected assets, policies, and
policy groups on a daily, weekly, and monthly basis.
Use this dashboard item to compare changes in the Policy Risk Score, Policies Checks,
and Policies values for a policy group over time.
The Risk Change dashboard item uses arrows to indicate whether policy risk for the
selected values increased, decreased, or stayed the same over a chosen time period:
• The number beneath the red arrow indicates the values that show an increased risk.
• The number beneath the gray arrow indicates the values where there is no change in risk.
• The number beneath the green arrow indicates the values that show a decreased risk.
1. Click the Dashboard tab.
2. On the toolbar, click New Dashboard.
3. Type a name and description for your historical policy compliance dashboard.
4. Click OK.
5. On the toolbar, select Add Item >Risk Manager >Risk Change.
Risk Manager Dashboard items are displayed only when JSA Risk Manager is licensed.
6. On the header of the new dashboard item, click the yellow Settings icon.
7. From the Policy Group list, select the policy groups that you want to monitor.
8. Select an option from the Value To Compare list:
•
If you want to see the cumulative changes in importance factor for all policy
questions within the selected policy groups, select Policy Risk Score.
•
If you want to see how many policy checks changed within the selected policy
groups, select Policies Checks.
•
If you want to see how many policies changed within the selected policy groups,
select Policies.
9. Select the risk change period that you want to monitor from the Delta Time list:
• If you want to compare risk changes from 12:00 a.m. today with yesterday's risk changes, select Day.
• If you want to compare risk changes from Monday 12:00 a.m. this week with last week's risk changes, select Week.
• If you want to compare risk changes from 12:00 a.m. on the first day of the current month with last month's risk changes, select Month.
10. Click Save.
Vulnerability Management Items
Vulnerability Management dashboard items are only displayed when JSA Vulnerability
Manager is purchased and licensed.
For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
You can display a custom dashboard item that is based on saved search criteria from the Vulnerabilities tab. Search items are listed in the Add Item > Vulnerability Management > Vulnerability Searches menu. The name of the search item matches the name of the saved search criteria that the item is based on.
JSA includes default saved search criteria that are preconfigured to display search items on your Dashboard tab menu. You can add more search dashboard items to your Dashboard tab menu.
The supported chart types are table, pie, and bar. The default chart type is bar. These
charts are configurable.
System Notification
The System Notification dashboard item displays event notifications that are received by your system.
For notifications to show in the System Notification dashboard item, the Administrator
must create a rule that is based on each notification message type and select the Notify
check box in the Custom Rules Wizard.
For more information about how to configure event notifications and create event rules,
see the Juniper Secure Analytics Administration Guide.
On the System Notifications dashboard item, you can view the following information:
• Flag - Displays a symbol to indicate the severity level of the notification. Point to the symbol to view more detail about the severity level:
  • Health icon
  • Information icon (?)
  • Error icon (X)
  • Warning icon (!)
• Created - Displays the amount of time elapsed since the notification was created.
• Description - Displays information about the notification.
• Dismiss icon (x) - Closes a system notification.
You can point your mouse over a notification to view more details:
• Host IP - Displays the host IP address of the host that originated the notification.
• Severity - Displays the severity level of the incident that created this notification.
• Low Level Category - Displays the low-level category that is associated with the incident that generated this notification. For example: Service Disruption.
• Payload - Displays the payload content that is associated with the incident that generated this notification.
• Created - Displays the amount of time elapsed since the notification was created.
When you add the System Notifications dashboard item, system notifications can also
display as pop-up notifications in the JSA user interface. These pop-up notifications are
displayed in the lower right corner of the user interface, regardless of the selected tab.
Pop-up notifications are only available for users with administrative permissions and are
enabled by default. To disable pop-up notifications, select User Preferences and clear
the Enable Pop-up Notifications check box.
In the System Notifications pop-up window, the number of notifications in the queue is
highlighted. For example, if (1 - 12) is displayed in the header, the current notification is 1
of 12 notifications to be displayed.
The system notification pop-up window provides the following options:
• Next icon (>) - Displays the next notification message. For example, if the current notification message is 3 of 6, click the icon to view 4 of 6.
• Close icon (X) - Closes this notification pop-up window.
• (details) - Displays more information about this system notification.
Internet Threat Information Center
The Internet Threat Information Center dashboard item is an embedded RSS feed that
provides you with up-to-date advisories on security issues, daily threat assessments,
security news, and threat repositories.
Current advisories are listed in the dashboard item. To view a summary of the advisory,
click the Arrow icon next to the advisory. The advisory expands to display a summary.
Click the Arrow icon again to hide the summary.
Related Documentation
• Creating a Custom Dashboard on page 48
• Using the Dashboard to Investigate Log or Network Activity on page 48
• Configuring Charts on page 49
Creating a Custom Dashboard
You can create a custom dashboard to view a group of dashboard items that meet a
particular requirement.
After you create a custom dashboard, the new dashboard is displayed in the Dashboard
tab and is listed in the Show Dashboard list box. A new custom dashboard is empty by
default; therefore, you must add items to the dashboard.
1. Click the Dashboard tab.
2. Click the New Dashboard icon.
3. In the Name field, type a unique name for the dashboard. The maximum length is 65
characters.
4. In the Description field, type a description of the dashboard. The maximum length is
255 characters. This description is displayed in the tooltip for the dashboard name in
the Show Dashboard list box.
5. Click OK.
Related Documentation
• Using the Dashboard to Investigate Log or Network Activity on page 48
• Configuring Charts on page 49
• Removing Dashboard Items on page 50
Using the Dashboard to Investigate Log or Network Activity
Search-based dashboard items provide a link to the Log Activity or Network Activity tabs,
allowing you to further investigate log or network activity.
To investigate events from a Log Activity dashboard item:
1. Click the View in Log Activity link. The Log Activity tab opens and displays results and two charts that match the parameters of your dashboard item.
To investigate flows from a Network Activity dashboard item:
1. Click the View in Network Activity link. The Network Activity tab opens and displays results and two charts that match the parameters of your dashboard item.
The chart types that are displayed on the Log Activity or Network Activity tab depend on which chart is configured in the dashboard item:
Bar, Pie, and Table: The Log Activity or Network Activity tab displays a bar chart, pie chart, and table of event or flow details.
Time Series: The Log Activity or Network Activity tab displays charts according to the following criteria:
1. If your time range is less than or equal to 1 hour, a time series chart, a bar chart, and a table of event or flow details are displayed.
2. If your time range is more than 1 hour, a time series chart is displayed and you are prompted to click Update Details. This action starts the search that populates the event or flow details and generates the bar chart. When the search completes, the bar chart and table of event or flow details are displayed.
Related Documentation
• Configuring Charts on page 49
• Removing Dashboard Items on page 50
• Detaching a Dashboard Item on page 51
Configuring Charts
You can configure Log Activity, Network Activity, and Connections, if applicable, dashboard
items to specify the chart type and how many data objects you want to view.
Table 12: Configuring Charts
Value to Graph: From the list box, select the object type that you want to graph on the chart. Options include all normalized and custom event or flow parameters included in your search parameters.
Chart Type: From the list box, select the chart type that you want to view. Options include:
1. Bar Chart — Displays data in a bar chart. This option is only available for grouped events or flows.
2. Pie Chart — Displays data in a pie chart. This option is only available for grouped events or flows.
3. Table — Displays data in a table. This option is only available for grouped events or flows.
4. Time Series — Displays an interactive line chart that represents the records that are matched by a specified time interval.
Display Top: From the list box, select the number of objects you want to view in the chart. Options include 5 and 10. The default is 10.
Capture Time Series Data: Select this check box to enable time series capture. When you select this check box, the chart feature begins to accumulate data for time series charts. By default, this option is disabled.
Time Range: From the list box, select the time range that you want to view.
Your custom chart configurations are retained, so that they are displayed as configured
each time that you access the Dashboard tab.
Data accumulates so that when you perform a time series saved search, there is a cache of event or flow data available to display the data for the previous time period.
Accumulated parameters are indicated by an asterisk (*) in the Value to Graph list box.
If you select a value to graph that is not accumulated (no asterisk), time series data is
not available.
1. Click the Dashboard tab.
2. From the Show Dashboard list box, select the dashboard that contains the item you
want to customize.
3. On the header of the dashboard item you want to configure, click the Settings icon.
4. Configure the chart parameters.
Related Documentation
• Removing Dashboard Items on page 50
• Detaching a Dashboard Item on page 51
• Renaming a Dashboard on page 51
Removing Dashboard Items
You can remove items from a dashboard and add the item again at any time.
When you remove an item from the dashboard, the item is not removed completely.
1. Click the Dashboard tab.
2. From the Show Dashboard list box, select the dashboard from which you want to
remove an item.
3. On the dashboard item header, click the red [x] icon to remove the item from the
dashboard.
Related Documentation
• Detaching a Dashboard Item on page 51
• Renaming a Dashboard on page 51
• Deleting a Dashboard on page 52
Detaching a Dashboard Item
You can detach an item from your dashboard and display the item in a new window on
your desktop system.
When you detach a dashboard item, the original dashboard item remains on the Dashboard
tab, while a detached window with a duplicate dashboard item remains open and
refreshes during scheduled intervals. If you close the JSA application, the detached
window remains open for monitoring and continues to refresh until you manually close
the window or shut down your computer system.
1. Click the Dashboard tab.
2. From the Show Dashboard list box, select the dashboard from which you want to
detach an item.
3. On the dashboard item header, click the green icon to detach the dashboard item and open it in a separate window.
Related Documentation
• Renaming a Dashboard on page 51
• Deleting a Dashboard on page 52
• Managing System Notifications on page 52
Renaming a Dashboard
You can rename a dashboard and update the description.
1. Click the Dashboard tab.
2. From the Show Dashboard list box, select the dashboard that you want to edit.
3. On the toolbar, click the Rename Dashboard icon.
4. In the Name field, type a new name for the dashboard. The maximum length is 65
characters.
5. In the Description field, type a new description of the dashboard. The maximum length is 255 characters.
6. Click OK.
Related Documentation
• Deleting a Dashboard on page 52
• Managing System Notifications on page 52
• Adding Search-based Dashboard Items to the Add Items List on page 53
Deleting a Dashboard
You can delete a dashboard.
After you delete a dashboard, the Dashboard tab refreshes and the first dashboard that
is listed in the Show Dashboard list box is displayed. The dashboard that you deleted is
no longer displayed in the Show Dashboard list box.
1. Click the Dashboard tab.
2. From the Show Dashboard list box, select the dashboard that you want to delete.
3. On the toolbar, click Delete Dashboard.
4. Click Yes.
Related Documentation
• Managing System Notifications on page 52
• Adding Search-based Dashboard Items to the Add Items List on page 53
• Renaming a Dashboard on page 51
Managing System Notifications
You can specify the number of notifications that you want to display on your System
Notification dashboard item and close system notifications after you read them.
Ensure the System Notification dashboard item is added to your dashboard.
1. On the System Notification dashboard item header, click the Settings icon.
2. From the Display list box, select the number of system notifications you want to view.
• The options are 5, 10 (default), 20, 50, and All.
• To view all system notifications that are logged in the past 24 hours, click All.
3. To close a system notification, click the Delete icon.
Related Documentation
• Adding Search-based Dashboard Items to the Add Items List on page 53
• Renaming a Dashboard on page 51
• Deleting a Dashboard on page 52
Adding Search-based Dashboard Items to the Add Items List
You can add search-based dashboard items to your Add Items menu.
To add an event or flow search dashboard item to the Add Item menu on the Dashboard tab, you must access the Log Activity tab (for events) or the Network Activity tab (for flows) to create search criteria that specify that the search results can be displayed on the Dashboard tab. The search criteria must also specify that the results are grouped on a parameter.
1. Choose:
• To add a flow search dashboard item, click the Network Activity tab.
• To add an event search dashboard item, click the Log Activity tab.
2. From the Search list box, choose one of the following options:
• To create a search, select New Search.
• To edit a saved search, select Edit Search.
3. Configure or edit your search parameters, as required.
• On the Edit Search pane, select the Include in my Dashboard option.
• On the Column Definition pane, select a column and click the Add Column icon to move the column to the Group By list.
4. Click Filter.
The search results are displayed.
5. Click Save Criteria. See Saving search criteria on the Offense tab.
6. Click OK.
7. Verify that your saved search criteria successfully added the event or flow search dashboard item to the Add Items list:
a. Click the Dashboard tab.
b. Choose one of the following options:
• To verify an event search item, select Add Item > Log Activity > Event Searches > Add Item.
• To verify a flow search item, select Add Item > Network Activity > Flow Searches.
The dashboard item is displayed in the list with the same name as your saved search criteria.
Related Documentation
• Renaming a Dashboard on page 51
• Deleting a Dashboard on page 52
• Managing System Notifications on page 52
CHAPTER 4
Offense Management
• Offense Management on page 55
• Offense Prioritization on page 55
• Offense Chaining on page 56
• Offense Indexing on page 57
• Offense Retention on page 58
• Offense Investigations on page 60
• Offense Actions on page 65
Offense Management
JSA reduces billions of events and flows into a manageable number of actionable offenses
that are prioritized by their impact on your business operations. Use the Offenses tab to
access all of the data that you need to understand even the most complex threats.
By providing immediate context for the offense, JSA helps you to quickly identify which
offenses are the most important, and to begin an investigation to find the source of the
suspected security attack or policy breach.
NOTE: You cannot manage offenses in Log Manager. For more information
about the differences between JSA and Log Manager, see “Capabilities in
Your JSA Product” on page 24.
Offense Prioritization
The magnitude rating of an offense is a measure of the importance of the offense in your
environment. JSA uses the magnitude rating to prioritize offenses and help you to
determine which offenses to investigate first.
The magnitude rating of an offense is calculated based on relevance, severity, and
credibility.
• Relevance determines the impact of the offense on your network. For example, if a port is open, the relevance is high.
• Credibility indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. Credibility increases as multiple sources report the same event.
• Severity indicates the level of threat that a source poses in relation to how prepared the destination is for the attack.
JSA uses complex algorithms to calculate the offense magnitude rating, and the rating
is re-evaluated when new events are added to the offense and also at scheduled intervals.
The following information is considered when the offense magnitude is calculated:
• the number of events and flows that are associated with the offense
• the number of log sources
• the age of the offense
• the weight of the network object associated with the offense
• the categories, severity, relevance, and credibility of the events and flows that contribute to the offense
• the vulnerabilities and threat assessment of the hosts that are involved in the offense
The magnitude rating of an offense is different from the magnitude rating for an event.
You can influence the magnitude of an offense by setting the event magnitude in the
rule actions, but you cannot bypass the JSA algorithms to set the offense magnitude
yourself.
Related Documentation
• Offense Chaining on page 56
• Offense Indexing on page 57
• Offense Retention on page 58
Offense Chaining
JSA chains offenses together to reduce the number of offenses that you need to review,
which reduces the time to investigate and remediate the threat.
Offense chaining helps you find the root cause of a problem by connecting multiple
symptoms together and showing them in a single offense. By understanding how an
offense changed over time, you can see things that might be overlooked during your
analysis. Some events that would not be worth investigating on their own might suddenly
be of interest when they are correlated with other events to show a pattern.
Offense chaining is based on the offense index field that is specified on the rule. For example, if your rule is configured to use the source IP address as the offense index field, there is only one offense for that source IP address while the offense is active.
You can identify a chained offense by looking for the words preceded by in the Description field on the Offense Summary page. In the following example, JSA combined all of the events that fired for each of the three rules into one offense, and appended the rule names to the Description field:
Exploit Followed By Suspicious Host Activity - Chained preceded by Local UDP Scanner Detected preceded by XForce Communication to a known Bot Command and Control
Related Documentation
• Offense Indexing on page 57
• Offense Retention on page 58
• Offense Investigations on page 60
Offense Indexing
Offense indexing provides the capability to group events or flows from different rules
indexed on the same property together in a single offense.
For example, an offense that has only one source IP address and multiple destination IP
addresses indicates that the threat has a single attacker and multiple victims. If you index
this type of offense by the source IP address, all events and flows that originate from the
same IP address are added to the same offense. JSA uses the offense index parameter
to determine which offenses to chain together.
You can configure rules to index an offense based on any piece of information. JSA
includes a set of predefined, normalized fields that you can use to index your offenses.
If the field that you want to index on is not included in the normalized fields, create a
custom event or a custom flow property to extract the data from the payload and use it
as the offense indexing field in your rule. The custom property that you index on can be
based on either a regular expression or a calculation.
Offense Indexing Considerations
It is important to understand how offense indexing impacts your JSA deployment.
System Performance
Ensure that you optimize and enable all custom properties that are used for offense
indexing. Using properties that are not optimized can have a negative impact on
performance.
When you create a rule, you cannot select non-optimized properties in the Index offense
based on field. However, if an existing rule is indexed on a custom property, and then the
custom property is de-optimized, the property is still available in the offense index list.
Do not de-optimize custom properties that are used in rules.
Rule Action and Response
When the indexed property value is null, an offense is not created, even when you select
the Ensure the detected event is part of an offense check box in the rule action. For example,
if a rule is configured to create an offense that is indexed by host name, but the host
name in the event is empty, an offense is not created even though all of the conditions
in the rule tests are met.
When the response limiter uses a custom property, and the custom property value is null,
the limit is applied to the null value. For example, if the response is Email, and the limiter
says Respond no more than 1 time per 1 hour per custom property, if the rule fires a second
time with a null property within 1 hour, an email will not be sent.
When you index using a custom property, the properties that you can use in the rule index
and response limiter field depends on the type of rule that you are creating. An event rule
accepts custom event properties in the rule index and response limiter fields, while a
flow rule accepts only custom flow properties. A common rule accepts either custom
event or custom flow properties in the rule index and response limiter fields.
You cannot use custom properties to index an offense that is created by a dispatched
event.
Example: Detecting Malware Outbreaks Based on the MD5 Signature
As a network security analyst for a large organization, you use JSA to detect when a
malware outbreak occurs. You set the criteria for an outbreak as a threat that occurs
across 10 hosts within 4 hours. You want to use the MD5 signature as the basis for this
threat detection.
You configure JSA to evaluate the incoming logs to determine whether a threat exists,
and then you group all of the fired rules that contain the same MD5 signature into a single
offense.
1. Use “Creating a Regex-based Custom Property” on page 185 to extract the MD5 signature from the logs. Ensure that the custom property is optimized and enabled.
2. Use “Creating a Custom Rule” on page 196 and configure the rule to create an offense that uses the MD5 signature custom property as the offense index field. When the rule fires, an offense is created. All fired rules that have the same MD5 signature are grouped into one offense.
3. Use “Searching for Offenses That Are Indexed on a Custom Property” on page 172 to find the offenses that are indexed by the MD5 signature custom property.
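The grouping behaviour described in the MD5 example above, together with the two indexing considerations under Rule Action and Response (a null index value creates no offense; the response limiter counts a null property value like any other), modelled in Python as an added example that is not JSA code. The regex custom property, rule names, log payloads, hash values and the outbreak criterion (10 hosts within 4 hours) are constructed.

```python
"""Offense indexing on a regex-extracted custom property (added example, not JSA code).
Rule firings that carry the same indexed value are chained into one offense, a
firing whose indexed property is null creates no offense, and the response
limiter treats a null property value like any other value. Rule names, payloads,
hash values and the outbreak criterion (10 hosts in 4 hours) are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed regex-based custom property: captures a 32-hex-digit MD5 from the payload.
MD5_PROPERTY = re.compile(r"\bmd5=([0-9a-fA-F]{32})\b")
OUTBREAK_HOSTS = 10                   # outbreak = the same threat on 10 hosts ...
OUTBREAK_WINDOW = timedelta(hours=4)  # ... within 4 hours


def extract_md5(payload):
    """Custom property extraction; returns None (a null value) when the regex misses."""
    match = MD5_PROPERTY.search(payload)
    return match.group(1).lower() if match else None


class Offense:
    def __init__(self, index_value):
        self.index_value = index_value
        self.rules = []    # rule names in firing order
        self.events = []   # (timestamp, host) pairs that contributed

    def description(self):
        # Newest rule first, earlier rules appended with "preceded by", as on the Offense Summary page.
        return " preceded by ".join(reversed(self.rules))


class OffenseIndexer:
    def __init__(self):
        self.offenses = {}           # index value -> offense
        self.null_index_events = 0   # rule firings dropped because the index value was null
        self._last_response = {}     # (rule, property value) -> time of last response

    def process(self, rule, host, ts, payload):
        """Route a fired rule to the offense indexed on the event's MD5 property."""
        md5 = extract_md5(payload)
        if md5 is None:
            # Null index value: no offense, even though the rule tests were met.
            self.null_index_events += 1
            return None
        offense = self.offenses.get(md5)
        if offense is None:
            offense = self.offenses[md5] = Offense(md5)
        if rule not in offense.rules:
            offense.rules.append(rule)
        offense.events.append((ts, host))
        return offense

    def is_outbreak(self, md5, now):
        """True when the hash was seen on OUTBREAK_HOSTS distinct hosts inside the window."""
        offense = self.offenses.get(md5)
        if offense is None:
            return False
        hosts = {host for ts, host in offense.events if now - ts <= OUTBREAK_WINDOW}
        return len(hosts) >= OUTBREAK_HOSTS

    def respond(self, rule, prop_value, ts, limit=timedelta(hours=1)):
        """Response limiter: at most one response per hour per property value;
        a null (None) value is limited exactly like a real value."""
        key = (rule, prop_value)
        last = self._last_response.get(key)
        if last is not None and ts - last < limit:
            return False
        self._last_response[key] = ts
        return True


def run_demo():
    """Constructed sample: 11 hosts report one hash within two hours, two hosts
    report a second hash, and one event carries no hash at all."""
    idx = OffenseIndexer()
    t0 = datetime(2017, 9, 13, 8, 0)
    hash_a = "d41d8cd98f00b204e9800998ecf8427e"   # constructed value
    hash_b = "0cc175b9c0f1b6a831c399e269772661"   # constructed value
    for i in range(11):
        idx.process("Malware Hash Seen", f"host-{i}", t0 + timedelta(minutes=10 * i),
                    f"av alert md5={hash_a} file=invoice.exe")
    # A second rule fires for the same hash: chained into the existing offense.
    idx.process("AV Quarantine Failed", "host-3", t0 + timedelta(hours=2),
                f"quarantine failed md5={hash_a}")
    for i in (20, 21):
        idx.process("Malware Hash Seen", f"host-{i}", t0, f"av alert md5={hash_b}")
    # No md5 in the payload: the custom property is null, so no offense is created.
    idx.process("Malware Hash Seen", "host-99", t0, "av alert with no hash in message")
    now = t0 + timedelta(hours=3)
    # Limiter on the null value: the second response inside the hour is suppressed.
    sent = [idx.respond("Malware Hash Seen", None, t0),
            idx.respond("Malware Hash Seen", None, t0 + timedelta(minutes=30)),
            idx.respond("Malware Hash Seen", None, t0 + timedelta(minutes=61))]
    return {
        "offense_count": len(idx.offenses),
        "null_index_events": idx.null_index_events,
        "outbreak_a": idx.is_outbreak(hash_a, now),
        "outbreak_b": idx.is_outbreak(hash_b, now),
        "description_a": idx.offenses[hash_a].description(),
        "responses_sent": sent,
    }
```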
Related Documentation
• Offense Retention on page 58
• Offense Investigations on page 60
• Offense Actions on page 65
Offense Retention
The state of an offense determines how long JSA keeps the offense in the system. The
offense retention period determines how long inactive and closed offenses are kept
before they are removed from the JSA console.
• Active offenses--When a rule triggers an offense, the offense is active. In this state, JSA is waiting to evaluate new events or flows against the offense rule test. When new events are evaluated, the offense clock is reset to keep the offense active for another 30 minutes.
• Dormant offenses--An offense becomes dormant if new events or flows are not added to the offense within 30 minutes, or if JSA did not process any events within 4 hours. An offense remains in a dormant state for 5 days. If an event is added while an offense is dormant, the five-day counter is reset.
• Inactive offenses--An offense becomes inactive after 5 days in a dormant state. In the inactive state, new events that trigger the offense rule test do not contribute to the inactive offense. They are added to a new offense. Inactive offenses are removed after the offense retention period elapses.
• Closed offenses--Closed offenses are removed after the offense retention period elapses. If more events occur for an offense that is closed, a new offense is created. If you include closed offenses in a search, and the offense wasn't removed from the JSA console, the offense is displayed in the search results.
The default offense retention period is 30 days. After the offense retention period expires,
closed and inactive offenses are removed from the system. Offenses that are not inactive
or closed are retained indefinitely. You can protect an offense to prevent it from being
removed when the retention period expires.
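The offense states and timers described above, modelled in Python as an added example that is not JSA code. The 30-minute, 5-day and 30-day values come from the guide; offense ids and index values are constructed; the 4-hour "no events processed" rule and the scheduled re-evaluation interval are not modelled, and it is assumed that a dormant offense that receives a new event returns to the active state.

```python
"""Offense lifecycle and retention (added example, not JSA code).
ACTIVE -> DORMANT after 30 minutes without new events; DORMANT -> INACTIVE after
5 days; INACTIVE and CLOSED offenses are purged once the retention period
(default 30 days) has elapsed, unless protected. Events for an INACTIVE or CLOSED
offense open a new offense. Ids and index values below are constructed.
"""
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(minutes=30)
DORMANT_PERIOD = timedelta(days=5)
DEFAULT_RETENTION = timedelta(days=30)


class Offense:
    def __init__(self, oid, index_value, created):
        self.id = oid
        self.index_value = index_value
        self.state = "ACTIVE"
        self.last_event = created
        self.state_since = created   # when the current state began
        self.protected = False


class OffenseStore:
    def __init__(self, retention=DEFAULT_RETENTION):
        self.retention = retention
        self.offenses = []
        self._next_id = 1

    def add_event(self, index_value, ts):
        """Attach an event to the open offense for its index value, or open a new one."""
        self.tick(ts)
        for off in self.offenses:
            if off.index_value == index_value and off.state in ("ACTIVE", "DORMANT"):
                # New event: the 30-minute clock (or the 5-day dormant counter) is reset.
                # Assumption: a dormant offense that receives an event becomes active again.
                off.last_event = off.state_since = ts
                off.state = "ACTIVE"
                return off
        # INACTIVE or CLOSED offenses do not accept new events: a new offense is created.
        off = Offense(self._next_id, index_value, ts)
        self._next_id += 1
        self.offenses.append(off)
        return off

    def close(self, off, ts):
        off.state, off.state_since = "CLOSED", ts

    def tick(self, now):
        """Advance the state clocks to `now` and purge expired offenses."""
        for off in self.offenses:
            if off.state == "ACTIVE" and now - off.last_event >= ACTIVE_WINDOW:
                off.state, off.state_since = "DORMANT", off.last_event + ACTIVE_WINDOW
            if off.state == "DORMANT" and now - off.state_since >= DORMANT_PERIOD:
                off.state, off.state_since = "INACTIVE", off.state_since + DORMANT_PERIOD
        self.offenses = [off for off in self.offenses if not self._expired(off, now)]

    def _expired(self, off, now):
        # Only inactive and closed offenses are subject to the retention period;
        # protected offenses are never removed.
        if off.protected or off.state not in ("INACTIVE", "CLOSED"):
            return False
        return now - off.state_since >= self.retention


def run_demo():
    """Constructed timeline: one source IP index value over 36 days, plus two
    closed offenses of which one is protected."""
    store = OffenseStore()
    t0 = datetime(2017, 9, 13, 8, 0)
    first = store.add_event("10.0.0.5", t0)
    store.add_event("10.0.0.5", t0 + timedelta(minutes=20))         # clock reset
    store.tick(t0 + timedelta(minutes=50))                           # -> DORMANT
    revived = store.add_event("10.0.0.5", t0 + timedelta(hours=2))   # same offense
    store.tick(t0 + timedelta(days=5, hours=3))                      # -> INACTIVE
    later = store.add_event("10.0.0.5", t0 + timedelta(days=6))      # new offense
    closed = store.add_event("10.0.0.9", t0 + timedelta(days=6))
    store.close(closed, t0 + timedelta(days=6))
    kept = store.add_event("10.0.0.13", t0 + timedelta(days=6))
    store.close(kept, t0 + timedelta(days=6))
    kept.protected = True
    store.tick(t0 + timedelta(days=36))   # 30-day retention elapsed for ids 1 and 3
    return {
        "revived_same_offense": revived.id == first.id,
        "new_offense_after_inactive": later.id != first.id,
        "remaining": {off.id: off.state for off in store.offenses},
    }
```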
Protecting Offenses
You might have offenses that you want to retain regardless of the retention period. You
can protect offenses to prevent them from being removed from JSA after the retention
period has elapsed.
By default, offenses are retained for thirty days. For more information about customizing
the offense retention period, see the Juniper Secure Analytics Administration Guide.
1. Click the Offenses tab, and click All Offenses.
2. Choose one of the following options:
• Select the offense that you want to protect, and then select Protect from the Actions list.
• From the Actions list box, select Protect Listed.
3. Click OK.
The offense is protected and will not be removed from JSA. In the Offense window, the
protected offense is indicated by a Protected icon in the Flag column.
Unprotecting Offenses
You can unprotect offenses that were previously protected from removal after the offense
retention period has elapsed.
To list only protected offenses, you can perform a search that filters for only protected
offenses. If you clear the Protected check box and ensure that all other options are
selected under the Excludes option list on the Search Parameters pane, only protected
offenses are displayed.
1. Click the Offenses tab.
2. Click All Offenses.
3. Optional: Perform a search that displays only protected offenses.
4. Choose one of the following options:
• Select the offense that you no longer want to protect, and then select Unprotect from the Actions list box.
• From the Actions list box, select Unprotect Listed.
5. Click OK.
Related Documentation
• Offense Investigations on page 60
• Offense Actions on page 65
• Offense Indexing on page 57
Offense Investigations
The Offense Summary window helps you begin your offense investigation by providing
context to help you understand what happened and determine how to isolate and resolve
the problem.
Figure 1: Offense Summary View
JSA does not use device-level user permissions to determine which offenses each user can view. All users who have access to the network can view all offenses, regardless of which log source or flow source is associated with the offense. For more information about restricting network access, see the security profiles documentation in the Juniper Secure Analytics Administration Guide.
JSA uses rules to monitor the events and flows in your network to detect security threats.
When the events and flows meet the test criteria that is defined in the rules, an offense
is created to show that a security attack or policy breach is suspected. But knowing that
an offense occurred is only the first step; identifying how it happened, where it happened,
and who did it requires some investigation.
Selecting an Offense to Investigate
Use the navigation options on the left to view the offenses from different perspectives.
For example, select By Source IP or By Destination IP to view information about repeat
offenders, IP addresses that generate many attacks, or systems that are continually
under attack. You can further refine the offenses in the list by selecting a time period for
the offenses that you want to view or by changing the search parameters.
You can also search for offenses that are based on various criteria. For more information
about searching offenses, see “Offense Searches” on page 163.
1. Click the Offenses tab.
2. On the navigation menu, select the category of offenses that you want to view.
3. Depending on the category that you selected, you may be able to select the following
filtering options:
a. From the View Offenses list, select an option to filter the list of offenses for a specific
time frame.
b. In the Current Search Parameters pane, click Clear Filter links to refine the list of
offenses.
4. To view all global offenses that are occurring on the network, click All Offenses.
5. To view all offenses that are assigned to you, click My Offenses.
6. To view offenses grouped on the high-level category, click By Category.
a. To view low-level category groups for a particular high-level category, click the
arrow icon next to the high-level category name.
b. To view a list of offenses for a low-level category, double-click the low-level
category.
Count fields, such as Event/Flow Count and Source Count, do not consider the network permissions of the user.
7. To view offenses grouped by source IP address, click By Source IP.
The list of offenses displays only source IP addresses with active offenses.
a. Double-click the Source IP group that you want to view.
b. To view a list of local destination IP addresses for the source IP address, click
Destinations on the Source page toolbar.
c. To view a list of offenses that are associated with this source IP address, click
Offenses on the Source page toolbar.
8. To view offenses grouped by destination IP address, click By Destination IP.
a. Double-click the Source IP address group that you want to view.
b. To view a list of offenses that are associated with the destination IP address, click
Offenses on the Destination page toolbar.
c. To view a list of source IP addresses associated with the destination IP address,
click Sources on the Destination page toolbar.
9. To view offenses grouped by network, click By Network.
a. Double-click the Network that you want to view.
b. To view a list of source IP addresses associated with this network, click Sources
on the Network page toolbar.
c. To view a list of destination IP addresses associated with this network, click
Destinations on the Network page toolbar.
d. To view a list of offenses that are associated with this network, click Offenses on
the Network page toolbar.
10. Double-click the offense to see additional information.
Use the information in the offense summary and details to investigate the offense and
take necessary actions.
Investigating an Offense by Using the Summary Information
The Offense Summary window provides the information that you need to begin to
investigate an offense in JSA. The information that is most important to you during your
investigation might be different, depending on the type of offense that you are
investigating.
To make it easier for you to investigate an offense, the bottom of the Offense Summary
page groups information about top contributors to the offense, and shows only the most
recent or most important pieces of information in that category. Many fields show
additional information when you hover the mouse over them. Some fields have extra right-click
menu options.
1. Click the Offenses tab and double-click the offense that you want to investigate.
The Offense Summary window opens.
2. Review the first row of data to learn about the level of importance that JSA assigned
to the offense.
3. Review the information in the top portion of the Offense Summary window to learn
more about the type of attack and the time frame when it occurred.
4. In the Offense Source Summary window, review the information about the source of
the offense.
The information that is shown in the Offense Source Summary window depends on
the Offense Type field.
When you view the summary information for historical offenses, the Last Known data
fields are not populated.
5. In the bottom portion of the Offense Summary window, review additional information
about the offense top contributors, including notes and annotations that are collected
about the offense.
To see all the information that JSA collected in a category, click the links on the right
side of the category heading.
6. If you installed JSA Risk Manager, click View Attack Path to see which assets in your
network are communicating to allow an offense to travel through the network.
Investigating Events
An event is a record from a log source, such as a firewall or router device, that describes
an action on a network or host. Events that are associated with an offense provide
evidence that suspicious activity is happening on your network. By examining the event
data, you can understand what caused the offense and determine how best to isolate
and mitigate the threat.
Some events are created based on an incoming raw event, while others are created by
the JSA Custom Rule Engine (CRE). Events that are created by JSA do not have a payload
because they are not based on raw events.
1. In the Offense Summary window, click Events.
The List of Events window shows all events that are associated with the offense.
2. Specify the Start Time, End Time, and View options to view events that occurred within
a specific time frame.
3. Click the event column header to sort the event list.
4. In the list of events, right-click the event name to apply quick filter options to reduce
the number of events to review.
You can apply quick filters to other columns in the event list as well.
5. Double-click an event to view the event details.
The Event Information and the Source and Destination Information window show only
the information that is known about the event. Depending on the type of event, some
fields might be empty.
6. In the Payload Information box, review the raw event for information that JSA did not
normalize.
Information that is not normalized does not appear in the JSA interface, but it may be
valuable to your investigation.
For more information about how to use JSA to review event data, see “Log Activity
Monitoring” on page 76 and “Searches” on page 147.
Investigating Flows
JSA correlates flows into an offense when it identifies suspicious activity in network
communications. The flow analysis provides visibility into layer 7, or the application layer,
for applications such as web browsers, NFS, SNMP, Telnet, and FTP. A flow can include
information such as IP addresses, ports, applications, traffic statistics, and packet payload
from unencrypted traffic.
By default, JSA tries to extract normalized fields and custom flow properties from the
first 64 bytes of flow data, but administrators can increase the content capture length
to collect more data. For more information, see the Juniper Secure Analytics Administration
Guide.
1. In the Offense Summary window, click Flows in the upper right menu.
The Flow List window shows all flows that are associated with the offense.
2. Specify the Start Time, End Time, and View options to view flows that occurred within
a specific time frame.
3. Click the flow column header to sort the flow list.
4. In the list of flows, right-click the flow name to apply quick filter options to reduce the
number of flows to review.
You can apply quick filters to other columns in the flow list as well.
5. Double-click a flow to review the flow details.
For more information about how to use JSA to review flow data, see “Network Activity
Investigation” on page 95 and “Event and Flow Searches” on page 147.
Related Documentation
• Offense Actions on page 65
• Offense Indexing on page 57
• Offense Retention on page 58
Offense Actions
JSA provides the capability to act on the offenses as you investigate them. To help you
track offenses that were acted upon, JSA adds an icon to the Flag column when you
assign an offense to a user, protect or hide an offense, add notes, or mark the offense
for follow-up.
To perform the same action on multiple offenses, hold the Control key while you select
each offense you want to act on. To view offense details on a new page, press the Ctrl
key while you double-click an offense.
Adding Notes
Add notes to an offense to track information that is collected during an investigation.
Notes can include up to 2000 characters.
1. Click the Offenses tab.
2. Select the offense to which you want to add the note.
To add the same note to multiple offenses, press the Ctrl key while you select each
offense.
3. From the Actions list, select Add Note.
4. Type the note that you want to include for this offense.
5. Click Add Note.
The note is displayed in the Last 5 Notes pane on the Offense Summary window. A Notes
icon is displayed in the flag column of the offense list.
Hover your mouse over the notes indicator in the Flag column of the Offenses list to view
the note.
Hiding Offenses
Hide an offense to prevent it from being displayed in the offense list. After you hide an
offense, the offense is no longer displayed in any list on the Offenses tab, including the
All Offenses list. However, if you perform a search that includes hidden offenses, the
offense is displayed in the search results.
1. Click the Offenses tab.
2. Select the offense that you want to hide.
To hide multiple offenses, hold the Control key while you select each offense.
3. From the Actions list box, select Hide.
4. Click OK.
Showing Hidden Offenses
By default, the offense list on the Offenses tab filters to exclude hidden offenses. To view
hidden offenses, clear the filter on the Offenses tab or perform a search that includes
hidden offenses. When you include hidden offenses in the offense list, the offenses show
the Hidden icon in the Flag column.
1. Click the Offenses tab.
2. To clear the filter on the offense list, click Clear Filter next to the Exclude Hidden
Offenses search parameter.
3. To create a new search that includes hidden offenses, follow these steps:
a. From the Search list box, select New Search.
b. In the Search Parameters window, clear the Hidden Offenses check box in the
Exclude options list.
c. Click Search.
4. To remove the hidden flag from an offense, follow these steps:
a. Select the offense for which you want to remove the hidden flag.
To select multiple offenses, hold the Control key while you click each offense.
b. From the Actions list box, select Show.
The hidden flag is removed and the offense appears in the offense list without having
to clear the Exclude Hidden Offenses filter.
Closing Offenses
Close an offense to remove it completely from your system.
The default offense retention period is 30 days. After the offense retention period expires,
closed offenses are deleted from the system. You can protect an offense to prevent it
from being deleted when the retention period expires.
Closed offenses are no longer displayed in any list on the Offenses tab, including the All
Offenses list. If you include closed offenses in a search, and the offense is still within the
retention period, the offense is displayed in the search results. If more events occur for
an offense that is closed, a new offense is created.
When you close offenses, you must select a reason for closing the offense. If you have
the Manage Offense Closing permission, you can add custom closing reasons. For more
information about user role permissions, see the Juniper Secure Analytics Administration
Guide.
1. Click the Offenses tab.
2. Select the offense that you want to close.
To close multiple offenses, hold the Control key while you select each offense.
3. From the Actions list, select Close.
4. In the Reason for Closing list, specify a closing reason.
To add a close reason, click the icon beside Reason for Closing to open the Custom
Offense Close Reasons dialog box.
5. In the Notes field, type a note to provide more information.
The Notes field displays the note that was entered for the previous offense closing.
Notes must not exceed 2,000 characters.
6. Click OK.
After you close offenses, the counts that are displayed on the By Category window of the
Offenses tab can take several minutes to reflect the closed offenses.
Exporting Offenses
Export offenses when you want to reuse the data or when you want to store the data
externally. For example, you can use the offense data to create reports in a third-party
application. You can also export offenses as a secondary long-term retention strategy.
Customer Support might require you to export offenses for troubleshooting purposes.
You can export offenses in Extensible Markup Language (XML) or comma-separated
values (CSV) format. The resulting XML or CSV file includes the parameters that are
specified in the Column Definition pane of the search parameters. The length of time that
is required to export the data depends on the number of parameters specified.
1. Click the Offenses tab.
2. Select the offenses that you want to export.
To select multiple offenses, hold the Control key while you select each offense.
3. Choose one of the following options:
• To export the offenses in XML format, select Actions > Export to XML.
• To export the offenses in CSV format, select Actions > Export to CSV.
4. Choose one of the following options:
• To open the file for immediate viewing, select Open with and select an application from the list.
• To save the file, select Save File.
5. Click OK.
The file, <date>-data_export.xml.zip, is saved in the default download folder on your
computer.
Assigning Offenses to Users
By default, all new offenses are unassigned. You can assign an offense to a JSA user
for investigation.
When you assign an offense to a user, the offense is displayed on the My Offenses page
for that user. You must have the Assign Offenses to Users permission to assign offenses
to users. For more information about user role permissions, see the Juniper Secure Analytics
Administration Guide.
You can assign offenses to users from either the Offenses tab or Offense Summary pages.
This procedure provides instruction on how to assign offenses from the Offenses tab.
1. Click the Offenses tab.
2. Select the offense that you want to assign.
To assign multiple offenses, hold the Control key while you select each offense.
3. From the Actions list, select Assign.
4. In the Assign To User list, select the user that you want to assign this offense to.
NOTE: The Assign To User list displays only those users who have privileges
to view the Offenses tab. The security profile settings for the user are
followed as well.
5. Click Save.
The offense is assigned to the selected user. The User icon is displayed in the Flag column
of the Offenses tab to indicate that the offense is assigned. The designated user can see
this offense on the My Offenses page.
Sending Email Notifications
Share the offense summary information with another person by sending an email.
The body of the email message includes the following information, if available:
• Source IP address
• Source user name, host name, or asset name
• Total number of sources
• Top five sources by magnitude
• Source networks
• Destination IP address
• Destination user name, host name, or asset name
• Total number of destinations
• Top five destinations by magnitude
• Destination networks
• Total number of events
• Rules that caused the offense or event rule to fire
• Full description of the offense or event rule
• Offense ID
• Top five categories
• Start time of the offense or the time the event was generated
• Top five annotations
• Link to the offense user interface
• Contributing CRE rules
1. Click the Offenses tab.
2. Select the offense for which you want to send an email notification.
3. From the Actions list box, select Email.
4. Configure the following parameters:
To: Type the email address of the user you want to notify when a change occurs to the selected offense. Separate multiple email addresses with a comma.
From: Type the originating email address. The default is root@localhost.com.
Email Subject: Type the subject for the email. The default is Offense ID.
Email Message: Type the standard message that you want to accompany the notification email.
5. Click Send.
Marking an Offense for Follow-up
Mark an offense for follow-up when you want to flag it for further investigation.
1. Click the Offenses tab.
2. Find the offense that you want to mark for follow-up.
3. Double-click the offense.
4. From the Actions list, select Follow up.
The offense now displays the follow-up icon in the Flag column. To sort the offense list
to show flagged offenses at the top, click the Flags column header.
Related Documentation
• Offense Indexing on page 57
• Offense Retention on page 58
• Offense Investigations on page 60
CHAPTER 5
Log Activity Investigation
• Log Activity Investigation on page 73
• Log Activity Tab Overview on page 73
• Log Activity Monitoring on page 76
• Viewing Associated Offenses on page 87
• Modifying Event Mapping on page 88
• Tuning False Positives on page 89
• PCAP Data on page 90
• Exporting Events on page 93
Log Activity Investigation
You can monitor and investigate events in real time or perform advanced searches.
Using the Log Activity tab, you can monitor and investigate log activity (events) in real
time or perform advanced searches.
Related Documentation
• Log Activity Tab Overview on page 73
• Log Activity Monitoring on page 76
• Viewing Associated Offenses on page 87
Log Activity Tab Overview
An event is a record from a log source, such as a firewall or router device, that describes
an action on a network or host.
The Log Activity tab specifies which events are associated with offenses.
You must have permission to view the Log Activity tab.
Log Activity Tab Toolbar
Using the Log Activity toolbar, you can access the following options:
Table 13: Log Activity Toolbar Options
Search: Click Search to perform advanced searches on events. Options include:
  • New Search: Select this option to create a new event search.
  • Edit Search: Select this option to select and edit an event search.
  • Manage Search Results: Select this option to view and manage search results.
Quick Searches: From this list box, you can run previously saved searches. Options are displayed in the Quick Searches list box only when you have saved search criteria that specifies the Include in my Quick Searches option.
Add Filter: Click Add Filter to add a filter to the current search results.
Save Criteria: Click Save Criteria to save the current search criteria.
Save Results: Click Save Results to save the current search results. This option is only displayed after a search is complete. This option is disabled in streaming mode.
Cancel: Click Cancel to cancel a search in progress. This option is disabled in streaming mode.
False Positive: Click False Positive to open the False Positive Tuning window, which allows you to tune out events that are known to be false positives from creating offenses. This option is disabled in streaming mode. For more information about tuning false positives, see “Tuning False Positives” on page 89.
Rules: The Rules option is only visible if you have permission to view rules. Click Rules to configure custom event rules. Options include:
  • Rules: Select this option to view or create a rule. If you only have the permission to view rules, the summary page of the Rules wizard is displayed. If you have the permission to maintain custom rules, the Rules wizard is displayed and you can edit the rule.
  • Add Threshold Rule: Select this option to create a threshold rule. A threshold rule tests event traffic for activity that exceeds a configured threshold. Thresholds can be based on any data that is collected by JSA. For example, if you create a threshold rule indicating that no more than 220 clients can log in to the server between 8 am and 5 pm, the rule generates an alert when the 221st client attempts to log in. When you select the Add Threshold Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating a threshold rule.
  • Add Behavioral Rule: Select this option to create a behavioral rule. A behavioral rule tests event traffic for abnormal activity, such as the existence of new or unknown traffic, traffic that suddenly ceases, or a percentage change in the amount of time an object is active. For example, you can create a behavioral rule to compare the average volume of traffic for the last 5 minutes with the average volume of traffic over the last hour. If there is more than a 40% change, the rule generates a response. When you select the Add Behavioral Rule option, the Rules wizard is displayed, prepopulated with the appropriate options for creating a behavioral rule.
Actions: Click Actions to perform the following actions:
  • Show All: Select this option to remove all filters on search criteria and display all unfiltered events.
  • Print: Select this option to print the events that are displayed on the page.
  • Export to XML > Visible Columns: Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option. See “Exporting Events” on page 93.
  • Export to XML > Full Export (All Columns): Select this option to export all event parameters. A full export can take an extended period of time to complete. See “Exporting Events” on page 93.
  • Export to CSV > Visible Columns: Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option. See “Exporting Events” on page 93.
  • Export to CSV > Full Export (All Columns): Select this option to export all event parameters. A full export can take an extended period of time to complete. See “Exporting Events” on page 93.
  • Delete: Select this option to delete a search result. See “Managing Search Results” on page 176.
  • Notify: Select this option to specify that you want a notification emailed to you on completion of the selected searches. This option is only enabled for searches in progress.
  NOTE: The Print, Export to XML, and Export to CSV options are disabled in streaming mode and when viewing partial search results.
Search toolbar:
  • Advanced Search: Select Advanced Search from the list box to enter an Ariel Query Language (AQL) search string to specify the fields that you want returned.
  • Quick Filter: Select Quick Filter from the list box to search payloads by using simple words or phrases.
View: The default view on the Log Activity tab is a stream of real-time events. The View list contains options to also view events from specified time periods. After you choose a specified time period from the View list, you can then modify the displayed time period by changing the date and time values in the Start Time and End Time fields.
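The threshold rule and the behavioral rule in Table 13 test different things: one counts distinct objects against a fixed limit inside a time window, the other compares a short-term average against a long-term baseline. The following added example is not JSA code; it uses its own constructed events and field names (ts, event_name, source_ip, volume) to evaluate both semantics as the table states them (220 clients between 8 am and 5 pm, alert on the 221st; a change of more than 40% between the 5-minute average and the 1-hour average) over a small sample stream.

```python
"""Added example, not JSA code: the threshold and behavioral rule semantics that
Table 13 describes, evaluated in plain Python over constructed sample events.
The Event fields below are this example's own, not JSA's event schema."""
from collections import deque
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """Minimal stand-in for a normalized event (constructed for this example)."""
    ts: datetime
    event_name: str
    source_ip: str
    volume: int = 0  # bytes carried by the event, used by the behavioral rule


@dataclass
class ThresholdRule:
    """No more than max_clients distinct clients may log in between window_start and
    window_end on a given day; the first client beyond that (the 221st by default)
    and every further new client produces an alert."""
    max_clients: int = 220
    window_start: time = time(8, 0)
    window_end: time = time(17, 0)
    seen: Dict[date, Set[str]] = field(default_factory=dict)  # distinct clients per day

    def evaluate(self, ev: Event) -> Optional[str]:
        if ev.event_name != "login":
            return None
        if not (self.window_start <= ev.ts.time() <= self.window_end):
            return None  # outside 8 am to 5 pm: not counted against the threshold
        clients = self.seen.setdefault(ev.ts.date(), set())
        if ev.source_ip in clients:
            return None  # a repeat login by a known client is not a new client
        clients.add(ev.source_ip)
        if len(clients) > self.max_clients:
            return f"threshold exceeded: client #{len(clients)} ({ev.source_ip}) at {ev.ts:%H:%M}"
        return None


@dataclass
class BehavioralRule:
    """Compares the average bytes per minute over the last short_minutes with the
    average over the last long_minutes; a change larger than pct fires. Traffic
    that suddenly ceases shows up as a -100% change and fires as well."""
    short_minutes: int = 5
    long_minutes: int = 60
    pct: float = 40.0
    first_ts: Optional[datetime] = None
    history: Deque[Tuple[datetime, int]] = field(default_factory=deque)

    def evaluate(self, ev: Event) -> Optional[str]:
        if self.first_ts is None:
            self.first_ts = ev.ts
        long_win = timedelta(minutes=self.long_minutes)
        short_win = timedelta(minutes=self.short_minutes)
        self.history.append((ev.ts, ev.volume))
        while ev.ts - self.history[0][0] >= long_win:
            self.history.popleft()  # forget samples that fell out of the long window
        if ev.ts - self.first_ts < long_win:
            return None  # no baseline until a full long window has been observed
        long_avg = sum(v for _, v in self.history) / self.long_minutes
        short_avg = sum(v for t, v in self.history if ev.ts - t < short_win) / self.short_minutes
        if long_avg == 0:
            return None
        change = (short_avg - long_avg) / long_avg * 100
        if abs(change) > self.pct:
            return (f"behavioral change {change:+.0f}%: {short_avg:.0f} B/min over the last "
                    f"{self.short_minutes} min vs {long_avg:.0f} B/min over the last {self.long_minutes} min")
        return None


def run_threshold(n_clients: int = 225) -> List[str]:
    """Constructed sample: n_clients distinct clients log in from 09:00 on, plus one login
    at 03:00 (outside the window) and one repeat login, neither of which may count."""
    rule = ThresholdRule()
    start = datetime(2017, 9, 13, 9, 0)
    events = [Event(datetime(2017, 9, 13, 3, 0), "login", "10.9.9.9")]
    events += [Event(start + timedelta(seconds=10 * i), "login", f"10.0.{i // 256}.{i % 256}")
               for i in range(n_clients)]
    events.append(Event(start + timedelta(hours=1), "login", "10.0.0.0"))
    alerts = []
    for ev in events:
        msg = rule.evaluate(ev)
        if msg:
            alerts.append(msg)
    return alerts


def run_behavioral() -> List[int]:
    """Constructed sample: one event per minute at 1000 B for an hour, then the volume
    doubles for five minutes. Returns the minute indices at which the rule fired."""
    rule = BehavioralRule()
    t0 = datetime(2017, 9, 13, 12, 0)
    fired = []
    for i in range(65):
        ev = Event(t0 + timedelta(minutes=i), "flow", "10.0.0.1", volume=1000 if i < 60 else 2000)
        if rule.evaluate(ev):
            fired.append(i)
    return fired


if __name__ == "__main__":
    print(*run_threshold(), sep="\n")
    print("behavioral rule fired at minutes", run_behavioral())
```

Note that the behavioral rule stays silent during the first hour because it has no baseline yet, and that it only fires on the third surge minute, once the 5-minute average has pulled far enough away from a baseline that the surge itself is also raising.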
Right-click Menu Options
On the Log Activity tab, you can right-click an event to access more event filter information.
The right-click menu options are:
Table 14: Right-click Menu Options
Filter on: Select this option to filter on the selected event, depending on the selected parameter in the event.
False Positive: Select this option to open the False Positive window, which allows you to tune out events that are known to be false positives from creating offenses. This option is disabled in streaming mode. See “Tuning False Positives” on page 89.
More options: Select this option to investigate an IP address or a user name. For more information about investigating an IP address, see Investigating IP addresses. For more information about investigating a user name, see “Investigate User Names” on page 33.
  NOTE: This option is not displayed in streaming mode.
Quick Filter: Filter items that match, or do not match, the selection.
Status Bar
When streaming events, the status bar displays the average number of results that are
received per second.
This is the number of results the Console successfully received from the Event processors.
If this number is greater than 40 results per second, only 40 results are displayed. The
remainder is accumulated in the result buffer. To view more status information, move
your mouse pointer over the status bar.
When events are not being streamed, the status bar displays the number of search results
that are currently displayed on the tab and the amount of time that is required to process
the search results.
Related Documentation
• Log Activity Monitoring on page 76
• Viewing Associated Offenses on page 87
• Modifying Event Mapping on page 88
Log Activity Monitoring
By default, the Log Activity tab displays events in streaming mode, allowing you to view
events in real time.
For more information about streaming mode, see “Viewing Streaming Events” on page 76.
You can specify a different time range to filter events by using the View list box.
If you previously configured saved search criteria as the default, the results of that search
are automatically displayed when you access the Log Activity tab. For more information
about saving search criteria, see “Saving Search Criteria” on page 153.
Viewing Streaming Events
Streaming mode will enable you to view event data that enters your system. This mode
provides you with a real-time view of your current event activity by displaying the last 50
events.
If you apply any filters on the Log Activity tab or in your search criteria before enabling
streaming mode, the filters are maintained in streaming mode. However, streaming mode
does not support searches that include grouped events. If you enable streaming mode
on grouped events or grouped search criteria, the Log Activity tab displays the normalized
events. See “Viewing Normalized Events” on page 77.
When you want to select an event to view details or perform an action, you must pause
streaming before you double-click an event. When the streaming is paused, the last 1,000
events are displayed.
1. Click the Log Activity tab.
2. From the View list box, select Real Time (streaming).
For information about the toolbar options, see Table 4-1. For more information about
the parameters that are displayed in streaming mode, see Table 4-7.
3. Optional. Pause or play the streaming events. Choose one of the following options:
• To select an event record, click the Pause icon to pause streaming.
• To restart streaming mode, click the Play icon.
Viewing Normalized Events
Events are collected in raw format, and then normalized for display on the Log Activity
tab.
Normalization involves parsing raw event data and preparing the data to display readable
information on the tab. When events are normalized, the system normalizes the event
names as well. Therefore, the name that is displayed on the Log Activity tab might not
match the name that appears in the original event.
NOTE: If you selected a time frame to display, a time series chart is displayed.
For more information about using time series charts, see “Time Series Chart
Overview” on page 142.
The Log Activity tab displays the following parameters when you view normalized events:
Table 15: Log Activity Tab - Default (Normalized) Parameters
Current Filters: The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.
  NOTE: This parameter is only displayed after you apply a filter.
View: From this list box, you can select the time range that you want to filter for.
Current Statistics: When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:
  NOTE: Click the arrow next to Current Statistics to display or hide the statistics.
  • Total Results: Specifies the total number of results that matched your search criteria.
  • Data Files Searched: Specifies the total number of data files searched during the specified time span.
  • Compressed Data Files Searched: Specifies the total number of compressed data files searched within the specified time span.
  • Index File Count: Specifies the total number of index files searched during the specified time span.
  • Duration: Specifies the duration of the search.
  NOTE: Current statistics are useful for troubleshooting. When you contact Juniper Customer Support to troubleshoot events, you might be asked to supply current statistical information.
Charts: Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. For more information about configuring charts, see “Chart Management” on page 141.
  NOTE: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Offenses icon: Click this icon to view details of the offense that is associated with this event. For more information, see “Chart Management” on page 141.
  NOTE: Depending on your product, this icon might not be available. You must have JSA.
Start Time: Specifies the time of the first event, as reported to JSA by the log source.
Event Name: Specifies the normalized name of the event.
Log Source: Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Event Count: Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are detected within a short time.
Time: Specifies the date and time when JSA received the event.
Low Level Category: Specifies the low-level category that is associated with this event. For more information about event categories, see the Juniper Secure Analytics Administration Guide.
Source IP: Specifies the source IP address of the event.
Source Port: Specifies the source port of the event.
Destination IP: Specifies the destination IP address of the event.
Destination Port: Specifies the destination port of the event.
Username: Specifies the user name that is associated with this event. User names are often available in authentication-related events. For all other types of events where the user name is not available, this field specifies N/A.
Magnitude: Specifies the magnitude of this event. Variables include credibility, relevance, and severity. Point your mouse over the magnitude bar to display values and the calculated magnitude.
1. Click the Log Activity tab.
2. From the Display list box, select Default (Normalized).
3. From the View list box, select the time frame that you want to display.
4. Click the Pause icon to pause streaming.
5. Double-click the event that you want to view in greater detail. For more information,
see “Viewing Event Details” on page 84.
Viewing Raw Events
You can view raw event data, which is the unparsed event data from the log source.
When you view raw event data, the Log Activity tab provides the following parameters
for each event.
Table 16: Raw Event Parameters
Current Filters: The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.
  NOTE: This parameter is only displayed after you apply a filter.
View: From this list box, you can select the time range that you want to filter for.
Table 16: Raw Event Parameters (continued)
Parameter
Description
Current Statistics
When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed,
including:
NOTE: Click the arrow next to Current Statistics to display or hide the statistics
•
Total Results Specifies the total number of results that matched your search criteria.
•
Data Files Searched Specifies the total number of data files searched during the specified time span.
•
Compressed Data Files Searched Specifies the total number of compressed data files searched within
the specified time span.
•
Index File Count Specifies the total number of index files searched during the specified time span.
•
Duration Specifies the duration of the search.
NOTE: Current statistics are useful for troubleshooting. When you contact Juniper Customer Support
to troubleshoot events, you might be asked to supply current statistical information.
Charts
Displays configurable charts that represent the records that are matched by the time interval and
grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are
only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping
option to display.
NOTE: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts
do not display. To display charts, you must remove the ad blocker browser extension. For more
information, see your browser documentation.
Offenses icon
Click this icon to view details of the offense that is associated with this event.
Start Time
Specifies the time of the first event, as reported to JSA by the log source.
Log Source
Specifies the log source that originated the event. If there are multiple log sources that are associated
with this event, this field specifies the term Multiple and the number of log sources.
Payload
Specifies the original event payload information in UTF-8 format.
1. Click the Log Activity tab.
2. From the Display list box, select Raw Events.
3. From the View list box, select the time frame that you want to display.
4. Double-click the event that you want to view in greater detail. See “Viewing Event
Details” on page 84.
Viewing Grouped Events
Using the Log Activity tab, you can view events that are grouped by various options. From
the Display list box, you can select the parameter by which you want to group events.
The Display list box is not displayed in streaming mode because streaming mode does
not support grouped events. If you entered streaming mode by using non-grouped search
criteria, this option is displayed.
The Display list box provides the following options:
Table 17: Grouped Events Options
Group option
Description
Low Level Category
Displays a summarized list of events that are grouped by the low-level category of the event.
For more information about categories, see the Juniper Secure Analytics Administration Guide.
Event Name
Displays a summarized list of events that are grouped by the normalized name of the event.
Destination IP
Displays a summarized list of events that are grouped by the destination IP address of the
event.
Destination Port
Displays a summarized list of events that are grouped by the destination port address of the
event.
Source IP
Displays a summarized list of events that are grouped by the source IP address of the event.
Custom Rule
Displays a summarized list of events that are grouped by the associated custom rule.
Username
Displays a summarized list of events that are grouped by the user name that is associated
with the events.
Log Source
Displays a summarized list of events that are grouped by the log sources that sent the event
to JSA.
High Level Category
Displays a summarized list of events that are grouped by the high-level category of the event.
Network
Displays a summarized list of events that are grouped by the network that is associated with
the event.
Source Port
Displays a summarized list of events that are grouped by the source port address of the
event.
After you select an option from the Display list box, the column layout of the data depends
on the chosen group option. Each row in the events table represents an event group. The
Log Activity tab provides the following information for each event group:
Table 18: Grouped Event Parameters
Parameter
Description
Grouping By
Specifies the parameter that the search is grouped on.
Current Filters
The top of the table displays the details of the filter that is applied to the search results. To clear
these filter values, click Clear Filter.
View
From the list box, select the time range that you want to filter for.
Current Statistics
When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are
displayed, including:
NOTE: Click the arrow next to Current Statistics to display or hide the statistics.
• Total Results - Specifies the total number of results that matched your search criteria.
• Data Files Searched - Specifies the total number of data files searched during the specified time
span.
• Compressed Data Files Searched - Specifies the total number of compressed data files searched
within the specified time span.
• Index File Count - Specifies the total number of index files searched during the specified time
span.
• Duration - Specifies the duration of the search.
NOTE: Current statistics are useful for troubleshooting. When you contact Juniper Customer
Support to troubleshoot events, you might be asked to supply current statistical information.
Charts
Displays configurable charts that represent the records that are matched by the time interval and
grouping option. Click Hide Charts if you want to remove the chart from your display.
Each chart provides a legend, which is a visual reference to help you associate the chart objects
to the parameters they represent. Using the legend feature, you can perform the following actions:
• Move your mouse pointer over a legend item to view more information about the parameters it
represents.
• Right-click the legend item to further investigate the item.
• Click a legend item to hide the item in the chart. Click the legend item again to show the hidden
item. You can also click the corresponding graph item to hide and show the item.
• Click Legend if you want to remove the legend from your chart display.
NOTE: The charts are only displayed after you select a time frame of Last Interval (auto refresh)
or above, and a grouping option to display.
NOTE: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed,
charts do not display. To display charts, you must remove the ad blocker browser extension.
For more information, see your browser documentation.
Source IP (Unique Count)
Specifies the source IP address that is associated with this event. If there are multiple IP addresses
that are associated with this event, this field specifies the term Multiple and the number of IP
addresses.
Destination IP (Unique
Count)
Specifies the destination IP address that is associated with this event. If there are multiple IP
addresses that are associated with this event, this field specifies the term Multiple and the number
of IP addresses.
Destination Port (Unique
Count)
Specifies the destination ports that are associated with this event. If there are multiple ports that
are associated with this event, this field specifies the term Multiple and the number of ports.
Event Name
Specifies the normalized name of the event.
Log Source (Unique
Count)
Specifies the log sources that sent the event to JSA. If there are multiple log sources that are
associated with this event, this field specifies the term Multiple and the number of log sources.
High Level Category
(Unique Count)
Specifies the high-level category of this event. If there are multiple categories that are associated
with this event, this field specifies the term Multiple and the number of categories.
For more information about categories, see the Log Manager Administration Guide.
Low Level Category
(Unique Count)
Specifies the low-level category of this event. If there are multiple categories that are associated
with this event, this field specifies the term Multiple and the number of categories.
Protocol (Unique Count)
Specifies the protocol ID associated with this event. If there are multiple protocols that are
associated with this event, this field specifies the term Multiple and the number of protocol IDs.
Username (Unique Count)
Specifies the user name that is associated with this event, if available. If there are multiple user
names that are associated with this event, this field specifies the term Multiple and the number
of user names.
Magnitude (Maximum)
Specifies the maximum calculated magnitude for grouped events. Variables that are used to
calculate magnitude include credibility, relevance, and severity.
Event Count (Sum)
Specifies the total number of events that are bundled in this normalized event. Events are bundled
when many of the same type of event for the same source and destination IP address are seen
within a short time.
Count
Specifies the total number of normalized events in this event group.
1. Click the Log Activity tab.
2. From the View list box, select the time frame that you want to display.
3. From the Display list box, choose which parameter you want to group events on. See
Table 17.
The event groups are listed. For more information about the event group details, see
Table 18.
4. To view the List of Events page for a group, double-click the event group that you want
to investigate.
The List of Events page does not retain chart configurations that you might have
defined on the Log Activity tab. For more information about the List of Events page
parameters, see Table 1.
5. To view the details of an event, double-click the event that you want to investigate.
For more information about event details, see Table 19.
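The following is an added example, not code from the Juniper guide, showing how the aggregate columns of Table 18 can be derived from a set of normalized events: the (Unique Count) cells that collapse to a single value or to "Multiple" plus a count, Magnitude (Maximum), Event Count (Sum), and Count. The field names, the N/A rendering for a missing value, and the sample events are assumptions chosen to mirror the column names in the guide.

```python
"""Added example, not part of the Juniper guide: how the grouped-event
columns of Table 18 can be derived from a set of normalized events.

Field names and the sample records are assumptions chosen to mirror the
column names in the guide; the events are constructed, not real JSA data."""
from collections import defaultdict

# Constructed sample events. Each normalized event already carries an
# event_count, because JSA bundles repeated events of the same type for
# the same source/destination pair into one normalized event.
SAMPLE_EVENTS = [
    {"event_name": "Login Failure", "source_ip": "10.0.0.5",
     "destination_ip": "10.0.1.10", "destination_port": 22,
     "log_source": "LinuxServer @ host-a", "username": "alice",
     "low_level_category": "Login Failed",
     "high_level_category": "Authentication",
     "protocol": 6, "magnitude": 3, "event_count": 4},
    {"event_name": "Login Failure", "source_ip": "10.0.0.6",
     "destination_ip": "10.0.1.10", "destination_port": 22,
     "log_source": "LinuxServer @ host-a", "username": "bob",
     "low_level_category": "Login Failed",
     "high_level_category": "Authentication",
     "protocol": 6, "magnitude": 5, "event_count": 1},
    {"event_name": "Login Failure", "source_ip": "10.0.0.5",
     "destination_ip": "10.0.1.11", "destination_port": 3389,
     "log_source": "WindowsAuthServer @ host-b", "username": "alice",
     "low_level_category": "Login Failed",
     "high_level_category": "Authentication",
     "protocol": 6, "magnitude": 7, "event_count": 2},
    {"event_name": "Firewall Permit", "source_ip": "10.0.0.5",
     "destination_ip": "192.0.2.10", "destination_port": 443,
     "log_source": "JuniperSRX @ fw-1", "username": None,
     "low_level_category": "Firewall Permit",
     "high_level_category": "Access",
     "protocol": 6, "magnitude": 1, "event_count": 10},
]

# Columns that Table 18 labels "(Unique Count)".
UNIQUE_COUNT_FIELDS = (
    "event_name", "source_ip", "destination_ip", "destination_port",
    "log_source", "high_level_category", "low_level_category",
    "protocol", "username",
)


def unique_count(values):
    """Render a (Unique Count) cell: the single value when every event in
    the group agrees, otherwise the word Multiple and the number of
    distinct values. Missing values (None) are ignored; an all-missing
    column renders as N/A (an assumption; the guide says "if available")."""
    distinct = sorted({str(v) for v in values if v is not None})
    if not distinct:
        return "N/A"
    if len(distinct) == 1:
        return distinct[0]
    return f"Multiple ({len(distinct)})"


def group_events(events, group_by):
    """Build one row per event group with the aggregate columns of Table
    18: the (Unique Count) cells, Magnitude (Maximum), Event Count (Sum),
    and Count (number of normalized events in the group). Rows are sorted
    by Event Count (Sum), largest first."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append(ev)
    rows = []
    for value, members in groups.items():
        row = {"grouping_by": group_by, "group_value": value}
        for field in UNIQUE_COUNT_FIELDS:
            row[field] = unique_count(m[field] for m in members)
        row["magnitude_max"] = max(m["magnitude"] for m in members)
        row["event_count_sum"] = sum(m["event_count"] for m in members)
        row["count"] = len(members)
        rows.append(row)
    rows.sort(key=lambda r: r["event_count_sum"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in group_events(SAMPLE_EVENTS, "event_name"):
        print(row["group_value"], row["source_ip"], row["username"],
              row["magnitude_max"], row["event_count_sum"], row["count"])
```

Grouping the same four events by Event Name and then by Source IP shows why the two aggregates differ: Count is the number of normalized events in the group, while Event Count (Sum) adds up the bundled raw events each of them represents.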
Viewing Event Details
You can view a list of events in various modes, including streaming mode or in event
groups. In whichever mode you choose to view events, you can locate and view the
details of a single event.
The event details page provides the following information:
Table 19: Event Details
Parameter
Description
Event Name
Specifies the normalized name of the event.
Low Level Category
Specifies the low-level category of this event.
For more information about categories, see the Juniper Secure Analytics Administration
Guide.
Event Description
Specifies a description of the event, if available.
Magnitude
Specifies the magnitude of this event.
Relevance
Specifies the relevance of this event.
Severity
Specifies the severity of this event.
Credibility
Specifies the credibility of this event.
Username
Specifies the user name that is associated with this event, if available.
Start Time
Specifies the time that the event was received from the log source.
Storage Time
Specifies the time that the event was stored in the JSA database.
Log Source Time
Specifies the system time as reported by the log source in the event payload.
Source and Destination information
Source IP
Specifies the source IP address of the event.
Destination IP
Specifies the destination IP address of the event.
Source Asset Name
Specifies the user-defined asset name of the event source. For more information about
assets, see Asset management.
Destination Asset Name
Specifies the user-defined asset name of the event destination. For more information
about assets, see Asset management.
Source Port
Specifies the source port of this event.
Destination Port
Specifies the destination port of this event.
Pre NAT Source IP
For a firewall or another device capable of Network Address Translation (NAT), this
parameter specifies the source IP address before the NAT values were applied. NAT
translates an IP address in one network to a different IP address in another network.
Pre NAT Destination IP
For a firewall or another device capable of NAT, this parameter specifies the destination
IP address before the NAT values were applied.
Pre NAT Source Port
For a firewall or another device capable of NAT, this parameter specifies the source
port before the NAT values were applied.
Pre NAT Destination Port
For a firewall or another device capable of NAT, this parameter specifies the destination
port before the NAT values were applied.
Post NAT Source IP
For a firewall or another device capable of NAT, this parameter specifies the source IP
address after the NAT values were applied.
Post NAT Destination IP
For a firewall or another device capable of NAT, this parameter specifies the destination
IP address after the NAT values were applied.
Post NAT Source Port
For a firewall or another device capable of NAT, this parameter specifies the source
port after the NAT values were applied.
Post NAT Destination Port
For a firewall or another device capable of NAT, this parameter specifies the destination
port after the NAT values were applied.
IPv6 Source
Specifies the source IPv6 address of the event.
IPv6 Destination
Specifies the destination IPv6 address of the event.
Source MAC
Specifies the source MAC address of the event.
Destination MAC
Specifies the destination MAC address of the event.
Payload information
Payload
Specifies the payload content from the event. This field offers 3 tabs to view the payload:
• Universal Transformation Format (UTF) - Click UTF.
• Hexadecimal - Click HEX.
• Base64 - Click Base64.
Additional information
Protocol
Specifies the protocol that is associated with this event.
QID
Specifies the QID for this event. Each event has a unique QID. For more information
about mapping a QID, see “Modifying Event Mapping” on page 88.
Log Source
Specifies the log source that sent the event to JSA. If there are multiple log sources
that are associated with this event, this field specifies the term Multiple and the number
of log sources.
Event Count
Specifies the total number of events that are bundled in this normalized event. Events
are bundled when many of the same type of event for the same source and destination
IP address are seen within a short time.
Custom Rules
Specifies custom rules that match this event.
Custom Rules Partially Matched
Specifies custom rules that partially match this event.
Annotations
Specifies the annotation for this event. Annotations are text descriptions that rules can
automatically add to events as part of the rule response.
Identity information
JSA collects identity information, if available, from log source messages. Identity information provides extra
details about assets on your network. Log sources only generate identity information if the log message sent to JSA contains
an IP address and at least one of the following items: user name or MAC address. Not all log sources generate identity information.
Identity Username
Specifies the user name of the asset that is associated with this event.
Identity IP
Specifies the IP address of the asset that is associated with this event.
Identity Net Bios Name
Specifies the Network Basic Input/Output System (NetBIOS) name of the asset that is
associated with this event.
Identity Extended field
Specifies more information about the asset that is associated with this event. The
content of this field is user-defined text and depends on the devices on your network
that are available to provide identity information. Examples include: physical location
of devices, relevant policies, network switch, and port names.
Has Identity (Flag)
Specifies True if JSA has collected identity information for the asset that is associated
with this event.
For more information about which devices send identity information, see the Juniper
Secure Analytics Configuring DSMs.
Identity Host Name
Specifies the host name of the asset that is associated with this event.
Identity MAC
Specifies the MAC address of the asset that is associated with this event.
Identity Group Name
Specifies the group name of the asset that is associated with this event.
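The following is an added example, not code from the Juniper guide, that derives the Identity fields and the Has Identity flag from a raw UTF-8 payload using the rule stated above (an IP address plus a user name or a MAC address), and also renders the payload in the three views the Payload field offers (UTF, HEX, Base64). The key=value conventions in the regular expressions, the function names and the sample payloads are constructed assumptions; a real DSM parses each vendor's format separately.

```python
"""Added example, not part of the Juniper guide: deriving the Identity
fields and the Has Identity flag of Table 19 from a raw UTF-8 payload,
following the guide's rule that identity information is only generated
when the message carries an IP address plus a user name or a MAC address.
It also renders the payload in the three views the Payload field offers
(UTF, HEX, Base64).

The key=value conventions in the regexes, the function names and the
sample payloads are constructed assumptions; a real DSM parses each
vendor's format separately."""
import base64
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Assumed conventions for the sample messages below.
USER_RE = re.compile(r"\b(?:user|username)=(\S+)", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:host|hostname)=(\S+)", re.IGNORECASE)

# Constructed sample payloads (not captured from a real log source).
SAMPLE_PAYLOADS = [
    b"sshd[1234]: Accepted password for username=alice from 10.0.0.5 port 51234",
    b"dhcpd: DHCPACK on 10.0.0.23 to 00:1A:2B:3C:4D:5E hostname=laptop-7",
    b"fw-1: session permitted src=10.0.0.5 dst=192.0.2.10 dport=443",
    b"audit: user=svc_backup login ok",
]


def render_payload_views(payload: bytes) -> dict:
    """The three tabs of the Payload field: UTF (decoded text), HEX and
    Base64. Undecodable bytes are replaced rather than dropped so the
    UTF view never silently hides part of the message."""
    return {
        "utf": payload.decode("utf-8", errors="replace"),
        "hex": payload.hex(),
        "base64": base64.b64encode(payload).decode("ascii"),
    }


def extract_identity(payload: bytes) -> dict:
    """Return the Identity fields for one event. The Has Identity flag is
    True only when an IP address and at least one of user name or MAC
    address were found, as the guide states."""
    text = render_payload_views(payload)["utf"]
    ip = IP_RE.search(text)
    mac = MAC_RE.search(text)
    user = USER_RE.search(text)
    host = HOST_RE.search(text)
    identity = {
        "identity_ip": ip.group(0) if ip else None,
        "identity_username": user.group(1) if user else None,
        "identity_mac": mac.group(0).lower() if mac else None,
        "identity_host_name": host.group(1) if host else None,
    }
    identity["has_identity"] = bool(
        identity["identity_ip"]
        and (identity["identity_username"] or identity["identity_mac"])
    )
    return identity


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(extract_identity(payload))
```

The third and fourth sample payloads show the two ways a message fails the rule: a firewall session record has addresses but no user or MAC, and an audit record names a user but no IP address, so neither sets Has Identity.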
Event Details Toolbar
The event details toolbar provides several functions for viewing event details.
The event details toolbar provides the following functions:
Table 20: Event Details Toolbar
Return to Events List
Click Return to Events List to return to the list of events.
Offense
Click Offense to display the offenses that are associated with the event.
Map Event
Click Map Event to edit the event mapping. For more information, see “Modifying Event Mapping”
on page 88.
False Positive
Click False Positive to tune JSA to prevent false positive events from generating into offenses.
Extract Property
Click Extract Property to create a custom event property from the selected event.
Previous
Click Previous to view the previous event in the event list.
Next
Click Next to view the next event in the event list.
PCAP Data
NOTE: This option is only displayed if your JSA Console is configured to integrate with the Juniper
Junos OS Platform DSM. For more information about managing PCAP data, see “PCAP Data” on
page 90.
• View PCAP Information - Select this option to view the PCAP information. For more information,
see “Viewing PCAP Information” on page 91.
• Download PCAP File - Select this option to download the PCAP file to your desktop system. For
more information, see “Downloading the PCAP File to Your Desktop System” on page 92.
Print
Click Print to print the event details.
Related Documentation
• Viewing Associated Offenses on page 87
• Modifying Event Mapping on page 88
• Tuning False Positives on page 89
Viewing Associated Offenses
From the Log Activity tab, you can view the offense that is associated with the event.
If an event matches a rule, an offense can be generated on the Offenses tab.
For more information about rules, see the Juniper Secure Analytics Administration Guide.
When you view an offense from the Log Activity tab, the offense might not display if the
Magistrate has not yet saved the offense that is associated with the selected event to
disk or the offense has been purged from the database. If this occurs, the system notifies
you.
1. Click the Log Activity tab.
2. Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
3. Click the Offense icon beside the event you want to investigate.
4. View the associated offense.
Related Documentation
• Modifying Event Mapping on page 88
• Tuning False Positives on page 89
• PCAP Data on page 90
Modifying Event Mapping
You can manually map a normalized or raw event to a high-level and low-level category
(or QID).
This manual action is used to map unknown log source events to known JSA events so
that they can be categorized and processed appropriately.
For normalization purposes, JSA automatically maps events from log sources to high- and low-level categories.
For more information about event categories, see the Juniper Secure Analytics
Administration Guide.
If events are received from log sources that the system is unable to categorize, then the
events are categorized as unknown. These events occur for several reasons, including:
• User-defined Events - Some log sources, such as Snort, allow you to create
user-defined events.
• New Events or Older Events - Vendor log sources might update their software with
maintenance releases to support new events that JSA might not support.
NOTE: The Map Event icon is disabled for events when the high-level category
is SIM Audit or the log source type is Simple Object Access Protocol (SOAP).
1. Click the Log Activity tab.
2. Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
3. Double-click the event that you want to map.
4. Click Map Event.
5. If you know the QID that you want to map to this event, type the QID in the Enter QID
field.
6. If you do not know the QID you want to map to this event, you can search for a
particular QID:
a. Choose one of the following options:
• To search for a QID by category, select the high-level category from the
High-Level Category list box.
• To search for a QID by log source type, select a log source type from the
Log Source Type list box.
• To search for a QID by name, type a name in the QID/Name field.
b. Click Search.
c. Select the QID you want to associate this event with.
7. Click OK.
Related Documentation
• Tuning False Positives on page 89
• PCAP Data on page 90
• Exporting Events on page 93
Tuning False Positives
You can use the False Positive Tuning function to prevent false positive events from
creating offenses.
You can tune false positive events from the event list or event details page.
You must have appropriate permissions for creating customized rules to tune false
positives.
For more information about roles, see the Juniper Secure Analytics Administration Guide.
1. Click the Log Activity tab.
2. Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
3. Select the event that you want to tune.
4. Click False Positive.
5. In the Event/Flow Property pane on the False Positive window, select one of the
following options:
• Event/Flow(s) with a specific QID of <Event>
• Any Event/Flow(s) with a low-level category of <Event>
• Any Event/Flow(s) with a high-level category of <Event>
6. In the Traffic Direction pane, select one of the following options:
• <Source IP Address> to <Destination IP Address>
• <Source IP Address> to Any Destination
• Any Source to <Destination IP Address>
• Any Source to any Destination
7. Click Tune.
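The following is an added example, not code from the Juniper guide, that models the two choices made in steps 5 and 6 and evaluates the resulting tune against later events: the Event/Flow Property pane fixes the scope (a specific QID, a low-level category, or a high-level category) and the Traffic Direction pane fixes which source/destination pairs the tune covers. The data model, the function names and the sample events, including their placeholder QIDs, are constructed assumptions.

```python
"""Added example, not part of the Juniper guide: how a choice made in the
False Positive window can be evaluated against later events. The
Event/Flow Property pane fixes the scope (a specific QID, a low-level
category, or a high-level category) and the Traffic Direction pane fixes
which source/destination pairs the tune covers. The data model, the
function names and the sample events (including their QIDs) are
constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    qid: int
    low_level_category: str
    high_level_category: str
    source_ip: str
    destination_ip: str


# Event/Flow Property pane options, in the order the guide lists them.
PROPERTY_SCOPES = ("qid", "low_level_category", "high_level_category")
# Traffic Direction pane options: which of the event's addresses are kept.
DIRECTIONS = {
    "src_to_dst": (True, True),    # <Source IP> to <Destination IP>
    "src_to_any": (True, False),   # <Source IP> to Any Destination
    "any_to_dst": (False, True),   # Any Source to <Destination IP>
    "any_to_any": (False, False),  # Any Source to Any Destination
}


@dataclass(frozen=True)
class FalsePositiveTune:
    property_scope: str
    property_value: object
    source_ip: Optional[str]       # None means Any Source
    destination_ip: Optional[str]  # None means Any Destination

    @classmethod
    def from_event(cls, event: Event, scope: str, direction: str):
        """Build the tune the way the window does: the property value is
        taken from the selected event, and the direction option decides
        which of its addresses become constraints."""
        if scope not in PROPERTY_SCOPES:
            raise ValueError(f"unknown property scope: {scope}")
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown traffic direction: {direction}")
        keep_src, keep_dst = DIRECTIONS[direction]
        return cls(scope, getattr(event, scope),
                   event.source_ip if keep_src else None,
                   event.destination_ip if keep_dst else None)

    def matches(self, event: Event) -> bool:
        """True when the event falls inside the tune and so must not
        contribute to an offense."""
        if getattr(event, self.property_scope) != self.property_value:
            return False
        if self.source_ip is not None and event.source_ip != self.source_ip:
            return False
        if self.destination_ip is not None and event.destination_ip != self.destination_ip:
            return False
        return True


def eligible_for_offenses(events, tunes):
    """Events that no tune suppresses; only these can still create offenses."""
    return [e for e in events if not any(t.matches(e) for t in tunes)]


# Constructed sample events; the QIDs are placeholders, not real QID values.
SCANNER_LOGIN = Event(1001, "Login Failed", "Authentication", "10.0.0.5", "10.0.1.10")
OTHER_LOGIN = Event(1001, "Login Failed", "Authentication", "10.0.0.6", "10.0.1.10")
SCANNER_RDP = Event(1002, "Login Failed", "Authentication", "10.0.0.5", "10.0.1.11")
SCANNER_WEB = Event(2001, "Firewall Permit", "Access", "10.0.0.5", "192.0.2.10")
SAMPLE_EVENTS = [SCANNER_LOGIN, OTHER_LOGIN, SCANNER_RDP, SCANNER_WEB]


if __name__ == "__main__":
    # An authorized vulnerability scanner at 10.0.0.5 is expected to fail
    # logins everywhere: tune its specific QID from that source to any destination.
    tune = FalsePositiveTune.from_event(SCANNER_LOGIN, "qid", "src_to_any")
    print(eligible_for_offenses(SAMPLE_EVENTS, [tune]))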
Related Documentation
• PCAP Data on page 90
• Exporting Events on page 93
• Modifying Event Mapping on page 88
PCAP Data
If your JSA Console is configured to integrate with the Juniper Junos OS Platform DSM,
then Packet Capture (PCAP) data can be received, processed, and stored from a
Juniper SRX-Series Services Gateway log source.
For more information about the Juniper Junos OS Platform DSM, see the Juniper Secure
Analytics Configuring DSMs.
Displaying the PCAP Data Column
The PCAP Data column is not displayed on the Log Activity tab by default. When you
create search criteria, you must select the PCAP Data column in the Column Definition
pane.
Before you can display PCAP data on the Log Activity tab, the Juniper SRX-Series Services
Gateway log source must be configured with the PCAP Syslog Combination protocol.
For more information about configuring log source protocols, see the Log Sources Users
Guide.
When you perform a search that includes the PCAP Data column, an icon is displayed in
the PCAP Data column of the search results if PCAP data is available for an event. Using
the PCAP icon, you can view the PCAP data or download the PCAP file to your desktop
system.
1. Click the Log Activity tab.
2. From the Search list box, select New Search.
3. Optional. To search for events that have PCAP data, configure the following search
criteria:
a. From the first list box, select PCAP data.
b. From the second list box, select Equals.
c. From the third list box, select True.
d. Click Add Filter.
4. Configure your column definitions to include the PCAP Data column:
a. From the Available Columns list in the Column Definition pane, click PCAP Data.
b. Click the Add Column icon on the bottom set of icons to move the PCAP Data
column to the Columns list.
c. Optional. Click the Add Column icon in the top set of icons to move the PCAP Data
column to the Group By list.
5. Click Filter.
6. Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
7. Double-click the event that you want to investigate.
For more information about viewing and downloading PCAP data, see the following
sections:
• Viewing PCAP Information on page 91
• Downloading the PCAP File to Your Desktop System on page 92
Viewing PCAP Information
From the PCAP Data toolbar menu, you can view a readable version of the data in the
PCAP file or download the PCAP file to your desktop system.
Before you can view PCAP information, you must perform or select a search that displays
the PCAP Data column.
Before PCAP data can be displayed, the PCAP file must be retrieved for display on the
user interface. If the download process takes an extended period, the Downloading PCAP
Packet information window is displayed. In most cases, the download process is quick
and this window is not displayed.
After the file is retrieved, a pop-up window provides a readable version of the PCAP file.
You can read the information that is displayed on the window, or download the
information to your desktop system.
1. For the event you want to investigate, choose one of the following options:
• Select the event and click the PCAP icon.
• Right-click the PCAP icon for the event and select More Options > View PCAP
Information.
• Double-click the event that you want to investigate, and then select PCAP Data
> View PCAP Information from the event details toolbar.
2. If you want to download the information to your desktop system, choose one of the
following options:
• Click Download PCAP File to download the original PCAP file to be used in an external
application.
• Click Download PCAP Text to download the PCAP information in .TXT format.
3. Choose one of the following options:
• If you want to open the file for immediate viewing, select the Open with option and
select an application from the list box.
• If you want to save the file, select the Save File option.
4. Click OK.
Downloading the PCAP File to Your Desktop System
You can download the PCAP file to your desktop system for storage or for use in other
applications.
Before you can view PCAP information, you must perform or select a search that displays
the PCAP Data column. See “Displaying the PCAP Data Column” on page 90.
1. For the event you want to investigate, choose one of the following options:
• Select the event and click the PCAP icon.
• Right-click the PCAP icon for the event and select More Options > Download PCAP
File.
• Double-click the event you want to investigate, and then select PCAP Data
> Download PCAP File from the event details toolbar.
2. Choose one of the following options:
• If you want to open the file for immediate viewing, select the Open with option and
select an application from the list box.
• If you want to save the file, select the Save File option.
3. Click OK.
Related Documentation
• Exporting Events on page 93
• Modifying Event Mapping on page 88
• Tuning False Positives on page 89
Exporting Events
You can export events in Extensible Markup Language (XML) or Comma-Separated
Values (CSV) format.
The length of time that is required to export your data depends on the number of
parameters specified.
1. Click the Log Activity tab.
2. Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
3. From the Actions list box, select one of the following options:
• Export to XML > Visible Columns - Select this option to export only the columns that
are visible on the Log Activity tab. This is the recommended option.
• Export to XML > Full Export (All Columns) - Select this option to export all event
parameters. A full export can take an extended period of time to complete.
• Export to CSV > Visible Columns - Select this option to export only the columns that
are visible on the Log Activity tab. This is the recommended option.
• Export to CSV > Full Export (All Columns) - Select this option to export all event
parameters. A full export can take an extended period of time to complete.
4. If you want to resume your activities while the export is in progress, click Notify When
Done.
When the export is complete, you receive notification that the export is complete. If you
did not select the Notify When Done icon, the status window is displayed.
Related Documentation
• Modifying Event Mapping on page 88
• Tuning False Positives on page 89
• PCAP Data on page 90
CHAPTER 6
Network Activity Investigation
• Network Activity Investigation on page 95
• Network Tab Overview on page 95
• Network Activity Monitoring on page 99
• Tuning False Positives on page 109
• Exporting Flows on page 110
Network Activity Investigation
You can use the Network Activity tab to monitor and investigate network activity (flows)
in real time or conduct advanced searches.
Related Documentation
• Network Tab Overview on page 95
• Network Activity Monitoring on page 99
• Tuning False Positives on page 109
Network Tab Overview
Using the Network Activity tab, you can monitor and investigate network activity (flows)
in real time or conduct advanced searches.
You must have permission to view the Network Activity tab.
For more information about permissions and assigning roles, see the Juniper Secure
Analytics Administration Guide.
Select the Network Activity tab to visually monitor and investigate flow data in real time,
or conduct advanced searches to filter the displayed flows. A flow is a communication
session between two hosts. You can view flow information to determine how the traffic
is communicated, and what was communicated (if the content capture option is enabled).
Flow information can also include such details as protocols, Autonomous System Number
(ASN) values, or Interface Index (IFIndex) values.
Network Activity Tab Toolbar
You can access several options from the Network Activity tab toolbar.
You can access the following options from the Network Activity tab toolbar:
Table 21: Network Activity Tab Toolbar Options
Options
Description
Search
Click Search to complete advanced searches on flows. Search options
include:
• New Search - Select this option to create a new flow search.
• Edit Search - Select this option to select and edit a flow search.
• Manage Search Results - Select this option to view and manage search
results.
For more information about the search feature, see “Searches” on
page 147.
Quick Searches
From this list box, you can run previously saved searches. Options are
displayed in the Quick Searches list box only when you have saved
search criteria that specifies the Include in my Quick Searches option.
Add Filter
Click Add Filter to add a filter to the current search results.
Save Criteria
Click Save Criteria to save the current search criteria.
Save Results
Click Save Results to save the current search results. This option is only
displayed after a search is complete. This option is disabled in
streaming mode.
Cancel
Click Cancel to cancel a search in progress. This option is disabled in
streaming mode.
False Positive
Click False Positive to open the False Positive Tuning window, to tune
out flows that are known to be false positives from creating offenses.
This option is disabled in streaming mode. See “Tuning False Positives” on
page 109.
Rules
The Rules option is visible only if you have permission to view custom
rules.
Select one of the following options:
• Rules - View or create a rule. If you have the permission to view rules,
the summary page of the Rules wizard is displayed. If you have the
permission to maintain custom rules, you can edit the rule.
• Add Threshold Rule - Create a threshold rule. A threshold rule tests
flow traffic for activity that exceeds a configured threshold. Thresholds
can be based on any data that is collected. For example, if you create
a threshold rule indicating that no more than 220 clients can log in to
the server between 8 am and 5 pm, the rule generates an alert when
the 221st client attempts to log in.
• Add Behavioral Rule - Create a behavioral rule. A behavioral rule tests
flow traffic for volume changes in behavior that occurs in regular
seasonal patterns. For example, if a mail server typically communicates
with 100 hosts per second in the middle of the night and then suddenly
starts communicating with 1,000 hosts a second, a behavioral rule
generates an alert.
For more information, see the Juniper Secure Analytics Administration
Guide.
Actions
Click Actions to complete the following actions:
•
Show All Select this option to remove all filters on search criteria
and display all unfiltered flows.
•
Print Select this option to print the flows that are displayed on the
page.
•
Export to XML Select this option to export flows in XML format. See
“Exporting Flows” on page 110.
•
Export to CSV Select this option to export flows in CSV format. See
Exporting Flows on page 110
•
Delete Select this option to delete a search result. See “Searches”
on page 147.
•
Notify Select this option to specify that you want a notification
emailed to you on completion of the selected searches. This option
is only enabled for searches in progress.
NOTE: The Print, Export to XML, and Export to CSV options are
disabled in streaming mode and when you are viewing partial search
results.
Search toolbar
•
Advanced search--Select Advanced Search from the list box and
then enter an Ariel Query Language (AQL) search string to specify
the fields that you want returned.
•
Quick filter--Select Quick Filter from the list box to search payloads
by using simple words or phrases.
View: The default view on the Network Activity tab is a stream of real-time events. The View list contains options to also view events from specified time periods. After you choose a specified time period from the View list, you can then modify the displayed time period by changing the date and time values in the Start Time and End Time fields.
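The threshold and behavioral rules described in the Rules row of Table 21 are two different tests over the same flow stream. The following added example (not JSA code) applies both to constructed flow records: a threshold rule that fires on the 221st distinct client within business hours, and a behavioral rule that compares the current rate for an hour-of-day slot against the median of earlier days in the same slot. The record layout, the business-hours window and the 3x deviation ratio are assumptions made for the example.

```python
"""Threshold rule and behavioral rule logic over constructed flow records.

Added example, not JSA code: it mimics the two rule kinds described in the
Rules row of Table 21 using a small in-memory list of flows. The record
layout and the business-hours window are assumptions for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def threshold_alerts(flows, server, limit, start_hour=8, end_hour=17):
    """Threshold rule: alert once more than `limit` distinct clients have
    reached `server` inside the daily window [start_hour, end_hour).

    `flows` is an iterable of (timestamp, source_ip, destination_ip, port)
    tuples. Returns the (timestamp, client) pairs that breached the limit,
    so for limit=220 the first entry is the 221st client."""
    seen = defaultdict(set)          # calendar day -> distinct clients so far
    alerts = []
    for ts, src, dst, _port in sorted(flows):
        if dst != server or not (start_hour <= ts.hour < end_hour):
            continue
        day = ts.date()
        if src in seen[day]:
            continue                 # a returning client does not count again
        seen[day].add(src)
        if len(seen[day]) > limit:
            alerts.append((ts, src))
    return alerts


def behavioral_alerts(baseline, current, ratio=3.0):
    """Behavioral rule: compare the current rate for a seasonal slot (here the
    hour of day) against the median of earlier samples for the same slot.

    `baseline` maps hour -> list of peers-per-second samples from past days,
    `current` maps hour -> the rate observed now. A slot with no history is
    skipped, because a behavioral rule can only fire once a season is learned.
    Returns (hour, current_rate, baseline_rate) for each deviation."""
    alerts = []
    for hour, rate in sorted(current.items()):
        samples = baseline.get(hour)
        if not samples:
            continue
        typical = statistics.median(samples)
        if rate > ratio * typical:
            alerts.append((hour, rate, typical))
    return alerts


def constructed_flows():
    """221 distinct clients reach 10.0.0.5:443 between 09:00 and 09:37, plus
    one client outside the window (constructed sample data)."""
    base = datetime(2017, 9, 13, 9, 0, 0)
    flows = [(base + timedelta(seconds=10 * i), f"10.1.{i // 200}.{i % 200 + 1}",
              "10.0.0.5", 443) for i in range(221)]
    flows.append((datetime(2017, 9, 13, 22, 0, 0), "10.9.9.9", "10.0.0.5", 443))
    return flows


def constructed_mail_server_rates():
    """Seven nights of about 100 peers/second at 02:00 and a busy afternoon
    slot, followed by a night where the mail server talks to 1,000 hosts/second."""
    baseline = {2: [95, 100, 105, 98, 102, 101, 99],
                14: [800, 820, 790, 810, 805, 815, 798]}
    current = {2: 1000, 14: 850}
    return baseline, current


def demo():
    """Run both rules on the constructed data; returns (threshold, behavioral)."""
    t_alerts = threshold_alerts(constructed_flows(), server="10.0.0.5", limit=220)
    base, now = constructed_mail_server_rates()
    b_alerts = behavioral_alerts(base, now)
    return t_alerts, b_alerts


if __name__ == "__main__":
    threshold, behavioral = demo()
    for ts, client in threshold:
        print(f"threshold breached at {ts:%H:%M:%S} by {client}")
    for hour, rate, typical in behavioral:
        print(f"behavioral deviation at {hour:02d}:00: {rate}/s vs typical {typical}/s")
```

The threshold rule counts distinct clients rather than connections, so a single noisy client cannot trip it on its own; the behavioral rule deliberately stays silent for a slot with no learned history, which is why such rules need a baseline period before they are useful.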
Right-click Menu Options
On the Network Activity tab, you can right-click a flow to access more flow filter criteria. The right-click menu options are:
Table 22: Right-click Menu Options
Filter on: Select this option to filter on the selected flow, depending on the selected parameter in the flow.
False Positive: Select this option to open the False Positive Tuning window, which allows you to tune out flows that are known to be false positives from creating offenses. This option is disabled in streaming mode. See “Tuning False Positives” on page 109.
More options: Select this option to investigate an IP address. See “Investigating IP Addresses” on page 32.
NOTE: This option is not displayed in streaming mode.
Quick Filter: Filter items that match, or do not match, the selection.
Status Bar
When streaming flows, the status bar displays the average number of results that are
received per second.
This is the number of results the Console successfully received from the Event processors.
If this number is greater than 40 results per second, only 40 results are displayed. The
remainder is accumulated in the result buffer. To view more status information, move
your mouse pointer over the status bar.
When flows are not streaming, the status bar displays the number of search results that
are currently displayed and the amount of time that is required to process the search
results.
OverFlow Records
If you have administrative permissions, you can specify the maximum number of flows that you want to send from the JSA flow processor to the Event processors. All data that is collected after the configured flow limit has been reached is grouped into one flow record. This flow record is then displayed on the Network Activity tab with a source IP address of 127.0.0.4 and a destination IP address of 127.0.0.5, and is identified as OverFlow on the Network Activity tab.
Related Documentation:
• Network Activity Monitoring on page 99
• Tuning False Positives on page 109
• Exporting Flows on page 110
Network Activity Monitoring
By default, the Network Activity tab displays flows in streaming mode, allowing you to
view flows in real time.
For more information about streaming mode, see “Viewing Streaming Flows” on page 99.
You can specify a different time range to filter flows using the View list box.
If you previously configured a saved search as the default, the results of that search are
automatically displayed when you access the Network Activity tab. For more information
about saving search criteria, see “Saving Search Criteria” on page 153.
Viewing Streaming Flows
Streaming mode enables you to view flow data as it enters your system. This mode provides you with a real-time view of your current flow activity by displaying the last 50 flows.
If you apply any filters on the Network Activity tab or in your search criteria before enabling streaming mode, the filters are maintained in streaming mode. However, streaming mode does not support searches that include grouped flows. If you enable streaming mode on grouped flows or grouped search criteria, the Network Activity tab displays the normalized flows. See “Viewing Normalized Flows” on page 100.
When you want to select a flow to view details or perform an action, you must pause streaming before you double-click the flow. When streaming is paused, the last 1,000 flows are displayed.
1. Click the Network Activity tab.
2. From the View list box, select Real Time (streaming).
For information about the toolbar options, see Table 21. For more information about the parameters that are displayed in streaming mode, see Table 23.
3. Optional. Pause or play the streaming flows. Choose one of the following options:
• To select a flow record, click the Pause icon to pause streaming.
• To restart streaming mode, click the Play icon.
Viewing Normalized Flows
Flow data is collected, normalized, and then displayed on the Network Activity tab. Normalization prepares the raw flow data so that it is displayed as readable information on the tab.
NOTE: If you select a time frame to display, a time series chart is displayed. For more information about using the time series charts, see “Time Series Chart Overview” on page 142.
The Network Activity tab displays the following parameters when you view normalized flows:
Table 23: Parameters for the Network Activity Tab
Current Filters: The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.
NOTE: This parameter is only displayed after you apply a filter.
View: From the list box, you can select the time range that you want to filter for.
Current Statistics: When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:
NOTE: Click the arrow next to Current Statistics to display or hide the statistics.
• Total Results: Specifies the total number of results that matched your search criteria.
• Data Files Searched: Specifies the total number of data files searched during the specified time span.
• Compressed Data Files Searched: Specifies the total number of compressed data files searched within the specified time span.
• Index File Count: Specifies the total number of index files searched during the specified time span.
• Duration: Specifies the duration of the search.
NOTE: Current statistics are useful for troubleshooting. When you contact Juniper Customer Support to troubleshoot flows, you might be asked to supply current statistical information.
Charts: Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. For more information about configuring charts, see “Configuring Charts” on page 144.
NOTE: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Offense icon: Click the Offenses icon to view details of the offense that is associated with this flow.
Flow Type: Specifies the flow type. Flow types are measured by the ratio of incoming activity to outgoing activity. Flow types include:
• Standard Flow: Bidirectional traffic.
• Type A: Single-to-Many (unidirectional), for example, a single host that performs a network scan.
• Type B: Many-to-Single (unidirectional), for example, a Distributed DoS (DDoS) attack.
• Type C: Single-to-Single (unidirectional), for example, a host to host port scan.
First Packet Time: Specifies the date and time that the flow is received.
Storage Time: Specifies the time that the flow is stored in the JSA database.
Source IP: Specifies the source IP address of the flow.
Source Port: Specifies the source port of the flow.
Destination IP: Specifies the destination IP address of the flow.
Destination Port: Specifies the destination port of the flow.
Source Bytes: Specifies the number of bytes sent from the source host.
Destination Bytes: Specifies the number of bytes sent from the destination host.
Total Bytes: Specifies the total number of bytes associated with the flow.
Source Packets: Specifies the total number of packets that are sent from the source host.
Destination Packets: Specifies the total number of packets that are sent from the destination host.
Total Packets: Specifies the total number of packets that are associated with the flow.
Protocol: Specifies the protocol that is associated with the flow.
Application: Specifies the detected application of the flow. For more information about application detection, see the Juniper Secure Analytics Application Configuration Guide.
ICMP Type/Code: Specifies the Internet Control Message Protocol (ICMP) type and code, if applicable. If the flow has ICMP type and code information in a known format, this field displays as Type <A>. Code <B>, where <A> and <B> are the numeric values of the type and code.
Source Flags: Specifies the Transmission Control Protocol (TCP) flags detected in the source packet, if applicable.
Destination Flags: Specifies the TCP flags detected in the destination packet, if applicable.
Source QoS: Specifies the Quality of Service (QoS) service level for the flow. QoS enables a network to provide various levels of service for flows. QoS provides the following basic service levels:
• Best Effort: This service level does not guarantee delivery. The delivery of the flow is considered best effort.
• Differentiated Service: Certain flows are granted priority over other flows. This priority is granted by classification of traffic.
• Guaranteed Service: This service level guarantees the reservation of network resources for certain flows.
Destination QoS: Specifies the QoS level of service for the destination flow.
Flow Source: Specifies the system that detected the flow.
Flow Interface: Specifies the interface that received the flow.
Source If Index: Specifies the source Interface Index (IFIndex) number.
Destination If Index: Specifies the destination IFIndex number.
Source ASN: Specifies the source Autonomous System Number (ASN) value.
Destination ASN: Specifies the destination ASN value.
To view normalized flows:
1. Click the Network Activity tab.
2. From the Display list box, select Default (Normalized).
3. From the View list box, select the time frame that you want to display.
4. Click the Pause icon to pause streaming.
5. Double-click the flow that you want to view in greater detail. See “Flow Details” on page 105.
Viewing Grouped Flows
Using the Network Activity tab, you can view flows that are grouped by various options.
From the Display list box, you can select the parameter by which you want to group flows.
The Display list box is not displayed in streaming mode because streaming mode does
not support grouped flows. If you entered streaming mode using non-grouped search
criteria, this option is displayed.
The Display list box provides the following options:
Table 24: Grouped Flow Options
Source or Destination IP: Displays a summarized list of flows that are grouped by the IP address that is associated with the flow.
Source IP: Displays a summarized list of flows that are grouped by the source IP address of the flow.
Destination IP: Displays a summarized list of flows that are grouped by the destination IP address of the flow.
Source Port: Displays a summarized list of flows that are grouped by the source port of the flow.
Destination Port: Displays a summarized list of flows that are grouped by the destination port of the flow.
Source Network: Displays a summarized list of flows that are grouped by the source network of the flow.
Destination Network: Displays a summarized list of flows that are grouped by the destination network of the flow.
Application: Displays a summarized list of flows that are grouped by the application that originated the flow.
Geographic: Displays a summarized list of flows that are grouped by geographic location.
Protocol: Displays a summarized list of flows that are grouped by the protocol that is associated with the flow.
Flow Bias: Displays a summarized list of flows that are grouped by the flow direction.
ICMP Type: Displays a summarized list of flows that are grouped by the ICMP type of the flow.
After you select an option from the Display list box, the column layout of the data depends on the chosen group option. Each row in the flows table represents a flow group. The Network Activity tab provides the following information for each flow group.
Table 25: Grouped Flow Parameters
Grouping By: Specifies the parameter that the search is grouped on.
Current Filters: The top of the table displays the details of the filter that is applied to the search results. To clear these filter values, click Clear Filter.
View: From the list box, select the time range that you want to filter for.
Current Statistics: When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:
NOTE: Click the arrow next to Current Statistics to display or hide the statistics.
• Total Results: Specifies the total number of results that matched your search criteria.
• Data Files Searched: Specifies the total number of data files searched during the specified time span.
• Compressed Data Files Searched: Specifies the total number of compressed data files searched within the specified time span.
• Index File Count: Specifies the total number of index files searched during the specified time span.
• Duration: Specifies the duration of the search.
NOTE: Current Statistics are useful for troubleshooting. When you contact Juniper Customer Support to troubleshoot flows, you might be asked to supply current statistical information.
Charts: Displays configurable charts representing the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. For more information about configuring charts, see “Configuring Charts” on page 144.
NOTE: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Source IP (Unique Count): Specifies the source IP address of the flow.
Destination IP (Unique Count): Specifies the destination IP address of the flow. If there are multiple destination IP addresses associated with this flow, this field specifies the term Multiple and the number of IP addresses.
Source Port (Unique Count): Displays the source port of the flow.
Destination Port (Unique Count): Specifies the destination port of the flow. If there are multiple destination ports that are associated with this flow, this field specifies the term Multiple and the number of ports.
Source Network (Unique Count): Specifies the source network of the flow. If there are multiple source networks that are associated with this flow, this field specifies the term Multiple and the number of networks.
Destination Network (Unique Count): Specifies the destination network of the flow. If there are multiple destination networks that are associated with this flow, this field specifies the term Multiple and the number of networks.
Application (Unique Count): Specifies the detected application of the flows. If there are multiple applications that are associated with this flow, this field specifies the term Multiple and the number of applications.
Source Bytes (Sum): Specifies the number of bytes from the source.
Destination Bytes (Sum): Specifies the number of bytes from the destination.
Total Bytes (Sum): Specifies the total number of bytes associated with the flow.
Source Packets (Sum): Specifies the number of packets from the source.
Destination Packets (Sum): Specifies the number of packets from the destination.
Total Packets (Sum): Specifies the total number of packets that are associated with the flow.
Count: Specifies the number of flows that are sent or received.
To view grouped flows:
1. Click the Network Activity tab.
2. From the View list box, select the time frame that you want to display.
3. From the Display list box, choose which parameter you want to group flows on. See Table 24.
The flow groups are listed. For more information about the flow group details, see Table 25.
4. To view the List of Flows page for a group, double-click the flow group that you want to investigate.
The List of Flows page does not retain chart configurations that you might have defined on the Network Activity tab. For more information about the List of Flows parameters, see Table 23.
5. To view the details of a flow, double-click the flow that you want to investigate. For more information about the flow details page, see Table 26.
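The grouped view collapses many flows into one row per group value, and an OverFlow record (source 127.0.0.4, destination 127.0.0.5, described under OverFlow Records) can silently carry everything collected past the flow limit. The following added example, which is not JSA code, parses a constructed CSV export whose header uses the Table 23 parameter names (an assumption about the export layout), reports any OverFlow records, and builds a per-source-IP summary with the Unique Count and Sum columns of Table 25.

```python
"""Reading an exported flow CSV, spotting OverFlow records, and building a
grouped summary with the Unique Count / Sum semantics of Table 25.

Added example, not JSA code. The CSV below is constructed; its header uses
the Table 23 parameter names, which is an assumption about the export layout.
"""
import csv
import io
from collections import defaultdict

OVERFLOW_SRC = "127.0.0.4"   # from the OverFlow Records description
OVERFLOW_DST = "127.0.0.5"

# Constructed export: three ordinary flows plus one OverFlow record.
SAMPLE_CSV = """\
First Packet Time,Source IP,Source Port,Destination IP,Destination Port,Protocol,Source Bytes,Destination Bytes,Total Bytes,Application
2017-09-13 02:00:01,10.1.1.10,51234,10.0.0.25,25,tcp,1200,800,2000,SMTP
2017-09-13 02:00:02,10.1.1.10,51235,10.0.0.26,25,tcp,1500,700,2200,SMTP
2017-09-13 02:00:03,10.1.1.11,40000,10.0.0.25,443,tcp,300,4000,4300,HTTPS
2017-09-13 02:00:05,127.0.0.4,0,127.0.0.5,0,tcp,900000,100000,1000000,Unknown
"""

NUMERIC = ("Source Port", "Destination Port", "Source Bytes",
           "Destination Bytes", "Total Bytes")


def parse_flow_csv(text):
    """Parse an export into a list of dicts, converting numeric columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in NUMERIC:
            row[col] = int(row[col])
        rows.append(row)
    return rows


def is_overflow(flow):
    return flow["Source IP"] == OVERFLOW_SRC and flow["Destination IP"] == OVERFLOW_DST


def overflow_summary(flows):
    """Return (overflow_record_count, bytes_hidden_in_overflow). A non-zero
    count means the flow processor hit its configured flow limit and the
    export does not show every conversation individually."""
    over = [f for f in flows if is_overflow(f)]
    return len(over), sum(f["Total Bytes"] for f in over)


def _unique(values):
    """Render a '(Unique Count)' column: the single value, or 'Multiple (n)'."""
    distinct = set(values)
    if len(distinct) == 1:
        return str(next(iter(distinct)))
    return f"Multiple ({len(distinct)})"


def group_flows(flows, key="Source IP", include_overflow=False):
    """Group flows the way the Display list box does, rendering the
    '(Unique Count)' columns as a single value or 'Multiple (n)' and the
    '(Sum)' columns as totals. OverFlow records are left out by default so
    the aggregate bytes are not dominated by one synthetic record."""
    buckets = defaultdict(list)
    for f in flows:
        if is_overflow(f) and not include_overflow:
            continue
        buckets[f[key]].append(f)
    summary = {}
    for k, members in buckets.items():
        summary[k] = {
            "Destination IP (Unique Count)": _unique(m["Destination IP"] for m in members),
            "Destination Port (Unique Count)": _unique(m["Destination Port"] for m in members),
            "Application (Unique Count)": _unique(m["Application"] for m in members),
            "Source Bytes (Sum)": sum(m["Source Bytes"] for m in members),
            "Destination Bytes (Sum)": sum(m["Destination Bytes"] for m in members),
            "Total Bytes (Sum)": sum(m["Total Bytes"] for m in members),
            "Count": len(members),
        }
    return summary


if __name__ == "__main__":
    flows = parse_flow_csv(SAMPLE_CSV)
    n, hidden = overflow_summary(flows)
    print(f"OverFlow records: {n}, bytes aggregated into them: {hidden}")
    for src, cols in group_flows(flows).items():
        print(src, cols)
```

Checking for OverFlow records first is worth the habit: a grouped export that contains one is incomplete, and any per-host byte totals built from it understate what actually crossed the network.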
Flow Details
You can view a list of flows in various modes, including streaming mode or in flow groups.
In whichever mode you choose to view flows, you can locate and view the details of a
single flow.
The flow details page provides the following information:
Table 26: Flow Details
Flow information
Protocol: Specifies the protocol that is associated with this flow. For more information about protocols, see the Juniper Secure Analytics Application Configuration Guide.
Application: Specifies the detected application of the flow. For more information about application detection, see the Juniper Secure Analytics Application Configuration Guide.
Magnitude: Specifies the magnitude of this flow.
Relevance: Specifies the relevance of this flow.
Severity: Specifies the severity of this flow.
Credibility: Specifies the credibility of this flow.
First Packet Time: Specifies the start time of the flow, as reported by the flow source. For more information about flow sources, see the Juniper Secure Analytics Administration Guide.
Last Packet Time: Specifies the end time of the flow, as reported by the flow source.
Storage Time: Specifies the time that the flow was stored in the JSA database.
Event Name: Specifies the normalized name of the flow.
Low Level Category: Specifies the low-level category of this flow. For more information about categories, see the Juniper Secure Analytics Administration Guide.
Event Description: Specifies a description of the flow, if available.
Source and Destination information
Source IP: Specifies the source IP address of the flow.
Destination IP: Specifies the destination IP address of the flow.
Source Asset Name: Specifies the source asset name of the flow.
Destination Asset Name: Specifies the destination asset name of the flow.
IPv6 Source: Specifies the source IPv6 address of the flow.
IPv6 Destination: Specifies the destination IPv6 address of the flow.
Source Port: Specifies the source port of the flow.
Destination Port: Specifies the destination port of the flow.
Source QoS: Specifies the QoS level of service for the source flow.
Destination QoS: Specifies the QoS level of service for the destination flow.
Source ASN: Specifies the source ASN number.
NOTE: If this flow has duplicate records from multiple flow sources, the corresponding source ASN numbers are listed.
Destination ASN: Specifies the destination ASN number.
NOTE: If this flow has duplicate records from multiple flow sources, the corresponding destination ASN numbers are listed.
Source If Index: Specifies the source IFIndex number.
NOTE: If this flow has duplicate records from multiple flow sources, the corresponding source IFIndex numbers are listed.
Destination If Index: Specifies the destination IFIndex number.
NOTE: If this flow has duplicate records from multiple flow sources, the corresponding destination IFIndex numbers are listed.
Source Payload: Specifies the packet and byte count for the source payload.
Destination Payload: Specifies the packet and byte count for the destination payload.
Payload information
Source Payload: Specifies source payload content from the flow. This field offers 3 formats to view the payload:
• Universal Transformation Format (UTF) - Click UTF.
• Hexadecimal - Click HEX.
• Base64 - Click Base64.
NOTE: If your flow source is NetFlow v9 or IPFIX, unparsed fields from these sources might be displayed in the Source Payload field. The format of the unparsed field is <name>=<value>. For example, MN_TTL=x
Destination Payload: Specifies destination payload content from the flow. This field offers 3 formats to view the payload:
• Universal Transformation Format (UTF) - Click UTF.
• Hexadecimal - Click HEX.
• Base64 - Click Base64.
Additional information
Flow Type: Specifies the flow type. Flow types are measured by the ratio of incoming activity to outgoing activity. Flow types include:
• Standard - Bidirectional traffic
• Type A - Single-to-Many (unidirectional)
• Type B - Many-to-Single (unidirectional)
• Type C - Single-to-Single (unidirectional)
Flow Direction: Specifies the direction of the flow. Flow directions include:
• L2L - Internal traffic from a local network to another local network.
• L2R - Internal traffic from a local network to a remote network.
• R2L - Internal traffic from a remote network to a local network.
• R2R - Internal traffic from a remote network to another remote network.
Custom Rules: Specifies custom rules that match this flow. For more information about rules, see the Juniper Secure Analytics Administration Guide.
Custom Rules Partially Matched: Specifies custom rules that partially match this flow.
Flow Source/Interface: Specifies the flow source name of the system that detected the flow.
NOTE: If this flow has duplicate records from multiple flow sources, the corresponding flow sources are listed.
Annotations: Specifies the annotation or notes for this flow. Annotations are text descriptions that rules can automatically add to flows as part of the rule response.
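Flow type (Table 23 and the Additional information rows of Table 26) and flow direction (L2L, L2R, R2L, R2R) are both derived labels, so it helps to see how a window of flows turns into them. The following added example is not JSA code and does not use JSA's actual ratio, which the guide does not give: it assumes that a flow with no reply bytes is unidirectional and uses the fan-out of its source and the fan-in of its destination across the window to choose between Type A, B and C, and it assumes a single local CIDR for the direction labels. Apply it to a constructed window containing a scanner, a flood against one server, a one-way probe and a normal session.

```python
"""Classifying flow type (Standard / Type A / B / C) and flow direction
(L2L, L2R, R2L, R2R) from a window of constructed flow records.

Added example, not JSA code. JSA's exact ratio is not given on the page, so
this uses an assumed rule: a flow with no reply bytes is unidirectional, and
the fan-out of its source and fan-in of its destination (over the window)
decide between single-to-many, many-to-single and single-to-single. The
local network list is also an assumption.
"""
import ipaddress
from collections import defaultdict

LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed local CIDRs
FANOUT_THRESHOLD = 5   # assumed: this many distinct peers counts as "many"


def flow_direction(flow, local_networks=LOCAL_NETWORKS):
    """L2L / L2R / R2L / R2R from whether each endpoint is in a local CIDR."""
    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in local_networks)
    src = "L" if is_local(flow["src"]) else "R"
    dst = "L" if is_local(flow["dst"]) else "R"
    return f"{src}2{dst}"


def classify_flow_types(flows, threshold=FANOUT_THRESHOLD):
    """Return a list of (flow, type) pairs for the given window of flows.

    Standard: bytes in both directions. Otherwise the flow is unidirectional
    and is labelled Type A (one source, many destinations), Type B (many
    sources, one destination) or Type C (one-to-one) from the window's
    fan-out / fan-in counts."""
    fan_out = defaultdict(set)   # src -> distinct destinations it sent to
    fan_in = defaultdict(set)    # dst -> distinct sources that hit it
    for f in flows:
        if f["dst_bytes"] == 0:
            fan_out[f["src"]].add(f["dst"])
            fan_in[f["dst"]].add(f["src"])
    labelled = []
    for f in flows:
        if f["src_bytes"] > 0 and f["dst_bytes"] > 0:
            kind = "Standard"
        elif len(fan_out[f["src"]]) >= threshold:
            kind = "Type A"
        elif len(fan_in[f["dst"]]) >= threshold:
            kind = "Type B"
        else:
            kind = "Type C"
        labelled.append((f, kind))
    return labelled


def constructed_window():
    """Constructed sample: a scanner sweeping 20 hosts, 50 external hosts
    hammering one web server, one one-way probe, and one normal session."""
    flows = []
    for i in range(1, 21):    # single-to-many: 10.1.1.50 -> 10.0.0.1..20, no replies
        flows.append({"src": "10.1.1.50", "dst": f"10.0.0.{i}", "dport": 22,
                      "src_bytes": 60, "dst_bytes": 0})
    for i in range(1, 51):    # many-to-single: 203.0.113.x -> 10.0.0.80, no replies
        flows.append({"src": f"203.0.113.{i}", "dst": "10.0.0.80", "dport": 80,
                      "src_bytes": 500, "dst_bytes": 0})
    flows.append({"src": "10.1.1.7", "dst": "198.51.100.1", "dport": 8443,
                  "src_bytes": 80, "dst_bytes": 0})          # single-to-single
    flows.append({"src": "10.1.1.7", "dst": "10.0.0.25", "dport": 25,
                  "src_bytes": 1200, "dst_bytes": 800})      # bidirectional
    return flows


def summarize(flows):
    """Map each (src, dst) pair to its (flow type, flow direction)."""
    return {(f["src"], f["dst"]): (kind, flow_direction(f))
            for f, kind in classify_flow_types(flows)}


if __name__ == "__main__":
    for pair, (kind, direction) in summarize(constructed_window()).items():
        print(f"{pair[0]:>15} -> {pair[1]:<15} {kind:<9} {direction}")
```

The type label depends on the whole window, not on the single record: the same one-way probe reads as Type C on its own and as part of a Type A sweep once its source has touched enough other hosts, which is why the grouped views and time ranges matter when you judge a flow.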
Flow Details Toolbar
The flow details toolbar provides the following functions:
Table 27: Description Of the Flow Details Toolbar
Return to Results: Click Return to Results to return to the list of flows.
Extract Property: Click Extract Property to create a custom flow property from the selected flow. For more information, see Custom event and flow properties.
False Positive: Click False Positive to open the False Positive Tuning window, which allows you to tune out flows that are known to be false positives from creating offenses. This option is disabled in streaming mode. See “Tuning False Positives” on page 109.
Previous: Click Previous to view the previous flow in the flow list.
Next: Click Next to view the next flow in the flow list.
Print: Click Print to print the flow details.
Offense: If Offense is available, click it to view the Offense Summary page.
Related Documentation:
• Tuning False Positives on page 109
• Exporting Flows on page 110
• Network Tab Overview on page 95
Tuning False Positives
You can use the False Positive Tuning function to prevent false positive flows from creating offenses. You can tune false positive flows from the flow list or flow details page.
NOTE: You can tune false positive flows from the summary or details page.
You must have appropriate permissions for creating customized rules to tune false positives.
1. Click the Network Activity tab.
2. Optional. If you are viewing flows in streaming mode, click the Pause icon to pause streaming.
3. Select the flow that you want to tune.
4. Click False Positive.
5. In the Event/Flow Property pane on the False Positive window, select one of the following options:
• Event/Flow(s) with a specific QID of <Event>
• Any Event/Flow(s) with a low-level category of <Event>
• Any Event/Flow(s) with a high-level category of <Event>
6. In the Traffic Direction pane, select one of the following options:
• <Source IP Address> to <Destination IP Address>
• <Source IP Address> to any Destination
• Any Source to <Destination IP Address>
• Any Source to any Destination
7. Click Tune.
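Steps 5 and 6 together decide how much traffic a single tuning entry silences, and the widest combination (a high-level category, any source to any destination) suppresses far more than the one flow you started from. The following added example, not JSA code, models a tuning entry as those two choices and checks it against constructed flows, so the difference between a narrow and a broad entry is visible before you click Tune. The QID numbers and category names are constructed placeholders, not real JSA identifiers.

```python
"""How a False Positive Tuning choice scopes what gets suppressed.

Added example, not JSA code. A tuning entry is modelled as the two choices
from steps 5 and 6 (event/flow property scope and traffic direction), and
checked against constructed flows. QID and category values are constructed
placeholders, not real JSA identifiers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    flow_id: int
    qid: int
    low_level_category: str
    high_level_category: str
    source_ip: str
    destination_ip: str


@dataclass(frozen=True)
class Tuning:
    """scope is 'qid', 'low_level_category' or 'high_level_category';
    a None source or destination means 'any' (step 6)."""
    scope: str
    value: object
    source_ip: Optional[str] = None
    destination_ip: Optional[str] = None


def matches(tuning, flow):
    """True when the flow falls inside the tuning entry and would no longer
    contribute to offenses."""
    if getattr(flow, tuning.scope) != tuning.value:
        return False
    if tuning.source_ip is not None and flow.source_ip != tuning.source_ip:
        return False
    if tuning.destination_ip is not None and flow.destination_ip != tuning.destination_ip:
        return False
    return True


def suppressed_ids(flows, tuning):
    """IDs of the flows that the entry would tune out."""
    return [f.flow_id for f in flows if matches(tuning, f)]


# Constructed flows: a known-benign internal scanner, an unrelated external
# scan that shares its high-level category, and ordinary mail traffic.
FLOWS = [
    Flow(1, 5000001, "Network Sweep", "Recon", "10.1.1.50", "10.0.0.25"),
    Flow(2, 5000001, "Network Sweep", "Recon", "10.1.1.50", "10.0.0.26"),
    Flow(3, 5000002, "Port Scan", "Recon", "203.0.113.9", "10.0.0.80"),
    Flow(4, 5000003, "Mail Flow", "Application", "10.1.1.7", "10.0.0.25"),
]

# Narrow: this QID, from the scanner, to any destination.
NARROW = Tuning("qid", 5000001, source_ip="10.1.1.50")
# Broad: any flow in the high-level category, any source, any destination.
BROAD = Tuning("high_level_category", "Recon")


def compare(flows=FLOWS):
    """Return {'narrow': [...], 'broad': [...]} so the widening is visible:
    the broad entry also hides the external port scan (flow 3)."""
    return {"narrow": suppressed_ids(flows, NARROW),
            "broad": suppressed_ids(flows, BROAD)}


if __name__ == "__main__":
    for name, ids in compare().items():
        print(f"{name}: suppresses flows {ids}")
```

Prefer the narrowest entry that still removes the noise: pin the QID and at least one endpoint, and reserve category-wide, any-to-any entries for cases where you have confirmed that nothing else in that category should ever create an offense.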
Related Documentation:
• Exporting Flows on page 110
• Network Tab Overview on page 95
• Network Activity Monitoring on page 99
Exporting Flows
You can export flows in Extensible Markup Language (XML) or Comma Separated Values (CSV) format. The length of time that is required to export your data depends on the number of parameters specified.
1. Click the Network Activity tab.
2. Optional. If you are viewing flows in streaming mode, click the Pause icon to pause streaming.
3. From the Actions list box, select one of the following options:
• Export to XML > Visible Columns - Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option.
• Export to XML > Full Export (All Columns) - Select this option to export all flow parameters. A full export can take an extended period of time to complete.
• Export to CSV > Visible Columns - Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option.
• Export to CSV > Full Export (All Columns) - Select this option to export all flow parameters. A full export can take an extended period of time to complete.
4. If you want to resume your activities, click Notify When Done.
When the export is complete, you receive notification that the export is complete. If you did not select the Notify When Done icon, the Status window is displayed.
Related Documentation:
• Network Tab Overview on page 95
• Network Activity Monitoring on page 99
• Tuning False Positives on page 109
CHAPTER 7
Asset Management
• Asset Management on page 111
• Sources Of Asset Data on page 112
• Incoming Asset Data Workflow on page 113
• Updates to Asset Data on page 115
• Identification Of Asset Growth Deviations on page 118
• Asset Blacklists and Whitelists on page 121
• Asset Profiles on page 124
Asset Management
Collecting and viewing asset data helps you to identify threats and vulnerabilities. An
accurate asset database makes it easier to connect offenses that are triggered in your
system to physical or virtual assets in your network.
NOTE: Log Manager only tracks asset data if JSA Vulnerability Manager is
installed. For more information about the differences between JSA and Log
Manager, see “Capabilities in Your JSA Product” on page 24.
Asset Data
An asset is any network endpoint that sends or receives data across your network
infrastructure. For example, notebooks, servers, virtual machines, and handheld devices
are all assets. Every asset in the asset database is assigned a unique identifier so that it
can be distinguished from other asset records.
Detecting devices is also useful in building a data set of historical information about the
asset. Tracking asset information as it changes helps you monitor asset usage across
your network.
Asset Profiles
An asset profile is a collection of all information that JSA collected over time about a
specific asset. The profile includes information about the services that are running on
the asset and any identity information that is known.
JSA automatically creates asset profiles from identity events and bidirectional flow data or, if they are configured, vulnerability assessment scans. The data is correlated through a process that is called asset reconciliation and the profile is updated as new information comes into JSA. The asset name is derived from the information in the asset update in the following order of precedence:
• Given name
• NetBIOS host name
• DNS host name
• IP address
Collecting Asset Data
Asset profiles are built dynamically from identity information that is passively absorbed
from event or flow data, or from data that JSA actively looks for during a vulnerability
scan. You can also import asset data or edit the asset profile manually.
Sources Of Asset Data
Asset data is written to the asset database incrementally, usually 2 or 3 pieces of data at a time. With the exception of updates from network vulnerability scanners, each asset update contains information about only one asset at a time.
Asset data usually comes from one of the following asset data sources:
• Events--Event payloads, such as those created by DHCP or authentication servers, often contain user logins, IP addresses, host names, MAC addresses, and other asset information. This data is immediately provided to the asset database to help determine which asset the asset update applies to.
Events are the primary cause for asset growth deviations.
• Flows--Flow payloads contain communication information such as IP address, port, and protocol that is collected over regular, configurable intervals. At the end of each interval, the data is provided to the asset database, one IP address at a time.
Because asset data from flows is paired with an asset based on a single identifier, the IP address, flow data is never the cause of asset growth deviations.
• Vulnerability scanners--JSA integrates with both Juniper Networks and third-party vulnerability scanners that can provide asset data such as operating system, installed software, and patch information. The type of data varies from scanner to scanner and can vary from scan to scan. As new assets, port information, and vulnerabilities are discovered, data is brought into the asset profile based on the CIDR ranges that are defined in the scan.
It is possible for scanners to introduce asset growth deviations but it is rare.
• User interface--Users who have the Assets role can import or provide asset information directly to the asset database. Asset updates that are provided directly by a user are for a specific asset. Therefore the asset reconciliation stage is bypassed.
Asset updates that are provided by users do not introduce asset growth deviations.
Domain-aware Asset Data
When an asset data source is configured with domain information, all asset data that
comes from that data source is automatically tagged with the same domain. Because
the data in the asset model is domain-aware, the domain information is applied to all
JSA components, including identities, offenses, asset profiles, and server discovery.
When you view the asset profile, some fields might be blank. Blank fields exist when the
system did not receive this information in an asset update, or the information exceeded
the asset retention period. The default retention period is 120 days. An IP address that
appears as 0.0.0.0 indicates that the asset does not contain IP address information.
Related Documentation
• Incoming Asset Data Workflow on page 113
• Updates to Asset Data on page 115
• Identification Of Asset Growth Deviations on page 118
Incoming Asset Data Workflow
JSA uses identity information in an event payload to determine whether to create a new
asset or update an existing asset.
Figure 2: Asset Data Workflow Diagram
1. JSA receives the event. The asset profiler examines the event payload for identity
information.
2. If the identity information includes a MAC address, a NetBIOS host name, or a DNS
host name that is already associated with an asset in the asset database, then that
asset is updated with any new information.
3. If the only available identity information is an IP address, the system reconciles the
update to the existing asset that has the same IP address.
4. If an asset update has an IP address that matches an existing asset but the other
identity information does not match, the system uses other information to rule out a
false-positive match before the existing asset is updated.
5. If the identity information does not match an existing asset in the database, then a
new asset is created based on the information in the event payload.
Related Documentation
• Updates to Asset Data on page 115
• Identification Of Asset Growth Deviations on page 118
• Asset Blacklists and Whitelists on page 121
Updates to Asset Data
Each asset update must contain trusted information about a single asset. When JSA
receives an asset update, the system determines the asset to which the update applies.
Asset reconciliation is the process of determining the relationship between asset updates
and the related asset in the asset database. Asset reconciliation occurs after JSA receives
the update but before the information is written to the asset database.
Identity Information
Every asset must contain at least one piece of identity data. Subsequent updates that
contain one or more pieces of that same identity data are reconciled with the asset that
owns that data. Updates that are based on IP addresses are handled carefully to avoid
false-positive asset matches. False-positive asset matches occur when one physical
asset is assigned ownership of an IP address that was previously owned by another asset
in the system.
When multiple pieces of identity data are provided, the asset profiler prioritizes the
information from the most deterministic to the least in the following order:
• MAC address
• NetBIOS host name
• DNS host name
• IP address
MAC addresses, NetBIOS host names, and DNS host names are unique and therefore
are considered as definitive identity data. Incoming updates that match an existing asset
only by the IP address are handled differently than updates that match more definitive
identity data.
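The following Python code is an added example, not part of the JSA product or of this guide. It models the identity precedence above and the five reconciliation steps in “Incoming Asset Data Workflow” on page 113 against a small in-memory asset database: a definitive identifier (MAC, NetBIOS, DNS) that already belongs to an asset wins, an IP-only update reconciles to the asset that owns the IP, and an IP match whose definitive data does not match is treated as a different physical asset. The class and function names, the asset IDs and sample addresses, and the choice to move the IP address to the new asset in that last case (which the guide does not spell out) are assumptions of the example.

```python
"""Asset reconciliation by identity precedence (added example, not JSA code)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Most to least deterministic, in the order the guide lists them.
DEFINITIVE = ("mac", "netbios", "dns")   # unique identifiers
PRECEDENCE = DEFINITIVE + ("ip",)


def _empty_identity() -> dict:
    return {key: set() for key in PRECEDENCE}


@dataclass
class Asset:
    asset_id: int
    identity: dict = field(default_factory=_empty_identity)
    given_name: str | None = None

    def name(self) -> str:
        """Asset name precedence from the guide: given name, NetBIOS, DNS, IP."""
        if self.given_name:
            return self.given_name
        for key in ("netbios", "dns", "ip"):
            if self.identity[key]:
                return sorted(self.identity[key])[0]
        return "unknown"


class AssetDatabase:
    def __init__(self) -> None:
        self.assets: dict[int, Asset] = {}
        self._next_id = 1001   # constructed starting id

    def _owner_of(self, key: str, value: str) -> Asset | None:
        """Return the asset that owns identity value `value` of type `key`."""
        for asset in self.assets.values():
            if value in asset.identity[key]:
                return asset
        return None

    def reconcile(self, update: dict[str, str]) -> tuple[str, int]:
        """Apply one update (identity type -> value); return (action, asset id)."""
        owner = None
        # Step 2: definitive identity data that is already known wins, in
        # precedence order.
        for key in DEFINITIVE:
            if key in update:
                owner = self._owner_of(key, update[key])
                if owner is not None:
                    break
        if owner is None and "ip" in update:
            by_ip = self._owner_of("ip", update["ip"])
            if by_ip is not None:
                if not any(key in update for key in DEFINITIVE):
                    owner = by_ip          # Step 3: IP-only update
                else:
                    # Step 4: the IP matches but the definitive data is unknown,
                    # so this is a different physical asset (false-positive
                    # guard). Assumption: the IP moves to the new owner.
                    by_ip.identity["ip"].discard(update["ip"])
        if owner is None:
            # Step 5: nothing matched, create a new asset.
            owner = Asset(self._next_id)
            self._next_id += 1
            self.assets[owner.asset_id] = owner
            action = "created"
        else:
            action = "updated"
        for key, value in update.items():
            if key in PRECEDENCE:
                owner.identity[key].add(value)
        return action, owner.asset_id


def run_demo() -> list[tuple[str, int]]:
    """Constructed sequence of updates exercising steps 2 to 5."""
    db = AssetDatabase()
    updates = [
        {"mac": "00:11:22:33:44:55", "ip": "10.0.0.5"},            # new asset
        {"ip": "10.0.0.5"},                                        # step 3
        {"dns": "host1.example.test", "mac": "00:11:22:33:44:55"},  # step 2
        {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.0.5"},            # step 4 -> new
        {"ip": "10.0.0.5"},                                        # follows the IP
    ]
    return [db.reconcile(u) for u in updates]


if __name__ == "__main__":
    print(run_demo())
```

In the demo, the fourth update carries the same IP address as the first asset but an unknown MAC address, so it is not merged into that asset; the IP address is then reconciled to the new asset on the following IP-only update.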
Asset Reconciliation Exclusion Rules
By default, each piece of asset data is tracked over a two-hour period. If any one piece
of identity data in the asset update exhibits suspicious behavior two or more times within
2 hours, that piece of data is added to the asset blacklists. Each type of identity asset
data that is tested results in a new blacklist.
In domain-aware environments, the asset reconciliation exclusion rules track the behavior
of asset data separately for each domain.
The asset reconciliation exclusion rules test the following scenarios:
Table 28: Rule Tests and Responses
Scenario | Rule response
When a MAC address is associated with three or more different IP addresses in 2 hours or less | Add the MAC address to the Asset Reconciliation Domain MAC blacklist
When a DNS host name is associated with three or more different IP addresses in 2 hours or less | Add the DNS host name to the Asset Reconciliation Domain DNS blacklist
When a NetBIOS host name is associated with three or more different IP addresses in 2 hours or less | Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist
When an IPv4 address is associated with three or more different MAC addresses in 2 hours or less | Add the IP address to the Asset Reconciliation Domain IPv4 blacklist
When a NetBIOS host name is associated with three or more different MAC addresses in 2 hours or less | Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist
When a DNS host name is associated with three or more different MAC addresses in 2 hours or less | Add the DNS host name to the Asset Reconciliation Domain DNS blacklist
When an IPv4 address is associated with three or more different DNS host names in 2 hours or less | Add the IP address to the Asset Reconciliation Domain IPv4 blacklist
When a NetBIOS host name is associated with three or more different DNS host names in 2 hours or less | Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist
When a MAC address is associated with three or more different DNS host names in 2 hours or less | Add the MAC address to the Asset Reconciliation Domain MAC blacklist
When an IPv4 address is associated with three or more different NetBIOS host names in 2 hours or less | Add the IP address to the Asset Reconciliation Domain IPv4 blacklist
When a DNS host name is associated with three or more different NetBIOS host names in 2 hours or less | Add the DNS host name to the Asset Reconciliation Domain DNS blacklist
When a MAC address is associated with three or more different NetBIOS host names in 2 hours or less | Add the MAC address to the Asset Reconciliation Domain MAC blacklist
You can view these rules on the Offenses tab by clicking Rules and then selecting the
asset reconciliation exclusion group in the drop-down list.
Example: Asset Exclusion Rules That Are Tuned to Exclude IP Addresses from the Blacklist
You can exclude IP addresses from being blacklisted by tuning the asset exclusion rules.
As the network security administrator, you manage a corporate network that includes a
public wifi network segment where IP address leases are typically short and frequent.
The assets on this segment of the network tend to be transient, primarily notebooks and
hand-held devices that log in and out of the public wifi frequently. Commonly, a single
IP address is used multiple times by different devices over a short time.
In the rest of your deployment, you have a carefully managed network that consists only
of inventoried, well-named company devices. IP address leases are much longer in this
part of the network, and IP addresses are accessed by authentication only. On this network
segment, you want to know immediately when there are any asset growth deviations
and you want to keep the default settings for the asset reconciliation exclusion rules.
Blacklisting IP Addresses
In this environment, the default asset reconciliation exclusion rules inadvertently blacklist
the entire network in a short time.
Your security team finds the asset-related notifications that are generated by the wifi
segment are a nuisance. You want to prevent the wifi from triggering any more deviating
asset growth notifications.
Tuning Asset Reconciliation Rules to Ignore Some Asset Updates
You review the Asset deviation by log source report in the last system notification. You
determine that the blacklisted data is coming from the DHCP server on your wifi.
The values in the Event Count column, Flow Count column and the Offenses column for
the row corresponding to the AssetExclusion: Exclude IP By MAC Address rule indicate
that your wifi DHCP server is triggering this rule.
You add a test to the existing asset reconciliation exclusion rules to stop rules from adding
wifi data to the blacklist.
Apply AssetExclusion:Exclude IP by MAC address on events which are detected by the Local
system and NOT when the event(s) were detected by one or more of MicrosoftDHCP @
microsoft.dhcp.test.com and NOT when any of Domain is the key and any of Identity IP is
the value in any of Asset Reconciliation Domain IPv4 Whitelist - IP Asset Reconciliation
Domain IPv4 Blacklist - IP and when at least 3 events are seen with the same Identity IP
and different Identity MAC in 2 hours.
The updated rule tests only the events from the log sources that are not on your wifi
DHCP server. To prevent wifi DHCP events from undergoing more expensive reference
set and behavior analysis tests, you also moved this test to the top of the test stack.
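To show how the tests in Table 28 and the log source tuning in the example above fit together, the following Python code is an added example and not JSA's rule engine. It keeps a 2-hour sliding window for each identity value, separately per domain, adds a value to the blacklist of its type when it has been associated with three or more different values of another identity type inside that window, and skips events from log sources you have excluded, as the tuned AssetExclusion rule does for the wifi DHCP server. The class and function names, log source names, MAC and IP addresses, and timestamps are constructed for the example.

```python
"""Asset reconciliation exclusion rules as a sliding-window detector
(added example, not JSA's own implementation)."""
from __future__ import annotations
from collections import defaultdict, deque

WINDOW_SECONDS = 2 * 60 * 60   # Table 28: "in 2 hours or less"
THRESHOLD = 3                  # Table 28: "three or more different ..."
IDENTITY_TYPES = ("mac", "dns", "netbios", "ip")
# Each ordered pair of distinct identity types is one row of Table 28;
# ("mac", "ip") is "a MAC address associated with ... different IP addresses".
RULES = [(a, b) for a in IDENTITY_TYPES for b in IDENTITY_TYPES if a != b]


class ExclusionRuleEngine:
    """Tracks identity associations per domain and populates blacklists."""

    def __init__(self, excluded_log_sources=()):
        self.excluded = set(excluded_log_sources)
        # (domain, key type, other type, key value) -> deque of (ts, other value)
        self.history = defaultdict(deque)
        # (domain, identity type) -> blacklisted values of that type
        self.blacklists = defaultdict(set)

    def observe(self, ts, update, domain="default", log_source="local"):
        """Feed one asset update (identity type -> value) seen at `ts` seconds;
        return the (domain, type, value) blacklist entries it caused."""
        if log_source in self.excluded:
            return []          # the tuned rule does not test these events at all
        added = []
        for key_type, other_type in RULES:
            if key_type not in update or other_type not in update:
                continue
            key_value = update[key_type]
            window = self.history[(domain, key_type, other_type, key_value)]
            window.append((ts, update[other_type]))
            # Forget associations that fell out of the 2-hour window.
            while window and ts - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            distinct = {value for _, value in window}
            if len(distinct) >= THRESHOLD:
                blacklist = self.blacklists[(domain, key_type)]
                if key_value not in blacklist:
                    blacklist.add(key_value)
                    added.append((domain, key_type, key_value))
        return added


def run_demo():
    """Constructed scenario: a VPN server's MAC address proxying DHCP for three
    clients, the same pattern from an excluded wifi DHCP log source, and a
    MAC address whose three IP addresses are spread over more than 2 hours."""
    engine = ExclusionRuleEngine(excluded_log_sources={"wifi-dhcp"})
    vpn_mac = "00:11:22:33:44:55"
    hits = []
    for i, ts in enumerate((0, 1800, 3600)):
        hits += engine.observe(ts, {"mac": vpn_mac, "ip": f"10.0.0.{i + 1}"},
                               domain="corp", log_source="corp-dhcp")
    ignored = []
    for i, ts in enumerate((0, 1800, 3600)):
        ignored += engine.observe(ts, {"mac": "aa:bb:cc:dd:ee:ff", "ip": f"192.168.1.{i + 1}"},
                                  domain="corp", log_source="wifi-dhcp")
    slow_hits = []
    for i, ts in enumerate((0, 3600, 7201)):
        slow_hits += engine.observe(ts, {"mac": "02:00:00:00:00:01", "ip": f"10.1.0.{i + 1}"},
                                    domain="corp", log_source="corp-dhcp")
    return {
        "hits": hits,
        "ignored": ignored,
        "slow_hits": slow_hits,
        "corp_mac_blacklist": sorted(engine.blacklists[("corp", "mac")]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the VPN server's MAC address reaches the blacklist: the wifi DHCP events are never tested because the log source is excluded, and the third MAC address never has three IP addresses inside one 2-hour window. Each IP address in the demo is associated with only one MAC address, so the IPv4 blacklist stays empty.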
Asset Merging
Asset merging is the process where the information for one asset is combined with the
information for another asset under the premise that they are actually the same physical
asset.
Asset merging occurs when an asset update contains identity data that matches two
different asset profiles. For example, a single update that contains a NetBIOS host name
that matches one asset profile and a MAC address that matches a different asset profile
might trigger an asset merge.
Some systems can cause high volumes of asset merging because they have asset data
sources that inadvertently combine identity information from two different physical
assets into a single asset update. Some examples of these systems include the following
environments:
• Central syslog servers that act as an event proxy
• Virtual machines
• Automated installation environments
• Non-unique host names, common with assets like iPads and iPhones
• Virtual private networks that have shared MAC addresses
• Log source extensions where the identity field is OverrideAndAlwaysSend=true
Assets that have many IP addresses, MAC addresses, or host names show deviations in
asset growth and can trigger system notifications.
Related Documentation
• Identification Of Asset Growth Deviations on page 118
• Asset Blacklists and Whitelists on page 121
• Asset Profiles on page 124
Identification Of Asset Growth Deviations
Asset growth deviations occur when the number of asset updates for a single device
grows beyond the limit that is set by the retention threshold for a specific type of the
identity information. Proper handling of asset growth deviations is critical to maintaining
an accurate asset model.
At the root of every asset growth deviation is an asset data source whose data is
untrustworthy for updating the asset model. When a potential asset growth deviation is
identified, you must look at the source of the information to determine whether there is
a reasonable explanation for the asset to accumulate large amounts of identity data.
The cause of an asset growth deviation is specific to an environment.
DHCP Server Example Of Unnatural Asset Growth in an Asset Profile
Consider a virtual private network (VPN) server in a Dynamic Host Configuration Protocol
(DHCP) network. The VPN server is configured to assign IP addresses to incoming VPN
clients by proxying DHCP requests on behalf of the client to the network's DHCP server.
From the perspective of the DHCP server, the same MAC address repeatedly requests
many IP address assignments. In the context of network operations, the VPN server is
delegating the IP addresses to the clients, but the DHCP server can't distinguish when a
request is made by one asset on behalf of another.
The DHCP server log, which is configured as a JSA log source, generates a DHCP
acknowledgment (DHCP ACK) event that associates the MAC address of the VPN server
with the IP address that it assigned to the VPN client. When asset reconciliation occurs,
the system reconciles this event by MAC address, which results in a single existing asset
that grows by one IP address for every DHCP ACK event that is parsed.
Eventually, one asset profile contains every IP address that was allocated to the VPN
server. This asset growth deviation is caused by asset updates that contain information
about more than one asset.
Threshold Settings
When an asset in the database reaches a specific number of properties, such as multiple
IP addresses or MAC addresses, JSA blocks that asset from receiving more updates.
The Asset Profiler threshold settings specify the conditions under which an asset is
blocked from updates. The asset is updated normally up to the threshold value. When
the system collects enough data to exceed the threshold, the asset shows an asset
growth deviation. Future updates to the asset are blocked until the growth deviation is
rectified.
System Notifications That Indicate Asset Growth Deviations
JSA generates system notifications to help you identify and manage the asset growth
deviations in your environment.
The following system messages indicate that JSA identified potential asset growth
deviations:
• The system detected asset profiles that exceed the normal size threshold
• The asset blacklist rules have added new asset data to the asset blacklists
The system notification messages include links to reports to help you identify the assets
that have growth deviations.
Asset Data That Changes Frequently
Asset growth can be caused by large volumes of asset data that changes legitimately,
such as in these situations:
• A mobile device that travels from office-to-office frequently and is assigned a new IP
address whenever it logs in.
• A device that connects to a public wifi with short IP address leases, such as at a
university campus, might collect large volumes of asset data over a semester.
Example: How Configuration Errors for Log Source Extensions Can Cause Asset Growth Deviations
Customized log source extensions that are improperly configured can cause asset growth
deviations.
You configure a customized log source extension to provide asset updates to JSA by
parsing user names from the event payload that is on a central log server. You configure
the log source extension to override the event host name property so that the asset
updates that are generated by the custom log source always specify the DNS host name
of the central log server.
Instead of JSA receiving an update that has the host name of the asset that the user
logged in to, the log source generates many asset updates that all have the same host
name.
In this situation, the asset growth deviation is caused by one asset profile that contains
many IP addresses and user names.
Troubleshooting Asset Profiles That Exceed the Normal Size Threshold
JSA generates the following system notification when the accumulation of data under
a single asset exceeds the configured threshold limits for identity data.
The system detected asset profiles that exceed the normal size threshold
Explanation
The payload of the notification shows a list of the top five most frequently deviating
assets and why the system marked each asset as a growth deviation. As shown in the
following example, the payload also shows the number of times that the asset attempted
to grow beyond the asset size threshold.
Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer]
com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [INFO]
[NOT:0010006101][9.21.118.83/- -] [-/- -] The top five most frequently deviating asset
profiles between Feb 13, 2015 8:10:23 PM AST and Feb 13, 2015 8:13:23 PM AST: [ASSET
ID:1003, REASON:Too Many IPs, COUNT:508], [ASSET ID:1002, REASON:Too many DNS
Names, COUNT:93], [ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]
When the asset data exceeds the configured threshold, JSA blocks the asset from future
updates. This intervention prevents the system from receiving more corrupted data and
mitigates the performance impacts that might occur if the system attempts to reconcile
incoming updates against an abnormally large asset profile.
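The following Python code is an added example, not a JSA component. It parses the notification payload shown above into asset IDs, reasons, and counts, ranks the assets so that the one attempting to grow most often comes first, and applies the kind of check described in “Threshold Settings” on page 119, where an asset whose identity data count exceeds the configured threshold is blocked from further updates. The sample payload is the line from this guide; the threshold values, the mapping from reason text to identity type, and the function names are assumptions of the example.

```python
"""Parse the "top five most frequently deviating asset profiles" notification
and apply a threshold check (added example, not JSA code)."""
from __future__ import annotations
import re

# The payload line from the guide, joined into one string.
SAMPLE_PAYLOAD = (
    "Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer] "
    "com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [INFO] "
    "[NOT:0010006101][9.21.118.83/- -] [-/- -] The top five most frequently deviating asset "
    "profiles between Feb 13, 2015 8:10:23 PM AST and Feb 13, 2015 8:13:23 PM AST: [ASSET "
    "ID:1003, REASON:Too Many IPs, COUNT:508], [ASSET ID:1002, REASON:Too many DNS "
    "Names, COUNT:93], [ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]"
)

ENTRY_RE = re.compile(r"\[ASSET ID:(\d+), REASON:([^,\]]+), COUNT:(\d+)\]")
NOTIFICATION_RE = re.compile(r"\[NOT:(\d+)\]")

# Constructed threshold values for the example; the real values live in the
# Asset Profiler Configuration on the Admin tab.
EXAMPLE_THRESHOLDS = {
    "IP addresses": 75,
    "MAC addresses": 75,
    "NetBIOS host names": 75,
    "DNS host names": 75,
}


def parse_deviations(payload: str) -> list[tuple[int, str, int]]:
    """Return [(asset_id, reason, count), ...] sorted by count, highest first."""
    entries = [(int(aid), reason.strip(), int(count))
               for aid, reason, count in ENTRY_RE.findall(payload)]
    return sorted(entries, key=lambda entry: entry[2], reverse=True)


def notification_id(payload: str) -> str | None:
    """Extract the NOT:... system notification identifier, if present."""
    match = NOTIFICATION_RE.search(payload)
    return match.group(1) if match else None


def reason_to_identity_type(reason: str) -> str:
    """Map REASON text to the identity type whose threshold it refers to
    (assumed mapping, based on the wording in the sample payload)."""
    keywords = {"ip": "IP addresses", "dns": "DNS host names",
                "mac": "MAC addresses", "netbios": "NetBIOS host names"}
    lowered = reason.lower()
    for keyword, label in keywords.items():
        if keyword in lowered:
            return label
    return "unknown"


def blocked_identity_types(identity_counts: dict[str, int],
                           thresholds: dict[str, int] = EXAMPLE_THRESHOLDS) -> list[str]:
    """Identity types whose count exceeds the threshold. Any entry means the
    asset is blocked from further updates until the deviation is resolved."""
    return [itype for itype, count in identity_counts.items()
            if count > thresholds.get(itype, float("inf"))]


def triage(payload: str) -> list[tuple[int, str, int]]:
    """(asset id, identity type to review, attempts) for each deviating asset."""
    return [(aid, reason_to_identity_type(reason), count)
            for aid, reason, count in parse_deviations(payload)]


if __name__ == "__main__":
    print(notification_id(SAMPLE_PAYLOAD))
    for row in triage(SAMPLE_PAYLOAD):
        print(row)
```

Feeding the triage output back to the report from “Required User Action” tells you which threshold (IP addresses, DNS host names, or MAC addresses in the sample) to examine for each asset before deciding whether the data is valid and the threshold should be raised, or the source is untrustworthy and should be fixed.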
Required User Action
Use the information in the notification payload to identify the assets that are contributing
to the asset growth deviation and determine what is causing the abnormal growth. The
notification provides a link to a report of all assets that experienced deviating asset
growth over the past 24 hours.
After you resolve the asset growth deviation in your environment, you can run the report
again.
1. Click the Log Activity tab and click Search >New Search.
2. Select the Deviating Asset Growth: Asset Report saved search.
3. Use the report to identify and repair inaccurate asset data that was created during
the deviation.
If the asset data is valid, JSA administrators can increase the threshold limits for IP
addresses, MAC addresses, NetBIOS host names, and DNS host names in the Asset
Profiler Configuration on the JSA Admin tab.
New Asset Data is Added to the Asset Blacklists
JSA generates the following system notification when a piece of asset data exhibits
behavior that is consistent with deviating asset growth.
The asset blacklist rules have added new asset data to the asset blacklists
Explanation
Asset exclusion rules monitor asset data for consistency and integrity. The rules track
specific pieces of asset data over time to ensure that they are consistently being observed
with the same subset of data within a reasonable time.
For example, if an asset update includes both a MAC address and a DNS host name, the
MAC address is associated with that DNS host name for a sustained period. Subsequent
asset updates that contain that MAC address also contain that same DNS host name
when one is included in the asset update. If the MAC address suddenly is associated with
a different DNS host name for a short period, the change is monitored. If the MAC address
changes again within a short period, the MAC address is flagged as contributing to an
instance of deviating or abnormal asset growth.
Required User Action
Use the information in the notification payload to identify the rules that are used to
monitor asset data. Click the Asset deviations by log source link in the notification to see
the asset deviations that occurred in the last 24 hours.
If the asset data is valid, JSA administrators can configure JSA to resolve the problem.
• If your blacklists are populating too aggressively, you can tune the asset reconciliation
exclusion rules that populate them.
• If you want to add the data to the asset database, you can remove the asset data from
the blacklist and add it to the corresponding asset whitelist. Adding asset data to the
whitelist prevents it from inadvertently reappearing on the blacklist.
Related Documentation
• Asset Blacklists and Whitelists on page 121
• Asset Profiles on page 124
• Updates to Asset Data on page 115
Asset Blacklists and Whitelists
JSA uses a group of asset reconciliation rules to determine if asset data is trustworthy.
When asset data is questionable, JSA uses asset blacklists and whitelists to determine
whether to update the asset profiles with the asset data.
An asset blacklist is a collection of data that JSA considers untrustworthy. Data in the
asset blacklist is likely to contribute to asset growth deviations and JSA prevents the
data from being added to the asset database.
An asset whitelist is a collection of asset data that overrides the asset reconciliation
engine logic about which data is added to an asset blacklist. When the system identifies
a blacklist match, it checks the whitelist to see whether the value exists. If the asset
update matches data that is on the whitelist, the change is reconciled and the asset is
updated. Whitelisted asset data is applied globally for all domains.
Your JSA administrator can modify the asset blacklist and whitelist data to prevent future
asset growth deviations.
Asset Blacklists
An asset blacklist is a collection of data that JSA considers untrustworthy based on the
asset reconciliation exclusion rules. Data in the asset blacklist is likely to contribute to
asset growth deviations and JSA prevents the data from being added to the asset
database.
Every asset update in JSA is compared to the asset blacklists. Blacklisted asset data is
applied globally for all domains. If the asset update contains identity information (MAC
address, NetBIOS host name, DNS host name, or IP address) that is found on a blacklist,
the incoming update is discarded and the asset database is not updated.
The following table shows the reference collection name and type for each type of identity
asset data.
Table 29: Reference Collection Names for Asset Blacklist Data
Type of identity data | Reference collection name | Reference collection type
IP addresses (v4) | Asset Reconciliation IPv4 Blacklist | Reference Set [Set Type: IP]
DNS host names | Asset Reconciliation DNS Blacklist | Reference Set [Set Type: ALNIC*]
NetBIOS host names | Asset Reconciliation NetBIOS Blacklist | Reference Set [Set Type: ALNIC*]
MAC Addresses | Asset Reconciliation MAC Blacklist | Reference Set [Set Type: ALNIC*]
* ALNIC is an alphanumeric type that can accommodate both host name and MAC address values.
Your JSA administrator can modify the blacklist entries to ensure that new asset data is
handled correctly.
Asset Whitelists
You can use asset whitelists to keep JSA asset data from inadvertently reappearing in
the asset blacklists.
An asset whitelist is a collection of asset data that overrides the asset reconciliation
engine logic about which data is added to an asset blacklist. When the system identifies
a blacklist match, it checks the whitelist to see whether the value exists. If the asset
update matches data that is on the whitelist, the change is reconciled and the asset is
updated. Whitelisted asset data is applied globally for all domains.
Your JSA administrator can modify the whitelist entries to ensure that new asset data is
handled correctly.
Example Of a Whitelist Use Case
The whitelist is helpful if you have asset data that continues to show up in the blacklists
when it is a valid asset update. For example, you might have a round robin DNS load
balancer that is configured to rotate across a set of five IP addresses. The Asset
Reconciliation Exclusion rules might determine that the multiple IP addresses associated
with the same DNS host name are indicative of an asset growth deviation, and the system
might add the DNS load balancer to the blacklist. To resolve this problem, you can add
the DNS host name to the Asset Reconciliation DNS Whitelist.
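The following Python code is an added example, not JSA's own implementation, of the check described in “Asset Blacklists” above and in the whitelist use case: each identity value in an incoming update is looked up in the blacklist for its type (Table 29), a match on the corresponding whitelist (Table 30) overrides the blacklist, and an update that still has an unresolved blacklist match is discarded before it reaches the asset database. The reference set names are the ones in the tables; the class and function names, the load balancer host name, and the IP address are constructed, and lowercase normalization of ALNIC values is an assumption of the example.

```python
"""Blacklist and whitelist check for an incoming asset update
(added example, not JSA code)."""
from __future__ import annotations

# Reference set names from Table 29 and Table 30.
BLACKLIST_NAMES = {
    "ip": "Asset Reconciliation IPv4 Blacklist",
    "dns": "Asset Reconciliation DNS Blacklist",
    "netbios": "Asset Reconciliation NetBIOS Blacklist",
    "mac": "Asset Reconciliation MAC Blacklist",
}
WHITELIST_NAMES = {itype: name.replace("Blacklist", "Whitelist")
                   for itype, name in BLACKLIST_NAMES.items()}


class ReferenceSets:
    """In-memory stand-in for the reference sets. Values are lowercased on the
    assumption that ALNIC (alphanumeric) sets match case-insensitively."""

    def __init__(self) -> None:
        names = list(BLACKLIST_NAMES.values()) + list(WHITELIST_NAMES.values())
        self.sets: dict[str, set[str]] = {name: set() for name in names}

    def add(self, name: str, value: str) -> None:
        self.sets[name].add(value.lower())

    def remove(self, name: str, value: str) -> None:
        self.sets[name].discard(value.lower())

    def contains(self, name: str, value: str) -> bool:
        return value.lower() in self.sets[name]


def check_update(update: dict[str, str], refsets: ReferenceSets):
    """Decide whether an update reaches the asset database.

    Returns ("apply", []) or ("discard", [(type, value, blacklist name), ...]).
    Both lists are global across domains, as the guide states, so no domain
    argument is needed here.
    """
    blocked = []
    for itype, value in update.items():
        if itype not in BLACKLIST_NAMES:
            continue                      # e.g. a user name: not identity data
        if refsets.contains(BLACKLIST_NAMES[itype], value):
            if refsets.contains(WHITELIST_NAMES[itype], value):
                continue                  # whitelist overrides the blacklist
            blocked.append((itype, value, BLACKLIST_NAMES[itype]))
    return ("discard", blocked) if blocked else ("apply", [])


def run_demo():
    """Round-robin DNS load balancer: its host name was blacklisted by the
    exclusion rules; whitelisting it lets the updates through again."""
    refsets = ReferenceSets()
    lb_host = "lb.example.test"          # constructed host name
    refsets.add(BLACKLIST_NAMES["dns"], lb_host)
    update = {"dns": lb_host, "ip": "10.0.0.11", "user": "svc-web"}
    before = check_update(update, refsets)
    # Required user action from the guide: move the value to the whitelist.
    refsets.remove(BLACKLIST_NAMES["dns"], lb_host)
    refsets.add(WHITELIST_NAMES["dns"], lb_host)
    after = check_update(update, refsets)
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

The demo removes the host name from the blacklist and adds it to the whitelist, which is the sequence the guide recommends; the check also shows that leaving the value on the blacklist and only whitelisting it has the same effect on the update, since the whitelist match overrides the blacklist match.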
Mass Entries to the Asset Whitelist
An accurate asset database makes it easier to connect offenses that are triggered in
your system to physical or virtual assets in your network. Ignoring asset deviations by
adding mass entries to the asset whitelist is not helpful in building an accurate asset
database. Instead of adding mass whitelist entries, review the asset blacklist to determine
what is contributing to the deviating asset growth and then determine how to fix it.
Types Of Asset Whitelists
Each type of identity data is kept in a separate whitelist. The following table shows the
reference collection name and type for each type of identity asset data.
Table 30: Reference Collection Name for Asset Whitelist Data
Type of data | Reference collection name | Reference collection type
IP addresses | Asset Reconciliation IPv4 Whitelist | Reference Set [Set Type: IP]
DNS host names | Asset Reconciliation DNS Whitelist | Reference Set [Set Type: ALNIC*]
NetBIOS host names | Asset Reconciliation NetBIOS Whitelist | Reference Set [Set Type: ALNIC*]
MAC addresses | Asset Reconciliation MAC Whitelist | Reference Set [Set Type: ALNIC*]
* ALNIC is an alphanumeric type that can accommodate host name and MAC address values.
Related Documentation
• Asset Profiles on page 124
• Updates to Asset Data on page 115
• Identification Of Asset Growth Deviations on page 118
Asset Profiles
Asset profiles provide information about each known asset in your network, including
what services are running on each asset.
Asset profile information is used for correlation purposes to help reduce false positives.
For example, if a source attempts to exploit a specific service running on an asset, then
JSA determines if the asset is vulnerable to this attack by correlating the attack to the
asset profile.
Asset profiles are automatically discovered if you have flow data or vulnerability
assessment (VA) scans configured. For flow data to populate asset profiles, bidirectional
flows are required. Asset profiles can also be automatically created from identity events.
For more information about VA, see the Vulnerability Assessment Configuration Guide.
For more information about flow sources, see the Juniper Secure Analytics Administration
Guide.
Vulnerabilities
You can use JSA Vulnerability Manager and third-party scanners to identify vulnerabilities.
Third-party scanners identify and report discovered vulnerabilities using external
references, such as the Open Source Vulnerability Database (OSVDB), National
Vulnerability Database (NVDB), and Critical Watch. Examples of third-party scanners
include QualysGuard and nCircle ip360. The OSVDB assigns a unique reference identifier
(OSVDB ID) to each vulnerability. External references assign a unique reference identifier
to each vulnerability. Examples of external data reference IDs include Common
Vulnerability and Exposures (CVE) ID or Bugtraq ID. For more information on scanners
and vulnerability assessment, see the Juniper Secure Analytics Vulnerability Manager User
Guide.
JSA Vulnerability Manager is a component that you can purchase separately and enable
using a license key. JSA Vulnerability Manager is a network scanning platform that provides
awareness of the vulnerabilities that exist within the applications, systems, or devices
on your network. After scans identify vulnerabilities, you can search and review vulnerability
data, remediate vulnerabilities, and rerun scans to evaluate the new level of risk.
When JSA Vulnerability Manager is enabled, you can perform vulnerability assessment
tasks on the Vulnerabilities tab. From the Assets tab, you can run scans on selected assets.
For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
Assets Tab Overview
The Assets tab provides you with a workspace from which you can manage your network
assets and investigate an asset's vulnerabilities, ports, applications, history, and other
associations.
Using the Assets tab, you can:
• View all the discovered assets.
• Manually add asset profiles.
• Search for specific assets.
• View information about discovered assets.
• Edit asset profiles for manually added or discovered assets.
• Tune false positive vulnerabilities.
• Import assets.
• Print or export asset profiles.
• Discover assets.
• Configure and manage third-party vulnerability scanning.
• Start JSA Vulnerability Manager scans.
For information about the Server Discovery option in the navigation pane, see the Juniper
Secure Analytics Administration Guide.
For more information about the VA Scan option in the navigation pane, see the Juniper
Secure Analytics Risk Manager User Guide.
Viewing an Asset Profile
From the asset list on the Assets tab, you can select and view an asset profile. An asset
profile provides the information that JSA holds about that specific asset.
Asset profile information is automatically discovered through Server Discovery or manually
configured. You can edit automatically generated asset profile information.
The Asset Profile page provides the information about the asset that is organized into
several panes. To view a pane, you can click the arrow (>) on the pane to view more
detail or select the pane from the Display list box on the toolbar.
The Asset Profile page toolbar provides the following functions:
Table 31: Asset Profile Page Toolbar Functions
Options | Description
Return to Asset List | Click this option to return to the asset list.
Display | From the list box, you can select the pane that you want to view on the Asset Profile pane. The Asset Summary and Network Interface Summary panes are always displayed.
Edit Asset | Click this option to edit the Asset Profile. See “Adding or Editing an Asset Profile” on page 127.
View by Network | If this asset is associated with an offense, this option allows you to view the list of networks that are associated with this asset. When you click View By Network, the List of Networks window is displayed.
View Source Summary | If this asset is the source of an offense, this option allows you to view source summary information. When you click View Source Summary, the List of Offenses window is displayed.
View Destination Summary | If this asset is the destination of an offense, this option allows you to view destination summary information. When you click View Destination Summary, the List of Destinations window is displayed.
History | Click History to view event history information for this asset. When you click the History icon, the Event Search window is displayed, pre-populated with event search criteria. You can customize the search parameters, if required. Click Search to view the event history information.
Applications | Click Applications to view application information for this asset. When you click the Applications icon, the Flow Search window is displayed, pre-populated with event search criteria. You can customize the search parameters, if required. Click Search to view the application information.
Search Connections | Click Search Connections to search for connections. The Connection Search window is displayed. This option is only displayed when JSA Risk Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
View Topology | Click View Topology to further investigate the asset. The Current Topology window is displayed. This option is only displayed when JSA Risk Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
Actions | From the Actions list, select Vulnerability History. This option is only displayed when JSA Risk Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
1.
Click the Assets tab.
2. On the navigation menu, click Asset Profiles
126
Copyright © 2017, Juniper Networks, Inc.
Chapter 7: Asset Management
3. Double-click the asset that you want to view.
4. Use the options on the toolbar to display the various panes of asset profile information.
See “Adding or Editing an Asset Profile” on page 127.
5. To research the associated vulnerabilities, click each vulnerability in the Vulnerabilities
pane. See Table 10-10
6. If required, edit the asset profile. See “Adding or Editing an Asset Profile” on page 127.
7. Click Return to Assets List to select and view another asset, if required.
Adding or Editing an Asset Profile
Asset profiles are automatically discovered and added; however, you might be required
to manually add a profile.
When assets are discovered using the Server Discovery option, some asset profile details
are automatically populated. You can manually add information to the asset profile and
you can edit certain parameters.
You can only edit the parameters that were manually entered. Parameters that were
system generated are displayed in italics and are not editable. You can delete system
generated parameters, if required.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Choose one of the following options:
  • To add an asset, click Add Asset and type the IP address or CIDR range of the asset
    in the New IP Address field.
  • To edit an asset, double-click the asset that you want to view and click Edit Asset.
4. Configure the parameters in the MAC & IP Address pane. Configure one or more of
the following options:
  • Click the New MAC Address icon and type a MAC Address in the dialog box.
  • Click the New IP Address icon and type an IP address in the dialog box.
  • If Unknown NIC is listed, you can select this item, click the Edit icon, and type a new
    MAC address in the dialog box.
  • Select a MAC or IP address from the list, click the Edit icon, and type a new MAC
    address in the dialog box.
  • Select a MAC or IP address from the list and click the Remove icon.
5. Configure the parameters in the Names & Description pane. Configure one or more
of the following options:

DNS
  Choose one of the following options:
  • Type a DNS name and click Add.
  • Select a DNS name from the list and click Edit.
  • Select a DNS name from the list and click Remove.

NetBIOS
  Choose one of the following options:
  • Type a NetBIOS name and click Add.
  • Select a NetBIOS name from the list and click Edit.
  • Select a NetBIOS name from the list and click Remove.

Given Name
  Type a name for this asset profile.

Location
  Type a location for this asset profile.

Description
  Type a description for the asset profile.

Wireless AP
  Type the wireless Access Point (AP) for this asset profile.

Wireless SSID
  Type the wireless Service Set Identifier (SSID) for this asset profile.

Switch ID
  Type the switch ID for this asset profile.

Switch Port ID
  Type the switch port ID for this asset profile.

6. Configure the parameters in the Operating System pane:
a. From the Vendor list box, select an operating system vendor.
b. From the Product list box, select the operating system for the asset profile.
c. From the Version list box, select the version for the selected operating system.
d. Click the Add icon.
e. From the Override list box, select one of the following options:
  • Until Next Scan: Select this option to specify that the scanner provides operating
    system information and the information can be temporarily edited. If you edit
    the operating system parameters, the scanner restores the information at its
    next scan.
  • Forever: Select this option to specify that you want to manually enter operating
    system information and disable the scanner from updating the information.
f. Select an operating system from the list.
g. Select an operating system and click the Toggle Override icon.
7. Configure the parameters in the CVSS & Weight pane. Configure one or more of the
following options:

Collateral Damage Potential
  Configure this parameter to indicate the potential for loss of life or physical assets through damage
  or theft of this asset. You can also use this parameter to indicate potential for economic loss of
  productivity or revenue. Increased collateral damage potential increases the calculated value in the
  CVSS Score parameter.
  From the Collateral Damage Potential list box, select one of the following options:
  • None
  • Low
  • Low-medium
  • Medium-high
  • High
  • Not defined
  When you configure the Collateral Damage Potential parameter, the Weight parameter is automatically
  updated.

Confidentiality Requirement
  Configure this parameter to indicate the impact on confidentiality of a successfully exploited
  vulnerability on this asset. Increased confidentiality impact increases the calculated value in the
  CVSS Score parameter.
  From the Confidentiality Requirement list box, select one of the following options:
  • Low
  • Medium
  • High
  • Not defined

Availability Requirement
  Configure this parameter to indicate the impact to the asset's availability when a vulnerability is
  successfully exploited. Attacks that consume network bandwidth, processor cycles, or disk space
  impact the availability of an asset. Increased availability impact increases the calculated value in
  the CVSS Score parameter.
  From the Availability Requirement list box, select one of the following options:
  • Low
  • Medium
  • High
  • Not defined

Integrity Requirement
  Configure this parameter to indicate the impact to the asset's integrity when a vulnerability is
  successfully exploited. Integrity refers to the trustworthiness and guaranteed veracity of information.
  Increased integrity impact increases the calculated value in the CVSS Score parameter.
  From the Integrity Requirement list box, select one of the following options:
  • Low
  • Medium
  • High
  • Not defined

Weight
  From the Weight list box, select a weight for this asset profile. The range is 0 - 10.
  When you configure the Weight parameter, the Collateral Damage Potential parameter is automatically
  updated.
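The option names in the CVSS & Weight pane (Collateral Damage Potential, and the Confidentiality, Integrity and Availability Requirements) are the environmental metrics of CVSS version 2. The following Python block is an added worked example, not code from JSA or from this guide: it computes a CVSS v2 base score from the published metric weights and then applies the environmental settings from this pane, so you can see how much each choice moves the score shown in the asset's CVSS Score parameter. It assumes that the JSA list boxes map one-to-one onto the standard CVSS v2 metric values, treats the temporal metrics and Target Distribution as Not Defined unless given, and does not model how JSA links the Weight list box to Collateral Damage Potential, because the guide does not state that mapping.

```python
"""CVSS v2 base and environmental scoring (added example, not JSA code).

Metric weights are the published CVSS v2 constants. The mapping of the JSA
asset-profile list boxes onto these metrics is an assumption based on the
matching option names.
"""
import math

# Base metric weights (CVSS v2 specification)
ACCESS_VECTOR = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
ACCESS_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}
IMPACT = {"none": 0.0, "partial": 0.275, "complete": 0.660}

# Environmental metric weights, keyed by the option names shown in the pane
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "low-medium": 0.3,
                     "medium-high": 0.4, "high": 0.5, "not defined": 0.0}
REQUIREMENT = {"low": 0.5, "medium": 1.0, "high": 1.51, "not defined": 1.0}


def round1(x):
    """CVSS v2 rounds every score to one decimal place, halves rounding up."""
    return math.floor(x * 10 + 0.5) / 10


def _score(impact, exploitability):
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176
    f = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f)


def _exploitability(av, ac, au):
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(av, ac, au, c, i, a):
    """Base score from the six base metrics (e.g. AV:N/AC:L/Au:N/C:P/I:P/A:P)."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    return _score(impact, _exploitability(av, ac, au))


def environmental_score(av, ac, au, c, i, a,
                        collateral_damage="not defined",
                        confidentiality_req="not defined",
                        integrity_req="not defined",
                        availability_req="not defined",
                        target_distribution=1.0):
    """Environmental score with temporal metrics treated as Not Defined (x1.0).

    The three requirements scale the individual impact terms before the base
    formula is re-evaluated; Collateral Damage Potential then lifts the result
    toward 10, which is why raising any of these settings raises the score.
    """
    adj_impact = min(10.0, 10.41 * (
        1 - (1 - IMPACT[c] * REQUIREMENT[confidentiality_req])
          * (1 - IMPACT[i] * REQUIREMENT[integrity_req])
          * (1 - IMPACT[a] * REQUIREMENT[availability_req])))
    # AdjustedTemporal = AdjustedBase x E x RL x RC, all Not Defined here
    adjusted_temporal = _score(adj_impact, _exploitability(av, ac, au))
    cdp = COLLATERAL_DAMAGE[collateral_damage]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp)
                  * target_distribution)


if __name__ == "__main__":
    # Constructed vector: remote, low complexity, no auth, partial C/I/A
    vec = ("network", "low", "none", "partial", "partial", "partial")
    print("base score:", base_score(*vec))
    for cdp in COLLATERAL_DAMAGE:
        print(f"collateral damage {cdp:<12} -> {environmental_score(*vec, collateral_damage=cdp)}")
    print("all requirements high, CDP high:",
          environmental_score(*vec, collateral_damage="high", confidentiality_req="high",
                              integrity_req="high", availability_req="high"))
```

Run stand-alone, the block prints the 7.5 base score of the constructed vector and the environmental score for each Collateral Damage Potential option, which makes the effect of the pane's settings concrete: the same vulnerability scores 5.6 on an asset whose three requirements are Low and 9.4 on one with all requirements High and Collateral Damage Potential High.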
8. Configure the parameters in the Owner pane. Choose one or more of the following
options:

Business Owner
  Type the name of the business owner of the asset. An example of a business owner is a
  department manager. The maximum length is 255 characters.

Business Owner Contact
  Type the contact information for the business owner. The maximum length is 255 characters.

Technical Owner
  Type the technical owner of the asset. An example of a technical owner is the IT manager
  or director. The maximum length is 255 characters.

Technical Owner Contact
  Type the contact information for the technical owner. The maximum length is 255 characters.

Technical User
  From the list box, select the username that you want to associate with this asset profile.
  You can also use this parameter to enable automatic vulnerability remediation for Juniper
  Secure Analytics Vulnerability Manager. For more information about automatic remediation,
  see the Juniper Secure Analytics Vulnerability Manager User Guide.

9. Click Save.
Searching Asset Profiles
You can configure search parameters to display only the asset profiles you want to
investigate from the Asset page on the Assets tab.
When you access the Assets tab, the Asset page is displayed, populated with all discovered
assets in your network. To refine this list, you can configure search parameters to display
only the asset profiles you want to investigate.
From the Asset Search page, you can manage Asset Search Groups. For more information
about Asset Search Groups, see “Asset Search Groups” on page 132.
The search feature allows you to search host profiles, assets, and identity information.
Identity information provides more detail about log sources on your network, including
DNS information, user logins, and MAC addresses.
Using the asset search feature, you can search for assets by external data references to
determine whether known vulnerabilities exist in your deployment.
For example: You receive a notification that CVE ID: CVE-2010-000 is being actively used
in the field. To verify whether any hosts in your deployment are vulnerable to this exploit,
you can select Vulnerability External Reference from the list of search parameters, select
CVE, and then type 2010-000 to view a list of all hosts that are vulnerable to that specific
CVE ID.
NOTE: For more information about OSVDB, see http://osvdb.org/. For more
information about NVDB, see http://nvd.nist.gov/.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. On the toolbar, click Search > New Search.
4. Choose one of the following options:
  • To load a previously saved search, go to Step 5.
  • To create a new search, go to Step 6.
5. Select a previously saved search:
a. Choose one of the following options:
  • Optional. From the Group list box, select the asset search group that you want
    to display in the Available Saved Searches list.
  • From the Available Saved Searches list, select the saved search that you want
    to load.
  • In the Type Saved Search or Select from List field, type the name of the search
    you want to load.
b. Click Load.
6. In the Search Parameters pane, define your search criteria:
a. From the first list box, select the asset parameter that you want to search for. For
example, Hostname, Vulnerability Risk Classification, or Technical Owner.
b. From the second list box, select the modifier that you want to use for the search.
c. In the entry field, type specific information that is related to your search parameter.
d. Click Add Filter.
e. Repeat these steps for each filter that you want to add to the search criteria.
7. Click Search.
You can save your asset search criteria. See “Saving Asset Search Criteria” on page 132.
Saving Asset Search Criteria
On the Asset tab, you can save configured search criteria so that you can reuse the criteria.
Saved search criteria do not expire.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Perform a search.
4. Click Save Criteria.
5. Enter values for the parameters:

Enter the name of this search
  Type the unique name that you want to assign to this search criteria.

Manage Groups
  Click Manage Groups to manage search groups. This option is only displayed if you
  have administrative permissions.

Assign Search to Group(s)
  Select the check box for the group you want to assign this saved search to. If you do not
  select a group, this saved search is assigned to the Other group by default.

Include in my Quick Searches
  Select this check box to include this search in your Quick Search list box, which is on
  the Assets tab toolbar.

Set as Default
  Select this check box to set this search as your default search when you access the
  Assets tab.

Share with Everyone
  Select this check box to share these search requirements with all users.
Asset Search Groups
Using the Asset Search Groups window, you can create and manage asset search groups.
These groups allow you to easily locate saved search criteria on the Assets tab.
Viewing Search Groups
Use the Asset Search Groups window to view a list of groups and subgroups.
From the Asset Search Groups window, you can view details about each group, including
a description and the date the group was last modified.
All saved searches that are not assigned to a group are in the Other group.
The Asset Search Groups window toolbar provides the following functions:

Table 32: Asset Search Groups Window Toolbar Functions

New Group
  To create a new search group, click New Group. See “Creating a New Search Group” on page 133.

Edit
  To edit an existing search group, click Edit. See “Editing a Search Group” on page 134.

Copy
  To copy a saved search to another search group, click Copy. See “Copying a Saved Search to
  Another Group” on page 134.

Remove
  To remove a search group or a saved search from a search group, select the item that you want to
  remove, and then click Remove. See “Removing a Group or a Saved Search from a Group” on page 135.

1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select Search > New Search.
4. Click Manage Groups.
5. View the search groups.
Creating a New Search Group
On the Asset Search Groups window, you can create a new search group.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select Search > New Search.
4. Click Manage Groups.
5. Select the folder for the group under which you want to create the new group.
6. Click New Group.
7. In the Name field, type a unique name for the new group.
8. Optional. In the Description field, type a description.
9. Click OK.
Editing a Search Group
You can edit the Name and Description fields of a search group.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select Search > New Search.
4. Click Manage Groups.
5. Select the group that you want to edit.
6. Click Edit.
7. Type a new name in the Name field.
8. Type a new description in the Description field.
9. Click OK.
Copying a Saved Search to Another Group
You can copy a saved search to another group. You can also copy the saved search to
more than one group.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select Search > New Search.
4. Click Manage Groups.
5. Select the saved search that you want to copy.
6. Click Copy.
7. On the Item Groups window, select the check box for the group you want to copy the
saved search to.
8. Click Assign Groups.
Removing a Group or a Saved Search from a Group
You can use the Remove icon to remove a search from a group or remove a search group.
When you remove a saved search from a group, the saved search is not deleted from
your system. The saved search is removed from the group and automatically moved to
the Other group.
You cannot remove the following groups from your system:
  • Asset Search Groups
  • Other
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select Search > New Search.
4. Click Manage Groups.
5. Choose one of the following options:
  • Select the saved search that you want to remove from the group.
  • Select the group that you want to remove.
Asset Profile Management Tasks
Using the Assets tab, you can delete, import, and export asset profiles.
Deleting Assets
You can delete specific assets or all listed asset profiles.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select the asset that you want to delete, and then select Delete Asset from the Actions
list box.
4. Click OK.
Importing Asset Profiles
You can import asset profile information.
The imported file must be a CSV file in the following format:
ip,name,weight,description
Where:
  • IP: Specifies any valid IP address in the dotted decimal format. For example: 192.168.5.34.
  • Name: Specifies the name of this asset, up to 255 characters in length. Commas are not
    valid in this field and invalidate the import process. For example: WebServer01 is correct.
  • Weight: Specifies a number from 0 to 10, which indicates the importance of this asset
    on your network. A value of 0 denotes low importance and 10 is very high.
  • Description: Specifies a textual description for this asset, up to 255 characters in length.
    This value is optional.
For example, the following entries might be included in a CSV file:
  • 192.168.5.34,WebServer01,5,Main Production Web Server
  • 192.168.5.35,MailServ01,0,
The import process merges the imported asset profiles with the asset profile information
you have currently stored in the system.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. From the Actions list box, select Import Assets.
4. Click Browse to locate and select the CSV file that you want to import.
5. Click Import Assets to begin the import process.
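Because a single malformed row (a comma in a name, an out-of-range weight, a bad address) invalidates the whole import, it is worth checking the file before uploading it. The following Python block is an added example, not a JSA tool, that validates a CSV against the four rules stated above: a dotted-decimal IPv4 address, a name of 1 to 255 characters with no commas, an integer weight from 0 to 10, and an optional description of up to 255 characters. It assumes the import treats every comma as a field separator (no quoting), which is what the guide's rule about commas implies, and the sample rows are constructed for the example.

```python
"""Pre-flight validator for the JSA asset-import CSV format (added example).

Format from the guide: ip,name,weight,description
Assumption: commas are always separators, so quoting is not honoured.
"""
import csv
import io
import ipaddress

MAX_TEXT = 255               # limit for name and description
WEIGHT_RANGE = range(0, 11)  # 0 to 10 inclusive


def validate_row(fields, line_no):
    """Return a list of problems for one parsed row; an empty list means valid."""
    if len(fields) != 4:
        # A comma inside a name shifts every following field, so the count is wrong.
        return [f"line {line_no}: expected 4 fields (ip,name,weight,description), "
                f"got {len(fields)}"]
    ip, name, weight, description = fields
    problems = []
    try:
        ipaddress.IPv4Address(ip)  # dotted decimal only; rejects 300 in an octet
    except ValueError:
        problems.append(f"line {line_no}: invalid IPv4 address {ip!r}")
    if not name or len(name) > MAX_TEXT:
        problems.append(f"line {line_no}: name must be 1-{MAX_TEXT} characters")
    if not weight.isdigit() or int(weight) not in WEIGHT_RANGE:
        problems.append(f"line {line_no}: weight must be an integer from 0 to 10, "
                        f"got {weight!r}")
    if len(description) > MAX_TEXT:
        problems.append(f"line {line_no}: description exceeds {MAX_TEXT} characters")
    return problems


def validate_asset_csv(text):
    """Validate a whole CSV document. Returns (valid_rows, problems)."""
    valid, problems = [], []
    reader = csv.reader(io.StringIO(text), quoting=csv.QUOTE_NONE)
    for line_no, fields in enumerate(reader, start=1):
        if not fields:
            continue  # blank line
        row_problems = validate_row(fields, line_no)
        if row_problems:
            problems.extend(row_problems)
        else:
            valid.append({"ip": fields[0], "name": fields[1],
                          "weight": int(fields[2]), "description": fields[3]})
    return valid, problems


# Constructed sample: the guide's two example rows plus three faulty rows.
SAMPLE_CSV = """192.168.5.34,WebServer01,5,Main Production Web Server
192.168.5.35,MailServ01,0,
192.168.5.300,BadIp01,5,address octet out of range
192.168.5.36,Web,Server02,5,comma in the name shifts every field
192.168.5.37,DbServer01,11,weight outside 0-10
"""

if __name__ == "__main__":
    rows, errors = validate_asset_csv(SAMPLE_CSV)
    print(f"{len(rows)} valid rows, {len(errors)} problems")
    for err in errors:
        print(" ", err)
```

Run on the constructed sample, the validator accepts the guide's two rows (including the one with an empty description) and reports one problem each for lines 3, 4 and 5; only a file that comes back with no problems should be handed to Import Assets.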
Exporting Assets
You can export listed asset profiles to an Extensible Markup Language (XML) or
Comma-Separated Value (CSV) file.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. From the Actions list box, select one of the following options:
  • Export to XML
  • Export to CSV
4. View the status window for the status of the export process.
5. If you want to use other tabs and pages while the export is in progress, click the Notify
When Done link.
When the export is complete, the File Download window is displayed.
6. On the File Download window, choose one of the following options:
  • Open: Select this option to open the export results in your choice of browser.
  • Save: Select this option to save the results to your desktop.
7. Click OK.
Research Asset Vulnerabilities
You can double-click the vulnerability to display more vulnerability details.
The Research Vulnerability Details window provides the following details:

Vulnerability ID
  Specifies the ID of the vulnerability. The Vuln ID is a unique identifier that is generated by the
  Vulnerability Information System (VIS).

Published Date
  Specifies the date on which the vulnerability details were published on the OSVDB.

Name
  Specifies the name of the vulnerability.

Assets
  Specifies the number of assets in your network that have this vulnerability. Click the link to view the
  list of assets.

Assets, including exceptions
  Specifies the number of assets in your network that have vulnerability exceptions. Click the link to
  view the list of assets.

CVE
  Specifies the CVE identifier for the vulnerability. CVE identifiers are provided by the NVDB.
  Click the link to obtain more information. When you click the link, the NVDB website is displayed in
  a new browser window.

xforce
  Specifies the X-Force identifier for the vulnerability.
  Click the link to obtain more information. When you click the link, the Internet Security Systems
  website is displayed in a new browser window.

OSVDB
  Specifies the OSVDB identifier for the vulnerability.
  Click the link to obtain more information. When you click the link, the OSVDB website is displayed in
  a new browser window.

Plugin Details
  Specifies the JSA Vulnerability Manager ID.
  Click the link to view Oval Definitions, Windows Knowledge Base entries, or UNIX advisories for the
  vulnerability.
  This feature provides information on how JSA Vulnerability Manager checks for vulnerability details
  during a patch scan. You can use it to identify why a vulnerability was raised on an asset or why it
  was not.

CVSS Score Base
  Displays the aggregate Common Vulnerability Scoring System (CVSS) score of the vulnerabilities
  on this asset. A CVSS score is an assessment metric for the severity of a vulnerability. You can use
  CVSS scores to measure how much concern a vulnerability warrants in comparison to other
  vulnerabilities.
  The CVSS score is calculated using the following user-defined parameters:
  • Collateral Damage Potential
  • Confidentiality Requirement
  • Availability Requirement
  • Integrity Requirement
  For more information about how to configure these parameters, see “Adding or Editing an Asset
  Profile” on page 127.
  For more information about CVSS, see http://www.first.org/cvss/.

Impact
  Displays the type of harm or damage that can be expected if this vulnerability is exploited.

CVSS Base Metrics
  Displays the metrics that are used to calculate the CVSS base score, including:
  • Access Vector
  • Access Complexity
  • Authentication
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact

Description
  Specifies a description of the detected vulnerability. This value is only available when your system
  integrates VA tools.

Concern
  Specifies the effects that the vulnerability can have on your network.

Solution
  Follow the instructions that are provided to resolve the vulnerability.

Virtual Patching
  Displays virtual patch information that is associated with this vulnerability, if available. A virtual patch
  is a short-term mitigation solution for a recently discovered vulnerability. This information is derived
  from Intrusion Protection System (IPS) events. If you want to install the virtual patch, see your IPS
  vendor information.

Reference
  Displays a list of external references, including:
  • Reference Type: Specifies the type of reference that is listed, such as an advisory URL or a
    mailing list post.
  • URL: Specifies the URL that you can click to view the reference.
  Click the link to obtain more information. When you click the link, the external resource is displayed
  in a new browser window.

Products
  Displays a list of products that are associated with this vulnerability.
  • Vendor: Specifies the vendor of the product.
  • Product: Specifies the product name.
  • Version: Specifies the version number of the product.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. Select an asset profile.
4. In the Vulnerabilities pane, click the ID or Vulnerability parameter value for the
vulnerability you want to investigate.
Related Documentation
  • Updates to Asset Data on page 115
  • Identification Of Asset Growth Deviations on page 118
  • Asset Blacklists and Whitelists on page 121
CHAPTER 8
Chart Management
  • Chart Management on page 141
  • Time Series Chart Overview on page 142
  • Chart Legends on page 143
  • Configuring Charts on page 144
Chart Management
You can view your data using various chart configuration options.
Using the charts on the Log Activity and Network Activity tabs, you can view your data
using various chart configuration options.
If you select a time frame or a grouping option to view your data, then the charts display
above the event or flow list.
Charts do not display while in streaming mode.
You can configure a chart to select what data you want to plot. You can configure charts
independently of each other to display your search results from different perspectives.
Chart types include:
  • Bar Chart: Displays data in a bar chart. This option is only available for grouped events.
  • Pie Chart: Displays data in a pie chart. This option is only available for grouped events.
  • Table: Displays data in a table. This option is only available for grouped events.
  • Time Series: Displays an interactive line chart that represents the records that are
    matched by a specified time interval. For information about configuring time series
    search criteria, see “Time Series Chart Overview” on page 142.
After you configure a chart, your chart configurations are retained when you:
  • Change your view by using the Display list box.
  • Apply a filter.
  • Save your search criteria.
Your chart configurations are not retained when you:
  • Start a new search.
  • Access a quick search.
  • View grouped results in a branch window.
  • Save your search results.
NOTE: If you use the Mozilla Firefox web browser and an ad blocker browser
extension is installed, charts do not display. To display charts, you must
remove the ad blocker browser extension. For more information, see your
browser documentation.
Related Documentation
  • Time Series Chart Overview on page 142
  • Chart Legends on page 143
  • Configuring Charts on page 144
Time Series Chart Overview
Time series charts are graphical representations of your activity over time.
Peaks and valleys that are displayed in the charts depict high and low volume activity.
Time series charts are useful for short-term and long-term trending of data.
Using time series charts, you can access, navigate, and investigate log or network activity
from various views and perspectives.
NOTE: You must have the appropriate role permissions to manage and view
time series charts.
To display time series charts, you must create and save a search that includes time series
and grouping options. You can save up to 100 time series searches.
Default time series saved searches are accessible from the list of available searches on
the event or flow search page.
You can easily identify saved time series searches on the Quick Searches menu, because
the search name is appended with the time range specified in the search criteria.
If your search parameters match a previously saved search for column definition and
grouping options, a time series chart might automatically display for your search results.
If a time series chart does not automatically display for your unsaved search criteria, no
previously saved search criteria exist to match your search parameters. If this occurs,
you must enable time series data capture and save your search criteria.
You can magnify and scan a timeline on a time series chart to investigate activity. The
following table provides functions that you can use to view time series charts.
Table 33: Time Series Charts Functions

View data in greater detail
  Using the zoom feature, you can investigate smaller time segments of event traffic.
  • Move your mouse pointer over the chart, and then use your mouse wheel to magnify the chart
    (roll the mouse wheel up).
  • Highlight the area of the chart you want to magnify. When you release your mouse button, the
    chart displays a smaller time segment. Now you can click and drag the chart to scan the chart.
  When you magnify a time series chart, the chart refreshes to display a smaller time segment.

View a larger time span of data
  Using the zoom feature, you can investigate larger time segments or return to the maximum time
  range. You can expand a time range using one of the following options:
  • Click Zoom Reset at the upper left corner of the chart.
  • Move your mouse pointer over the chart, and then use your mouse wheel to expand the view
    (roll the mouse wheel down).

Scan the chart
  When you have magnified a time series chart, you can click and drag the chart to the left or right
  to scan the timeline.

Related Documentation
  • Chart Legends on page 143
  • Configuring Charts on page 144
  • Chart Management on page 141
Chart Legends
Each chart provides a legend, which is a visual reference to help you associate the chart
objects to the parameters they represent.
Using the legend feature, you can perform the following actions:
  • Move your mouse pointer over a legend item or the legend color block to view more
    information about the parameters it represents.
  • Right-click the legend item to further investigate the item.
  • Click a pie or bar chart legend item to hide the item in the chart. Click the legend item
    again to show the hidden item. You can also click the corresponding graph item to hide
    and show the item.
  • Click Legend, or the arrow beside it, if you want to remove the legend from your chart
    display.
Related Documentation
  • Configuring Charts on page 144
  • Chart Management on page 141
  • Time Series Chart Overview on page 142
Configuring Charts
You use configuration options to change the chart type, the object type you want to chart,
and the number of objects that are represented on the chart. For time series charts, you
can also select a time range and enable time series data capture.
Data can be accumulated so that when you perform a time series search, a cache of data
is available to display data for the previous time period. After you enable time series data
capture for a selected parameter, an asterisk (*) is displayed next to the parameter in
the Value to Graph list box.
NOTE: Charts are not displayed when you view events or flows in Real Time
(streaming) mode. To display charts, you must access the Log Activity or
Network Activity tab and perform a grouped search that specifies a time range.
1. Click the Log Activity or Network Activity tab.
2. To create a grouped search, follow these steps:
a. On the toolbar, click Search > New Search.
b. From the Available Saved Searches, select a search and click Load.
c. Go to the Column Definition pane and, if the Group By list box is empty, select a
column from the Available Columns list.
d. Click Search.
3. To use a grouped search, on the toolbar, click Quick Searches and select a grouped
search.
4. In the Charts pane, click the Configure icon.
5. Configure the following parameters:

Value to Graph
  The object type that you want to graph on the Y axis of the chart.
  Options include all normalized and custom event or flow parameters that are included in
  your search parameters.

Display Top
  The number of objects that you want to view in the chart. The default is 10. If you include
  more than 10 items in your chart, your data might be illegible.

Chart Type
  If your bar, pie, or table chart is based on saved search criteria with a time range of more
  than 1 hour, you must click Update Details to update the chart and populate the event details.

Capture Time Series Data
  Enables time series data capture. When you select this check box, the chart begins
  accumulating data for time series charts. By default, this option is disabled.
  This option is available only on Time Series charts.

Time Range
  The time range that you want to view.
  This option is only available on Time Series charts.

6. If you selected the Time Series chart option and enabled the Capture Time Series Data
option, in the Charts pane, click Save.
7. To view the list of events or flows if your time range is greater than 1 hour, click Update
Details.
Related Documentation
  • Chart Management on page 141
  • Time Series Chart Overview on page 142
  • Chart Legends on page 143
CHAPTER 9
Searches
  • Searches on page 147
  • Event and Flow Searches on page 147
  • Offense Searches on page 163
  • Finding IOCs Quickly with Lazy Search on page 173
  • Deleting Search Criteria on page 174
  • Using a Subsearch to Refine Search Results on page 175
  • Managing Search Results on page 176
  • Managing Search Groups on page 177
  • Search Example: Daily Employee Reports on page 181
Searches
Use the search and index options in JSA that improve search performance and return results more quickly. Advanced searches use AQL search strings to find specific criteria.
On the Log Activity, Network Activity, and Offenses tabs, you can specify filter criteria to
search for events, flows, and offenses.
Event and Flow Searches
You can perform searches on the Log Activity, Network Activity, and Offenses tabs.
If your JSA administrator configured resource restrictions to set time or data limitations on event and flow searches, the resource restriction icon appears next to the search criteria.
After you perform a search, you can save the search criteria and the search results.
Creating a Customized Search
You can search for data that match your criteria by using more specific search options.
For example, you can specify columns for your search, which you can group and reorder
to more efficiently browse your search results.
The duration of your search varies depending on the size of your database.
You can add new search options to filter through search results to find a specific event
or flow that you are looking for.
The following table describes the search options that you can use to search event and
flow data:
Table 34: Search Options
Group: Select an event search group or flow search group to view in the Available Saved Searches list.
Type Saved Search or Select from List: Type the name of a saved search or a keyword to filter the Available Saved Searches list.
Available Saved Searches: This list displays all available searches, unless you use the Group or Type Saved Search or Select from List options to apply a filter to the list. You can select a saved search on this list to display or edit.
Search: The Search icon is available in multiple panes on the search page. You can click Search when you are finished configuring the search and want to view the results.
Include in my Quick Searches: Select this check box to include this search in your Quick Search menu.
Include in my Dashboard: Select this check box to include the data from your saved search on the Dashboard tab. For more information about the Dashboard tab, see “Dashboard Management” on page 37.
NOTE: This parameter is only displayed if the search is grouped.
Set as Default: Select this check box to set this search as your default search.
Share with Everyone: Select this check box to share this search with all other users.
Real Time (streaming): Displays results in streaming mode.
NOTE: When Real Time (streaming) is enabled, you are unable to group your search results. If you select any grouping option in the Column Definition pane, an error message opens.
Last Interval (auto refresh): The Log Activity and Network Activity tabs are refreshed at one-minute intervals to display the most recent information.
Recent: After you select this option, you must select a time range option from the list.
NOTE: The results from the last minute might not be available. Select the Specific Interval option if you want to see all results.
Specific Interval: After you select this option, you must select the date and time range from the Start Time and End Time calendars.
Data Accumulation: Displayed when you load a saved search. If no data is accumulating for this saved search, the following information message is displayed: Data is not being accumulated for this search. If data is accumulating for this saved search, the following options are displayed:
• When you click or hover your mouse over the column link, a list of the columns that are accumulating data opens.
• Use the Enable Unique Counts/Disable Unique Counts link to display unique event and flow counts instead of average counts over time. After you click the Enable Unique Counts link, a dialog box opens and indicates which saved searches and reports share the accumulated data.
Current Filters: Displays the filters that are applied to this search.
Save results when the search is complete: Saves the search results.
Display: Specifies a predefined column set that is displayed in the search results.
Name: The name of your custom column layout.
Save Column Layout: Saves a custom column layout that you modified.
Delete Column Layout: Deletes a saved custom column layout.
Type Column or Select from List: Filters the columns that are listed in the Available Columns list. For example, type Device to display a list of columns that include Device in the column name.
Available Columns: Columns that are currently in use for this saved search are highlighted and displayed in the Columns list.
Add and remove column arrows (top set): Use the top set of arrows to customize the Group By list.
• To add a column, select one or more columns from the Available Columns list and click the right arrow.
• To remove a column, select one or more columns from the Group By list and click the left arrow.
Add and remove column arrows (bottom set): Use the bottom set of arrows to customize the Columns list.
• To add a column, select one or more columns from the Available Columns list and click the right arrow.
• To remove a column, select one or more columns from the Columns list and click the left arrow.
Group By: Specifies the columns on which the saved search groups the results.
• To move a column up the priority list, select a column and click the up arrow. You can also drag the column up the list.
• To move a column down the priority list, select a column and click the down arrow. You can also drag the column down the list.
The priority list specifies the order in which the results are grouped. The search results are grouped by the first column in the Group By list and then grouped by the next column on the list.
Columns: Specifies the columns that are chosen for the search. You can select more columns from the Available Columns list. You can further customize the Columns list by using the following options:
• To move a column up the priority list, select a column and click the up arrow. You can also drag the column up the list.
• To move a column down the priority list, select a column and click the down arrow. You can also drag the column down the list.
If the column type is numeric or time-based and an entry is in the Group By list, then the column includes a list. Use the list to choose how you want to group the column.
If the column type is group, the column includes a list to choose how many levels you want to include for the group.
Move columns between the Group By list and the Columns list: Move columns between the Group By list and the Columns list by selecting a column in one list and dragging it to the other.
Order By: From the first list, select the column by which you want to sort the search results. Then, from the second list, select the order in which you want to display the search results.
Results Limit: Specifies the number of rows that a search returns on the Edit Search window. The Results Limit field also appears on the Results window.
• For a saved search, the limit is stored in the saved search and re-applied when the search is loaded.
• When you sort a column in a search result that has a row limit, sorting is done within the limited rows, which are shown in the data grid.
• For a grouped search where the time series chart is turned on, the row limit applies only to the data grid. The Top N list in the time series chart controls how many time series are drawn in the chart.
1. Choose a search option:
• To search events, click the Log Activity tab.
• To search flows, click the Network Activity tab.
2. From the Search list, select New Search.
3. Select a previously saved search.
4. To create a search, in the Time Range pane, select the options for the time range that
you want to capture for this search.
NOTE: A large time range might impact performance.
5. Enable unique counts in the Data Accumulation pane.
NOTE: Enabling unique counts on accumulated data that is shared with many other saved searches and reports might decrease system performance.
6. In the Search Parameters pane, define your search criteria.
a. From the first list, select a parameter that you want to search for.
b. From the second list, select the modifier that you want to use for the search.
c. From the entry field, type specific information that is related to your search
parameter.
d. Click Add Filter.
e. Repeat these steps for each filter that you are adding to the search criteria.
7. To automatically save the search results when the search is complete, select the Save
results when search is complete check box, and then type a name for the saved search.
8. In the Column Definition pane, define the columns and column layout that you want
to use to view the results:
a. From the Display list, select the preconfigured column that is set to associate with
this search.
b. Click the arrow next to Advanced View Definition to display advanced search
parameters.
c. Customize the columns to display in the search results.
d. In the Results Limit field, type the number of rows that you want the search to
return.
9. Click Filter.
Creating a Custom Column Layout
Create a custom column layout by adding or removing columns in an existing layout.
1. On the Log Activity or the Network Activity tab, click Search > Edit Search.
2. In the Column Definition pane, select an existing column layout in the Display list.
When you modify the layout, the name in the Display list is automatically changed to
Custom.
3. Modify your search grouping.
a. To add a column to your search group, select a column from the Available Columns
list and click the right arrow to move the column to the Group By list.
b. To move a column from the Columns list to your search group, select a column
from the Columns list and drag it to the Group By list.
c. To remove a column from your search group, select the column from the Group By
list and click the left arrow.
d. To change the order of your column groupings, use the up and down arrows or drag
the columns into place.
4. Modify your column layout.
a. To add a column to your custom layout, select a column from the Available Columns
list and click the right arrow to move the column to the Columns list.
b. To move a column from the Group By list to your custom layout, select a column
from the Group By list and drag it to the Columns list.
c. To remove a column from your custom layout, select the column from the Columns
list and click the left arrow.
d. To change the order of your columns, use the up and down arrows or drag the
columns into place.
5. In the Name field, enter the name of your custom column layout.
6. Click Save Column Layout.
Deleting a Custom Column Layout
You can delete an existing user-created column layout.
1. On the Log Activity or the Network Activity tab, click Search > Edit Search.
2. In the Column Definition pane, select an existing user-created column layout in the
Display list.
3. Click Delete Column Layout.
Saving Search Criteria
You can save configured search criteria so that you can reuse the criteria and use the saved search criteria in other components, such as reports. Saved search criteria do not expire.
If you specify a time range for your search, then your search name is appended with the
specified time range. For example, a saved search named Exploits by Source with a time
range of Last 5 minutes becomes Exploits by Source - Last 5 minutes.
If you change a column set in a previously saved search, and then save the search criteria
using the same name, previous accumulations for time series charts are lost.
1. Choose one of the following options:
• Click the Log Activity tab.
• Click the Network Activity tab.
2. Click the Log Activity tab.
3. Perform a search.
4. Click Save Criteria.
5. Enter values for the parameters:
Search Name: Type the unique name that you want to assign to this search criteria.
Assign Search to Group(s): Select the check box for the group to which you want to assign this saved search. If you do not select a group, this saved search is assigned to the Other group by default. For more information, see “Managing Search Groups” on page 177.
Manage Groups: Click Manage Groups to manage search groups. For more information, see “Managing Search Groups” on page 177.
Timespan options: Choose one of the following options:
• Real Time (streaming) - Select this option to filter your search results while in streaming mode.
• Last Interval (auto refresh) - Select this option to filter your search results while in auto-refresh mode. The Log Activity and Network Activity tabs refresh at one-minute intervals to display the most recent information.
• Recent - Select this option and, from this list box, select the time range that you want to filter for.
• Specific Interval - Select this option and, from the calendar, select the date and time range that you want to filter for.
Include in my Quick Searches: Select this check box to include this search in your Quick Search list box on the toolbar.
Include in my Dashboard: Select this check box to include the data from your saved search on the Dashboard tab. For more information about the Dashboard tab, see “Dashboard Management” on page 37.
NOTE: This parameter is only displayed if the search is grouped.
Set as Default: Select this check box to set this search as your default search.
Share with Everyone: Select this check box to share these search requirements with all users.
6. Click OK.
Scheduled Search
Use the Scheduled search option to schedule a search and view the results.
You can schedule a search that runs at a specific time of day or night.
If you schedule a search to run in the night, you can investigate in the morning. Unlike reports, you have the option of grouping the search results and investigating further. For example, you can search on the number of failed logins in your network group. If the result is typically 10 and the result of the search is 100, you can group the search results for easier investigation. To see which user has the most failed logins, group by user name, and then continue to investigate further.
You can schedule a search on events or flows from the Reports tab. You must select a
previously saved set of search criteria for scheduling.
1. Create a report.
Specify the following information in the Report Wizard window:
• The chart type is Events/Logs or Flows.
• The report is based on a saved search.
• Generate an offense. You can choose the create an individual offense option or the add result to an existing offense option.
You can also generate a manual search.
2. View search results.
You can view the results of your scheduled search from the Offenses tab.
• Scheduled search offenses are identified by the Offense Type column. If you create an individual offense, an offense is generated each time that the report is run. If you add the saved search result to an existing offense, an offense is created the first time that the report runs. Subsequent report runs append to this offense. If no results are returned, the system does not append or create an offense.
• To view the most recent search result in the Offense Summary window, double-click a scheduled search offense in the offense list. To view the list of all scheduled search runs, click Search Results in the Last 5 Search Results pane.
You can assign a Scheduled search offense to a user.
Advanced Search Options
Use the Advanced Search field to enter an Ariel Query Language (AQL) that specifies the
fields that you want and how you want to group them to run a query.
NOTE: When you type an AQL query, use single quotation marks for a string
comparison, and use double quotation marks for a property value comparison.
The Advanced Search field has auto completion and syntax highlighting.
Use auto completion and syntax highlighting to help create queries. For information about supported web browsers, see “Supported Web Browsers” on page 25.
NOTE: If you use a quick filter on the Log Activity tab, you must refresh your
browser window before you run an advanced search.
Accessing Advanced Search
Access the Advanced Search option from the Search toolbar that is on the Network Activity and Log Activity tabs to type an AQL query.
Select Advanced Search from the list box on the Search toolbar.
Expand the Advanced Search field by following these steps:
1. Drag the expand icon that is at the right of the field.
2. Press Shift + Enter to go to the next line.
3. Press Enter.
You can right-click any value in the search result and filter on that value.
Double-click any row in the search result to see more detail.
All searches, including AQL searches, are included in the audit log.
AQL Search String Examples
The following table provides examples of AQL search strings.
Table 35: Examples Of AQL Search Strings
Select default columns from events:
SELECT * FROM events
Select default columns from flows:
SELECT * FROM flows
Select specific columns:
SELECT sourceip, destinationip FROM events
Select specific columns and order the results:
SELECT sourceip, destinationip FROM events ORDER BY destinationip
Run an aggregated search query:
SELECT sourceip, SUM(magnitude) AS magsum FROM events GROUP BY sourceip
Run a function call in a SELECT clause:
SELECT CATEGORYNAME(category) AS namedCategory FROM events
Filter the search results by using a WHERE clause:
SELECT CATEGORYNAME(category) AS namedCategory, magnitude FROM events WHERE magnitude > 1
Search for events that triggered a specific rule, based on the rule name or partial text in the rule name:
SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE '%suspicious%'
Reference field names that contain special characters, such as arithmetic characters or spaces, by enclosing the field name in double quotation marks:
SELECT sourceip, destinationip, "+field/name+" FROM events WHERE "+field/name+" LIKE '%test%'
The following table provides examples of AQL search strings for X-Force.
Table 36: Examples Of AQL Search Strings for X-Force
Check an IP address against an X-Force category with a confidence value:
select * from events where XFORCE_IP_CONFIDENCE('Spam',sourceip)>3
Search for X-Force URL categories associated with a URL:
select url, XFORCE_URL_CATEGORY(url) as myCategories from events where XFORCE_URL_CATEGORY(url) IS NOT NULL
Retrieve X-Force IP categories that are associated with an IP:
select sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events where XFORCE_IP_CATEGORY(sourceip) IS NOT NULL
For more information about functions, search fields and operators, see the Ariel Query
Language guide.
AQL Search String Examples
Use the Ariel Query Language (AQL) to retrieve specific fields from the events, flows,
and simarc tables in the Ariel database.
NOTE: When you build an AQL query, if you copy text that contains single
quotation marks from any document and paste the text into JSA, your query
will not parse. As a workaround, you can paste the text into JSA and retype
the single quotation marks.
Reporting Account Usage
Different user communities can have different threat and usage indicators.
Use reference data to report on several user properties, for example, department, location,
or manager. You can use external reference data.
The following query returns metadata information about the user from their login events.
SELECT REFERENCETABLE('user_data','FullName',username) as 'Full Name',
  REFERENCETABLE('user_data','Location',username) as 'Location',
  REFERENCETABLE('user_data','Manager',username) as 'Manager',
  UNIQUECOUNT(username) as 'Userid Count', UNIQUECOUNT(sourceip) as 'Source IP Count',
  COUNT(*) as 'Event Count'
FROM events WHERE qidname(qid) ILIKE '%logon%'
GROUP BY 'Full Name', 'Location', 'Manager' LAST 1 days
Insight Across Multiple Account Identifiers
In this example, individual users have multiple accounts across the network. The organization requires a single view of a user's activity.
Use reference data to map local user IDs to a global ID.
The following query returns the user accounts that are used by a global ID on events that
are flagged as suspicious.
SELECT REFERENCEMAP('GlobalID Mapping',username) as 'Global ID',
  REFERENCETABLE('user_data','FullName', 'Global ID') as 'Full Name',
  UNIQUECOUNT(username), COUNT(*) as 'Event count'
FROM events WHERE RULENAME(creEventlist) ILIKE '%suspicious%'
GROUP BY 'Global ID' LAST 1 days
The following query shows the activities that are completed by a global ID.
SELECT QIDNAME(qid) as 'Event name', starttime as 'Time', sourceip as 'Source IP',
  destinationip as 'Destination IP', username as 'Event Username',
  REFERENCEMAP('GlobalID_Mapping', username) as 'Global User'
FROM events WHERE 'Global User' = 'John Doe' LAST 1 days
Identify Suspicious Long-term Beaconing
Many threats use command and control to communicate periodically over days, weeks,
and months.
Advanced searches can identify connection patterns over time. For example, you can query for consistent, short, low-volume connections per day, week, or month between IP addresses, or between an IP address and a geographical location.
The following query detects potential instances of hourly beaconing.
SELECT sourceip, destinationip, UNIQUECOUNT(DATEFORMAT(starttime,'HH')) as 'different hours',
  COUNT(*) as 'total flows'
FROM flows WHERE flowdirection = 'L2R'
GROUP BY sourceip, destinationip HAVING "different hours" > 20 AND "total flows" < 25
LAST 24 hours
TIP: You can modify this query to work on proxy logs and other event types.
The following query detects potential instances of daily beaconing.
SELECT sourceip, destinationip, UNIQUECOUNT(DATEFORMAT(starttime,'dd')) as 'different days',
  COUNT(*) as 'total flows'
FROM flows WHERE flowdirection='L2R'
GROUP BY sourceip, destinationip HAVING "different days" > 4 AND "total flows" < 14
LAST 7 days
The following query detects daily beaconing between a source IP and a destination IP.
The beaconing times are not at the same time each day. The time lapse between beacons
is short.
SELECT sourceip, LONG(DATEFORMAT(starttime,'hh')) as hourofday,
  (AVG(hourofday*hourofday) - (AVG(hourofday)^2)) as variance,
  COUNT(*) as 'total flows'
FROM flows
GROUP BY sourceip, destinationip HAVING variance < 0.1 and "total flows" < 10
LAST 7 days
The following query detects daily beaconing to a domain by using proxy log events. The beaconing times are not at the same time each day. The time lapse between beacons is short.
SELECT sourceip, LONG(DATEFORMAT(starttime,'hh')) as hourofday,
  (AVG(hourofday*hourofday) - (AVG(hourofday)^2)) as variance,
  COUNT(*) as 'total events'
FROM events WHERE LOGSOURCEGROUPNAME(devicegrouplist) ILIKE '%proxy%'
GROUP BY url_domain HAVING variance < 0.1 and "total events" < 10
LAST 7 days
The url_domain property is a custom property from proxy logs.
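The beaconing heuristics above, re-implemented in Python over constructed flow records, as an added example that is not part of this guide or of JSA itself. Each function mirrors one query's GROUP BY and HAVING clauses, with the same thresholds; the LAST 24 hours and LAST 7 days windows are assumed to have been applied by the caller, the hour of day is read from the 24-hour clock, and all three checks are restricted to L2R flows. Those three choices are assumptions, not something the guide states.

```python
"""Beaconing heuristics from the AQL queries above, over constructed
flow records (added example; not JSA code)."""
from collections import defaultdict
from datetime import datetime, timedelta


def flow(src, dst, starttime, direction="L2R"):
    """One constructed flow record with the fields the AQL queries use."""
    return {"sourceip": src, "destinationip": dst,
            "starttime": starttime, "flowdirection": direction}


BASE = datetime(2017, 9, 1)  # constructed reference time
SAMPLE_FLOWS = (
    # once an hour, every hour, for a day: the hourly beacon pattern
    [flow("10.0.0.5", "203.0.113.10", BASE + timedelta(hours=h, minutes=7))
     for h in range(24)]
    # 40 flows spread over a ten-hour working day: ordinary, noisy traffic
    + [flow("10.0.0.6", "203.0.113.20",
            BASE + timedelta(hours=9 + i // 4, minutes=15 * (i % 4)))
       for i in range(40)]
    # once a day at 03:15 for a week: the daily, same-hour beacon pattern
    + [flow("10.0.0.7", "198.51.100.7",
            BASE + timedelta(days=d, hours=3, minutes=15))
       for d in range(7)]
)


def group_l2r(flows):
    """GROUP BY sourceip, destinationip over local-to-remote flows only."""
    groups = defaultdict(list)
    for f in flows:
        if f["flowdirection"] == "L2R":
            groups[(f["sourceip"], f["destinationip"])].append(f["starttime"])
    return groups


def hour_variance(hours):
    """AVG(h*h) - AVG(h)^2: the population variance the AQL queries compute."""
    n = len(hours)
    mean = sum(hours) / n
    return sum(h * h for h in hours) / n - mean * mean


def hourly_beacons(flows, min_hours=20, max_flows=25):
    """HAVING "different hours" > 20 AND "total flows" < 25: a pair that is
    seen in nearly every hour but only a few times per hour."""
    return sorted(pair for pair, times in group_l2r(flows).items()
                  if len({t.hour for t in times}) > min_hours
                  and len(times) < max_flows)


def daily_beacons(flows, min_days=4, max_flows=14):
    """HAVING "different days" > 4 AND "total flows" < 14 over a week."""
    return sorted(pair for pair, times in group_l2r(flows).items()
                  if len({t.day for t in times}) > min_days
                  and len(times) < max_flows)


def same_hour_beacons(flows, max_variance=0.1, max_flows=10):
    """HAVING variance < 0.1 AND "total flows" < 10: few flows that all land
    in the same hour of day (assumption: 24-hour clock value)."""
    return sorted(pair for pair, times in group_l2r(flows).items()
                  if len(times) < max_flows
                  and hour_variance([t.hour for t in times]) < max_variance)


if __name__ == "__main__":
    print("hourly:   ", hourly_beacons(SAMPLE_FLOWS))
    print("daily:    ", daily_beacons(SAMPLE_FLOWS))
    print("same hour:", same_hour_beacons(SAMPLE_FLOWS))
```

Running the block shows why the thresholds are paired: the 40-flow working-day pair touches ten distinct hours but fails every "total flows" ceiling, while the once-a-day pair passes the daily and same-hour checks only because its seven flows share one hour of day (variance 0). Tuning either threshold alone moves ordinary traffic into or out of the result set.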
External Threat Intelligence
Usage and security data that is correlated with external threat intelligence data can
provide important threat indicators.
Advanced searches can cross-reference external threat intelligence indicators with other
security events and usage data.
This query shows how you can profile external threat data over many days, weeks, or
months to identify and prioritize the risk level of assets and accounts.
Select REFERENCETABLE('ip_threat_data','Category',destinationip) as 'Category',
  REFERENCETABLE('ip_threat_data','Rating', destinationip) as 'Threat Rating',
  UNIQUECOUNT(sourceip) as 'Source IP Count',
  UNIQUECOUNT(destinationip) as 'Destination IP Count'
FROM events GROUP BY 'Category', 'Threat Rating' LAST 1 days
Asset Intelligence and Configuration
Threat and usage indicators vary by asset type, operating system, vulnerability posture,
server type, classification, and other parameters.
In this query, advanced searches and the asset model provide operational insight into a
location.
The Assetproperty function retrieves property values from assets, which enables you to
include asset data in the results.
SELECT ASSETPROPERTY('Location',sourceip) as location, COUNT(*) as 'event count'
FROM events GROUP BY location LAST 1 days
The following query shows how you can use advanced searches and user identity tracking
in the asset model.
The AssetUser function retrieves the user name from the asset database.
SELECT APPLICATIONNAME(applicationid) as App, ASSETUSER(sourceip, now()) as
srcAssetUser, COUNT(*) as 'Total Flows' FROM flows WHERE srcAssetUser IS NOT NULL
GROUP BY App, srcAssetUser ORDER BY "Total Flows" DESC LAST 3 HOURS
Network LOOKUP Function
You can use the Network LOOKUP function to retrieve the network name that is associated
with an IP address.
SELECT NETWORKNAME(sourceip) as srcnet, NETWORKNAME(destinationip) as dstnet
FROM events
Rule LOOKUP Function
You can use the Rule LOOKUP function to retrieve the name of a rule by its ID.
SELECT RULENAME(123) FROM events
The following query returns events that triggered a specific rule name.
SELECT * FROM events WHERE RULENAME(creEventList) ILIKE '%my rule name%'
Full TEXT SEARCH
You can use the TEXT SEARCH operator to do full text searches by using the Advanced
search option.
In this example, there are a number of events that contain the word "firewall" in the
payload. You can search for these events by using the Quick filter option and the Advanced
search option on the Log Activity tab.
•
To use the Quick filter option, type the following text in the Quick filter box: 'firewall'
•
To use the Advanced search option, type the following query in the Advanced search
box:
SELECT QIDNAME(qid) AS EventName, * from events where TEXT SEARCH 'firewall'
Custom Property
You can access custom properties for events and flows when you use the Advanced
search option.
The following query uses the custom property "MyWebsiteUrl" to sort events by a
particular web URL:
SELECT "MyWebsiteUrl", * FROM events ORDER BY "MyWebsiteUrl"
Quick Filter Search Options
Search event and flow payloads by typing a text search string that uses simple words or
phrases.
Quick filter is one of the fastest methods that you use to search for event or flow payloads
for specific data. For example, you can use quick filter to find these types of information:
•
Every firewall device that is assigned to a specific address range in the past week
•
A series of PDF files that were sent by a Gmail account in the past five days
•
All records in a two-month period that exactly match a hyphenated user name
•
A list of website addresses that end in .ca
You can filter your searches from these locations:
• Log Activity and Network Activity toolbars - Select Quick Filter from the list box on the Search toolbar to type a text search string. Click the Quick Filter icon to apply your Quick Filter to the list of events or flows.
• Add Filter dialog box - Click the Add Filter icon on the Log Activity or Network Activity tab. Select Quick Filter as your filter parameter and type a text search string.
• Flow search pages - Add a quick filter to your list of filters.
When you view flows in real-time (streaming) or last interval mode, you can type only
simple words or phrases in the Quick Filter field. When you view events or flows in a
time-range, follow these syntax guidelines:
Table 37: Quick Filter Syntax Guidelines
Include any plain text that you expect to find in the payload. Example: Firewall
Search for exact phrases by including multiple terms in double quotation marks. Example: "Firewall deny"
Include single and multiple character wildcards. The search term cannot start with a wildcard. Example: F?rewall or F??ew*
Group terms with logical expressions, such as AND, OR, and NOT. To be recognized as logical expressions and not as search terms, the syntax and operators must be uppercase. Example: (%PIX* AND ("Accessed URL" OR "Deny udp src") AND 10.100.100.*)
When you create search criteria that include the NOT logical expression, you must include at least one other logical expression type; otherwise, no results are returned. Example: (%PIX* AND ("Accessed URL" OR "Deny udp src") NOT 10.100.100.*)
Precede the following characters by a backslash to indicate that the character is part of your search term: + - && || ! () {} [] ^ " ~ * ? : \. Example: "%PIX\-5\-304001"
Limitations
Quick filter searches operate on raw event or flow log data and don't distinguish between
the fields. For example, quick filter searches return matches for both source IP address
and destination IP address, unless you include terms that can narrow the results.
Search terms are matched in sequence from the first character in the payload word or
phrase. The search term user matches user_1 and user_2, but does not match the following
phrases: ruser, myuser, or anyuser.
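The prefix-matching rule just described, together with the wildcard, phrase and backslash-escape rules of Table 37, as an added Python example that is not part of this guide or of JSA: a small matcher run over constructed payloads. It approximates payload tokenization by splitting on whitespace and colons, matches case-insensitively, and leaves the AND/OR/NOT grouping syntax out; all three are assumptions about behaviour the guide does not spell out.

```python
"""Quick Filter term semantics over constructed payloads
(added example; not JSA code)."""
import re

# Constructed sample payloads, PIX-style and generic login messages
PAYLOADS = [
    "Firewall deny: connection blocked by policy",
    "Sep 13 2017 10:00:01 fw1 %PIX-5-304001: Deny udp src "
    "outside:198.51.100.9/53 dst inside:10.100.100.7/1027",
    "login failed for user_1 from 10.100.100.8",
    "login failed for myuser from 10.100.100.9",
]


def tokenize(payload):
    """Approximate payload tokenization: split on whitespace and ':'.
    Assumption: the guide's finer rules for hyphens, underscores and domain
    names are not reproduced here."""
    return [t for t in re.split(r"[\s:]+", payload) if t]


def term_regex(term):
    """Compile one Quick Filter term to a regex anchored at the token start,
    so 'user' matches 'user_1' but not 'ruser'. '?' is one character, '*' any
    run, and a backslash makes the next character literal. A term must not
    start with a wildcard. Case-insensitive matching is an assumption."""
    if not term or term[0] in "*?":
        raise ValueError("search term cannot start with a wildcard")
    out, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            out.append(re.escape(term[i + 1]))
            i += 2
            continue
        out.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out), re.IGNORECASE)


def phrase_matches(tokens, words):
    """Exact phrase: each word must match consecutive payload tokens."""
    if not words:
        return False
    pats = [term_regex(w) for w in words]
    for start in range(len(tokens) - len(pats) + 1):
        if all(p.match(tokens[start + k]) for k, p in enumerate(pats)):
            return True
    return False


def quick_filter(payload, query):
    """True when `query` (one term, or a double-quoted phrase) hits the payload."""
    tokens = tokenize(payload)
    if len(query) >= 2 and query[0] == '"' and query[-1] == '"':
        return phrase_matches(tokens, query[1:-1].split())
    return phrase_matches(tokens, [query])


def search(query, payloads=PAYLOADS):
    """Indexes of the payloads that the query matches."""
    return [i for i, p in enumerate(payloads) if quick_filter(p, query)]


if __name__ == "__main__":
    for q in ["user", "F?rewall", "F??ew*", '"Firewall deny"',
              "10.100.100.*", "%PIX\\-5\\-304001"]:
        print(f"{q:20} -> {search(q)}")
```

The `user` query is the instructive case: it hits only the payload containing `user_1`, because matching starts at the first character of a token and `myuser` never matches. The `10.100.100.*` query illustrates the limitation stated above, that a quick filter does not distinguish source from destination fields: it matches the PIX line on its destination address and the login lines on their source address alike.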
Quick filter searches use the English locale. Locale is a setting that identifies language
or geography and determines formatting conventions such as collation, case conversion,
character classification, the language of messages, date and time representation, and
numeric representation.
The locale is set by your operating system. You can configure JSA to override the operating
system locale setting. For example, you can set the locale to English and the JSA console
can be set to Italiano (Italian).
If you use Unicode characters in your quick filter search query, unexpected search results
might be returned.
If you choose a locale that is not English, you can use the Advanced search option in JSA
for searching event and payload data.
How Do Quick Filter Searches and Payload Tokens Work?
Text that is in the payload is split into words, phrases, symbols, or other elements. These tokens are delimited by spaces and punctuation. The tokens do not always match user-specified search terms, which causes some search terms not to be found when they do not match the generated token. The delimiter characters are discarded, with the following exceptions:
•
Periods that are not followed by white space are included as part of the token.
For example, 1.2.3.4:56 is tokenized as host token 1.2.3.4 and port token 56.
•
Words are split at hyphens, unless the word contains a number, in which case, the
token is not split and the numbers and hyphens are retained as one token.
•
Internet domain names and email addresses are preserved as a single token.
1.2.3.4/home/www is tokenized as one token and the URL is not separated.
1.2.3.7:/calling1/www2/scp4/path5/fff is tokenized as host 1.2.3.7 and the remainder
is one token /calling1/www2/scp4/path5/fff
File names and URL names that contain more than one underscore are split before a
period (.).
Example of multiple underscores in a file name:
If you use hurricane_katrina_ladm118.jpg as a search term, it is split into the following
tokens:
•
hurricane
•
katrina_ladm118.jpg
Search the payload for the full search term by placing double quotation marks around
the search term: "hurricane_katrina_ladm118.jpg"
Example of multiple underscores in a relative file path:
The thumb.ladm1180830/thumb.ladm11808301806.hurricane_katrina_ladm118.jpg is split
into the following tokens:
•
thumb.ladm1180830/thumb.ladm11808301806.hurricane
•
katrina_ladm118.jpg
To search for hurricane_katrina_ladm118.jpg, which consists of one partial and one full
token, place an asterisk in front of the query term, *hurricane_katrina_ladm118.jpg
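The tokenization and matching rules above decide whether a quick filter finds an indicator in a payload or silently misses it, which matters when you are hunting for a file name or host from an IOC list. The following Python model is an added example written for this guide, not JSA's own search engine: it implements the rules as stated in this section (periods kept unless followed by white space, hyphen splitting suppressed for words containing digits, slashes and at-signs kept, a single split at the first underscore when a name with more than one underscore contains a period), the prefix-anchored matching that makes "user" find user_1 but not ruser, and the backslash escaping listed earlier. The exact set of punctuation treated as a delimiter, case-sensitive comparison, and modelling the leading asterisk as an unanchored search of the payload are assumptions; the sample payloads are constructed.

```python
import re
from typing import List

# Added example: a model of the quick filter tokenizer and matcher described
# in the guide, not JSA's own code. Which punctuation counts as a delimiter
# beyond white space is an assumption; the period, slash, at-sign, underscore
# and hyphen are kept so that hosts, paths, email addresses and hyphenated
# identifiers survive as the guide describes.
_DELIMITERS = re.compile(r"""[\s,;:=()\[\]{}<>"'|!?&*+#%^~`]+""")


def tokenize(payload: str) -> List[str]:
    """Split a raw payload into the tokens the guide's rules would produce."""
    tokens: List[str] = []
    for chunk in _DELIMITERS.split(payload):
        # A period followed by white space (or the end of the payload) is a
        # delimiter; any other period stays inside the token (1.2.3.4, x.jpg).
        chunk = chunk.rstrip(".")
        if not chunk:
            continue
        # Hyphens split a word unless it contains a digit, in which case the
        # whole thing (for example PIX-5-304001) stays one token.
        parts = [chunk] if any(c.isdigit() for c in chunk) else chunk.split("-")
        for part in parts:
            if not part:
                continue
            # A file or URL name with more than one underscore is split once,
            # at the first underscore: hurricane_katrina_ladm118.jpg becomes
            # "hurricane" and "katrina_ladm118.jpg".
            if "." in part and part.count("_") > 1:
                head, tail = part.split("_", 1)
                tokens.extend([head, tail])
            else:
                tokens.append(part)
    return tokens


def prefix_matches(term: str, payload: str) -> List[str]:
    """Tokens matched by a plain term: the match is anchored at the first
    character of each token, so "user" finds user_1 but not ruser."""
    return [tok for tok in tokenize(payload) if tok.startswith(term)]


def quick_filter_matches(term: str, payload: str) -> bool:
    """Decide whether one quick filter term hits one payload, following the
    three forms the guide describes: quoted phrase, leading asterisk, plain."""
    if len(term) >= 2 and term[0] == term[-1] == '"':
        # Quoted: the full string is looked for in the payload as written.
        return term[1:-1] in payload
    if term.startswith("*"):
        # Leading asterisk: the match is no longer anchored to a token start,
        # which is why *hurricane_katrina_ladm118.jpg finds a name that the
        # tokenizer split in two. Modelled here (assumption) as an unanchored
        # search of the payload text.
        return term[1:] in payload
    return bool(prefix_matches(term, payload))


# Characters the guide says must be preceded by a backslash in a search term.
_SPECIAL = set('+-&|!(){}[]^"~*?:\\')


def escape_term(raw: str) -> str:
    """Backslash-escape reserved characters so that a literal value such as
    %PIX-5-304001 can be used as a quick filter term."""
    return "".join("\\" + c if c in _SPECIAL else c for c in raw)


if __name__ == "__main__":
    # Constructed sample payload, not captured from a real system.
    url_line = "GET /thumb.ladm1180830/thumb.ladm11808301806.hurricane_katrina_ladm118.jpg"
    print(tokenize(url_line))
    for t in ("hurricane_katrina_ladm118.jpg",
              "*hurricane_katrina_ladm118.jpg",
              '"hurricane_katrina_ladm118.jpg"'):
        print(t, "->", quick_filter_matches(t, url_line))
    print(escape_term("%PIX-5-304001"))
```

Running the model against the constructed URL shows the failure mode the section warns about: the bare file name returns no match because the tokenizer split it at the underscore, while the quoted and asterisk forms both find it. Use it to sanity-check a quick filter before concluding that an indicator is absent from the event store.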
Related Documentation
• Offense Searches on page 163
• Finding IOCs Quickly with Lazy Search on page 173
• Deleting Search Criteria on page 174
Offense Searches
You can search offenses using specific criteria to display offenses that match the search
criteria in a results list.
You can create a new search or load a previously saved set of search criteria.
Searching Offenses on the My Offenses and All Offenses Pages
On the My Offenses and All Offenses pages of the Offense tab, you can search for offenses
that match your criteria.
The following table describes the search options that you can use to search offense data
on the My Offenses and All Offenses pages.
For information about categories, see the Juniper Secure Analytics Administration Guide.
Table 38: My Offenses and All Offenses Page Search Options
Options
Description
Group
This list box allows you to select an offense Search Group to view in the Available Saved Searches
list.
Type Saved Search or
Select from List
This field allows you to type the name of a saved search or a keyword to filter the Available Saved
Searches list.
Available Saved Searches
This list displays all available searches, unless you apply a filter to the list using the Group or Type
Saved Search or Select from List options. You can select a saved search on this list to display or
edit.
All Offenses
This option allows you to search all offenses regardless of time range.
Recent
This option allows you to select a pre-defined time range you want to filter for. After you select
this option, you must select a time range option from the list box.
Specific Interval
This option allows you to configure a custom time range for your search. After you select this
option, you must select one of the following options.
• Start Date between: Select this check box to search offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
• Last Event/Flow between: Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
Search
The Search icon is available in multiple panes on the search page. You can click Search when you
are finished configuring the search and want to view the results.
Offense Id
In this field, you can type the Offense ID you want to search for.
Description
In this field, you can type the description that you want to search for.
Assigned to user
From this list box, you can select the user name that you want to search for.
Direction
From this list box, you can select the offense direction that you want to search for. Options include:
• Local to Local
• Local to Remote
• Remote to Local
• Remote to Remote
• Local to Remote or Local
• Remote to Remote or Local
Source IP
In this field, you can type the source IP address or CIDR range you want to search for.
Destination IP
In this field, you can type the destination IP address or CIDR range you want to search for.
Magnitude
From this list box, you can specify a magnitude and then select to display only offenses with a
magnitude that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Severity
From this list box, you can specify a severity and then select to display only offenses with a severity
that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Credibility
From this list box, you can specify a credibility and then select to display only offenses with a
credibility that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Relevance
From this list box, you can specify a relevance and then select to display only offenses with a
relevance that is equal to, less than, or greater than the configured value. The range is 0 - 10.
Contains Username
In this field, you can type a regular expression (regex) statement to search for offenses containing
a specific user name. When you define custom regex patterns, adhere to regex rules as defined
by the Java programming language. For more information, you can refer to regex tutorials available
on the web.
Source Network
From this list box, you can select the source network that you want to search for.
Destination Network
From this list box, you can select the destination network that you want to search for.
High Level Category
From this list box, you can select the high-level category that you want to search for.
Low Level Category
From this list box, you can select the low-level category that you want to search for.
Exclude
The options in this pane allow you to exclude offenses from the search results. The options include:
• Active Offenses
• Hidden Offenses
• Closed Offenses
• Inactive offenses
• Protected Offense
Close by User
This parameter is only displayed when the Closed Offenses check box is cleared in the Exclude pane.
From this list box, you can select the user name that you want to search closed offenses for or select Any to display all closed offenses.
Reason For Closing
This parameter is only displayed when the Closed Offenses check box is cleared in the Exclude
pane.
From this list box, you can select a reason that you want to search closed offenses for or select
Any to display all closed offenses.
Events
From this list box, you can specify an event count and then select to display only offenses with an
event count that is equal to, less than, or greater than the configured value.
Flows
From this list box, you can specify a flow count and then select to display only offenses with a
flow count that is equal to, less than, or greater than the configured value.
Total Events/Flows
From this list box, you can specify a total event and flow count and then select to display only
offenses with a total event and flow count that is equal to, less than, or greater than the configured
value.
Destinations
From this list box, you can specify a destination IP address count and then select to display only
offenses with a destination IP address count that is equal to, less than, or greater than the
configured value.
Log Source Group
From this list box, you can select a log source group that contains the log source you want to
search for. The Log Source list box displays all log sources that are assigned to the selected log
source group.
Log Source
From this list box, you can select the log source that you want to search for.
Rule Group
From this list box, you can select a rule group that contains the contributing rule that you want to
search for. The Rule list box displays all rules that are assigned to the selected rule group.
Rule
From this list box, you can select the contributing rule that you want to search for.
Offense Type
From this list box, you can select an offense type that you want to search for. For more information
about the options in the Offense Type list box, see Table 2.
The following table describes the options available in the Offense Type list box:
Table 39: Offense Type Options
Offense types
Description
Any
This option searches all offense sources.
Source IP
To search for offenses with a specific source IP address, you can select this option, and then type
the source IP address that you want to search for.
Destination IP
To search for offenses with a specific destination IP address, you can select this option, and then
type the destination IP address that you want to search for.
Event Name
To search for offenses with a specific event name, you can click the Browse icon to open the Event
Browser and select the event name (QID) you want to search for.
You can search for a particular QID using one of the following options:
• To search for a QID by category, select the Browse by Category check box and select the high- or low-level category from the list boxes.
• To search for a QID by log source type, select the Browse by Log Source Type check box and select a log source type from the Log Source Type list box.
• To search for a QID by name, select the QID Search check box and type a name in the QID/Name field.
Username
To search for offenses with a specific user name, you can select this option, and then type the user
name that you want to search for.
Source MAC Address
To search for offenses with a specific source MAC address, you can select this option, and then type
the source MAC address that you want to search for.
Destination MAC Address
To search for offenses with a specific destination MAC address, you can select this option, and then
type the destination MAC address that you want to search for.
Log Source
From the Log Source Group list box, you can select the log source group that contains the log source
you want to search for. The Log Source list box displays all log sources that are assigned to the
selected log source group.
From the Log Source list box, select the log source that you want to search for.
Host Name
To search for offenses with a specific host name, you can select this option, and then type the host
name that you want to search for.
Source Port
To search for offenses with a specific source port, you can select this option, and then type the source
port that you want to search for.
Destination Port
To search for offenses with a specific destination port, you can select this option, and then type the
destination port that you want to search for.
Source IPv6
To search for offenses with a specific source IPv6 address, you can select this option, and then type
the source IPv6 address that you want to search for.
Destination IPv6
To search for offenses with a specific destination IPv6 address, you can select this option, and then
type the destination IPv6 address that you want to search for.
Source ASN
To search for offenses with a specific Source ASN, you can select the source ASN from the Source
ASN list box.
Destination ASN
To search for offenses with a specific destination ASN, you can select the destination ASN from the
Destination ASN list box.
Rule
To search for offenses that are associated with a specific rule, you can select the rule group that
contains the rule you want to search from the Rule Group list box. The Rule Group list box displays
all rules that are assigned to the selected rule group. From the Rule list box, you select the rule that
you want to search for.
App ID
To search for offenses with an application ID, you can select the application ID from the App ID list
box.
1. Click the Offenses tab.
2. From the Search list box, select New Search.
3. Choose one of the following options:
• To load a previously saved search, go to Step 4.
• To create a new search, go to Step 7.
4. Select a previously saved search using one of the following options:
• From the Available Saved Searches list, select the saved search that you want to load.
• In the Type Saved Search or Select from List field, type the name of the search you want to load.
5. Click Load.
6. Optional. Select the Set as Default check box in the Edit Search pane to set this search
as your default search. If you set this search as your default search, the search
automatically performs and displays results each time you access the Offenses tab.
7. On the Time Range pane, select an option for the time range you want to capture for
this search. See Table 1.
8. On the Search Parameters pane, define your specific search criteria. See Table 1.
9. On the Offense Source pane, specify the offense type and offense source you want
to search:
a. From the list box, select the offense type that you want to search for.
b. Type your search parameters. See Table 2.
10. In the Column Definition pane, define the order in which you want to sort the results:
a. From the first list box, select the column by which you want to sort the search
results.
b. From the second list box, select the order that you want to display for the search
results. Options include Descending and Ascending.
11. Click Search.
“Saving Search Criteria on the Offenses Tab” on page 171
Searching Offenses on the By Source IP Page
This topic provides the procedure for how to search offenses on the By Source IP page
of the Offense tab.
The following table describes the search options that you can use to search offense data
on the By Source IP page:
Table 40: By Source IP Page Search Options
Options
Description
All Offenses
You can select this option to search all source IP addresses regardless of time range.
Recent
You can select this option and, from this list box, select the time range that you want to search for.
Specific Interval
To specify an interval to search for, you can select the Specific Interval option and then select one of the following options:
• Start Date between: Select this check box to search source IP addresses associated with offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search for.
• Last Event/Flow between: Select this check box to search source IP addresses associated with offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search for.
Search
The Search icon is available in multiple panes on the search page. You can click Search when you are
finished configuring the search and want to view the results.
Source IP
In this field, you can type the source IP address or CIDR range you want to search for.
Magnitude
From this list box, you can specify a magnitude and then select to display only offenses with a magnitude
that is equal to, less than, or greater than the configured value. The range is 0 - 10.
VA Risk
From this list box, you can specify a VA risk and then select to display only offenses with a VA risk that
is equal to, less than, or greater than the configured value. The range is 0 - 10.
Events/Flows
From this list box, you can specify an event or flow count and then select to display only offenses with
an event or flow count that is equal to, less than, or greater than the configured value.
Exclude
You can select the check boxes for the offenses you want to exclude from the search results. The
options include:
• Active Offenses
• Hidden Offenses
• Closed Offenses
• Inactive offenses
• Protected Offense
1. Click the Offenses tab.
2. Click By Source IP.
3. From the Search list box, select New Search.
4. On the Time Range pane, select an option for the time range you want to capture for
this search. See Table 1.
5. On the Search Parameters pane, define your specific search criteria. See Table 1.
6. On the Column Definition pane, define the order in which you want to sort the results:
a. From the first list box, select the column by which you want to sort the search
results.
b. From the second list box, select the order that you want to display for the search
results. Options include Descending and Ascending.
7. Click Search.
“Saving Search Criteria on the Offenses Tab” on page 171
Searching Offenses on the By Destination IP Page
On the By Destination IP page of the Offense tab, you can search offenses that are grouped
by the destination IP address.
The following table describes the search options that you can use to search offenses on
the By Destination IP page:
Table 41: By Destination IP Page Search Options
Options
Description
All Offenses
You can select this option to search all destination IP addresses regardless of time range.
Recent
You can select this option and, from this list box, select the time range that you want to search for.
Specific Interval
To specify a particular interval to search for, you can select the Specific Interval option, and then select one of the following options:
• Start Date between: Select this check box to search destination IP addresses associated with offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
• Last Event/Flow between: Select this check box to search destination IP addresses associated with offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
Search
The Search icon is available in multiple panes on the search page. You can click Search when you
are finished configuring the search and want to view the results.
Destination IP
You can type the destination IP address or CIDR range you want to search for.
Magnitude
From this list box, you can specify a magnitude, and then select to display only offenses with a magnitude
that is equal to, less than, or greater than the configured value.
VA Risk
From this list box, you can specify a VA risk, and then select to display only offenses with a VA risk that
is equal to, less than, or greater than the configured value. The range is 0 - 10.
Events/Flows
From this list box, you can specify an event or flow count, and then select to display only offenses with
an event or flow count that is equal to, less than, or greater than the configured value.
1. Click the Offenses tab.
2. On the navigation menu, click By Destination IP.
3. From the Search list box, select New Search.
4. On the Time Range pane, select an option for the time range you want to capture for
this search. See Table 1.
5. On the Search Parameters pane, define your specific search criteria. See Table 1.
6. On the Column Definition pane, define the order in which you want to sort the results:
a. From the first list box, select the column by which you want to sort the search
results.
b. From the second list box, select the order in which you want to display the search
results. Options include Descending and Ascending.
7. Click Search.
“Saving Search Criteria on the Offenses Tab” on page 171
Searching Offenses on the By Networks Page
On the By Network page of the Offense tab, you can search offenses that are grouped by
the associated networks.
The following table describes the search options that you can use to search offense data
on the By Networks page:
Table 42: Search Options for Search Offense Data on the By Networks Page
Option
Description
Network
From this list box, you can select the network that you want to search for.
Magnitude
From this list box, you can specify a magnitude, and then select to display only offenses with a
magnitude that is equal to, less than, or greater than the configured value.
VA Risk
From this list box, you can specify a VA risk, and then select to display only offenses with a VA risk
that is equal to, less than, or greater than the configured value.
Events/Flows
From this list box, you can specify an event or flow count, and then select to display only offenses
with an event or flow count that is equal to, less than, or greater than the configured value.
1. Click the Offenses tab.
2. Click By Networks.
3. From the Search list box, select New Search.
4. On the Search Parameters pane, define your specific search criteria. See Table 1.
5. On the Column Definition pane, define the order in which you want to sort the results:
a. From the first list box, select the column by which you want to sort the search
results.
b. From the second list box, select the order in which you want to display the search
results. Options include Descending and Ascending.
6. Click Search.
“Saving Search Criteria on the Offenses Tab” on page 171
Saving Search Criteria on the Offenses Tab
On the Offenses tab, you can save configured search criteria so that you can reuse the
criteria for future searches. Saved search criteria does not expire.
1. Perform a search. See Offense searches.
2. Click Save Criteria.
3. Enter values for the following parameters:
Parameter
Description
Search Name
Type a name you want to assign to this search criteria.
Manage Groups
Click Manage Groups to manage search groups. See “Managing Search Groups” on page 177.
Timespan options
Choose one of the following options:
• All Offenses: Select this option to search all offenses regardless of time range.
• Recent: Select the option and, from this list box, select the time range that you want to search for.
• Specific Interval: To specify a particular interval to search for, select the Specific Interval option, and then select one of the following options:
Start Date between: Select this check box to search offenses that started during a certain time period. After you select this check box, use the list boxes to select the dates you want to search for.
Last Event/Flow between: Select this check box to search offenses for which the last detected event occurred within a certain time period. After you select this check box, use the list boxes to select the dates you want to search.
Set as Default
Select this check box to set this search as your default search.
4. Click OK.
Searching for Offenses That Are Indexed on a Custom Property
Define search criteria to filter the offense list and make it easier to see which offenses
you need to investigate. You can use the offense type in your search criteria to find all
offenses that are based on a custom property. You can filter the query results to show
offenses that have a specific custom property capture result.
The custom property must be used as a rule index. For more information, see “Offense
Indexing” on page 57.
1. Click the Offenses tab.
2. From the Search list, select New Search.
3. On the Offense Source pane, select the custom property in the Offense Type list.
The Offense Type list shows only normalized fields and custom properties that are
used as rule indexes. You cannot use Offense Source to search DateTime properties.
4. To search for offenses that have a specific value in the custom property capture result,
type the value that you want to search for in the filter box.
5. Configure other search parameters to satisfy your search requirements.
6. Click Search.
All offenses that meet the search criteria are shown in the offense list. When you view
the offense summary, the custom property that you searched on is shown in the Offense
Type field. The custom property capture result is shown in the Custom Property Value
field in the Offense Source Summary pane.
Related Documentation
• Finding IOCs Quickly with Lazy Search on page 173
• Deleting Search Criteria on page 174
• Using a Subsearch to Refine Search Results on page 175
Finding IOCs Quickly with Lazy Search
You use the JSA lazy search to search for an indicator of compromise (IOC), such as
unusual outbound network traffic or anomalies in privileged user account activity.
Lazy search returns the first 1000 events that are related to the search criterion. For
example, if you need to search for a particular MD5 as part of a malware outbreak
investigation, you do not need to review every related event. Do a lazy search to quickly
return a limited result set.
To take advantage of the lazy search, you must have the Admin security profile, or a
non-administrator security profile that is configured in the following way:
• Permission precedence set to No Restrictions.
• Access to all networks and log sources.
Lazy search cannot be used by users with non-administrator security profiles on networks
where domains are configured.
1. To do a lazy search for quick filters, do these steps:
a. On the Log Activity tab, in the Quick Filter field, enter a value.
b. From the View list, select a time range.
2. To do a lazy search for basic searches, do these steps:
a. On the Log Activity tab, click Search > New Search.
b. Select a Recent time range or set a Specific Interval.
c. Ensure that Order by field value is set to Start Time and the Results Limit field value
is 1000 or less. Aggregated columns must not be included in the search.
d. Enter a value for the Quick Filter parameter and click Add Filter.
3. To disable lazy search completely, do these steps:
a. Click the System Settings on the Admin tab.
b. In the System Settings window, remove any values from the Default Search Limit
field.
Related Documentation
• Deleting Search Criteria on page 174
• Using a Subsearch to Refine Search Results on page 175
• Managing Search Results on page 176
Deleting Search Criteria
You can delete search criteria.
When you delete a saved search, then objects that are associated with the saved search
might not function. Reports are JSA objects that use saved search criteria. After you
delete a saved search, edit the associated objects to ensure that they continue to function.
1. Choose one of the following options:
• Click the Log Activity tab.
• Click the Network Activity tab.
2. From the Search list box, select New Search or Edit Search.
3. In the Saved Searches pane, select a saved search from the Available Saved Searches list box.
4. Click Delete.
• If the saved search criteria is not associated with other JSA objects, a confirmation window is displayed.
• If the saved search criteria is associated with other objects, the Delete Saved Search window is displayed. The window lists objects that are associated with the saved search that you want to delete. Note the associated objects.
5. Click OK.
6. Choose one of the following options:
• Click OK to proceed.
• Click Cancel to close the Delete Saved Search window.
If the saved search criteria was associated with other JSA objects, access the associated
objects that you noted and edit the objects to remove or replace the association with
the deleted saved search.
Related Documentation
• Using a Subsearch to Refine Search Results on page 175
• Managing Search Results on page 176
• Managing Search Groups on page 177
Using a Subsearch to Refine Search Results
You can use a subsearch to search within a set of completed search results. The subsearch
is used to refine search results, without searching the database again.
When you define a search that you want to use as a base for subsearching, make sure
that Real Time (streaming) option is disabled and the search is not grouped.
This feature is not available for grouped searches, searches in progress, or in streaming
mode.
1. Choose one of the following options:
• Click the Log Activity tab.
• Click the Network Activity tab.
2. Perform a search.
3. When your search is complete, add another filter:
a. Click Add Filter.
b. From the first list box, select a parameter that you want to search for.
c. From the second list box, select the modifier that you want to use for the search.
The list of modifiers that are available depends on the attribute that is selected in
the first list.
d. In the entry field, type specific information that is related to your search.
e. Click Add Filter.
The Original Filter pane specifies the original filters that are applied to the base search.
The Current Filter pane specifies the filters that are applied to the subsearch. You can
clear subsearch filters without restarting the base search. Click the Clear Filter link next
to the filter you want to clear. If you clear a filter from the Original Filter pane, the base
search is relaunched.
If you delete the base search criteria for saved subsearch criteria, you still have access
to saved subsearch criteria. If you add a filter, the subsearch searches the entire database
since the search function no longer bases the search on a previously searched data set.
“Saving Search Criteria” on page 153
Related Documentation
• Managing Search Results on page 176
• Managing Search Groups on page 177
• Search Example: Daily Employee Reports on page 181
Managing Search Results
You can initiate multiple searches, and then navigate to other tabs to perform other tasks
while your searches complete in the background.
You can configure a search to send you an email notification when the search is complete.
At any time while a search is in progress, you can return to the Log Activity or Network
Activity tabs to view partial or complete search results.
Canceling a Search
While a search is queued or in progress, you can cancel the search on the Manage Search
Results page.
If the search is in progress when you cancel it, the results that were accumulated until
the cancellation are maintained.
1. Choose one of the following options:
• Click the Log Activity tab.
• Click the Network Activity tab.
2. From the Search menu, select Manage Search Results.
3. Select the queued or in progress search result you want to cancel.
4. Click Cancel.
5. Click Yes.
Deleting a Search
If a search result is no longer required, you can delete the search result from the Manage
Search Results page.
1. Choose one of the following options:
• Click the Log Activity tab.
• Click the Network Activity tab.
2. From the Search menu, select Manage Search Results.
3. Select the search result that you want to delete.
4. Click Delete.
5. Click Yes.
Related Documentation
• Managing Search Groups on page 177
• Search Example: Daily Employee Reports on page 181
• Using a Subsearch to Refine Search Results on page 175
Managing Search Groups
Using the Search Groups window, you can create and manage event, flow, and offense
search groups.
These groups allow you to easily locate saved search criteria on the Log Activity, Network
Activity, and Offenses tabs, and in the Report wizard.
These groups allow you to easily locate saved search criteria on the Log Activity tab and
in the Report wizard.
Viewing Search Groups
A default set of groups and subgroups are available.
You can view search groups on the Event Search Group, Flow Search Group, or Offense
Search Group windows.
You can view search groups on the Event Search Group window.
All saved searches that are not assigned to a group are in the Other group.
The Event Search Group, Flow Search Group, and Offense Search Group windows display
the following parameters for each group.
The Event Search Group window displays the following parameters for each group.
Table 43: Search Group Window Parameters
Name: Specifies the name of the search group.
User: Specifies the name of the user that created the search group.
Description: Specifies the description of the search group.
Date Modified: Specifies the date the search group was modified.
The Event Search Group, Flow Search Group, and Offense Search Group window toolbars
provide the following functions.
The Event Search Group window toolbar provides the following functions.
Table 44: Search Group Window Toolbar Functions
New Group: To create a new search group, you can click New Group. See “Creating a New Search Group” on page 179.
Edit: To edit an existing search group, you can click Edit. See “Editing a Search Group” on page 179.
Copy: To copy a saved search to another search group, you can click Copy. See “Copying a Saved Search to Another Group” on page 180.
Remove: To remove a search group or a saved search from a search group, select the item that you want to remove, and then click Remove. See “Removing a Group or a Saved Search from a Group” on page 180.
1. Choose one of the following options:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. Select Search > Edit Search.
4. Click Manage Groups.
5. View the search groups.
Creating a New Search Group
You can create a new search group.
1. Choose one of the following options:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. Select Search > Edit Search.
4. Click Manage Groups.
5. Select the folder for the group under which you want to create the new group.
6. Click New Group.
7. In the Name field, type a unique name for the new group.
8. Optional. In the Description field, type a description.
9. Click OK.
Editing a Search Group
You can edit the Name and Description fields of a search group.
1. Choose one of the following options:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. Select Search > Edit Search.
4. Click Manage Groups.
5. Select the group that you want edit.
6. Click Edit.
7. Edit the parameters:
   • Type a new name in the Name field.
   • Type a new description in the Description field.
8. Click OK.
Copying a Saved Search to Another Group
You can copy a saved search to one or more groups.
1. Choose one of the following options:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. Select Search > Edit Search.
4. Click Manage Groups.
5. Select the saved search that you want to copy.
6. Click Copy.
7. On the Item Groups window, select the check box for the group you want to copy the
saved search to.
8. Click Assign Groups.
Removing a Group or a Saved Search from a Group
You can use the Remove icon to remove a search from a group or remove a search group.
When you remove a saved search from a group, the saved search is not deleted from
your system. The saved search is removed from the group and automatically moved to
the Other group.
You cannot remove the following groups from your system:
• Event Search Groups
• Flow Search Groups
• Offense Search Groups
• Other
You cannot remove Event Search Groups from your system.
1. Choose one of the following options:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. Select Search > Edit Search.
4. Click Manage Groups.
5. Choose one of the following options:
   • Select the saved search that you want to remove from the group.
   • Select the group that you want to remove.
6. Click Remove.
7. Click OK.
Related Documentation
• Search Example: Daily Employee Reports on page 181
• Using a Subsearch to Refine Search Results on page 175
• Managing Search Results on page 176
Search Example: Daily Employee Reports
The following example describes how to use a complex advanced search query to see
specific employee information.
For identity management purposes, you decide to generate a daily report of the user
activity in JSA. The report must include information about the employee, such as their
user names, their serial number, their manager, and their activities.
An employee might have multiple user names in JSA. You use the RESTful API to build
a reference map that returns all associated user names to the employee's name,
Global_User. For the serial number and the manager's name, you create another reference
data set and add it to the reference map.
Employee activities can range from login failures to JSA tasks, such as deleting objects.
These events are recorded by JSA. By specifying the frequency of the events in the map,
you can gauge when suspicious activity occurs. You group the data by the employee's
name and the event name, and then sort the data by the highest event frequency within
a 24-hour time frame.
To see this daily report, you log in to JSA console. In the Advanced Search text box on
the Log Activity tab, you type the following search query:
select REFERENCEMAP('GlobalID_Mapping', username) as Global_User,
QIDNAME(qid) as 'Event Name', count(*) as 'Event Count', FIRST(username) as
UserId, REFERENCETABLE('employee_data','SerialNum', Global_user) as 'Serial
Number', REFERENCETABLE('employee_data','Manager',Global_User) as Manager
from events where (Global_User IS NOT NULL) GROUP BY Global_user,'Event Name'
ORDER BY 'Event Count' DESC last 1 DAYS
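As an added illustration that is not part of this guide, the following Python script emulates what the query above computes: constructed dictionaries stand in for the GlobalID_Mapping reference map, the employee_data reference table, and the QIDNAME() lookup, and the events, user names and employee details are made up.

```python
from collections import Counter

# Constructed stand-ins for the reference data that the example builds with
# the RESTful API: the GlobalID_Mapping reference map (username -> employee)
# and the employee_data reference table (employee -> serial number, manager).
GLOBALID_MAPPING = {
    "jdoe": "John Doe",
    "john.doe": "John Doe",
    "jdoe-admin": "John Doe",
    "asmith": "Alice Smith",
}
EMPLOYEE_DATA = {
    "John Doe": {"SerialNum": "E-10042", "Manager": "Rita Patel"},
    "Alice Smith": {"SerialNum": "E-10077", "Manager": "Rita Patel"},
}
# Constructed QID-to-name lookup standing in for QIDNAME(qid).
QID_NAMES = {
    28250001: "User Login Failure",
    28250002: "User Login Success",
    28250099: "Object Deleted",
}
# Constructed events from the last day, as (username, qid) pairs.
EVENTS = [
    ("jdoe", 28250001),
    ("john.doe", 28250001),
    ("jdoe-admin", 28250001),
    ("jdoe", 28250001),
    ("asmith", 28250002),
    ("jdoe-admin", 28250099),
    ("svc_backup", 28250002),  # not in the map: dropped by Global_User IS NOT NULL
]


def daily_employee_report(events, mapping, table, qid_names):
    """Emulate the query: resolve Global_User through the reference map, skip
    events with no mapping, group by (Global_User, event name), count events,
    keep the first username seen per group (FIRST(username)), look up serial
    number and manager in the reference table, and sort by count descending."""
    counts = Counter()
    first_user = {}
    for username, qid in events:
        global_user = mapping.get(username)
        if global_user is None:  # WHERE Global_User IS NOT NULL
            continue
        key = (global_user, qid_names.get(qid, f"QID {qid}"))
        counts[key] += 1
        first_user.setdefault(key, username)
    rows = []
    for (global_user, event_name), count in counts.items():
        employee = table.get(global_user, {})
        rows.append({
            "Global_User": global_user,
            "Event Name": event_name,
            "Event Count": count,
            "UserId": first_user[(global_user, event_name)],
            "Serial Number": employee.get("SerialNum"),
            "Manager": employee.get("Manager"),
        })
    rows.sort(key=lambda row: row["Event Count"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in daily_employee_report(EVENTS, GLOBALID_MAPPING, EMPLOYEE_DATA, QID_NAMES):
        print(row)
```

The three aliases of John Doe collapse into one row with four login failures, while the unmapped service account never appears in the report.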
Related Documentation
• Using a Subsearch to Refine Search Results on page 175
• Managing Search Results on page 176
• Managing Search Groups on page 177
CHAPTER 10
Custom Event and Flow Properties
• Custom Event and Flow Properties on page 183
• Required Permissions on page 183
• Custom Property Types on page 184
• Creating a Regex-based Custom Property on page 185
• Creating a Calculation-based Custom Property on page 186
• Modifying a Custom Property on page 188
• Copying a Custom Property on page 190
• Deleting a Custom Property on page 191
Custom Event and Flow Properties
Use Custom event and flow properties to search, view, and report on information in logs
that JSA does not typically normalize and display.
You can create custom event and flow properties from several locations on the Log Activity or Network Activity tabs:
• From the Log Activity tab, double-click an event and click Extract Property.
• From the Network Activity tab, double-click a flow and click Extract Property.
• You can create or edit a custom event or flow property from the Search page. When you create a custom property from the Search page, the property is not derived from any particular event or flow; therefore, the Custom Event Properties window does not prepopulate. You can copy and paste payload information from another source.
Required Permissions
You can create custom properties only if you have the correct permission.
You must have the User Defined Event Properties or the User Defined Flow Properties permission.
If you have Administrative permissions, you can also create and modify custom properties
from the Admin tab.
Click Admin > Data Sources > Custom Event Properties or Admin > Data Sources > Custom Flow Properties.
Check with your administrator to ensure that you have the correct permissions.
For more information, see the Juniper Secure Analytics Administration Guide.
Related Documentation
• Custom Property Types on page 184
• Creating a Regex-based Custom Property on page 185
• Creating a Calculation-based Custom Property on page 186
Custom Property Types
You can create a custom property type.
When you create a custom property, you can choose to create a Regex or a calculated
property type.
Using regular expression (Regex) statements, you can extract unnormalized data from
event or flow payloads.
For example, a report is created to report all users who make user permission changes on an Oracle server. A list of users and the number of times they made a change to the permission of another account is reported. However, the actual user account or permission that was changed typically cannot be displayed. You can create a custom property to extract this information from the logs, and then use the property in searches and reports.
Use of this feature requires advanced knowledge of regular expressions (regex).
Regex defines the field that you want to become the custom property. After you enter a
regex statement, you can validate it against the payload. When you define custom regex
patterns, adhere to regex rules as defined by the Java programming language.
For more information, you can refer to regex tutorials available on the web. A custom
property can be associated with multiple regular expressions.
When an event or flow is parsed, each regex pattern is tested on the event or flow until
a regex pattern matches the payload. The first regex pattern to match the event or flow
payload determines the data to be extracted.
Using calculation-based custom properties, you can perform calculations on existing
numeric event or flow properties to produce a calculated property.
For example, you can create a property that displays a percentage by dividing one numeric
property by another numeric property.
Related Documentation
• Creating a Regex-based Custom Property on page 185
• Creating a Calculation-based Custom Property on page 186
• Modifying a Custom Property on page 188
Creating a Regex-based Custom Property
You can create a regex-based custom property to match event or flow payloads to a
regular expression.
When you configure a regex-based custom property, the Custom Event Property or Custom
Flow Property windows provide parameters. The following table describes some of these
parameters.
Table 45: Custom Properties Window Parameters (regex)
Test field: Specifies the payload that was extracted from the unnormalized event or flow.
New Property: The new property name cannot be the name of a normalized property, such as username, Source IP, or Destination IP.
   NOTE: The following characters cause an error if they are used in creating a new property name: Backslash ( \ ), comma (,), period (.), ampersand (&), single quotation mark ( ' ), double quotation mark ( " ), parentheses (()), and double brackets ([]).
   NOTE: For CEPs and CFPs that include the denoted characters, you need to create a duplicate of the property and save the new property name without using the denoted characters. Then, change all of the dependents of the old property to reference the new property. Finally, delete the old property.
Optimize parsing for rules, reports, and searches: Parses and stores the property the first time that the event or flow is received. When you select the check box, the property does not require more parsing for reporting, searching, or rule testing.
   If you clear this check box, the property is parsed each time a report, search, or rule test is applied.
Log Source: If multiple log sources are associated with this event, this field specifies the term Multiple and the number of log sources.
RegEx: The regular expression that you want to use for extracting the data from the payload. Regular expressions are case-sensitive.
   The following examples show sample regular expressions:
   • Email: (.+@[^\.].*\.[a-z]{2,}$)
   • URL: (http\://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(/\S*)?$)
   • Domain Name: (http[s]?://(.+?)["/?:])
   • Floating Point Number: ([-+]?\d*\.?\d*$)
   • Integer: ([-+]?\d*$)
   • IP address: (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
   Capture groups must be enclosed in parentheses.
Capture Group: Capture groups treat multiple characters as a single unit. In a capture group, characters are grouped inside a set of parentheses.
Enabled: If you clear the check box, this custom property does not display in search filters or column lists and the property is not parsed from payloads.
1. Click the Log Activity tab.
2. If you are viewing the events in streaming mode, click the Pause icon to pause
streaming.
3. Double-click the event that you want to base the custom property on.
4. Click Extract Property.
5. In the Property Type Selection pane, select the Regex Based option.
6. Configure the custom property parameters.
7. Click Test to test the regular expression against the payload.
8. Click Save.
The custom property is displayed as an option in the list of available columns on the
search page. To include a custom property in an event or flows list, you must select the
custom property from the list of available columns when you create a search.
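As an added example that is not part of this guide, the following Python script emulates how a regex-based custom property extracts a value: the sample patterns from Table 45 are tried in order, the first pattern that matches decides the value of the selected capture group, and a proposed property name is checked against the characters the table lists as forbidden. Python's re module stands in for the Java regex engine that JSA applies (the constructs used in these samples behave the same in both), and all payloads are constructed.

```python
import re
from typing import Iterable, Optional

# Sample patterns copied from the RegEx row of Table 45.
SAMPLE_PATTERNS = {
    "Email": r"(.+@[^\.].*\.[a-z]{2,}$)",
    "URL": r"(http\://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(/\S*)?$)",
    "Domain Name": r'(http[s]?://(.+?)["/?:])',
    "Floating Point Number": r"([-+]?\d*\.?\d*$)",
    "Integer": r"([-+]?\d*$)",
    "IP address": r"(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)",
}

# Characters that Table 45 says cause an error in a new property name.
FORBIDDEN_NAME_CHARS = set("\\,.&'\"()[]")
# Normalized property names that Table 45 gives as examples; the real list is longer.
NORMALIZED_NAMES = {"username", "source ip", "destination ip"}


def is_valid_property_name(name: str) -> bool:
    """Reject empty names, names containing a forbidden character, and names
    that collide (case-insensitively) with a normalized property."""
    if not name.strip():
        return False
    if any(ch in FORBIDDEN_NAME_CHARS for ch in name):
        return False
    return name.strip().lower() not in NORMALIZED_NAMES


def extract_property(payload: str, patterns: Iterable[str], group: int = 1) -> Optional[str]:
    """Emulate a custom property that has several regexes: the patterns are
    tried in order and the first one that matches the payload decides the
    value, which is the content of the selected capture group. An empty
    capture (the Integer sample matches the empty string at end of line)
    yields None rather than an empty property value."""
    for pattern in patterns:
        match = re.search(pattern, payload)
        if match is not None:
            return match.group(group) or None
    return None


if __name__ == "__main__":
    payload = "src=10.0.0.5 dst=192.168.1.20 bytes=512"
    print(extract_property(payload, [SAMPLE_PATTERNS["IP address"]]))  # 10.0.0.5
    print(extract_property(payload, [SAMPLE_PATTERNS["Integer"]]))     # 512
    # Pattern order matters: the Integer sample matches "5" before the
    # IP address sample is ever tried.
    print(extract_property("src=10.0.0.5", [SAMPLE_PATTERNS["Integer"],
                                            SAMPLE_PATTERNS["IP address"]]))  # 5
    # The Email sample anchors on end of line and its capture group spans the
    # whole line, so it extracts the entire payload, not just the address.
    print(extract_property("login failed for alice@example.com",
                           [SAMPLE_PATTERNS["Email"]]))
```

Validate each pattern against real payloads with the Test button before saving; as the run above shows, the sample patterns are starting points whose anchors and capture groups need adjusting to the log format.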
Related Documentation
• Creating a Calculation-based Custom Property on page 186
• Modifying a Custom Property on page 188
• Copying a Custom Property on page 190
Creating a Calculation-based Custom Property
You can create a calculation-based custom property that performs a calculation on existing numeric event or flow properties.
When you configure a calculation-based custom property, the Custom Event Property or Custom Flow Property windows provide the parameters listed in Table 46:
Table 46: Custom Property Definition Window Parameters (calculation)
Property Definition
   Property Name: Type a unique name for this custom property. The new property name cannot be the name of a normalized property, such as Username, Source IP, or Destination IP.
      NOTE: The following characters cause an error if they are used in creating a new property name: Backslash ( \ ), comma (,), period (.), ampersand (&), single quotation mark ( ' ), double quotation mark ( " ), parentheses (()), and double brackets ([]).
      NOTE: For CEPs and CFPs that include the denoted characters, you need to create a duplicate of the property and save the new property name without using the denoted characters. Then, change all of the dependents of the old property to reference the new property. Finally, delete the old property.
   Description: Type a description of this custom property.
Property Calculation Definition
   Property 1: From the list box, select the first property that you want to use in your calculation. Options include all numeric normalized and numeric custom properties.
      You can also specify a specific numeric value. From the Property 1 list box, select the User Defined option. The Numeric Property parameter is displayed. Type a specific numeric value.
   Operator: From the list box, select the operator that you want to apply to the selected properties in the calculation. Options include:
      • Add
      • Subtract
      • Multiply
      • Divide
   Property 2: From the list box, select the second property that you want to use in your calculation. Options include all numeric normalized and numeric custom properties.
      You can also specify a specific numeric value. From the Property 1 list box, select the User Defined option. The Numeric Property parameter is displayed. Type a specific numeric value.
Enabled: Select this check box to enable this custom property.
   If you clear the check box, this custom property does not display in event or flow search filters or column lists and the event or flow property is not parsed from payloads.
   If you clear the check box, this custom property does not display in event search filters or column lists and the event or flow property is not parsed from payloads.
1. Choose one of the following: Click the Log Activity tab.
2. Optional. If you are viewing events or flows in streaming mode, click the Pause icon
to pause streaming.
3. Double-click the event or flow that you want to base the custom property on.
4. Double-click the event that you want to base the custom property on.
5. Click Extract Property.
6. In the Property Type Selection pane, select the Calculation Based option.
7. Configure the custom property parameters.
8. Click Test to test the regular expression against the payload.
9. Click Save.
The custom property is now displayed as an option in the list of available columns on
the search page. To include a custom property in an events or flows list, you must select
the custom property from the list of available columns when you are creating a search.
Related Documentation
• Modifying a Custom Property on page 188
• Copying a Custom Property on page 190
• Deleting a Custom Property on page 191
Modifying a Custom Property
You can modify a custom property.
You can use the Custom Event Properties or Custom Flow Properties window to modify
a custom property.
You can use the Custom Event Properties window to modify a custom property.
The custom properties are described in the following table.
Table 47: Custom Properties Window Columns
Property Name: Specifies a unique name for this custom property.
Type: Specifies the type for this custom property.
Property Description: Specifies a description for this custom property.
Log Source Type: Specifies the name of the log source type to which this custom property applies.
   This column is only displayed on the Custom Event Properties window.
Log Source: Specifies the log source to which this custom property applies.
   If there are multiple log sources that are associated with this event or flow, this field specifies the term Multiple and the number of log sources.
   If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
   This column is only displayed on the Custom Event Properties window.
Expression: Specifies the expression for this custom property. The expression depends on the custom property type:
   For a regex-based custom property, this parameter specifies the regular expression that you want to use for extracting the data from the payload.
   For a calculation-based custom property, this parameter specifies the calculation that you want to use to create the custom property value.
Username: Specifies the name of the user who created this custom property.
Enabled: Specifies whether this custom property is enabled. This field specifies either True or False.
Creation Date: Specifies the date this custom property was created.
Modification Date: Specifies the last time this custom property was modified.
The Custom Event Property and Custom Flow Property toolbars provide the following
functions:
Table 48: Custom Property Toolbar Options
Add: Click Add to add a new custom property.
Edit: Click Edit to edit the selected custom property.
Copy: Click Copy to copy selected custom properties.
Delete: Click Delete to delete selected custom properties.
Enable/Disable: Click Enable/Disable to enable or disable the selected custom properties for parsing and viewing in the search filters or column lists.
1. Choose one of the following:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. From the Search list box, select Edit Search.
4. Click Manage Custom Properties.
5. Select the custom property that you want to edit and click Edit.
6. Edit the necessary parameters.
7. Optional. If you edited the regular expression, click Test to test the regular expression
against the payload.
8. Click Save.
Related Documentation
• Copying a Custom Property on page 190
• Deleting a Custom Property on page 191
• Creating a Calculation-based Custom Property on page 186
Copying a Custom Property
To create a new custom property that is based on an existing custom property, you can copy the existing custom property, and then modify the parameters.
1. Choose one of the following:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. From the Search list box, select Edit Search.
4. Click Manage Custom Properties.
5. Select the custom property that you want to copy and click Copy.
6. Edit the necessary parameters.
7. Optional. If you edited the regular expression, click Test to test the regular expression
against the payload.
8. Click Save.
Related Documentation
• Deleting a Custom Property on page 191
• Creating a Calculation-based Custom Property on page 186
• Modifying a Custom Property on page 188
Deleting a Custom Property
You can delete any custom property, provided the custom property does not have any
dependencies.
1. Choose one of the following:
   • Click the Log Activity tab.
   • Click the Network Activity tab.
2. Click the Log Activity tab.
3. From the Search list box, select Edit Search.
4. Click Manage Custom Properties.
5. Select the custom property that you want to delete and click Delete.
6. Click Yes.
Related Documentation
• Creating a Calculation-based Custom Property on page 186
• Modifying a Custom Property on page 188
• Copying a Custom Property on page 190
CHAPTER 11
Rules
• Rules on page 193
• Custom Rules on page 194
• Creating a Custom Rule on page 196
• Configuring an Event or Flow As False Positive on page 197
• Configuring a Rule Response to Add Data to a Reference Data Collection on page 198
• Editing Building Blocks on page 199
Rules
Rules, sometimes called correlation rules, are applied to events, flows, or offenses to search for or detect anomalies. If all the conditions of a test are met, the rule generates a response.
What Are Rules?
Custom rules test events, flows, and offenses to detect unusual activity in your network. You create new rules by using AND and OR combinations of existing rules.
JSA Event Collectors gather events from local and remote sources, normalize these events, and classify them into low-level and high-level categories. For flows, JSA Flow Processors read packets from the wire or receive flows from other devices and then convert the network data to flow records. Each Event Processor processes events or flow data from the JSA Event Collectors. Event Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against defined rules to search for anomalies. When a rule condition is met, the Event Processor generates an action that is defined in the rule response. The CRE keeps track of the systems that are involved in incidents, contributes events to offenses, and generates notifications.
What Are Building Blocks?
A building block is a collection of tests that don't result in a response or an action.
A building block groups commonly used tests to build complex logic, so that it can be
reused in rules. A building block often tests for IP addresses, privileged user names, or
collections of event names. For example, a building block can include the IP addresses
of all DNS servers. Rules can then use this building block.
JSA has default rules and you can also download more rules from the Juniper App Exchange
to create new rules.
How do Rules Work?
JSA Event Collectors gather events from local and remote sources, normalize these events, and classify them into low-level and high-level categories. For flows, JSA Flow Processors read packets from the wire or receive flows from other devices and then convert the network data to flow records. Each Event Processor processes events or flow data from the JSA Event Collectors. Flow Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against defined rules to search for anomalies. When a rule condition is met, the Event Processor generates an action that is defined in the rule response. The CRE keeps track of the systems that are involved in incidents, contributes events to offenses, and generates notifications.
How is an Offense Created from a Rule?
JSA creates an offense when events, flows, or both meet the test criteria that is specified
in the rules.
JSA analyzes the following information:
• Incoming events and flows
• Asset information
• Known vulnerabilities
The rule that created the offense determines the offense type.
The magistrate prioritizes the offenses and assigns the magnitude value based on several
factors, including number of events, severity, relevance, and credibility.
Custom Rules
JSA includes rules that detect a wide range of activities, including excessive firewall
denies, multiple failed login attempts, and potential botnet activity. You can also create
your own rules to detect unusual activity.
What Are Custom Rules?
Customize default rules to detect unusual activity in your network.
Rule Types
Each of the event, flow, common, and offense rule types tests against incoming data from different sources in real time. There are multiple types of rule tests. Some check for simple properties from the data set. Other rule tests are more complicated. They track multiple event, flow, and offense sequences over a period of time and use a "counter" on one or more parameters before a rule response is triggered.
• Event rules--Test against incoming log source data that is processed in real time by the JSA Event Processor. You create an event rule to detect a single event or event sequences. For example, to monitor your network for unsuccessful login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you create an event rule. It is common for event rules to create offenses as a response.
• Flow rules--Test against incoming flow data that is processed by the JSA Flow Processor. You can create a flow rule to detect a single flow or flow sequences. It is common for flow rules to create offenses as a response.
• Common rules--Test against event and flow data. For example, you can create a common rule to detect events and flows that have a specific source IP address. It is common for common rules to create offenses as a response.
• Offense rules--Test the parameters of an offense to trigger more responses. For example, a response generates when an offense occurs during a specific date and time. An offense rule processes offenses only when changes are made to the offense, for example, when new events are added, or when the system scheduled the offense for reassessment. It is common for offense rules to email a notification as a response.
Managing Rules
You can create, edit, assign rules to groups, and delete groups of rules. By categorizing
your rules or building blocks into groups, you can efficiently view and track your rules. For
example, you can view all rules that are related to compliance.
Domain-specific Rules
If a rule has a domain test, you can restrict that rule so that it is applied only to events that are happening within a specified domain. If an event has a domain tag that is different from the domain that is set on the rule, the rule does not trigger a response.
To create a rule that tests conditions across the entire system, set the domain condition
to Any Domain.
Rule Conditions
Most rule tests evaluate a single condition, like the existence of an element in a reference
data collection or testing a value against a property of an event. For complex comparisons,
you can test event rules by building an Ariel Query Language (AQL) query with WHERE
clause conditions. You can use all of the WHERE clause functions to write complex criteria
that can eliminate the need to run numerous individual tests. For example, use an AQL
WHERE clause to check whether inbound SSL or web traffic is being tracked on a reference
set.
You can run tests on the property of an event, flow, or offense, such as source IP address,
severity of event, or rate analysis.
With functions, you can use building blocks and other rules to create a multi-event, multi-flow, or multi-offense function. You can connect rules by using functions that support Boolean operators, such as OR and AND. For example, if you want to connect event rules, you can use the "when an event matches any|all of the following rules" function.
Related Documentation
• Creating a Custom Rule on page 196
• Configuring an Event or Flow As False Positive on page 197
• Configuring a Rule Response to Add Data to a Reference Data Collection on page 198
Creating a Custom Rule
JSA includes rules that detect a wide range of activities, including excessive firewall
denies, multiple failed login attempts, and potential botnet activity. You can also create
your own rules to detect unusual activity.
Before you begin to create a new rule, you must have the Offenses >Maintain Custom
Rules permission.
When you define rule tests, test against the smallest data possible. Testing in this way
helps rule test performance and ensures that you don't create expensive rules. To optimize
performance, start with broad categories that narrow the data that is evaluated by the
rule test. For example, start with a rule test for a specific log source type, network location,
flow source, or context (R2L, L2R, L2L). Any mid-level tests might include IP addresses,
port traffic, or any other associated test. Payload and regex tests should be the last rule
test.
Similar rules are grouped by category. For example, Audit, Exploit, DDoS, Recon, and
more. When you delete an item from a group, the rule or building block is only deleted
from the group; it remains available on the Rules page. When you delete a group, the
rules or building blocks of that group remain available on the Rules page.
1. From the Offenses, Log Activity, or Network Activity tabs, click Rules.
2. From the Display list, select Rules to create a new rule.
3. From the Display list, select Building Blocks to create a new rule by using building
blocks.
4. From the Actions list, select a rule type.
Each rule type tests against incoming data from different sources in real time. For
example, event rules test incoming log source data and offense rules test the
parameters of an offense to trigger more responses.
5. On the Rule Test Stack Editor page, in the Rule pane, type a unique name that you
want to assign to this rule in the Apply text box.
6. From the list box, select Local or Global.
• If you select Local, all rules are processed on the Event Processor on which they were received and offenses are created only for the events that are processed locally.
• If you select Global, all matching events are sent to the JSA console for processing and therefore, the JSA console uses more bandwidth and processing resources.
7. From the Test Group list, select one or more tests that you want to add to this rule.
The CRE evaluates rule tests line-by-line in order. The first test is evaluated and when
true, the next line is evaluated until the final test is reached.
If you select the when the event matches this AQL filter query test for a new event rule,
enter an AQL WHERE clause query in the Enter an AQL filter query text box.
8. To export the configured rule as a building block to use with other rules, click Export
as Building Block.
9. On the Rule Responses page, configure the responses that you want this rule to
generate.
Related Documentation
• Configuring an Event or Flow As False Positive on page 197
• Configuring a Rule Response to Add Data to a Reference Data Collection on page 198
• Editing Building Blocks on page 199
Configuring an Event or Flow As False Positive
You might have legitimate network traffic that triggers false positive flows and events
that makes it difficult to identify true security incidents. You can prevent events and flows
from correlating into offenses by configuring them as false positives.
1. From the Log Activity or Network Activity tab, click the pause icon in the upper right to stop real-time streaming of events or flows.
2. Select the event that you want to tune.
3. Click False Positive.
4. Select an event or flow property option.
5. Select a traffic direction option.
6. Click Tune.
The event or flow that matches the specified criteria no longer correlates into offenses.
To edit false positive tuning, use the User-BB_FalsePositive: User Defined Positive Tunings
building block in the Rules section on the Offenses tab.
Related Documentation
• Creating a Custom Rule on page 196
• Configuring a Rule Response to Add Data to a Reference Data Collection on page 198
• Editing Building Blocks on page 199
Configuring a Rule Response to Add Data to a Reference Data Collection
Set up rules that use reference data to alert you to suspicious activity. For example,
include a list of privileged users into reference data and then set up a rule that is triggered
to alert you when privileged user anomalies occur.
Before you send data to a reference set, your JSA administrator must create the reference
set.
JSA supports the following data collection types:
• Reference set--A set of elements, such as a list of IP addresses or user names, that are derived from events and flows that are occurring on your network.
• Reference map--Data is stored in records that map a key to a value. For example, to correlate user activity on your network, you create a reference map that uses the Username parameter as a key and the user's Global ID as a value.
• Reference map of sets--Data is stored in records that map a key to multiple values. For example, to test for authorized access to a patent, use a custom event property for Patent ID as the key and the Username parameter as the value. Use a map of sets to populate a list of authorized users.
• Reference map of maps--Data is stored in records that map one key to another key, which is then mapped to a single value. For example, to test for network bandwidth violations, you create a map of maps. Use the Source IP parameter as the first key, the Application parameter as the second key, and the Total Bytes parameter as the value.
• Reference table--In a reference table, data is stored in a table that maps one key to another key, which is then mapped to a single value. The second key has an assigned type. This mapping is similar to a database table where each column in the table is associated with a type. For example, you create a reference table that stores the Username parameter as the first key, and has multiple secondary keys that have a user-defined assigned type, such as IP Type with the Source IP or Source Port parameter as a value. You can configure a rule response to add one or more keys that are defined in the table. You can also add custom values to the rule response. The custom value must be valid for the secondary key's type.
1. Create the reference data collection by using the Reference Set Management widget on the Admin tab.
You can also create a reference data collection by using the ReferenceDataUtil.sh script.
2. Create a rule by using the Rules wizard.
3. Create a rule response that sends data to a reference data collection. You can add the data as either shared data or domain-specific data.
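The collection types described above, together with a rule response (step 3) that adds event data to a typed reference table, modelled as an added Python example; this is not JSA code, and the class and function names, the Port Type column type and the sample events are assumptions. The table rejects a value that is not valid for the secondary key's type, and a map of sets backs a simple privileged-user anomaly test.

```python
"""Models of the JSA reference data collection types and a rule response that
adds event data to them. Added example, not JSA code: the class and function
names, the "Port Type" column type and the sample events are assumptions."""
import ipaddress
from collections import defaultdict


def validate_ip(value):
    """IP Type: the value must parse as an IP address (ValueError otherwise)."""
    return str(ipaddress.ip_address(value))


def validate_port(value):
    """Port Type (assumed type name): an integer in the range 0-65535."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


# Types that a reference table's secondary keys (columns) can be assigned.
TYPES = {"IP Type": validate_ip, "Port Type": validate_port}


class ReferenceSet:
    """A set of elements, such as the user names of privileged accounts."""
    def __init__(self, elements=()):
        self.elements = set(elements)
    def add(self, element):
        self.elements.add(element)
    def __contains__(self, element):
        return element in self.elements


class ReferenceMapOfSets:
    """Records that map one key to multiple values, e.g. Username -> source IPs."""
    def __init__(self):
        self.records = defaultdict(set)
    def add(self, key, value):
        self.records[key].add(value)
    def get(self, key):
        return set(self.records.get(key, ()))


class ReferenceTable:
    """Records that map a primary key to typed secondary keys, each holding one
    value, like a database table whose columns each have a type."""
    def __init__(self, columns):
        unknown = set(columns.values()) - set(TYPES)
        if unknown:
            raise ValueError(f"unknown column types: {unknown}")
        self.columns = dict(columns)  # secondary key -> type name
        self.rows = defaultdict(dict)
    def add(self, key, column, value):
        """Store value under (key, column). A value that is not valid for the
        column's type raises ValueError and nothing is written."""
        if column not in self.columns:
            raise KeyError(f"no such secondary key: {column}")
        self.rows[key][column] = TYPES[self.columns[column]](value)
    def get(self, key, column):
        return self.rows.get(key, {}).get(column)


def rule_response_add_to_table(table, event, mapping):
    """Rule response that adds event data to a reference table. mapping is
    {column: event parameter}. Returns (columns written, columns rejected)."""
    written, rejected = [], []
    for column, param in mapping.items():
        try:
            table.add(event["Username"], column, event[param])
            written.append(column)
        except (ValueError, KeyError):
            rejected.append(column)
    return written, rejected


def privileged_anomaly(event, privileged, known_ips):
    """Rule test sketch: a privileged user seen from a source IP that is not in
    that user's set of known IPs (a map of sets) is an anomaly."""
    user = event["Username"]
    return user in privileged and event["Source IP"] not in known_ips.get(user)


# Constructed sample events; the second carries values that fail both types.
EVENTS = [
    {"Username": "alice", "Source IP": "10.0.0.5", "Source Port": "51000"},
    {"Username": "bob", "Source IP": "not-an-ip", "Source Port": "99999"},
]


def populate_table(events=EVENTS):
    """Run the rule response over the sample events; returns the table and the
    per-user (written, rejected) results."""
    table = ReferenceTable({"Source IP": "IP Type", "Source Port": "Port Type"})
    results = {}
    for event in events:
        results[event["Username"]] = rule_response_add_to_table(
            table, event, {"Source IP": "Source IP", "Source Port": "Source Port"})
    return table, results
```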
Related Documentation
• Editing Building Blocks on page 199
• Configuring an Event or Flow As False Positive on page 197
• Creating a Custom Rule on page 196
Editing Building Blocks
You can edit any of the default building blocks to use it in multiple rules or to build complex
rules or logic. You can save a group of tests as building blocks for use with rules.
For example, you can edit the BB:HostDefinition: Mail Servers building block to identify
all mail servers in your deployment. Then, you can configure any rule to exclude your mail
servers from the rule tests.
1. Click the Offenses or Network Activity tab.
2. Click Rules.
3. From the Display list, select Building Blocks.
4. Double-click the building block that you want to edit.
5. Update the building block, as necessary.
6. Click Next.
7. Continue through the wizard.
8. Click Finish.
Related Documentation
• Configuring an Event or Flow As False Positive on page 197
• Configuring a Rule Response to Add Data to a Reference Data Collection on page 198
• Creating a Custom Rule on page 196
CHAPTER 12
Historical Correlation
• Historical Correlation on page 201
• Historical Correlation Overview on page 202
• Creating a Historical Correlation Profile on page 203
• Viewing Information About Historical Correlation Runs on page 204
Historical Correlation
Use historical correlation to run past events and flows through the custom rules engine
(CRE) to identify threats or security incidents that already occurred.
NOTE: You cannot use historical correlation in Log Manager. For more
information about the differences between JSA and Log Manager, see
“Capabilities in Your JSA Product” on page 24.
By default, a JSA deployment analyzes information that is collected from log sources
and flow sources in near real-time. With historical correlation, you can correlate by either
the start time or the device time. Start time is the time that the event was received by
JSA. Device time is the time that the event occurred on the device.
Historical correlation can be useful in the following situations:
• Analyzing bulk data--If you bulk load data into your JSA deployment, you can use historical correlation to correlate the data against data that was collected in real-time. For example, to avoid performance degradation during normal business hours, you load events from multiple log sources every night at midnight. You can use historical correlation to correlate the data by device time to see the sequence of network events as they occurred in the last 24 hours.
• Testing new rules--You can run historical correlation to test new rules. For example, one of your servers was recently attacked by new malware for which you do not have rules in place. You can create a rule to test for that malware. Then, you can use historical correlation to check the rule against historical data to see whether the rule would trigger a response if it were in place at the time of the attack. Similarly, you can use historical correlation to determine when the attack first occurred or the frequency of the attack. You can continue to tune the rule and then move it into a production environment.
• Re-creating offenses that were lost or purged--If your system lost offenses because of an outage or other reason, you can re-create the offenses by running historical correlation on the events and flows that came in during that time.
• Identifying previously hidden threats--As information becomes known about the latest security threats, you can use historical correlation to identify network events that already occurred but did not trigger an event. You can quickly test for threats that have already compromised your organization's system or data.
Historical Correlation Overview
You configure a historical correlation profile to specify the historical data that you want
to analyze and the rule set that you want to test against. When a rule is triggered, an
offense is created. You can assign the offense for investigation and remediation.
Data Selection
The profile uses a saved search to collect the historical event and flow data to use in the
run. Ensure that your security profile grants permission to view the events and flows that
you want to include in the historical correlation run.
Rule Selection and Handling
The JSA console processes data against only the rules that are specified in the historical
correlation profile.
Common rules test data in both events and flows. You must have permission to view
both events and flows before you can add common rules to the profile. When a profile
is edited by a user who doesn't have permission to view both events and flows, the
common rules are automatically removed from the profile.
You can include disabled rules in a historical correlation profile. When the profile runs,
the disabled rule is evaluated against the incoming events and flows. If the rule is triggered,
and the rule action is to generate an offense, the offense is created even when the rule
is disabled. To avoid generating unnecessary distractions, rule responses, such as report
generation and mail notifications, are ignored during historical correlation.
Because historical correlation processing occurs in a single location, the rules that are
included in the profile are treated as global rules. The processing does not change the
rule from local to global, but handles the rule as if it were global during the historical
correlation run. Some rules, such as stateful rules, might not trigger the same response
as they would in a normal correlation that is run on a local event processor. For example,
a local stateful rule that tracks five failed logins in 5 minutes from the same user name
behaves differently under normal and historical correlation runs. Under normal correlation,
this local rule maintains a counter for the number of failed logins that are received by
each local event processor. In historical correlation, this rule maintains a single counter
for the entire JSA system. In this situation, offenses might be created differently compared
to a normal correlation run.
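The five-failed-logins case above, as an added Python simulation (not JSA code; the user names, Event Processor names and timestamps are constructed): the same events are first counted per Event Processor, as a Local rule is under normal correlation, and then with a single system-wide counter, as historical correlation handles the rule.

```python
"""Local vs. global stateful rule behaviour in normal and historical correlation.
Added example, not JSA code. Models the rule "five failed logins in 5 minutes
from the same user name" with a sliding-window counter whose scope differs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample events: (device time, Event Processor, user name). The
# user's failed logins are spread evenly across two Event Processors.
SAMPLE_EVENTS = [
    (datetime(2017, 9, 13, 9, 0, 0), "ep1", "jdoe"),
    (datetime(2017, 9, 13, 9, 0, 30), "ep2", "jdoe"),
    (datetime(2017, 9, 13, 9, 1, 0), "ep1", "jdoe"),
    (datetime(2017, 9, 13, 9, 1, 30), "ep2", "jdoe"),
    (datetime(2017, 9, 13, 9, 2, 0), "ep1", "jdoe"),
    (datetime(2017, 9, 13, 9, 2, 30), "ep2", "jdoe"),
    (datetime(2017, 9, 13, 9, 20, 0), "ep1", "asmith"),
]


class FailedLoginRule:
    """Sliding-window counter keyed by (counter scope, user name)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.windows = defaultdict(deque)

    def observe(self, when, scope, user):
        """Record one failed login; return True if the rule fires on this event."""
        q = self.windows[(scope, user)]
        q.append(when)
        while q and when - q[0] > self.window:  # drop logins outside the window
            q.popleft()
        return len(q) >= self.threshold


def run_correlation(events, scope_of):
    """Feed events through the rule in time order. scope_of maps an Event
    Processor name to the counter scope. Returns the users the rule fired for."""
    rule = FailedLoginRule()
    fired = set()
    for when, processor, user in sorted(events):
        if rule.observe(when, scope_of(processor), user):
            fired.add(user)
    return sorted(fired)


def normal_local_correlation(events):
    """Normal correlation of a Local rule: one counter per Event Processor."""
    return run_correlation(events, lambda processor: processor)


def historical_correlation(events):
    """Historical correlation runs in a single location, so the rule is handled
    as if it were global: one counter for the entire JSA system."""
    return run_correlation(events, lambda processor: "console")


if __name__ == "__main__":
    print("normal (per-processor counters):", normal_local_correlation(SAMPLE_EVENTS))
    print("historical (single counter):", historical_correlation(SAMPLE_EVENTS))
```

With three failed logins on each processor, neither local counter reaches five, while the single historical counter fires on the fifth event.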
Offense Creation
Historical correlation runs create offenses only when a rule is triggered and the rule action
specifies that an offense must be created. A historical correlation run does not contribute
to a real-time offense, nor does it contribute to an offense that was created from an
earlier historical correlation run, even when the same profile is used.
The maximum number of offenses that can be created by a historical correlation run is
100. The historical correlation run stops when the limit is reached.
You can view historical offenses on the Threat and Security Monitoring dashboard and
on the Offenses tab at the same time that you review real-time offenses.
Related Documentation
• Creating a Historical Correlation Profile on page 203
• Viewing Information About Historical Correlation Runs on page 204
Creating a Historical Correlation Profile
You create a historical correlation profile to rerun past events and flows through the
custom rules engine (CRE). The profile includes information about the data set and the
rules to use during the run.
NOTE: You can create historical profiles only in JSA. You cannot create
historical profiles in Log Manager.
Common rules test data in both events and flows. You must have permission to view
both events and flows before you can add common rules to the profile. When a profile
is edited by a user who doesn't have permission to view both events and flows, the
common rules are automatically removed from the profile.
You can configure a profile to correlate by either start time or device time. Start time is
the time when the events arrive at the event collector. Device time is the time that the
event occurred on the device. Events can be correlated by start time or device time. Flows
can be correlated by start time only.
You can include disabled rules in the profile. Rules that are disabled are indicated in the
rules list with (Disabled) after the rule name.
A historical correlation run does not contribute to a real-time offense, nor does it contribute
to an offense that was created from an earlier historical correlation run, even when the
same profile is used.
1. Open the Historical Correlation dialog box.
• On the Log Activity tab, click Actions > Historical Correlation.
• On the Network Activity tab, click Actions > Historical Correlation.
• On the Offenses tab, click Rules > Actions > Historical Correlation.
2. Click Add and select Event Profile or Flow Profile.
3. Type a name for the profile and select a saved search.
You can use only non-aggregated saved searches.
4. On the Rules tab, select the rules to be run against the historical data, and choose the
correlation time.
If you select the Use all enabled rules check box, you cannot include disabled rules in
the profile. If you want to include both enabled and disabled rules in the profile, you
must select them individually from the rules list and click Add Selected.
5. On the Schedule tab, enter the time range for the saved search and set the profile
schedule settings.
6. On the Summary tab, review the configuration and choose whether to run the profile
immediately.
7. Click Save.
The profile is put into a queue to be processed. Queued profiles that are based on a
schedule take priority over manual runs.
Related Documentation
• Viewing Information About Historical Correlation Runs on page 204
• Historical Correlation Overview on page 202
Viewing Information About Historical Correlation Runs
View the history of a historical correlation profile to see information about past runs for
the profile. You can see the list of offenses that were created during the run and the
catalog of events or flows that matched the triggered rules in the profile. You can view
the history for historical correlation runs that are queued, running, complete, complete
with errors, and canceled.
A historical correlation catalog is created for each rule that is triggered for each unique
source IP address during the run, even if an offense was not created. The catalog contains
all the events or flows that either fully or partially match the triggered rule.
You cannot build reports on historical correlation data directly from JSA. If you want to
use third-party programs to build reports, you can export the data from JSA.
1. Open the Historical Correlation dialog box.
• On the Log Activity tab, click Actions > Historical Correlation.
• On the Network Activity tab, click Actions > Historical Correlation.
• On the Offenses tab, click Rules > Actions > Historical Correlation.
2. Select a profile and click View History.
a. If the historical correlation run status is Completed and the Offense Count is 0, the
profile rules did not trigger any offenses.
b. If the historical correlation run created offenses, in the Offense Count column, click
the link to see a list of the offenses that were created.
If only one offense was created, the offense summary is shown.
3. In the Catalogs column, click the links to see the list of events that either fully or partially
match the profile rules.
The StartTime column in the event list represents the time that JSA received the event.
4. Click Close.
Related Documentation
• Historical Correlation Overview on page 202
• Creating a Historical Correlation Profile on page 203
CHAPTER 13
Juniper Networks X-Force Integration
• Juniper Networks X-Force Integration on page 207
• Internet Threat Information Center Dashboard Widget on page 207
• IBM Security Threat Content Application on page 208
• IP Address and URL Categories on page 209
• Confidence Factor and IP Address Reputation on page 212
• Searching Data from Juniper X-Force Exchange with Advanced Search Criteria on page 213
Juniper Networks X-Force Integration
Juniper Networks X-Force security experts use a series of international data centers to
collect tens of thousands of malware samples, to analyze web pages and URLs, and to
run analysis to categorize potentially malicious IP addresses and URLs. You can use this
data to identify and remediate undesirable activity in your environment before it threatens
the stability of your network.
For example, you can identify and prioritize these types of incidents:
• A series of attempted logins for a dynamic range of IP addresses
• An anonymous proxy connection to a Business Partner portal
• A connection between an internal endpoint and a known botnet command and control
• Communication between an endpoint and a known malware distribution site
Internet Threat Information Center Dashboard Widget
The Internet Threat Information Center widget on the Threat and Security Monitoring
dashboard uses X-Force data to provide up-to-date advisories on security issues, daily
threat assessments, security news, and threat repositories.
The dashboard widget uses an embedded RSS feed to display X-Force data in the
dashboard widget. The JSA console must have access to the internet to receive data
from the X-Force update server (www.iss.net).
The dashboard uses four AlertCon threat level images to provide a visual indicator of the
current threat level.
Table 49: AlertCon Threat Levels
Level | Type | Description
1 | Normal threats | Ordinary activity that compromises unprotected networks, minutes to hours after JSA connects to the internet.
2 | Increased vigilance | Vulnerabilities or online threats to computer networks that require vulnerability assessment and corrective action.
3 | Focused attacks | Specific weaknesses and vulnerabilities that are the target of internet attacks and require immediate defensive action.
4 | Catastrophic threats | Critical security situations within a network that dictate an immediate and focused defensive action. This condition might be imminent or ongoing.
For more information about the current threat level, click the Learn More link to open the
Current Threat Activity page on the Juniper X-Force Exchange website.
To view a summary of the current advisories, click the arrow icon next to the advisory.
To investigate the full advisory, click the advisory link.
Related Documentation
• Security Threat Content Application on page 208
• IP Address and URL Categories on page 209
• Confidence Factor and IP Address Reputation on page 212
IBM Security Threat Content Application
The X-Force data includes a list of potentially malicious IP addresses and URLs with a
corresponding threat score. You use the X-Force rules to automatically flag any security
event or network activity data that involves the addresses, and to prioritize the incidents
before you begin to investigate them.
The following list shows examples of the types of incidents that you can identify using
the X-Force rules:
• when the [source IP|destinationIP|anyIP] is part of any of the following [remote network locations]
• when [this host property] is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value [equal to] [this amount]
• when [this URL property] is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating]
Your JSA administrator must install the IBM Security Threat Content application in order
for the rules to appear in the Threats group in the Rules List window. The rules must be
enabled before you can use them.
Enabling X-Force Rules in JSA
By adding the IBM Security Threat Content application to your JSA system, X-Force rules
are added to the Rules List. The rules must be enabled before you can use them.
1. Click the Log Activity tab.
2. On the toolbar, click Rules > Rules.
3. From the Group menu, click Threats.
The Group column might show both legacy and enhanced rules. By default, X-Force
legacy rules are disabled. However, you might see legacy rules that are enabled. Use
the newer enhanced rules in the Threat group, and not the legacy rules that use the
remote nets.
4. Select the X-Force rules in the Threat group and click Actions > Enable/Disable.
Related Documentation
• IP Address and URL Categories on page 209
• Confidence Factor and IP Address Reputation on page 212
• Searching Data from Juniper X-Force Exchange with Advanced Search Criteria on page 213
IP Address and URL Categories
X-Force Threat Intelligence categorizes IP address and URL information.
The IP addresses are grouped into the following categories:
• Malware hosts
• Spam sources
• Dynamic IP addresses
• Anonymous proxies
• Botnet Command and Control
• Scanning IP addresses
The X-Force Threat Intelligence feed also categorizes URL addresses.
Finding IP Address and URL Information in X-Force Exchange
Use right-click menu options in JSA to find information about IP addresses and URLs
that is found on X-Force Exchange. You can use the information from your JSA searches,
offenses, and rules to research further or to add information about IP addresses or URLs
to an X-Force Exchange collection.
You can contribute either public or private information to track data in collections when
you research security issues.
A collection is a repository where you store the information that is found during an
investigation. You can use a collection to save X-Force Exchange reports, comments, or
any other content. An X-Force Exchange report contains both a version of the report from
the time when it was saved, and a link to the current version of the report. The collection
contains a section that has a wiki-style notepad where you can add comments that are
relevant to the collection.
1. To look up an IP address in X-Force Exchange from JSA, follow these steps:
a. Select the Log Activity or the Network Activity tab.
b. Right-click the IP address that you want to view in X-Force Exchange and select More Options > Plugin Options > X-Force Exchange Lookup to open the X-Force Exchange interface.
2. To look up a URL in X-Force Exchange from JSA, follow these steps:
a. Select either the Offenses tab, or the event details window that is available from the Offenses tab.
b. Right-click the URL that you want to look up in X-Force Exchange and select Plugin Options > X-Force Exchange Lookup to open the X-Force Exchange interface.
Creating a URL Categorization Rule to Monitor Access to Certain Types Of Websites
You can create a rule that sends an email notification if users of the internal network
access URL addresses that are categorized as gambling websites.
To use X-Force data in rules, your administrator must configure JSA to load data from
the X-Force servers.
To create a new rule, you must have the Offenses > Maintain Custom Rules permission.
1. Click the Offenses tab.
2. On the navigation menu, click Rules.
3. From the Actions list, select New Event Rule.
4. Read the introductory text on the Rule wizard and click Next.
5. Click Events and click Next.
6. From the Test Group list box, select X-Force Tests.
7. Click the plus (+) sign beside the when URL (custom) is categorized by X-Force as one
of the following categories test.
8. In the enter rule name here field in the Rule pane, type a unique name that you want
to assign to this rule.
9. From the list box, select Local or Global.
10. Click the underlined configurable parameters to customize the variables of the test.
a. Click URL (custom).
b. Select the URL property that contains the URL that was extracted from the payload
and click Submit.
c. Click one of the following categories.
d. Select Gambling / Lottery from the X-Force URL categories, click Add + and click
Submit.
11. To export the configured rule as a building block to use with other rules:
a. Click Export as Building Block.
b. Type a unique name for this building block.
c. Click Save.
12. On the Groups pane, select the check boxes of the groups to which you want to assign
this rule.
13. In the Notes field, type a note that you want to include for this rule, and click Next.
14. On the Rule Responses page, click Email and type the email addresses that receive
the notification.
15. Click Next.
16. If the rule is accurate, click Finish.
Related Documentation
• Confidence Factor and IP Address Reputation on page 212
• Searching Data from Juniper X-Force Exchange with Advanced Search Criteria on page 213
• Security Threat Content Application on page 208
Confidence Factor and IP Address Reputation
IP address reputation data is evaluated on the time that it is seen and the volume of
messages or data. X-Force categorizes IP address reputation data and assigns a
confidence factor value 0 - 100, where 0 represents no confidence and 100 represents
certainty. For example, X-Force might categorize a source IP address as a scanning IP
with a confidence factor of 75, which is a moderately high level of confidence.
Determining a Threshold
As an example, spam messages with an IP address reputation entry of 0 indicates that
the source IP traffic is not spam, whereas an entry of 100 indicates definite spam traffic.
Thus, values less than 50 indicate less probability that the message is spam, and values
greater than 50 indicate more probability that the message is spam. A value of 50 or
higher is the threshold where you might consider action on a triggered rule.
These probabilities are based on ongoing web-based data that Juniper X-Force Threat
Intelligence continuously collects and analyzes from around the world in X-Force data
centers. As data is collected, the system evaluates how much spam is received from a
particular IP address, or how frequently the flagged IP address is in the IP address
reputation category. The more times, the higher the system scores the confidence factor.
Tuning False Positives with the Confidence Factor Setting
Use the confidence factor to limit the number of offenses that are created by triggered
rules. Depending on the level of protection that you want, you adjust the confidence
values to a level that best matches your network environment.
When you tune rules, consider a scale where 50 is the tipping point. On assets of lower
importance, you might weigh an X-Force rule to trigger at a higher confidence factor for
specific categories, like spam. For example, tuning a rule to a confidence factor of 75
means the rule triggers only when X-Force sees an IP address at or above a confidence
factor of 75. This tuning reduces the number of offenses that are generated on lower
priority systems and non-critical assets. However, an important system or critical business
asset with a confidence factor of 50 triggers an offense at a lower level and brings
attention to an issue more quickly.
For your DMZ, choose a higher confidence value such as 95% or higher. You do not need
to investigate many offenses in this area. With a high confidence level, the IP addresses
are more likely to match the category that is listed. If it is 95% certain that a host is serving
malware, then you need to know about it.
For more secure areas of the network, like a server pool, lower the confidence value. More
potential threats are identified and you spend less effort investigating because the threat
pertains to a specific network segment.
For optimum false positive tuning, manage your rule triggers by segment. Look at your
network infrastructure and decide which assets need a high level of protection, and which
assets do not. You can apply different confidence values for the different network
segments. Use building blocks for grouping commonly used tests so that they can be
used in rules.
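Per-segment confidence thresholds, as an added Python example (not JSA code): the segment names and address ranges, the server-pool threshold of 40 and the reputation entries are constructed assumptions, while 95 (DMZ), 75 (lower-importance assets) and 50 (the tipping point) follow the guidance above. The model fires when the X-Force confidence is at or above the threshold of the local host's segment.

```python
"""Per-segment confidence-factor thresholds for X-Force IP reputation rules.
Added example, not JSA code: the segment names and address ranges, the
server-pool threshold of 40 and the reputation entries are assumptions; 95
(DMZ), 75 (lower-importance assets) and 50 (tipping point) follow the guide."""
import ipaddress

# Network segments (stand-ins for network hierarchy objects or building blocks).
SEGMENTS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "critical_servers": ipaddress.ip_network("10.10.0.0/16"),
    "server_pool": ipaddress.ip_network("10.30.0.0/16"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
}

# Confidence factor at which an X-Force rule fires for hosts in each segment.
SEGMENT_THRESHOLDS = {
    "dmz": 95,               # high: few offenses, only near-certain matches
    "critical_servers": 50,  # the tipping point: surface issues quickly
    "server_pool": 40,       # assumption: a lower value for a more secure area
    "workstations": 75,      # lower-importance assets: trigger at higher confidence
}
DEFAULT_THRESHOLD = 50  # hosts outside every segment use the tipping point

# Constructed X-Force style reputation data: remote IP -> (category, confidence).
REPUTATION = {
    "198.51.100.7": ("Scanning IPs", 75),
    "198.51.100.9": ("Malware", 97),
    "198.51.100.11": ("Spam", 30),
}


def segment_of(local_ip):
    """Return the name of the segment containing local_ip, or None."""
    addr = ipaddress.ip_address(local_ip)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return None


def threshold_for(local_ip):
    """Confidence threshold that applies to the local host's segment."""
    return SEGMENT_THRESHOLDS.get(segment_of(local_ip), DEFAULT_THRESHOLD)


def rule_fires(local_ip, remote_ip, category):
    """Model of the test "when this host property is categorized by X-Force as
    this category with confidence value ... this amount", where the amount is
    taken from the local host's segment and compared as at-or-above."""
    entry = REPUTATION.get(remote_ip)
    if entry is None or entry[0] != category:
        return False
    return entry[1] >= threshold_for(local_ip)


def evaluate(flows, category):
    """Return the (local, remote) pairs in flows for which the rule fires."""
    return [(loc, rem) for loc, rem in flows if rule_fires(loc, rem, category)]


# Constructed flows: local host -> remote host, all to the same scanner (75).
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7"),  # DMZ host: 75 is below the 95 threshold
    ("10.10.5.5", "198.51.100.7"),     # critical server: 75 >= 50, fires
    ("10.30.1.1", "198.51.100.7"),     # server pool: 75 >= 40, fires
    ("10.20.1.1", "198.51.100.7"),     # workstation: 75 >= 75, fires
    ("192.0.2.4", "198.51.100.7"),     # unsegmented: default 50, fires
]
```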
1. Click the Log Activity tab.
2. On the toolbar, click Rules > Rules.
3. Double-click a rule to start the Rule wizard.
4. In the filter box, type the following text:
when this host property is categorized by X-Force as this category with confidence
value equal to this amount
5. Click the Add test to rule (+) icon.
6. In the Rule section, click the this amount link.
7. Enter a confidence value.
8. Click Submit.
9. Click Finish to exit the Rules wizard.
Related Documentation
• Searching Data from Juniper X-Force Exchange with Advanced Search Criteria on page 213
• Security Threat Content Application on page 208
• IP Address and URL Categories on page 209
Searching Data from Juniper X-Force Exchange with Advanced Search Criteria
For complex queries, you can search and filter data from X-Force Exchange by using
Advanced Search expressions.
Advanced searches return data from the Log Activity or the Network Activity tab in JSA.
URL searches cannot be returned from the Network Activity tab because the URL
information is provided by the event data.
1. Click the Log Activity tab.
2. On the Search toolbar, select Advanced Search.
3. Type an AQL query expression.
4. Click Search.
Related Documentation
• Security Threat Content Application on page 208
• IP Address and URL Categories on page 209
• Confidence Factor and IP Address Reputation on page 212
CHAPTER 14
Report Management
• Report Management on page 215
• Report Layout on page 216
• Chart Types on page 216
• Report Tab Toolbar on page 218
• Graph Types on page 219
• Creating Custom Reports on page 221
• Editing a Report on page 225
• Viewing Generated Reports on page 225
• Deleting Generated Content on page 226
• Manually Generating a Report on page 227
• Duplicating a Report on page 227
• Sharing a Report on page 228
• Branding Reports on page 228
• Report Groups on page 229
Report Management
You can use the Reports tab to create, edit, distribute, and manage reports.
Detailed, flexible reporting options satisfy your various regulatory standards, such as PCI
compliance.
You can create your own custom reports or use a default report. You can customize and
rebrand default reports and distribute them to other users.
The Reports tab might require an extended period of time to refresh if your system includes
many reports.
NOTE: If you are running Microsoft Exchange Server 5.5, unavailable font
characters might be displayed in the subject line of emailed reports. To resolve
this, download and install Service Pack 4 of Microsoft Exchange Server 5.5.
For more information, contact Microsoft support.
Timezone Considerations
To ensure that the Reports feature uses the correct date and time for reporting data,
your session must be synchronized with your timezone.
During the installation and setup of JSA products, the time zone is configured. Check with
your administrator to ensure your JSA session is synchronized with your timezone.
Report Tab Permissions
Administrative users can view all reports that are created by other users.
Non-administrative users can view only the reports that they created or reports that are
shared by other users.
Report Tab Parameters
The Reports tab displays a list of default and custom reports.
From the Reports tab, you can view statistical information about the report templates,
perform actions on the report templates, view the generated reports, and delete generated
content.
If a report does not specify an interval schedule, you must generate it manually; see
“Manually Generating a Report” on page 227.
You can point your mouse over any report to preview a report summary in a tooltip. The
summary specifies the report configuration and the type of content the report generates.
Report Layout
A report can consist of several data elements and can represent network and security
data in various styles, such as tables, line charts, pie charts, and bar charts.
When you select the layout of a report, consider the type of report you want to create.
For example, do not choose a small chart container for graph content that displays many
objects. Each graph includes a legend and a list of networks from which the content is
derived; choose a large enough container to hold the data. To preview how each chart
displays data, see “Graph Types” on page 219.
Related Documentation
• Chart Types on page 216
• Report Tab Toolbar on page 218
• Graph Types on page 219
Chart Types
When you create a report, you must choose a chart type for each chart you include in
your report.
The chart type determines how the data and network objects appear in your report.
You can use any of the following types of charts:
Table 50: Chart Types

None
    Use this option if you need white space in your report. If you select the None option for any container, no further configuration is required for that container.

Asset Vulnerabilities
    Use this chart to view vulnerability data for each defined asset in your deployment. You can generate Asset Vulnerability charts when vulnerabilities have been detected by a VA scan. This chart is available after you install JSA Vulnerability Manager.

Connections
    This chart option is only displayed if you purchased and licensed JSA Risk Manager. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

Device Rules
    This chart option is only displayed if you purchased and licensed JSA Risk Manager. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

Device Unused Objects
    This chart option is only displayed if you purchased and licensed JSA Risk Manager. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

Events/Logs
    Use this chart to view event information. You can base a chart on data from saved searches on the Log Activity tab. You can configure the chart to plot data over a configurable period of time to detect event trends. For more information about saved searches, see “Searches” on page 147.

Log Sources
    Use this chart to export or report on log sources. Select the log sources and log source groups that you want to appear in the report. Sort log sources by report columns. Include log sources that are not reported for a defined time period. Include log sources that were created in a specified time period.

Flows
    Use this chart to view flow information. You can base a chart on data from saved searches on the Network Activity tab. You can configure the chart to plot flow data over a configurable period of time to detect flow trends. For more information about saved searches, see “Searches” on page 147.

Top Destination IPs
    Use this chart to display the top destination IPs in the network locations you select.

Top Offenses
    Use this chart to display the top offenses that occur at present time for the network locations you select.

Offenses Over Time
    Use this chart to display all offenses that have a start time within a defined time span for the network locations you select.

Top Source IPs
    Use this chart to display and sort the top offense sources (IP addresses) that attack your network or business assets.

Vulnerabilities
    The Vulnerabilities option is only displayed when the JSA Vulnerability Manager was purchased and licensed. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.

Table 51: Chart Types

None
    Use this option if you need white space in your report. If you select the None option for any container, no further configuration is required for that container.

Asset Vulnerabilities
    Use this chart to view vulnerability data for each defined asset in your deployment. You can generate Asset Vulnerability charts when vulnerabilities have been detected by a VA scan. This chart is available after you install JSA Vulnerability Manager.

Vulnerabilities
    The Vulnerabilities option is only displayed when the JSA Vulnerability Manager was purchased and licensed. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
Related Documentation
• Report Tab Toolbar on page 218
• Graph Types on page 219
• Creating Custom Reports on page 221
Report Tab Toolbar
You can use the toolbar to perform a number of actions on reports.
The following table identifies and describes the Reports toolbar options.
Table 52: Report Toolbar Options

Group
    Manage Groups
    Click Manage Groups to manage report groups (see “Report Groups” on page 229). Using the Manage Groups feature, you can organize your reports into functional groups. You can share report groups with other users.

Actions
    Click Actions to perform the following actions:
    • Create— Select this option to create a new report.
    • Edit— Select this option to edit the selected report. You can also double-click a report to edit the content.
    • Duplicate— Select this option to duplicate the selected report (see “Duplicating a Report” on page 227).
    • Assign Groups— Select this option to assign the selected report to a group (see “Assign a Report to a Group” on page 232).
    • Share— Select this option to share the selected report with other users. You must have administrative privileges to share a report (see “Sharing a Report” on page 228).
    • Toggle Scheduling— Select this option to toggle the selected report to the Active or Inactive state.
    • Run Report— Select this option to generate the selected report manually (see “Manually Generating a Report” on page 227). To generate multiple reports, hold the Control key and click the reports you want to generate.
    • Run Report on Raw Data— Select this option to generate the selected report using raw data. This option is useful when you want to generate a report before the required accumulated data is available. For example, if you want to run a weekly report before a full week has elapsed since you created the report, you can generate the report using this option.
    • Delete Report— Select this option to delete the selected report. To delete multiple reports, hold the Control key and click the reports you want to delete.
    • Delete Generated Content— Select this option to delete all generated content for the selected rows. To delete multiple generated reports, hold the Control key and click the generated reports you want to delete.

Hide Inactive Reports
    Select this check box to hide inactive report templates. The Reports tab automatically refreshes and displays only active reports. Clear the check box to show the hidden inactive reports.

Search Reports
    Type your search criteria in the Search Reports field and click the Search Reports icon. A search is run on the following parameters to determine which match your specified criteria:
    • Report Title
    • Report Description
    • Report Group
    • Report Groups
    • Report Author User Name
Related Documentation
• Graph Types on page 219
• Creating Custom Reports on page 221
• Editing a Report on page 225
Graph Types
Each chart type supports various graph types that you can use to display data.
The network configuration files determine the colors that the charts use to depict network
traffic. Each IP address is depicted by using a unique color. The following table provides
examples of how network and security data is used in charts. The table describes the
chart types that are available for each type of graph.
Table 53: Graph Types

Line
    Available chart types:
    • Events/Logs
    • Flows
    • Connections
    • Vulnerabilities

Stacked Line
    Available chart types:
    • Events/Logs
    • Flows
    • Connections
    • Vulnerabilities

Bar
    Available chart types:
    • Events/Logs
    • Flows
    • Asset Vulnerabilities
    • Connections
    • Vulnerabilities

Horizontal Bar
    Available chart types:
    • Top Source IPs
    • Top Offenses
    • Offenses Over Time
    • Top Destination IPs

Stacked Bar
    Available chart types:
    • Events/Logs
    • Flows
    • Connections

Pie
    Available chart types:
    • Events/Logs
    • Flows
    • Asset Vulnerabilities
    • Connections
    • Vulnerabilities

Table
    Available chart types:
    • Events/Logs
    • Flows
    • Top Source IPs
    • Top Offenses
    • Offenses Over Time
    • Top Destination IPs
    • Connections
    • Vulnerabilities
    To display content in a table, you must design the report with a full page width container.

Aggregate Table
    Available with the Asset Vulnerabilities chart.
    To display content in a table, you must design the report with a full page width container.
The following graph types are available for JSA Log Manager reports:
• Line
• Stacked Line
• Bar
• Stacked Bar
• Pie
• Table
NOTE: When you create bar and stacked bar graph reports, the legend is
presented in a fixed format and the bars or bar sections are represented by
color coded labels in most cases. If you select time as the value for the x axis,
you can create time intervals on the x axis.
To display content in a table, you must design a report with a full page width container.
Related Documentation
• Creating Custom Reports on page 221
• Editing a Report on page 225
• Viewing Generated Reports on page 225
Creating Custom Reports
Use the Report wizard to create and customize a new report.
You must have appropriate network permissions to share a generated report with other
users.
For more information about permissions, see the Juniper Secure Analytics Administration
Guide.
The Report wizard provides a step-by-step guide on how to design, schedule, and generate
reports.
The wizard uses the following key elements to help you create a report:
• Layout— Position and size of each container
• Container— Placeholder for the featured content
• Content— Definition of the chart that is placed in the container
After you create a report that generates weekly or monthly, the scheduled time must
elapse before the generated report returns results. For example, a weekly report requires
seven days of data and returns results only after those seven days have elapsed.
When you specify the output format for the report, consider that the file size of generated
reports can be 1 to 2 megabytes, depending on the selected output format. The PDF format
is smaller and uses less disk storage space.
1. Click the Reports tab.
2. From the Actions list box, select Create.
3. On the Welcome to the Report wizard! window, click Next.
4. Select one of the following options:
   Manually
       By default, the report generates 1 time. You can generate the report as often as you want.
   Hourly
       Schedules the report to generate at the end of each hour. The data from the previous hour is used.
       From the list boxes, select a time frame to begin and end the reporting cycle. A report is generated for each hour within this time frame. Time is available in half-hour increments. The default is 1:00 a.m. for both the From and To fields.
   Daily
       Schedules the report to generate at the end of each day. The data from the previous day is used.
       From the list boxes, select the time and the days of the week that you want the report to run.
   Weekly
       Schedules the report to generate weekly using the data from the previous week.
       Select the day that you want to generate the report. The default is Monday. From the list box, select a time to begin the reporting cycle. Time is available in half-hour increments. The default is 1:00 a.m.
   Monthly
       Schedules the report to generate monthly using the data from the previous month.
       From the list box, select the date that you want to generate the report. The default is the first day of the month. Select a time to begin the reporting cycle. Time is available in half-hour increments. The default is 1:00 a.m.
5. In the Allow this report to generate manually pane, select Yes or No.
6. Configure the layout of your report:
a. From the Orientation list box, select Portrait or Landscape for the page orientation.
b. Select one of the six layout options that are displayed on the Report wizard.
   c. Click Next.
7. Specify values for the following parameters:
   Report Title
       The title can be up to 100 characters in length. Do not use special characters.
   Logo
       From the list box, select a logo.
   Pagination Options
       From the list box, select a location for page numbers to display on the report. You can choose not to have page numbers display.
   Report Classification
       Type a classification for this report. You can type up to 75 characters in length. You can use leading spaces, special characters, and double byte characters. The report classification displays in the header and footer of the report. You might want to classify your report as confidential, highly confidential, sensitive, or internal.
8. Configure each container in the report:
a. From the Chart Type list box, select a chart type.
b. On the Container Details window, configure the chart parameters.
NOTE: You can also create asset saved searches. From the Search to
use list box, select your saved search.
c. Click Save Container Details.
d. If you selected more than one container, repeat steps a to c.
   e. Click Next.
9. Preview the Layout Preview page, and then click Next.
10. Select the check boxes for the report formats you want to generate, and then click
Next.
NOTE: Extensible Markup Language is only available for tables.
11. Select the distribution channels for your report, and then click Next. Options include
the following distribution channels:
   Report Console
       Select this check box to send the generated report to the Reports tab. Report Console is the default distribution channel.
   Select the users that should be able to view the generated report.
       This option is displayed after you select the Report Console check box. From the list of users, select the users that you want to grant permission to view the generated reports.
   Select all users
       This option is only displayed after you select the Report Console check box. Select this check box if you want to grant permission to all users to view the generated reports. You must have appropriate network permissions to share the generated report with other users.
   Email
       Select this check box if you want to distribute the generated report by email.
   Enter the report distribution email address(es)
       This option is only displayed after you select the Email check box. Type the email address for each generated report recipient; separate a list of email addresses with commas. The maximum number of characters for this parameter is 255.
   Include Report as attachment (non-HTML only)
       This option is only displayed after you select the Email check box. Select this check box to send the generated report as an attachment.
   Include link to Report Console
       This option is only displayed after you select the Email check box. Select this check box to include a link to the Report Console in the email.
12. On the Finishing Up page, enter values for the following parameters.
   Report Description
       Type a description for this report. The description is displayed on the Report Summary page and in the generated report distribution email.
   Please select any groups you would like this report to be a member of
       Select the groups to which you want to assign this report. For more information about groups, see “Report Groups” on page 229.
   Would you like to run the report now?
       Select this check box if you want to generate the report when the wizard is complete. By default, the check box is selected.
13. Click Next to view the report summary.
14. On the Report Summary page, select the tabs available on the summary report to
preview your report configuration.
The report immediately generates. If you cleared the Would you like to run the report now
check box on the final page of the wizard, the report is saved and generates at the
scheduled time. The report title is the default title for the generated report. If you
reconfigure a report to enter a new report title, the report is saved as a new report with
the new name; however, the original report remains the same.
Related Documentation
• Editing a Report on page 225
• Viewing Generated Reports on page 225
• Deleting Generated Content on page 226
Editing a Report
Using the Report wizard, you can edit any default or custom report to change its content.
You can use or customize a significant number of default reports. The default Reports
tab displays the list of reports. Each report captures and displays the existing data.
NOTE: When you customize a scheduled report to generate manually, select
the time span End Date before you select the Start Date.
1. Click the Reports tab.
2. Double-click the report that you want to customize.
3. On the Report wizard, change the parameters to customize the report to generate the
content you require.
If you reconfigure a report to enter a new report title, the report is saved as a new report
with the new name; however, the original report remains the same.
Related Documentation
• Viewing Generated Reports on page 225
• Deleting Generated Content on page 226
• Manually Generating a Report on page 227
Viewing Generated Reports
On the Reports tab, an icon is displayed in the Formats column if a report has generated
content. You can click the icon to view the report.
When a report has generated content, the Generated Reports column displays a list box.
The list box displays all generated content, which is organized by the time-stamp of the
report. The most recent reports are displayed at the top of the list. If a report has no
generated content, the None value is displayed in the Generated Reports column.
Icons representing the report format of the generated report are displayed in the Formats
column.
Reports can be generated in PDF, HTML, RTF, XML, and XLS formats.
NOTE: The XML and XLS formats are available only for reports that use a
single chart table format (portrait or landscape).
You can view only the reports to which you have been given access by the administrator.
Administrative users can access all reports.
If you use the Mozilla Firefox web browser and you select the RTF report format, the
Mozilla Firefox web browser starts a new browser window. This new window launch is
the result of the Mozilla Firefox web browser configuration and does not affect JSA. You
can close the window and continue with your JSA session.
1. Click the Reports tab.
2. From the list box in the Generated Reports column, select the time-stamp of the report
you want to view.
3. Click the icon for the format you want to view.
Related Documentation
• Deleting Generated Content on page 226
• Manually Generating a Report on page 227
• Duplicating a Report on page 227
Deleting Generated Content
When you delete generated content, all reports that have generated from the report
template are deleted, but the report template is retained.
1. Click the Reports tab.
2. Select the reports for which you want to delete the generated content.
3. From the Actions list box, click Delete Generated Content.
Related Documentation
• Manually Generating a Report on page 227
• Duplicating a Report on page 227
• Sharing a Report on page 228
Manually Generating a Report
A report can be configured to generate automatically; however, you can manually generate
a report at any time.
While a report generates, the Next Run Time column displays one of the three following
messages:
• Generating— The report is generating.
• Queued (position in the queue)— The report is queued for generation. The message
indicates the position that the report is in the queue. For example, 1 of 3.
• (x hour(s) x min(s) y sec(s))— The report is scheduled to run. The message is a
count-down timer that specifies when the report will run next.
You can select the Refresh icon to refresh the view, including the information in the Next
Run Time column.
1. Click the Reports tab.
2. Select the report that you want to generate.
3. Click Run Report.
After the report generates, you can view it from the Generated Reports column; see
“Viewing Generated Reports” on page 225.
Related Documentation
• Duplicating a Report on page 227
• Sharing a Report on page 228
• Branding Reports on page 228
Duplicating a Report
To create a report that closely resembles an existing report, you can duplicate the report
that you want to model, and then customize it.
1. Click the Reports tab.
2. Select the report that you want to duplicate.
3. From the Actions list box, click Duplicate.
4. Type a new name, without spaces, for the report.
You can edit the duplicated report; see “Editing a Report” on page 225.
Related Documentation
• Sharing a Report on page 228
• Branding Reports on page 228
• Report Groups on page 229
Sharing a Report
You can share reports with other users. When you share a report, you provide a copy of
the selected report to another user to edit or schedule.
Any updates that the user makes to a shared report do not affect the original version
of the report.
You must have administrative privileges to share reports. Also, for a new user to view
and access reports, an administrative user must share all the necessary reports with the
new user.
You can only share the report with users that have the appropriate access.
1. Click the Reports tab.
2. Select the reports that you want to share.
3. From the Actions list box, click Share.
4. From the list of users, select the users with whom you want to share this report.
Related Documentation
• Branding Reports on page 228
• Report Groups on page 229
• Duplicating a Report on page 227
Branding Reports
To brand reports, you can import logos and specific images. To brand reports with custom
logos, you must upload and configure the logos before you begin using the Report wizard.
Ensure that the graphic you want to use is 144 x 50 pixels with a white background.
To make sure that your browser displays the new logo, clear your browser cache.
Report branding is beneficial for your enterprise if you support more than one logo. When
you upload an image, the image is automatically saved as a Portable Network Graphic
(PNG).
When you upload a new image and set the image as your default, the new default image
is not applied to reports that have been previously generated. Updating the logo on
previously generated reports requires you to manually generate new content from the
report.
If you upload an image that is larger than the report header can support, the image
automatically resizes to fit the header; this is approximately 50 pixels in height.
1. Click the Reports tab.
2. On the navigation menu, click Branding.
3. Click Browse to browse the files that are located on your system.
4. Select the file that contains the logo you want to upload. Click Open.
5. Click Upload Image.
6. Select the logo that you want to use as the default and click Set Default Image.
Related Documentation
• Report Groups on page 229
• Duplicating a Report on page 227
• Sharing a Report on page 228
Report Groups
You can sort reports into functional groups. If you categorize reports into groups, you can
efficiently organize and find reports.
For example, you can view all reports that are related to Payment Card Industry Data
Security Standard (PCIDSS) compliance.
By default, the Reports tab displays the list of all reports, however, you can categorize
reports into groups such as:
• Compliance
• Executive
• Log Sources
• Network Management
• Security
• VoIP
• Other
When you create a new report, you can assign the report to an existing group or create
a new group. You must have administrative access to create, edit, or delete groups.
For more information about user roles, see the Juniper Secure Analytics Administration
Guide.
Creating a Report Group
You can create new groups.
1. Click the Reports tab.
2. Click Manage Groups.
3. Using the navigation tree, select the group under which you want to create a new
group.
4. Click New Group.
5. Enter values for the following parameters:
• Name: Type the name for the new group. The name can be up to 255 characters in
length.
• Description: Optional. Type a description for this group. The description can be up
to 255 characters in length.
6. Click OK.
7. To change the location of the new group, click the new group and drag the folder to
the new location on the navigation tree.
8. Close the Report Groups window.
Editing a Group
You can edit a report group to change the name or description.
1. Click the Reports tab.
2. Click Manage Groups.
3. From the navigation tree, select the group that you want to edit.
4. Click Edit.
5. Update values for the parameters, as necessary:
• Name: Type the name for the group. The name can be up to 255 characters in
length.
• Description: Optional. Type a description for this group. The description can be up
to 255 characters in length.
6. Click OK.
7. Close the Report Groups window.
Sharing Report Groups
You can share report groups with other users.
You must have administrative permissions to share a report group with other users.
For more information about permissions, see the Juniper Secure Analytics Administration
Guide.
You cannot use the Content Management Tool (CMT) to share report groups.
For more information about the CMT, see the Juniper Secure Analytics Administration
Guide.
On the Report Groups window, shared users can see the report group in the report list.
Any updates that the user makes to a shared report group do not affect the original
version of the report group. Only the owner can delete or modify it.
A copy of the report is created when a user duplicates or runs the shared report. The user
can edit or schedule reports within the copied report group.
The group sharing option overrides previous report sharing options that were configured
for reports in the group.
1. Click the Reports tab.
2. On the Reports window, click Manage Groups.
3. On the Report Groups window, select the report group that you want to share and
click Share.
4. On the Sharing Options window, select one of the following options.
   Default (inherit from parent)
       The report group is not shared. Any copied report group or generated report remains in the user's report list. Each report in the group is assigned any parent report sharing option that was configured.
   Share with Everyone
       The report group is shared with all users.
   Share with users matching the following criteria...
       The report group is shared with specific users.
       • User Roles: Select from the list of user roles and press the add icon (+).
       • Security Profiles: Select from the list of security profiles and press the add icon (+).
5. Click Save.
On the Report Groups window, shared users see the report group in the report list.
Generated reports display content based on security profile setting.
Assign a Report to a Group
You can use the Assign Groups option to assign a report to another group.
1. Click the Reports tab.
2. Select the report that you want to assign to a group.
3. From the Actions list box, select Assign Groups.
4. From the Item Groups list, select the check box of the group you want to assign to this
report.
5. Click Assign Groups.
Copying a Report to Another Group
Use the Copy icon to copy a report to one or more report groups.
1. Click the Reports tab.
2. Click Manage Groups.
3. From the navigation tree, select the report that you want to copy.
4. Click Copy.
5. Select the group or groups to which you want to copy the report.
6. Click Assign Groups.
7. Close the Report Groups window.
Removing a Report
Use the Remove icon to remove a report from a group.
When you remove a report from a group, the report still exists on the Reports tab. The
report is not removed from your system.
1. Click the Reports tab.
2. Click Manage Groups.
3. From the navigation tree, navigate to the folder that contains the report you want to
remove.
4. From the list of groups, select the report that you want to remove.
5. Click Remove.
6. Click OK.
7. Close the Report Groups window.
Related Documentation
• Duplicating a Report on page 227
• Sharing a Report on page 228
• Branding Reports on page 228