Juniper Secure Analytics Release Notes

Juniper Secure Analytics Release Notes 2014.4 November 2015

Juniper Secure Analytics (JSA) 2014.4 Release Notes provides new features, known issues and limitations, and fixes to known issues.

Contents

New and Updated Functionality
Installing JSA
Known Issues and Limitations
Resolved Issues
Documentation Feedback
Revision History

Copyright © 2015, Juniper Networks, Inc.


New and Updated Functionality

This section describes the new features and enhancements of Juniper Secure Analytics (JSA) for the 2014.4 release.

For installers in high availability deployments in JSA 2014.4

• JSA 2014.4 high availability deployments include configuration options for crossover cables and IPv6 support

  Configuring a crossover cable—In a high volume high availability deployment, the interfaces on both the primary and secondary high availability hosts can become saturated. If performance is impacted, you can use a second pair of interfaces on the primary and secondary high availability hosts to manage high availability and data replication.

  IPv6—You can configure IPv6 hosts for high availability.

For administrators in high availability deployments in JSA 2014.4

• JSA 2014.4 introduces archiving Data Node content, saving event processor data to a Data Node appliance, forwarding profiles, and more features

  Specify the event data properties to send to other systems—Configure forwarding profiles for event data that is sent in JSON format to forwarding destinations.

  Save event processor data to a Data Node appliance—Improve event processor performance by saving all data to a Data Node appliance, rather than to the event processor itself.

  Archive Data Node content—You can store historic data separately and deliver historic searches and analytics without impacting real-time security operations.

  Use the updated Network Hierarchy design to prevent false offenses—The relevance of an offense, which is a security or compliance breach, indicates the importance of a destination. Less important areas of the network have a lower relevance. determines the relevance of an offense by the weight of the networks and assets.

  Domain-specific rules in JSA Log Manager—If a rule has a domain test, you can restrict that rule so that it is applied only to events that occur within a specified domain.

  Flow burst handling minimizes data loss—Flow burst handling ensures that data loss is minimized during high bursts of network flow data.

  Security profiles in authentication services—When you add an authorized service, you can assign a security profile to the authentication services. Security profiles determine the networks and log sources that a user can access on the JSA user interface.

For RESTful APIs in JSA 2014.4

• JSA 2014.4 introduces V3.0 of API endpoints.

  Ariel command-line query—JSA 2014.4 includes an ariel_query script, which is located in the /opt//bin directory on the console. The script provides command-line access to create a synchronous Ariel query through the REST API. The query blocks until the search is complete and results are returned. Results can be requested to be returned in JSON, CSV, XML, or Table format.

  RESTful API user interface documentation page is enhanced to support field, paging, and filter parameters—Most API endpoints now support common fields, paging, and filter parameters. These parameters are used to request partial results from an API endpoint.

  Reference Data API security profile restrictions are enhanced—A general restriction is removed that required users and authentication tokens to have security profiles with access to all networks and all log sources to be able to use an API endpoint. Security profile processing is performed as necessary for each endpoint. All reference data API endpoints were updated to remove restrictions that are based on security profiles.

  Updated 404 error message—The 404 error message is updated to be more generic. The "Please refer to the documentation for the list of resources" sentence is removed and the error message now states "We could not find the resource you requested."

Updated endpoints

The following endpoints are updated:

• POST /api/ariel/searches
  The start_time and end_time parameters were removed. You can specify time windows for searches by using the appropriate AQL syntax in the query_expression parameter.

• POST api/referencedata_sets/bulkLoad/{name}
  When invalid data is provided in the request, the 422 error response code is returned instead of the 500 error response code.

• GET /api/siem/offenses
  This endpoint includes the following updates:

  • Returns offenses from only the network that is specified in the security profile that is assigned to the user.
  • Custom paging is removed and replaced with standard API paging.
  • The Offense close time parameter is now returned in milliseconds instead of seconds.

New endpoints

• GET /api/siem/offense_closing_reasons
• POST /api/siem/offense_closing_reasons
• GET /api/siem/offense_closing_reasons/{closing_reason_id}
• GET /api/siem/offenses/{offense_id}
• POST /api/siem/offenses/{offense_id}
• GET /api/siem/offenses/{offense_id}/notes
• POST /api/siem/offenses/{offense_id}/notes
• GET /api/siem/offenses/{offense_id}/notes/{note_id}


Deprecated endpoints

You can use deprecated endpoints in JSA 2014.4, but they will be removed in a future release, so upgrade any integrations that use these endpoints to API V3. The api/ariel/databases/{database_name} (V2.0) endpoint is deprecated in JSA 2014.4.

• Use the patch compliance dashboard to identify quickly the most significant patches that are missing in your environment—To identify easily which patches are missing in your environment, create a patch compliance dashboard.

• View detailed patch information for vulnerabilities—This feature provides information on how JSA checks for vulnerability details during a patch scan. You can now access Oval Definitions, Windows Knowledge Base entries, and UNIX advisories for Vulnerabilities from the Research Vulnerability Details window.

Related Documentation

• Installing JSA
• Known Issues and Limitations
• Resolved Issues

Installing JSA

To install JSA:

• System Requirements—For information about hardware and software compatibility, see the detailed system requirements in the Juniper Security Analytics Installation Guide.

• Installing JSA—For installation instructions, see the Juniper Security Analytics Installation Guide.

Related Documentation

• New and Updated Functionality
• Known Issues and Limitations
• Resolved Issues

Known Issues and Limitations

This section describes the known issues in JSA 2014.4.

• The selected menu option is not highlighted using the up or down arrow keys when configuring the JSA appliance—In the JSA console during configuration, using up or down arrow keys to select a menu option does not highlight the selected option. For more information, see the KB article KB28225 at https://kb.juniper.net/KB28225.

  Workaround: Although your current position is not highlighted, use tab to navigate to the option and then use up or down arrow keys to select an option. Use left or right arrow keys to select Next. Choose any option from the time zone list and proceed with the configuration process. After the setup, you can change the time zone in the WebUI.

• Interfaces swapped for secondary JSA3500 appliances—Upon choosing the secondary device installation option (5056) during setup, the interfaces get swapped; eth0 swaps with eth3 and eth1 swaps with eth2. This results in the management port not showing link connectivity on the JSA3500 appliance, even when the port is connected.

  Workaround: See the KB article KB17314 at https://kb.juniper.net/KB17314.

• Filtering on the version number does not work correctly in the RESTful API technical documentation interface—When you type a version number in the Version field and press Enter, all endpoints with versions up to and including the version that you specified are listed.

• Vulnerabilities Report tables do not display correctly in PDF and RTF—Columns in some Vulnerabilities Report tables are cut off in PDF and RTF documents.

RESTful APIs

• Previously, if you ran a large number of Ariel searches through the POST /api/ariel/searches endpoint in a short period, the Ariel server became overloaded. This issue no longer occurs.

• Previously, Ariel queries did not support Unicode characters. This release supports the use of quoted column names that include Unicode characters, for example, Select sourceIP, "transação" from events.

Related Documentation

• New and Updated Functionality
• Installing JSA
• Resolved Issues


Resolved Issues

This section describes the issues resolved in JSA 2014.4:

• Rapid7 NeXpose scanner displays an error when the site name pattern field contains an ampersand (&) character.
• The Test field in the Custom Properties window might not display special characters as intended.
• No notification that events are dropped by a routing rule.
• The License Details screen may show license details for another host in the deployment.
• Backup archives fail to generate due to a missing RPM dependency caused by automatic updates.
• Asset search with OS information is slow.
• User profiles with only access to reports will throw 404 when accessing reports in IE.
• After an upgrade to JSA 2014.1 patch, a log source extension might display invalid character symbols.
• Deploys may fail when an encrypted connection exists for an unassigned component.
• Rule responses that send an Offense summary e-mail notification might include an unresolvable address in the URL.
• Risk Score filter not filtering - returning all assets.
• Network hierarchy tree shows Undefined when network group has depth greater than 9 levels.
• Improperly formatted system events are being picked up by the CRE Log Source.
• Offense rule condition log source type(s) that detected the offense does not fire due to log source mismatch.
• Non-admin users unable to view full rule details.
• Notification QID value is incorrect.
• Improve CRE performance against ports and large database tables.
• Excessive SIM audit events for high availability SSH activity.
• Routing rules filter returning unexpected results.
• Filtering payload by ReGex ending with \ interferes with the Log Activity view.
• Sorting in asset details - user list does not work.
• JSA shows a timestamp for Last Seen Passive even if all flow sources are disabled.
• Rule test to not create offense if 2 rules are matched is creating an offense.
• Column sorting not sorting in the Log Source window.
• Rule information is missing from the audit log when rules are modified.




• Manual carriage returns used in the Text field of an Offense note cause incomplete note output in the audit logs.
• WinCollect Log Source display sorting returns no results in 2013.1.
• UI problem in Firefox 30 - unable to select level on source network group.
• Asset table export shows 0.0.0.0 for the IP at times when the GUI displays a real IP.
• Vulnerability details not shown for non-admin user.
• Rule counting is not working using specific Palo Alto configuration.
• Memory leak in bandwidth manager.
• When sharing a saved search, Include in my dashboard is selected by default.
• Grouped event searches containing numeric custom properties may return incorrect sum calculations.
• When a high availability failover occurs, additional bonded interfaces will be removed.
• Active Directory login fails when trying to authenticate to the API.
• PDF report filenames with Chinese characters that are mailed do not retain correct Chinese characters in the attachment name.
• The Wrap Text check box does not work when selected for viewing Cisco IDs event payloads.
• Tunnelrdate warning messages generated even when not using encryption between console and managed host.
• BB:CategoryDefinition: Countries/Regions with no Remote Access contains an incorrect location name.
• Selecting a language option other than English for JSA Log Manager does not work.
• The destination IP source port is appended to the destination IP when querying type-b superflows.
• Network Activity search right click filter options for application is or is not other not returning correct
• Change in locale settings from English to any other language causes no data results from flow data Application searches.
• The number of data variables in an offense CRE SNMP trap does not match that of the associated JSA file.
• Reference map of maps does not work as described in the JSA Admin guide documentation.
• Flow process stops and then fails to start 3.
• Log Activity advanced search that specifies using LOGSOURCEGROUPNAME only returns results from group Other.
• JSA VM - JSA system notification that refers to JSAVMSCANCOMPLETELISTENER has reached full capacity.

• Multiple vulnerabilities in JSA (CVE-2014-0075, CVE-2014-0096, CVE-2014-0119).
• Multiple vulnerabilities in JSA (CVE-2014-3508, CVE-2014-3511).
• No files to download message when performing an export as pcap.
• The License info page shows Database not enabled.
• Rules no longer firing after a reference set is found to be empty or does not exist.
• The partition /store/ariel/persistent_data is not monitored by disk sentinel.
• No flow information is displayed when using non English locale in some instances.
• The Admin tab, Remote Networks and Services Configuration page does not load correctly in the JSA UI.

Related Documentation

• New and Updated Functionality
• Installing JSA
• Known Issues and Limitations

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Revision History

November 2015—Revision 4, for JSA Release 2014.4
June 2015—Revision 3, for JSA Release 2014.4
April 2015—Revision 2, for JSA Release 2014.4
March 2015—Revision 1, for JSA Release 2014.4

Copyright © 2015, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
