
Juniper Secure Analytics Release Notes

7.3.1, March 2018

Juniper Networks is pleased to introduce Juniper Secure Analytics 7.3.1.

JSA 7.3.1 Release Notes provides new features, known issues and limitations, and fixes to known issues.

Contents

What's New in JSA 7.3.1 (page 2)
  Juniper Secure Analytics (page 2)
    JSA Core Capabilities (page 2)
    Ariel Query Language (AQL) (page 7)
  JSA Vulnerability Manager and JSA Risk Manager (page 10)
    JSA Vulnerability Manager Custom Risk Classification (page 10)
    JSA Risk Manager migration from Configuration Source Management to Configuration Monitor (page 11)
    Improved JSA Risk Manager topology Searches and Views (page 11)
    Enhanced Support for CIS Benchmarks (page 11)
Installing JSA (page 11)
Known Issues and Limitations (page 12)
Resolved Issues (page 12)
Documentation Feedback (page 18)
Requesting Technical Support (page 19)
  Self-Help Online Tools and Resources (page 19)
  Opening a Case with JTAC (page 19)
Revision History (page 20)

Copyright © 2018, Juniper Networks, Inc.

What's New in JSA 7.3.1

The Juniper Secure Analytics 7.3.1 family of products includes new navigation features, tighter IPv6 integration, more health metrics data for diagnosing issues, and more.

Juniper Secure Analytics

The JSA 7.3.1 family of products includes enhancements to its core capabilities, RESTful APIs, and the Ariel Query Language (AQL).

JSA Core Capabilities

AQL-based Custom Properties

With AQL-based custom event or custom flow properties, you can use an AQL expression to extract data from the event or flow payload that JSA does not typically normalize and display.

For example, you can create an AQL-based property when you want to combine multiple extraction and calculation-based properties, such as URLs, virus names, or secondary user names, into a single property. You can use the new property in custom rules, searches, reports, or you can use it for indexing offenses.

For more information about creating and using custom properties, see the Juniper Secure Analytics User Guide.

Identifying Flow Direction Reversal

As you are viewing a flow in the JSA Console, you might want to know whether JSA modified the flow direction, and whether any processing occurred. This algorithm provides information on how the traffic originally appeared on the network and which traffic features caused it to be reversed, if at all.

When the Flow Collector detects flows, it checks some of the flow properties before it acts. In some cases, the communication or flows between devices are bidirectional (the client communicates with the server and the server responds to the client). In this scenario, both the client and the server operate as though they are the source and the other is the destination. In reality, JSA normalizes the communication, and all flows between these two entities then follow the same convention: destination always refers to the server, and source always refers to the client.

For more information, see Identifying whether a flow's direction was reversed in the Juniper Secure Analytics User Guide.

Identifying How Application Fields are set for Flows

As you are viewing a flow in the JSA Console, you might want to know whether JSA modified the flow application name, and whether any processing occurred. You can use this information to gain insight into which algorithm classified the application, and to ensure that algorithms are extracting flow features correctly.

When the Flow Collector detects a flow, it uses various algorithms to determine which application the flow came from. After the Flow Collector identifies the application, it sets the Application property that appears in the Flow Details window.

For more information, see Identifying how application fields are set for a flow in the Juniper Secure Analytics User Guide.

Reduced Downtime for Event Collection Services

In earlier versions, deploying changes to your JSA system sometimes resulted in gaps in data collection while the hostcontext service restarted. To minimize these interruptions, the event processor service is now managed separately from other JSA services. The new event collection service, ecs-ec-ingress, listens on port 7787.

With the new separation of services, the event collection service does not automatically restart each time that you deploy changes. The service restarts only when the deployed changes impact the event collection service directly.

This enhancement significantly reduces interruptions in collecting data, and makes it easier for you to comply with your organization's data collection targets.

For more information, see Making changes in your JSA environment in the Juniper Secure Analytics Administration Guide.

Continuous Collection of Events during Minor Patch Updates

You can expect fewer disruptions in event collection when you apply future patches to JSA 7.3.1 or later. Minor patches that do not require the system to restart will not restart the event collection service.

Ability to Restart only the Event Collection Service

From the JSA product interface, you can restart the event collection service on all managed hosts in your deployment.

This new capability is useful when you want to restart the event collection service without impacting other JSA services. For example, after you restore a configuration backup, you can defer restarting the service to a time that is convenient for you.

For more information about restarting the event collection service, see the Juniper Secure Analytics Administration Guide.

Event Collection continues when you Install or Update a Protocol RPM

Before JSA 7.3.1, installing or updating a protocol RPM required a full deployment, which caused event collection to stop for several minutes for all installed protocols.

Now, protocols are loaded dynamically when you deploy the changes. Only those protocols that were updated experience a brief outage (in seconds).

New slide-out Navigation Menu with Favorite Tabs

As the number of apps that are installed in your deployment grows, so does the number of visible tabs. The new slide-out navigation menu makes it easier for you to find the apps that you use the most by managing which tabs are visible in JSA.

When you upgrade to JSA 7.3.1, all JSA tabs are available from the slide-out menu. Each menu item is marked as a favorite, which also makes it available as a tab. You can control which tabs are visible by selecting or clearing the star next to the menu item.

To access the settings that were on the Admin tab in earlier JSA versions, click Admin at the bottom of the slide-out navigation menu.

Browser-based System Notifications

JSA now uses your browser notification settings to display system notifications. With this enhancement, you can continue to monitor the status and health of your JSA deployment even when JSA is not the active browser window. To show system notifications on your screen, you must configure your browser to allow notifications from JSA.

Browser notifications are supported for Mozilla Firefox, Google Chrome, and Microsoft Edge 10. Microsoft Internet Explorer does not support browser-based notifications. Notifications in Internet Explorer now appear in a restyled JSA notification window.

For more information, see the System notifications topic in the Juniper Secure Analytics Administration Guide.

More Health Metrics Data

JSA collects up to 60x more health metrics data than before, making it easier for administrators to monitor their deployment and diagnose issues when they occur. You can visualize the new health metrics by using the JSA Deployment Intelligence app, which is available from the Security App Exchange.

The JSA Deployment Intelligence app replaces the System Health information that was previously available on the Admin tab.

The additional health metrics data increases the size of the JSA log files and the disk storage requirements for the data. Administrators who require more control over the disk storage that is required for the accumulated health data can create a retention bucket that uses Log Source Type = Health Metrics as the criteria.

For more information about working with retention buckets, see the Data retention topic in the Juniper Secure Analytics Administration Guide.

IPv6 Support

JSA uses the network hierarchy objects and groups to view network activity and monitor groups or services in your network. The network hierarchy can be defined by a range of IP addresses in IPv6 as well as IPv4 format. In addition to Network Hierarchy, Offense Manager used to only support IPv6 indexing, but it now updates and displays all the appropriate fields for an offense with IPv6 data.

For more information about IPv6 support, see the IPv6 addressing in JSA deployments topic in the Juniper Secure Analytics Administration Guide.

Improved Security with New Password Policy

When using local JSA authentication, you can enforce minimum password length and complexity, and control password expiry and reuse. The rules that you set are enforced for administrative and non-administrative users.

For more information about setting password rules, see the Configuring system authentication topic in the Juniper Secure Analytics Administration Guide.

Create an alias for the User Base DN (distinguished name) that is used for LDAP Authentication

When you enter your user name on the login page, the Repository ID acts as an alias for the User Base DN (distinguished name). This use of an alias omits the need for typing a long distinguished name that might be hard to remember.

For more information about configuring LDAP authentication, see the Juniper Secure Analytics Administration Guide.

Edit or Create a Login Message that is displayed to Users in JSA

Provide users with important information before they log in to JSA. If needed, you can force users to consent to the login message terms before they can log in.

For more information about creating and editing login messages, see the Juniper Secure Analytics Administration Guide.

Monitor successful Login Events by Running Reports in JSA

Easily monitor successful login events for the time period that you configure by running the Weekly Successful Login Events report template on the JSA Reports tab.

For more information about creating and managing reports, see the Juniper Secure Analytics Administration Guide.

Two New Preinstalled Apps in JSA 7.3.1

App Authorization Manager - The App Authorization Manager app provides improved security for app authorization tokens. Users who have the appropriate permissions can delete authorization tokens, or change the assigned user level authorization.

JSA Assistant App - The JSA Assistant App provides the following functionality on the Dashboard tab:

• Recommended apps and content extensions that are based on your configured preferences.

• JSA Help Center dashboard widget to help you access helpful information about JSA.

• Content update status is highlighted, and then users can download updates from within JSA.

For more information about the new apps, see the Juniper Secure Analytics Administration Guide.

Log Source Auto-detection Configuration

Before JSA 7.3.1, log source auto-detection configuration was controlled by a configuration file that was edited manually on each event processor managed host.

As of JSA 7.3.1, global configuration settings are now available. You can use the JSA REST API or a command line script to enable and disable which log source types are auto-detected. If you use a smaller number of log source types, you can configure which log sources are auto-detected to improve the speed of detection. Log source auto-detection configuration also helps to improve the accuracy of detecting devices that share a common format, and can improve pipeline performance by avoiding the creation of incorrectly detected devices.

NOTE: You can still enable per-event processor auto-detection settings by using the configuration file method. You can manage the method that is used on each event processor in Admin > System & License Management > Component Management. Upgrades from previous versions do not enable global settings, and retain the use of the local configuration files. Fresh installations of JSA 7.3.1 enable the global auto-detection settings option.

For more information about configuring managed hosts, see the Juniper Secure Analytics Administration Guide.

Configuring Auto Property Discovery for Log Source Types and a New Configuration Tab in DSM Editor

You can configure the automatic discovery of new properties for a log source type. By default, the Auto Property Discovery option for a log source type is disabled. When you enable the option on the new Configuration tab of the DSM Editor, new properties are automatically generated. The new properties capture all the fields that are present in the events that are received by the selected log source type. The newly discovered properties become available in the Properties tab of the DSM Editor.

For more information about using the DSM Editor, see the Juniper Secure Analytics Administration Guide.

New JSA Data Store Offering

A new offering, JSA Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization's Events Per Second JSA license, and enables your organization to build custom apps and reports based on this stored data to gain deeper insights into your IT environments.

Enhancements to the routing rules in JSA 7.3.1 require a license for JSA Data Store. After the license is applied and the routing rule enhancement is selected, events that match the routing rule will be stored to disk and will be available to view and for searches. The events bypass the custom rule engine and no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs.

Log Source Extensions can Extract Values from Events in JSON Format by Key Reference

Log Source Extensions can now extract values by using the JsonKeypath.

For event data in a nested JSON format, a valid JSON expression is in the form /"<name of top-level field>"/"<name of sub-level field_1>".../"<name of sub-level field_n>".

The following two examples show how to extract data from a JSON record:

• Simple case of an event for a flat JSON record: {"action": "login", "user": "John Doe"}

  To extract the 'user' field, use this expression: /"user".

• Complex case of an event for a JSON record with nested objects: { "action": "login", "user": { "first_name": "John", "last_name": "Doe" } }

  To extract just the 'last_name' value from the 'user' subobject, use this expression: /"user"/"last_name".
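The keypath addressing above is simple enough to model outside JSA. The following Python script is an added example, not part of the release notes and not JSA's own code: it parses a /"key"/"subkey" expression into its key names, walks a parsed JSON event, and returns None when the path does not exist or runs through a non-object value, which is the behaviour a log-parsing stage should have when an event arrives in an unexpected shape. The sample events are constructed from the two cases above. The tokenizing grammar (quoted segments, backslash escaping inside a key) is an assumption, since the release notes do not say how JSA itself tokenizes the expression.

```python
"""Stand-alone model of JsonKeypath-style extraction (added example).

Expressions have the form /"top"/"sub_1"/.../"sub_n".  The escaping rule
inside a quoted key (backslash before a quote or backslash) is an assumption
made here; JSA's own grammar may differ.
"""
import json
import re

# One path segment: a slash followed by a double-quoted key.  Because keys are
# quoted, a key may itself contain '/' without being split into two segments.
_SEGMENT = re.compile(r'/"((?:[^"\\]|\\.)*)"')


def parse_keypath(expr):
    """Split a /"a"/"b" expression into a list of key names.

    Raises ValueError unless the whole string is a sequence of quoted
    segments, so a stray trailing slash or an unquoted key is rejected.
    """
    keys = []
    pos = 0
    while pos < len(expr):
        match = _SEGMENT.match(expr, pos)
        if match is None:
            raise ValueError("malformed keypath at offset %d: %r" % (pos, expr))
        # Undo the (assumed) backslash escaping inside the quotes.
        keys.append(re.sub(r'\\(.)', r'\1', match.group(1)))
        pos = match.end()
    if not keys:
        raise ValueError("empty keypath")
    return keys


def is_valid_keypath(expr):
    """True if expr parses as a keypath, False otherwise."""
    try:
        parse_keypath(expr)
        return True
    except ValueError:
        return False


def extract(event, expr):
    """Return the value addressed by expr in the JSON event text, or None.

    A missing key, or a path that runs through a non-object (string, number,
    list), yields None rather than raising: an event pipeline should treat
    an unexpected event shape as "no value", not as a crash.
    """
    node = json.loads(event)
    for key in parse_keypath(expr):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


# Constructed sample events mirroring the two cases in the release notes,
# plus one with a slash inside a key name to show why segments are quoted.
FLAT_EVENT = '{"action": "login", "user": "John Doe"}'
NESTED_EVENT = '{ "action": "login", "user": { "first_name": "John", "last_name": "Doe" } }'
SLASH_KEY_EVENT = '{"a/b": 1}'

if __name__ == "__main__":
    print(extract(FLAT_EVENT, '/"user"'))                # John Doe
    print(extract(NESTED_EVENT, '/"user"/"last_name"'))  # Doe
    print(extract(NESTED_EVENT, '/"user"/"phone"'))      # None
    print(extract(SLASH_KEY_EVENT, '/"a/b"'))            # 1
```

Because every segment is quoted, the parser never has to guess where one key ends and the next begins, which is what lets a key such as "a/b" be addressed unambiguously.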

Ariel Query Language (AQL)

JSA introduces new AQL functions and enhancements.

PARAMETERS REMOTESERVERS now includes the option to select servers in your search by specifying the ID or name of Event Processors

By using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS, you can specify an Event Processor by name in an AQL query; for example, PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor0', 'eventprocessor104')

By using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS, you can specify an Event Processor by ID in an AQL query; for example, PARAMETERS REMOTESERVERS=ARIELSERVERS4EPID(102)

By specifying an Event Processor, or servers that are connected to that Event Processor, you can run AQL queries faster and more efficiently.

When you have multiple servers in your organization and you know where the data that you're looking for is saved, you can fine-tune the search to just the servers, clusters, or specific servers on Event Processors.

In the following example, you search only the servers that are connected to 'eventprocessor104'.

SELECT processorid, PROCESSORNAME(processorid), LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor104')

You can significantly reduce the load on your servers, run the query regularly, and get your results faster when you filter your query to search fewer servers.

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

PARAMETERS EXCLUDESERVERS excludes servers from your AQL search

Avoid having to search all AQL servers by using PARAMETERS EXCLUDESERVERS to exclude specific servers:

• IP address; for example, PARAMETERS EXCLUDESERVERS='177.22.123.246:32006,172.11.22.31:32006'

• Event Processor name; for example, PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('<eventprocessor_name>')

• Event Processor ID; for example, PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(<processor_ID>)

Searching only the servers that have the data that you require speeds up searches and uses fewer server resources.

Refine your query to exclude the servers that don't have the data that you're searching for. In the following example, you exclude servers that are connected to 'eventprocessorABC':

SELECT processorid, PROCESSORNAME(processorid), LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessorABC')

If you refine multiple queries by using PARAMETERS EXCLUDESERVERS, you can reduce the load on your servers and get your results faster.

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

Specify the Event Processor name in an AQL query by using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS

In an AQL query, you can include or exclude the servers that are connected to an Event Processor by using the ARIELSERVERS4EPNAME function to name an Event Processor in the query. For example, use the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS to include eventprocessor_ABC in the query.

PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor_ABC')

For example, you might want the search to exclude all servers on a named Event Processor by using the ARIELSERVERS4EPNAME function with PARAMETERS EXCLUDESERVERS. In the following example, eventprocessor_XYZ is excluded from the query:

PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessor_XYZ')

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

Specify the Event Processor ID in an AQL query by using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS

In an AQL query, you can include or exclude servers connected to an Event Processor by using the ARIELSERVERS4EPID function to specify the ID of an Event Processor in the query.

For example, to include servers on the Event Processor that has the ID 101: PARAMETERS REMOTESERVERS=ARIELSERVERS4EPID(101)

For example, to exclude servers on the Event Processor that has the ID 102: PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(102)

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.


Filter your search by using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Event Processors by ID and their Ariel servers

You can use the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS and PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or exclude from your search.

You can also use the following query to list Ariel servers by Event Processor ID.

SELECT processorid, ARIELSERVERS4EPNAME(PROCESSORNAME(processorid)) FROM events

The query returns the Ariel servers that are associated with an Event Processor that is identified by ID. Here's an example of the output for the query, which shows the ID of the processor and the servers for that processor:

localhost:32011,172.16.158.95:32006

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

In an AQL query, you can specify Ariel servers that are connected to a named Event Processor by using the ARIELSERVERS4EPNAME function

Use the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or exclude from your search.

You can also use the following query to list Ariel servers by Event Processor name.

SELECT PROCESSORNAME(processorid), ARIELSERVERS4EPNAME(PROCESSORNAME(processorid)) FROM events

Here's an example of the output for the query, which shows the name of the processor and the servers:

eventprocessorABC localhost:32011,172.16.158.95:32006

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

Use the COMPONENTID function to retrieve the ID for any named JSA component and return data for that component

For example, you can retrieve events for a named Event Processor. In the following example, you retrieve events from eventprocessor0:

SELECT * FROM events WHERE processorid = COMPONENTID('eventprocessor0')

PARSETIMESTAMP function parses the text representation of date and time and converts it to UNIX epoch time

Do time-based calculations easily in AQL when you convert time in text format to epoch time.

Include time-based calculations in your AQL queries and use the time-based criteria that you specify to return events that help to enhance the security of your organization by making it easier to monitor user activity. For example, you might want to find out whether the difference between user logout and re-login times is less than 30 minutes. If this timing seems suspicious, you can investigate further.

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

Retrieve information about the location and distance of IP addresses

Use geographical data that is provided by MaxMind to find information about the location and distance between IP addresses in JSA.

The GEO::LOOKUP AQL function returns location data for a selected IP address.

The GEO::DISTANCE AQL function returns the distance, in kilometers, between two IP addresses.

Easily recognize the geographical origin of your data by organizing your data by location, such as city or country, instead of by IP address, and use the distance between IP addresses to evaluate the relative distance between your JSA locations.

For more information, see the AQL data retrieval functions topic in the Juniper Secure Analytics Ariel Query Language Guide.

Enhanced support for the AQL subquery

In JSA 2014.8 and 7.3.0, the subquery was accessible only by using the API.

The subquery is now available for use in searches from the Log Activity or Network Activity tabs.

For more information, see the AQL subquery topic in the Juniper Secure Analytics Ariel

Query Language Guide.

Enhanced support for the SESSION BY clause

In JSA 7.3.0 the SESSION BY clause was accessible only by using API.

The SESSION BY clause is now available for use in searches in JSA.

For more information, see the Grouping related events into sessions topic in the Juniper

Secure Analytics Ariel Query Language Guide.

JSA Vulnerability Manager and JSA Risk Manager

JSA Vulnerability Manager 7.3.1 introduces custom risks and enhanced support for CIS benchmarks. JSA Risk Manager 7.3.1 migrates features from Configuration Source Management to the Configuration Monitor and improves topology searches and views.

JSA Vulnerability Manager Custom Risk Classification

Classify vulnerabilities with Custom Risk to prioritize the vulnerabilities that pose most risk to your enterprise. Override a vulnerability's risk with your own risk classification based on individual requirements, and add comments to describe why you are changing the classification. For example, if a new internal policy requires all assets to disable SMBv1, you can raise the risk to Critical for all SMBv1 required vulnerabilities.

For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.

JSA Risk Manager migration from Configuration Source Management to Configuration Monitor

Several features are migrated from Configuration Source Management to Configuration Monitor: add a new device, delete a device, back up a device, and discover devices in the Configuration Monitor. This migration is in preparation for when Google Chrome removes full support for Adobe Flash, and is the first stage in the removal of the Flash dependency from JSA Risk Manager.

For more information, see the Juniper Secure Analytics Risk Manager User Guide.

Improved JSA Risk Manager topology Searches and Views

Each topology search opens a tabbed view, and results are cached for improved topology retrieval, resulting in faster processing time.

For more information, see the Juniper Secure Analytics Risk Manager User Guide.

Enhanced Support for CIS Benchmarks

Added CIS Benchmarks profile support for the following platforms:

• Windows 2012 R2

• Red Hat Enterprise Linux 7

• Solaris 10

• Solaris 11

• Solaris 11.1

• Solaris 11.2

• Ubuntu Linux 14

• Ubuntu Linux 15

• CentOS Linux 6

• CentOS Linux 7

Related Documentation

• Installing JSA on page 11

• Known Issues and Limitations on page 12

• Resolved Issues on page 12

Installing JSA

To install JSA software:

• System Requirements — For information about hardware and software compatibility, see the detailed system requirements in the Juniper Secure Analytics Installation Guide.

• Upgrading to JSA 7.3.1 — To upgrade to JSA 7.3.1, see the Upgrading Juniper Secure Analytics to 7.3.1 Guide.

• Installing JSA — For installation instructions, see the Juniper Secure Analytics Installation Guide.

Related Documentation

• What's New in JSA 7.3.1 on page 2

• Known Issues and Limitations on page 12

• Resolved Issues on page 12

Known Issues and Limitations

NOTE: None.

Related Documentation

• What's New in JSA 7.3.1 on page 2

• Installing JSA on page 11

• Resolved Issues on page 12

Resolved Issues

This section describes the issues resolved in JSA 7.3.1:

• Session leaks can cause the JSA user interface to become repeatedly inaccessible.

• Network Hierarchy API PUT does not allow for multiple CIDR ranges. Error 422 is returned.

• Adjusting the email size limit in JSA system settings does not work as expected.

• JSA upgrade fails on appliances where two disk subsystems (sda and sdb) are present.

• Using the pound symbol (#) in a reference set name causes an application error.

• JSA upgrade can fail after reboot with message Exception AttributeError: "NoneType" object has no attribute....

• Application installation window hangs when attempting to update JSA apps.

• No Flow data received from JSA Flow Collector appliances after upgrading/patching to JSA 7.3.0 patch 4.

• An Ariel file lock on deleted files can cause Log Activity searching to fail and prevent Dashboard Time Series loading.

• Locale list is blank in the DSM Editor when creating a new custom property for field type Date or Number.


• Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue... system notification.

• The JSA Assistant app Help Center dashboard (and possibly others) can stop working unexpectedly.

• JSA storage partitions might get renamed due to the loading order of required drivers at bootup.

• Hostnames ending with a trailing dot are considered unique by the JSA asset profiler.

• A benign hostcontext NullPointerException can sometimes be written to the JSA logs following a Deploy function.

• High Availability appliance reporting as failed in the System and License Management screen after a Deploy.

• Using the network activity search filter ICMP Type/Code does not work as expected.

• JSA user interface sessions are becoming disconnected (session timeout) unexpectedly.

• Performing a search grouping by Log Source displays the parent and child groups in the results.

• A custom action script using the parameter creeventlist can fail and generate an exception in JSA logging.

• Custom action response returns null value for some defined parameters.

• Realtime streaming can fail to display events when filtering on eventprocessor.

• Routing rule filter does not display all category options when selecting Low Level Category as a filter.

• Search filtering for a custom event property that includes non-English characters does not work as expected.

• Failed replications can leave residual files in /tmp directory.

• Asset searches by network name can return extra, unexpected results.

• Report Wizard can hang when creating a Log Source Report.

• Log Source reports can fail and display no results.

• Some of the JSA last seen rules can fire unexpectedly.

• System notification ...unable to determine associated log source for IP address <IPaddress>. Unable to automatically....

• The Asset Name field for assets can sometimes be blank.

• LDAP hover text Tooltip displays duplicate values.

• SNMP trap does not send severity, credibility, relevance metrics on a generated offense when configured to include property values.

• Advanced Search (AQL) functions using LONG function can cause missing information on the search screen.


• Rules with a regex filter on Event Processor can cause performance degradation and events written to storage.

• Performing an advanced search (AQL) with SELECT * FROM events INTO <value> twice can return an error.

• Aggregated searches performed when data nodes are attached to the JSA deployment display incorrect counts.

• Reference sets associated to rules as a contains rule test are not working as expected.

• Application Error when opening some offenses.

• Log Source reports can display incorrect target destinations for WinCollect Log Sources.

• Drilling into a search that was grouped by a custom event property with parenthesis does not work as expected.

• Dashboard item can sometimes display no data in some instances of network hierarchy containing double byte characters.

• Log Source Status can be incorrect for some protocol types.

• Editing an existing report's timespan does not work as expected.

• The Assigned to link in an open offense summary window doesn't work.

• Time series not generated for AQL searches containing mathematical expressions.

• Offense search exclusion filters containing a defined network hierarchy parameter do not respect the exclusion.

• Attempting to edit a saved search after adding a filter causes the saved search window to not render properly.

• Unexpected error while retrieving get_logs status when a non-admin user accesses system and license management.

• ERROR: could not find or load main class com.q1labs.core.util.Passwordencrypt when configuring LDAP hover feature.

• Ariel searches that are run using API version 7.0+ do not return payload properly for parsing.

• Rule Response Limiter does not always limit responses as configured.

• Searches using a geographic location filter can return unexpected results.

• Non-admin JSA user can view reports that have not been shared.

• Reports can sometimes fail to complete or complete with incorrect data when using a top offenses chart.

• AQL queries (advanced search) can sometimes cause Your browser sent a request that this server could not understand message.

• Results in report data can sometimes not match search results when an OR condition exists in search filters.

• Residual files from a failed deploy to a managed host can prevent new deploy attempts from completing.


• Device stopped sending events rule sometimes does not display the associated log source when part of an offense.

• Dashboard widgets that are set to Chart Type: Table display Start Time (Minimum) in Epoch time instead of long format.

• Customized identity changes made using the DSM Editor for Microsoft IAS logs are not honored in the Log Activity tab.

• System and license management can take longer than expected to load large JSA deployments.

• DSM editor can display regex grabs inconsistently between Workspace field and Log Activity preview.

• Datanodes may not rebalance correctly if there are multiple destinations.

• Syslog source payload should not set device time in the future.

• The Asset Details, Asset Summary window of an asset can sometimes be missing the Operating System data.

• Event Count displayed for an offense can sometimes fail to match the event count in related Log Activity search.

• <br/> is displayed in report description hover over where line breaks are expected.

• Events contributing to an offense cannot be displayed after custom event property OffenseID is created in DSM Editor.

• ECS-EC process can sometimes go out of memory in JSA environments with a very large number of Log Sources.

• Slow user interface response leading to a Tomcat out of memory can be caused by adding filters to Scheduled Search results.

• Intermittent Tomcat deadlock can cause the JSA user interface to become inaccessible without a service restart.

• Rule Wizard data validation allows input of invalid AQL syntax.

• wget.log file can contribute to the /var/log partition running out of sufficient free space.

• Flow collectors with multi-threading enabled can stop collecting flows after patching.

• Message Template not found is displayed when attempting to view, run, or edit a report.

• Selected event does not display in the DSM Editor Workspace.

• Non-admin users are unable to view Log Sources when filtering on the Log Activity page.

• Searches can fail with connecting to the query server errors or I/O error occurred when many security profiles exist.

• Appliance WIPE does not honor the amount of wipes that were entered and always uses the default of six.

• Hostcontext can run out of memory due to task management database table becoming corrupted.


• Lower than expected performance results when using historical correlation.

• The /store/transient partition does not perform required clean up when running low on free disk space.

• /var/log partition can run out of space due to logs filling with messages The UserSession object in SessionContext....

• Drop in expected event rate after upgrading to JSA 7.3.0 can be caused by network interfaces dropping packets.

• Reports run on some AQL searches can return inconsistent column names.

• General Failure. Please try again message when a Log Activity search with reference table filter user specified value is run.

• Console installation of JSA 7.3.0 can fail when UTC timezone is selected.

• Rules and Building Blocks can be missing from view in the JSA user interface while still being installed or enabled.

• Relevance value displayed by the REST API varies from what is displayed in the Offenses tab.

• The server encountered an error reading one or more files when performing a Log Activity search.

• Searches can fail or cancel when a maximum number of results is reached.

• Manage Search Results page fails to load with General Failure. Please try again message.

• Report output data does not adhere to the security profile of the report creator.

• Non-admin JSA users are unable to perform various right click and API call functions.

• NFS mount fails to mount after High Availability (HA) failover.

• Using Clean Vulnerability Ports can result in vulnerability data not being imported into the asset model.

• Invocation was successful, but transformation to content type 'APPLICATION_JSON' failed when pulling from the API.

• Application Error during server discovery when there is more than a default domain in JSA.

• Red Hat Enterprise Linux cifs-utils package is not included on JSA appliances installed at, or upgraded to, 7.3.0.

• Creating a global view based on a search containing a quick filter does not work as expected.

• Rule response limiter for Username sometimes can't work as expected.

• JSA 7.3.0 upgrade process does not verify the presence of ISO prior to setup installation process starting.

• Flows received when using flow forwarding Offsite Source/Target or Routing Rules are incorrect.


• Tunnel connections remain after a data node or event collector are removed from a JSA deployment.

• DNS lookups for internal IP network ranges not working.

• Using Rule Response Execute Custom Action can sometimes not work as expected.

• JSA user interface can become unresponsive when multiple users are working with JSA reports.

• AutoUpdate can cause an interruption in flow collection and a performance degradation system notification in the User Interface.

• In progress searches that run longer than the configured search results retention period are deleted prior to completion.

• Attempting to obfuscate a large volume of username field based events can cause obfuscated events to be dropped.

• Adding a regex filter to a search can generate error fatal exception in ValidationException: this is not a valid....

• Commas are treated as OR in quick filter searches causing varied search results.

• Deployment actions - Edit Host Connection option is not enabled after Event and/or Flow Processor is added to deployment.

• JSA application environment variables are not updated after qchange_netsetup.py is used to change the IP address of a JSA Console.

• JSA user interface becomes unresponsive linked to logrotate of httpd files.

• Asset Profiler out of memory or AssetCleanupThread TxSentry can occur on systems with a large amount of assets.

• Ariel searches that do many string comparisons can run slower than expected in low memory scenarios.

• Tomcat service can fail to load due to deadlock, causing the JSA user interface to become inaccessible.

• Attempting to use the valid regex (?i) (for case insensitive) in a custom property fails with regex is invalid.

• Missing files in /storetmp/upgrade errors when running /root/complete_upgrade.sh script after a failed upgrade.

• An attempt to cancel a duplicate Log Activity search in progress can display error ...WARN_QUERY_COLLECT_DATA_LIMIT.

• Upgrading JSA can hang or fail during the 71-qdocker_upgrade.sh script.

• The message There was an error downloading this item can sometimes be displayed in a dashboard widget.

• JSA upgrade process can fail after reboot on appliances with PCI networking cards.

• JSA upgrade process can sometimes fail at the pre-boot phase, and the ' / ' partition fills to 100%.


• Configuration restore onto a console with a different IP address causes JSA apps to no longer work.

• Trigger match count rule wording can sometimes be misinterpreted.

• JSA 7.3.0 upgrade can fail while running or re-running the upgrade_stage_iso.sh script.

JSA Vulnerability Manager

• The fusionvm database is not backed up when the qvmprocessor it is located on is a managed host instead of the console.

• Newly configured vulnerability exceptions can sometimes be duplicated.

• Unable to add new CIDR ranges in Vulnerability Assignment screen.

• JSA appliance attempts communication with unexpected IP address when JSA Vulnerability Manager is installed.

• Scan result data can sometimes fail to be updated in the JSA asset model.

• The Vulnerability ID field results contained in a scan that was exported to CSV can be incorrect.

JSA Risk Manager

• Juniper Junos device backup failure can occur due to an Out of Memory condition.

• Network labels are not displaying on the connection graph in JSA Risk Manager.

• JSA Risk Manager Topology page can take a longer than expected time to load.

• JSA Risk Manager simulation ignores changes made to the topology model.

• Default rules with action NONE are incorrectly listed in the configuration monitor rules list.

JSA Log Manager

• Additional rule tests cannot be added to current rules and new rules cannot be created when using JSA Log Manager.

Related Documentation

• What's New in JSA 7.3.1 on page 2

• Installing JSA on page 11

• Known Issues and Limitations on page 12

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:


• Document or topic name

• URL or page number

• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).


For international or direct-dial options in countries without toll-free numbers, see https://www.juniper.net/support/requesting-support.html.

Revision History

March 2018—Revision 1, for JSA Release 7.3.1

Copyright © 2018 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
