Release Notes for Juniper Security Director Insights
This section describes the new features in Juniper Security Director Insights Release 20.3R1.
Log collection—The log analytics module receives system logs, normalizes the log data, and permits you to define actions for the collected log data. The log analytics functionality is available in addition to the existing Security Director log collector.
You can use the following capabilities to process log data:
Flexible parser—Use the flexible log parser to define how the system log data must be parsed. The flexible parser enables you to provide a sample of your logs, parse the logs, normalize the fields, filter based on your configured criteria, and assign severity and semantics to various fields. You can create multiple parsers for different log sources. You can also import the parsers from a file or export the parsers to a standard file that can be saved and shared.
User identity—Juniper Security Director Insights interfaces with JIMS to map the endpoint IP addresses in events or logs to the corresponding usernames and hostnames. To use JIMS, you must set up JIMS separately and grant Juniper Security Director Insights access permission to it.
User timeline view—View all received events pertaining to an endpoint on a user timeline view in the Juniper Security Director Insights UI. If you have configured the user identity through JIMS, the user timeline will be based on hostnames.
Event correlation and incident processing—An incident is a correlated set of events or logs that represents a security event. Incidents are received from the Juniper Security Director Insights analysis pipeline. These events are correlated into an incident based on the following criteria:
Events that are related to a single endpoint
Events that occur within a 5-minute time interval
The security severity of each event is calculated based on the rules specified and the log field mapping configuration.
You can perform the following activities on incidents:
Threat intelligence—Look up your trusted threat intelligence providers for indicators of compromise to confirm whether the reported event is malicious. Indicators of compromise include IP addresses, URLs, and file hashes observed in the log data. What is considered malicious is based on our knowledge of the threat intelligence provider’s output.
The following threat intelligence sources are supported by Juniper Security Director Insights:
IP addresses and File hash
File hash and URL lookup
File hash, URL lookup, and IP lookup
Rules Engine—You can use Rules Engine to customize the log event and incident processing to match your SOC processes. Rules are divided into the following elements:
Condition—The rules engine supports match operations for different field types. You can combine multiple matching criteria in an ANY (OR) configuration or an ALL (AND) configuration. To apply a condition, select a normalized field from the event and specify the match criteria that trigger the rule.
Action—Respond to an event or incident. You can set, increase, or lower the severity, or look up a threat intelligence source.
Mitigation—In response to an incident, you can isolate or quarantine an infected endpoint based on its IP address and block the threat source IP address. This prevents the endpoint from downloading files that are known to be harmful or suspicious.
The Juniper Security Director Insights Mitigation UI provides a list of endpoints and threat sources that can be mitigated. You can choose one or more endpoints or threat sources and trigger the mitigation. The endpoint or threat source IP addresses that need to be quarantined or blocked are sent to Juniper ATP Cloud or Policy Enforcer.
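The following added example (not code from Juniper or the Security Director Insights product) illustrates the two processing steps described above: a rules engine that evaluates ANY/ALL conditions on normalized fields and applies severity or threat-intelligence-lookup actions, and correlation of the resulting events into incidents per endpoint within a 5-minute interval. The event dictionary shape, the operator and action names, the 1..10 severity scale, anchoring the window at the first event of an incident, and the sample rules and events are all assumptions made for this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # correlation interval stated in the release notes
OPS = {"eq": lambda a, b: a == b, "contains": lambda a, b: b in str(a)}

def matches(rule, ev):
    # ANY (OR) or ALL (AND) over (field, op, value) criteria on normalized fields
    hits = [OPS[op](ev.get(f), v) for f, op, v in rule["conditions"]]
    return any(hits) if rule["mode"] == "ANY" else all(hits)

def apply_rules(ev, rules):
    # Run each matching rule's action on the event and return the requested TI lookups.
    # Event shape, operator and action names are assumptions made for this example.
    lookups = []
    for r in rules:
        if not matches(r, ev):
            continue
        kind, arg = r["action"]
        if kind in ("raise", "lower"):  # keep severity within an assumed 1..10 scale
            ev["severity"] = max(1, min(10, ev["severity"] + (arg if kind == "raise" else -arg)))
        elif kind == "lookup_ti":       # look up the named field with a TI provider
            lookups.append((arg, ev.get(arg)))
    return lookups

def correlate(events):
    # One incident per endpoint per window: an event more than WINDOW after the first
    # event of the endpoint's open incident starts a new one (assumed window anchoring).
    incidents, open_by_ep = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = open_by_ep.get(ev["endpoint"])
        if inc is None or ev["ts"] - inc["events"][0]["ts"] > WINDOW:
            inc = open_by_ep[ev["endpoint"]] = {"endpoint": ev["endpoint"], "events": []}
            incidents.append(inc)
        inc["events"].append(ev)
    for inc in incidents:  # incident severity = highest event severity (assumption)
        inc["severity"] = max(e["severity"] for e in inc["events"])
    return incidents

# Constructed sample rules and events, not real log data.
T0 = datetime(2020, 10, 1, 12, 0)
def event(minutes, endpoint, **fields):
    # Normalized event: timestamp as an offset from T0, endpoint IP and extra fields
    return {"ts": T0 + timedelta(minutes=minutes), "endpoint": endpoint, "severity": 1, **fields}
RULES = [{"mode": "ALL", "action": ("raise", 3),
          "conditions": [("action", "eq", "download"), ("dst_url", "contains", ".exe")]},
         {"mode": "ANY", "action": ("lookup_ti", "dst_url"),
          "conditions": [("action", "eq", "download"), ("action", "eq", "upload")]}]
SAMPLE = [event(0, "10.0.0.5", action="download", dst_url="http://example.invalid/a.exe"),
          event(2, "10.0.0.5", action="login"), event(9, "10.0.0.5", action="login"),
          event(1, "10.0.0.7", action="login")]
```

Running `apply_rules` over `SAMPLE` and then `correlate(SAMPLE)` yields three incidents: two for 10.0.0.5 (the event nine minutes later falls outside the window of the first) and one for 10.0.0.7, with the first incident carrying the raised severity from the download rule.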
This section describes the supported hardware and software versions for Juniper Security Director Insights. For Security Director requirements, see the Security Director 20.3R1 Release Notes.
Supported Security Director Software Versions
Security Director Insights is supported only on specific Security Director software versions as shown in Table 1.
Table 1: Supported Security Director Software Versions
Security Director Insights Software Version
Compatible with Security Director Software Version
The time zones set for Security Director and Security Director Insights must be the same.
Virtual Machine Specification
Security Director Insights requires VMware ESXi server version 6.0 or later that can support a virtual machine (VM) with the following configuration:
1.2-TB disk space
Supported Browser Versions
Security Director and Juniper Security Director Insights are best viewed on the following browsers.
Microsoft Internet Explorer 11
For more information about installing Security Director Insights 20.3R1, see Deploy and Configure Security Director Insights with Open Virtualization Appliance (OVA) Files.
This section lists the known issues in Security Director Insights Release 20.3R1.
For the most complete and latest information about known issues, use the Juniper Networks online Junos Problem Report Search application.
When you clear an existing Insights node and add a new Insights node, opening the other Security Director Insights pages might display an "invalid csrf token" error.
Workaround: Log out of the Security Director application and log in again.
After a new Security Director Insights OVA is deployed, configuring the outgoing e-mail settings under the System Settings page will reset the already configured e-mail settings.
Workaround: Configure the outgoing e-mail settings again and refresh the page.
If the Security Director Insights VM is assigned a new IP address by DHCP, Security Director cannot communicate with the Security Director Insights VM because of the change in the IP address. You will see a "Specify the Insights Virtual Machine IP and Credentials to use Insights" message.
Workaround: Use a static IP address whenever possible, or configure Security Director again with the new IP address that is assigned to the Security Director Insights VM.