
Release Notes for Juniper Security Director Insights


New Features

This section describes the new features in Juniper Security Director Insights Release 20.3R1.

  • Log collection—The log analytics module receives system logs, normalizes the log data, and permits you to define actions for the collected log data. The log analytics functionality is available in addition to the existing Security Director log collector.

    You can use the following capabilities to process log data:

    • Flexible parser—Use the flexible log parser to define how the system log data must be parsed. The flexible parser enables you to provide a sample of your logs, parse the logs, normalize the fields, filter based on your configured criteria, and assign severity and semantics to various fields. You can create multiple parsers for different log sources. You can also import the parsers from a file or export the parsers to a standard file that can be saved and shared.

    • User identity—Juniper Security Director Insights interfaces with JIMS to map the endpoint IP addresses in events or logs to the corresponding usernames and hostnames. To use JIMS, you must set up JIMS separately and grant Juniper Security Director Insights access permission to it.

    • User timeline view—View all received events pertaining to an endpoint on a user timeline view in the Juniper Security Director Insights UI. If you have configured the user identity through JIMS, the user timeline will be based on hostnames.

  • Event correlation and incident processing—An incident is a correlated set of events or logs that represents a security event. Incidents are received from the Juniper Security Director Insights analysis pipeline. These events are correlated into an incident based on the following criteria:

    • Events that are related to a single endpoint

    • Events that occur within a 5-minute time interval

    The security severity of each event is calculated based on the rules specified and the log field mapping configuration.

    You can perform the following activities on incidents:

    • Threat intelligence—Look up indicators of compromise with your trusted threat intelligence providers to confirm whether a reported event is malicious. Indicators of compromise include the IP addresses, URLs, and file hashes observed in the log data. What is considered malicious is based on our knowledge of the threat intelligence provider’s output.

      The following threat intelligence sources are supported by Juniper Security Director Insights:

      Source        Data
      IBM X-Force   IP addresses and file hash
      VirusTotal    File hash and URL lookup
      Opswat        File hash, URL lookup, and IP lookup

    • Rules Engine—You can use the Rules Engine to customize log event and incident processing to match your SOC processes. Rules are divided into the following elements:

      • Condition—The rules engine supports match operations for different field types. You can combine multiple matching criteria in an ANY (OR) configuration or an ALL (AND) configuration. To apply a condition, select a normalized field from the event and specify the criteria that trigger the rule.

      • Action—Respond to an event or incident. You can configure, increase, or lower the severity or look up a threat intelligence source.

  • Mitigation—In response to an incident, you can either isolate or quarantine an infected endpoint based on its IP address and block the threat source IP address. This prevents you from downloading files that are known to be harmful or suspicious.

    The Juniper Security Director Insights Mitigation UI provides a list of endpoints and threat sources that can be mitigated. You can choose one or more endpoints or threat sources and trigger the mitigation. The endpoint or threat source IP addresses that need to be quarantined or blocked are sent to Juniper SkyATP or Policy Enforcer.
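As an added illustration of the correlation criteria (one endpoint, 5-minute interval) and the Rules Engine condition/action model described above, the following Python sketch groups constructed, already-normalized events into incidents and applies ANY/ALL rules that raise or lower severity. It is not Juniper code; the rule format, measuring the window from an incident's first event, and taking incident severity as the maximum event severity are assumptions.

```python
"""Toy incident correlation and rule evaluation modelled on the release-notes description.
Constructed data and a hypothetical rule format; this is not Juniper code."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # correlation interval from the release notes

# Constructed, already-normalized events (the shape a flexible parser would emit).
EVENTS = [
    {"ts": "2020-09-01T10:00:00", "endpoint": "10.1.1.5", "event": "malware-download", "severity": 3},
    {"ts": "2020-09-01T10:03:30", "endpoint": "10.1.1.5", "event": "c2-beacon", "severity": 5},
    {"ts": "2020-09-01T10:09:00", "endpoint": "10.1.1.5", "event": "port-scan", "severity": 2},
    {"ts": "2020-09-01T10:01:00", "endpoint": "10.1.1.9", "event": "port-scan", "severity": 2},
]

# Hypothetical rule format: ANY/ALL condition list plus a raise/lower severity action.
RULES = [
    {"match": "ALL", "conditions": [("endpoint", "10.1.1.5"), ("event", "c2-beacon")],
     "action": ("raise", 2)},
    {"match": "ANY", "conditions": [("event", "port-scan"), ("event", "ping-sweep")],
     "action": ("lower", 1)},
]

def rule_matches(rule, event):
    """Evaluate the rule's field/value conditions under its ANY (OR) or ALL (AND) combinator."""
    hits = [event.get(field) == value for field, value in rule["conditions"]]
    return all(hits) if rule["match"] == "ALL" else any(hits)

def apply_rules(event, rules):
    """Return the event severity after every matching rule's action, clamped to 0..10."""
    sev = event["severity"]
    for rule in rules:
        if rule_matches(rule, event):
            op, amount = rule["action"]
            sev += amount if op == "raise" else -amount
    return max(0, min(10, sev))

def correlate(events, rules=RULES):
    """Group events by endpoint within WINDOW of the incident's first event (assumption);
    incident severity is the maximum event severity (assumption)."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts, sev = datetime.fromisoformat(ev["ts"]), apply_rules(ev, rules)
        for inc in incidents:
            if inc["endpoint"] == ev["endpoint"] and ts - inc["start"] <= WINDOW:
                inc["events"].append(ev["event"])
                inc["severity"] = max(inc["severity"], sev)
                break
        else:  # no open incident for this endpoint within the window: start a new one
            incidents.append({"endpoint": ev["endpoint"], "start": ts,
                              "events": [ev["event"]], "severity": sev})
    return incidents
```

With the constructed input, the third 10.1.1.5 event falls outside the 5-minute window and opens a second incident for that endpoint.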

Product Compatibility

This section describes the supported hardware and software versions for Juniper Security Director Insights. For Security Director requirements, see the Security Director 20.3R1 Release Notes.

Supported Security Director Software Versions

Juniper Security Director Insights is supported only on specific Security Director software versions as shown in Table 1.

Table 1: Supported Security Director Software Versions

Juniper Security Director Insights Software Version   Compatible with Security Director Software Version
20.3R1                                                20.3R1

Note

The time zones set for Security Director and Juniper Security Director Insights must be the same.

Virtual Machine Specification

Juniper Security Director Insights is delivered as an ISO image to be deployed inside your VMware ESXi network with the following configuration:

  • 8 CPU

  • 24-GB RAM

  • 1.2-TB disk space

Table 2: Supported Virtual Machine Versions

Virtual Machine   Version
VMware            VMware ESXi server version 6.0 or later

Supported Browser Versions

Security Director and Juniper Security Director Insights are best viewed on the following browsers.

  • Mozilla Firefox

  • Google Chrome

  • Microsoft Internet Explorer 11

Installation Instructions

For more information about installing Security Director Insights 20.3R1, see Deploy and Configure Security Director Insights with OVA Files.

Known Issues

This section lists the known issues in Security Director Insights Release 20.3R1.

For the most complete and latest information about known issues, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues

This section lists the issues fixed in Junos Space Security Director and Policy Enforcer Release 20.3R1.

For the most complete and latest information about resolved issues, use the Juniper Networks online Junos Problem Report Search application.