Release Notes for Juniper Security Director Insights
This section describes the new features in Juniper Security Director Insights Release 20.3R1.
Log collection—The log analytics module receives system logs, normalizes the log data, and permits you to define actions for the collected log data. The log analytics functionality is available in addition to the existing Security Director log collector.
You can use the following capabilities to process log data:
Flexible parser—Use the flexible log parser to define how the system log data must be parsed. The flexible parser enables you to provide a sample of your logs, parse the logs, normalize the fields, filter based on your configured criteria, and assign severity and semantics to various fields. You can create multiple parsers for different log sources. You can also import the parsers from a file or export the parsers to a standard file that can be saved and shared.
User identity—Juniper Security Director Insights interfaces with JIMS to map the endpoint IP addresses in events or logs to the corresponding usernames and hostnames. To use JIMS, you must set up JIMS separately and grant Juniper Security Director Insights access permission to it.
User timeline view—View all received events pertaining to an endpoint on a user timeline view in the Juniper Security Director Insights UI. If you have configured the user identity through JIMS, the user timeline will be based on hostnames.
Event correlation and incident processing—An incident is a correlated set of events or logs that represents a security event. Incidents are received from the Juniper Security Director Insights analysis pipeline. These events are correlated into an incident based on the following criteria:
Events that are related to a single endpoint
Events that occur within a 5-minute time interval
The security severity of each event is calculated based on the rules specified and the log field mapping configuration.
You can perform the following activities on incidents:
Threat intelligence—Look up your trusted threat intelligence providers for indicators of compromise to confirm the maliciousness of the reported event. Indicators of compromise include IP addresses, URLs, and file hashes observed in the log data. What is considered malicious is based on our knowledge of the threat intelligence provider’s output.
The following threat intelligence sources are supported by Juniper Security Director Insights:
IP address and file hash lookup
File hash and URL lookup
File hash, URL, and IP address lookup
Rules Engine—You can use the Rules Engine to customize log event and incident processing to match your SOC processes. Rules are divided into the following elements:
Condition—The rules engine supports match operations for different field types. You can combine multiple matching criteria in an ANY (OR) configuration or an ALL (AND) configuration. To apply a condition, select a normalized field from the event and specify the criteria that trigger the rule.
Action—Respond to an event or incident. You can set, increase, or lower the severity, or look up a threat intelligence source.
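To make the correlation criteria above (one endpoint, 5-minute interval, severity from rules) and the Condition/Action model of the Rules Engine concrete, here is an added Python illustration; it is not code from the release notes or from the product, whose internal logic is not documented here. It correlates constructed, already-normalized events into incidents and applies ANY/ALL rules that raise or lower severity; the field names, the rule format, and anchoring the 5-minute window on an incident's first event are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample of already-normalized events (field names and values are illustrative assumptions).
EVENTS = [
    {"ts": "2020-10-01T10:00:00", "endpoint": "10.0.0.5", "src_ip": "203.0.113.9", "msg": "malware download blocked", "severity": 3},
    {"ts": "2020-10-01T10:02:30", "endpoint": "10.0.0.5", "src_ip": "203.0.113.9", "msg": "c2 beacon", "severity": 5},
    {"ts": "2020-10-01T10:09:00", "endpoint": "10.0.0.5", "src_ip": "198.51.100.2", "msg": "policy violation", "severity": 2},
    {"ts": "2020-10-01T10:01:00", "endpoint": "10.0.0.7", "src_ip": "198.51.100.2", "msg": "login failed", "severity": 1},
]
# Match operations per field type, and constructed rules in ALL (AND) / ANY (OR) form.
OPS = {"equals": lambda a, b: a == b, "contains": lambda a, b: b in str(a)}
RULES = [
    {"mode": "ALL", "adjust": +3, "conditions": [("src_ip", "equals", "203.0.113.9"), ("msg", "contains", "c2")]},
    {"mode": "ANY", "adjust": -1, "conditions": [("msg", "contains", "login failed"), ("msg", "contains", "policy")]},
]
WINDOW = timedelta(minutes=5)  # the 5-minute correlation interval from the release notes

def rule_matches(rule, ev):
    hits = [OPS[op](ev.get(field), value) for field, op, value in rule["conditions"]]
    return any(hits) if rule["mode"] == "ANY" else all(hits)

def correlate(events, window=WINDOW):
    """Same endpoint and within `window` of the incident's first event (anchoring on the first event is an assumption)."""
    incidents, open_by_endpoint = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ev = dict(ev)  # copy so rule actions never mutate the caller's events
        t = datetime.fromisoformat(ev["ts"])
        inc = open_by_endpoint.get(ev["endpoint"])
        if inc is None or t - inc["start"] > window:
            inc = {"endpoint": ev["endpoint"], "start": t, "events": []}
            incidents.append(inc)
            open_by_endpoint[ev["endpoint"]] = inc
        inc["events"].append(ev)
    return incidents

def build_incidents(events, rules):
    """Correlate, apply rule actions that raise or lower event severity, and
    score each incident as the highest severity among its events."""
    incidents = correlate(events)
    for inc in incidents:
        for ev in inc["events"]:
            for rule in rules:
                if rule_matches(rule, ev):
                    ev["severity"] = max(0, min(10, ev["severity"] + rule["adjust"]))
        inc["severity"] = max(ev["severity"] for ev in inc["events"])
    return incidents

if __name__ == "__main__":
    for inc in build_incidents(EVENTS, RULES):
        print(inc["endpoint"], inc["start"].time(), len(inc["events"]), "events, severity", inc["severity"])
```

With the sample data, the two 10.0.0.5 events at 10:00 and 10:02:30 form one incident scored 8 after the ALL rule fires on the C2 event, while the 10:09 event falls outside the window and opens a second incident.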
Mitigation—In response to an incident, you can either isolate or quarantine an infected endpoint based on its IP address and block the threat source IP address. This prevents files that are known to be harmful or suspicious from being downloaded.
The Juniper Security Director Insights Mitigation UI provides a list of endpoints and threat sources that can be mitigated. You can choose one or more endpoints or threat sources and trigger the mitigation. The endpoint or threat source IP addresses that need to be quarantined or blocked are sent to Juniper SkyATP or Policy Enforcer.
This section describes the supported hardware and software versions for Juniper Security Director Insights. For Security Director requirements, see the Security Director 20.3R1 Release Notes.
Supported Security Director Software Versions
Juniper Security Director Insights is supported only on specific Security Director software versions as shown in Table 1.
Table 1: Supported Security Director Software Versions
Juniper Security Director Insights Software Version
Compatible with Security Director Software Version
The time zones set for Security Director and Juniper Security Director Insights must be the same.
Virtual Machine Specification
Juniper Security Director Insights is delivered as an ISO image to be deployed inside your VMware ESXi network with the following configuration:
1.2-TB disk space
Table 2: Supported Virtual Machine Versions
VMware ESXi server version 6.0 or later
Supported Browser Versions
Security Director and Juniper Security Director Insights are best viewed on the following browsers.
Microsoft Internet Explorer 11
For more information about installing Security Director Insights 20.3R1, see Deploy and Configure Security Director Insights with OVA Files.
This section lists the known issues in Security Director Insights Release 20.3R1.
For the most complete and latest information about known issues, use the Juniper Networks online Junos Problem Report Search application.
This section lists the issues fixed in Junos Space Security Director and Policy Enforcer Release 20.3R1.
For the most complete and latest information about resolved issues, use the Juniper Networks online Junos Problem Report Search application.