
Juniper Secure Analytics

Administration Guide

Release

2014.2


Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Administration Guide Copyright © 2016, Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
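The 2036 and 2038 dates in the notice come from fixed-width time counters: the NTP timestamp carries seconds since 1900 in an unsigned 32-bit field, which wraps in February 2036, and a signed 32-bit Unix time_t overflows in January 2038. The following Python is an added illustration and is not part of the Juniper guide; the function names are my own. It computes both limits and shows why an NTP client that ignores the era (the era number is not carried in the packet, so the receiver must supply it) misreads a timestamp taken after the rollover as a date in 1900.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NTP_ERA_SECONDS = 2 ** 32       # the NTP seconds field is 32 bits, unsigned
UNIX_SIGNED_MAX = 2 ** 31 - 1   # largest value of a signed 32-bit time_t


def ntp_era_rollover() -> datetime:
    """First instant of NTP era 1: the 32-bit seconds field wraps back to zero here."""
    return NTP_EPOCH + timedelta(seconds=NTP_ERA_SECONDS)


def unix_time_t_overflow() -> datetime:
    """Last instant representable by a signed 32-bit time_t (the 'year 2038' limit)."""
    return UNIX_EPOCH + timedelta(seconds=UNIX_SIGNED_MAX)


def ntp_seconds_to_datetime(ntp_seconds: int, era: int = 0) -> datetime:
    """Decode a 32-bit NTP seconds field. The era is not on the wire; the
    receiver has to know it from its own clock or configuration."""
    if not 0 <= ntp_seconds < NTP_ERA_SECONDS:
        raise ValueError("NTP seconds field must fit in 32 bits")
    return NTP_EPOCH + timedelta(seconds=era * NTP_ERA_SECONDS + ntp_seconds)


def datetime_to_ntp_seconds(when: datetime) -> Tuple[int, int]:
    """Encode a UTC datetime as (era, 32-bit seconds field)."""
    total = int((when - NTP_EPOCH).total_seconds())
    return divmod(total, NTP_ERA_SECONDS)


def decoded_with_wrong_era(when: datetime) -> datetime:
    """What a receiver that still assumes era 0 computes for a timestamp
    generated after the rollover: the wrapped field is read as early 1900."""
    _era, field = datetime_to_ntp_seconds(when)
    return ntp_seconds_to_datetime(field, era=0)


if __name__ == "__main__":
    # Constructed sample instant: one second into NTP era 1.
    sample = ntp_seconds_to_datetime(1, era=1)
    print("NTP era rollover  :", ntp_era_rollover().isoformat())
    print("time_t overflow   :", unix_time_t_overflow().isoformat())
    print("sent", sample.isoformat(), "as", datetime_to_ntp_seconds(sample))
    print("era-0 receiver sees", decoded_with_wrong_era(sample).isoformat())
```

A SIEM that cannot place log timestamps in the correct era would file post-rollover events a century in the past, which is why time-source sanity belongs in the same review as the time server settings described later in this guide.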

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at


Table of Contents

About the Documentation . . . xv

Documentation and Release Notes . . . xv

Documentation Conventions . . . xv

Documentation Feedback . . . xvii

Requesting Technical Support . . . xviii

Self-Help Online Tools and Resources . . . xviii

Opening a Case with JTAC . . . xviii

Part 1

JSA Administration

Chapter 1 Overview . . . 3

Supported Web Browsers . . . 3

Admin Tab Overview . . . 4

Deploying Changes . . . 5

Updating User Details . . . 6

Resetting SIM . . . 7

Monitoring Systems With SNMP . . . 8

Managing Aggregated Data Views . . . 8

Chapter 2 User Management . . . 11

User Management Overview . . . 11

Role Management . . . 12

Creating a User Role . . . 12

Editing a User Role . . . 13

Deleting a User Role . . . 13

Managing Security Profiles . . . 14

Permission Precedences . . . 14

Creating a Security Profile . . . 15

Editing a Security Profile . . . 17

Duplicating a Security Profile . . . 17

Deleting a Security Profile . . . 18

User Account Management . . . 19

Creating a User Account . . . 19

Editing a User Account . . . 20

Deleting a User Account . . . 21

Authentication Management . . . 21

Authentication Overview . . . 22

Before you Begin . . . 22

Configuring System Authentication . . . 23

Configuring RADIUS Authentication . . . 23


Configuring Active Directory Authentication . . . 26

Configuring LDAP Authentication . . . 26

Configuring Your SSL or TLS certificate . . . 28

User Role Parameters . . . 28

Security Profile Parameters . . . 31

User Management window parameters . . . 31

User Management Window Toolbar . . . 32

User Details Window Parameters . . . 32

Chapter 3 Managing the System and Licenses . . . 35

System and Licenses Management Overview . . . 35

System and License Management Window Overview . . . 35

Managing License . . . 39

Uploading a License Key . . . 40

Allocating a License to a System . . . 40

Reverting an Allocation . . . 41

Viewing License Details . . . 41

Exporting a License . . . 42

System Management . . . 42

Viewing System Details . . . 43

Allocating a System to a License . . . 44

Restarting a System . . . 44

Shutting Down a System . . . 45

Exporting System Details . . . 45

Access Setting Management . . . 45

Configuring Firewall Access . . . 46

Updating Your Host Setup . . . 47

Configuring Interface Roles . . . 48

Changing Passwords . . . 49

Time Server Configuration . . . 49

Configuring Your Time Server Using RDATE . . . 50

Manually Configuring Time Settings for Your System . . . 51

Chapter 4 User Information Source Configuration . . . 53

Information Source Configuration Overview . . . 53

Understanding User Information Source . . . 53

User Information Sources . . . 54

Reference Data Collections for User Information . . . 55

Integration Workflow Example . . . 55

User Information Source Configuration and Management Task Overview . . . 56

Configuring the Tivoli Directory Integrator Server . . . 57

Creating and Managing User Information Source . . . 60

Creating a User Information Source . . . 60

Retrieving User Information Sources . . . 62

Editing a User Information Source . . . 62

Deleting a User Information Source . . . 63


Chapter 5 Set up JSA . . . 65

Network Hierarchy . . . 65

Acceptable CIDR Values . . . 67

Defining Your Network Hierarchy . . . 69

Configuring Automatic Updates . . . 70

Viewing Pending Updates . . . 71

Configuring Automatic Update Settings . . . 72

Scheduling an Update . . . 73

Clearing Scheduled Updates . . . 74

Checking for New Updates . . . 74

Manually Installing Automatic Updates . . . 75

Viewing your Update History . . . 75

Restoring Hidden Updates . . . 75

Viewing the Autoupdate Log . . . 76

Set up a JSA Update Server . . . 76

Configuring your Update Server . . . 76

Configuring your JSA Console as the Update Server . . . 78

Adding New Updates . . . 79

Configuring System Settings . . . 79

Configuring your IF-MAP Server Certificates . . . 85

Configuring IF-MAP Server Certificate for Basic Authentication . . . 85

Configuring IF-MAP Server Certificate for Mutual Authentication . . . 85

Data Retention . . . 86

Configuring Retention Buckets . . . 87

Managing Retention Bucket Sequence . . . 89

Editing a Retention Bucket . . . 89

Enabling and Disabling a Retention Bucket . . . 90

Deleting a Retention Bucket . . . 90

Configuring System Notifications . . . 91

Configuring the Console Settings . . . 92

Custom Offense Close Reasons . . . 94

Adding a Custom Offense Close Reason . . . 95

Editing Custom Offense Close Reason . . . 96

Deleting a Custom Offense Close Reason . . . 96

Managing Index . . . 96

Enabling Indexes . . . 97

Chapter 6 Managing Reference Sets . . . 99

Reference Set Management Overview . . . 99

Adding a Reference Set . . . 100

Editing a Reference Set . . . 100

Deleting Reference Sets . . . 101

Viewing the Contents of a Reference Set . . . 102

Adding an Element to a Reference Set . . . 103

Deleting Elements from a Reference Set . . . 104

Importing Elements into a Reference Set . . . 104

Exporting Elements from a Reference Set . . . 105


Chapter 7 Reference Data Collections . . . 107

Using Reference Data Collections . . . 107

CSV File Requirements for Reference Data Collections . . . 108

Creating a Reference Data Collection . . . 109

ReferenceDataUtil.sh Command Reference . . . 110

Create . . . 110

Update . . . 111

Add . . . 112

Delete . . . 112

Remove . . . 112

Purge . . . 113

List . . . 113

Listall . . . 113

Load . . . 113

Chapter 8 Managing Authorized Services . . . 115

Understanding Authorized Services . . . 115

Viewing Authorized Services . . . 116

Adding an Authorized Service . . . 116

Revoking Authorized Services . . . 117

Customer Support Authenticated Service . . . 117

Dismiss an Offense . . . 117

Close an Offense . . . 118

Add Notes to an Offense . . . 118

Chapter 9 Managing Backup and Recovery . . . 121

Understanding Backup and Recovery Components . . . 121

Managing Backup Archive . . . 122

Viewing Backup Archives . . . 122

Importing a Backup Archive . . . 123

Deleting a Backup Archive . . . 123

Backup Archive Creation . . . 123

Scheduling Nightly Backup . . . 124

Creating an On-Demand Configuration Backup Archive . . . 125

Backup Archive Restoration . . . 126

Restoring a Backup Archive . . . 127

Restoring a Backup Archive Created on a Different JSA System . . . 128

Restoring Data . . . 130

Verifying Restored Data . . . 132

Chapter 10 Deployment Editor . . . 133

Deployment Editor Requirements . . . 133

Deployment Editor Views . . . 134

System View . . . 134


Configuring Deployment Editor Preferences . . . 135

Building your Deployment . . . 135

Event View Management . . . 136

Juniper Secure Analytics Components . . . 136

Flow Processor . . . 136

Event Collector . . . 137

Off-site Source . . . 137

Off-site Target . . . 137

Magistrate . . . 137

Process to build your Event View . . . 138

Adding Components . . . 138

Connecting Components . . . 139

Forwarding Normalized Events and Flows Events . . . 140

Renaming Components . . . 143

Managing System View . . . 143

Overview of the System View Page . . . 144

Software Compatibility Requirements for Console and Non-Console Hosts . . . 144

Enabling Encryption . . . 144

Adding a Managed Host . . . 145

Editing a Managed Host . . . 146

Removing a Managed Host . . . 147

Configuring a Managed Host . . . 147

Assigning a Component to a Host . . . 147

Configuring Host Context . . . 148

Configuring an Accumulator . . . 149

Managing NAT . . . 150

Adding a NAT-enabled Network to JSA . . . 150

Editing a NAT-enabled Network . . . 151

Deleting a NAT-enabled Network from JSA . . . 151

Changing the NAT Status for a Managed Host . . . 151

Component Configuration . . . 153

Configuring a Flow Processor . . . 153

Configuring an Event Collector . . . 157

Configuring an Event Processor . . . 158

Configuring the Magistrate . . . 159

Configuring an Off-site Source . . . 160

Configuring an Off-site Target . . . 160

Chapter 11 Managing Flow Sources . . . 163

Flow Sources Overview . . . 163

NetFlow . . . 164

IPFIX . . . 165

sFlow . . . 166

J-Flow . . . 167

Packeteer . . . 167

Flowlog file . . . 167

Adding or Editing a Flow Source . . . 168

Enabling and Disabling a Flow Source . . . 169


Deleting a Flow Source . . . 170

Managing Flow Source Aliases . . . 170

Adding or Editing a Flow Source Alias . . . 171

Deleting a Flow Source Alias . . . 171

Chapter 12 Remote Networks and Services Configuration . . . 173

Default Remote Network Groups . . . 173

Default Remote Service Groups . . . 174

Guidelines for Network Resources . . . 175

Managing Remote Networks Objects . . . 176

Managing Remote Services Objects . . . 176

Chapter 13 Server Discovery . . . 179

Discovering Servers . . . 179

Chapter 14 Data Forwarding . . . 181

Data Forwarding Overview . . . 181

Forwarding Destinations . . . 181

Configuration process for forwarding data . . . 181

Adding Forwarding Destinations . . . 182

Configuring Routing Rules for Bulk Forwarding . . . 183

Configuring Selective Forwarding . . . 185

Customizing the Forwarding Profile . . . 186

Viewing Forwarding Destinations . . . 187

Viewing and Managing Forwarding Destinations . . . 188

Viewing and Managing Routing Rules . . . 189

Chapter 15 Event Store and Forward . . . 191

Managing Schedules for Forwarding Events . . . 191

Store and Forward Overview . . . 191

Viewing the Store and Forward Schedule List . . . 192

Creating a New Store and Forward Schedule . . . 194

Editing a Store and Forward Schedule . . . 195

Deleting a Store and Forward Schedule . . . 196

Chapter 16 Data Obfuscation . . . 197

Configuring and Managing Obfuscated Data . . . 197

Generating a Private/Public Key Pair . . . 198

Configuring Data Obfuscation . . . 200

Decrypting Obfuscated Data . . . 203

Obfuscating JSA Asset Profile Data After Upgrade . . . 203

Chapter 17 Content Management Tool . . . 205

Content Management Tool Overview . . . 205

Exporting Custom Content . . . 206

Importing Content . . . 207

Updating Content During Import . . . 208

Searching Custom Content . . . 209


Chapter 18 Audit Logs . . . 211

Chapter 19 Event Categories . . . 217

Recon . . . 217

DoS . . . 219

Authentication . . . 222

Access . . . 228

Exploit . . . 230

Malware . . . 232

Suspicious Activity . . . 234

System . . . 237

Policy . . . 242

Unknown . . . 243

CRE . . . 244

Potential Exploit . . . 245

User Defined . . . 246

VIS Host Discovery . . . 248

Application . . . 248

Audit . . . 269

Control . . . 269

Asset Profiler . . . 271

Chapter 20 Ports Used by JSA . . . 277

Overview of Common Ports Used by JSA . . . 277

Ports and iptables . . . 277

SSH communication on port 22 . . . 277

JSA Ports . . . 278

Searching for Ports in Use by JSA . . . 286

Viewing IMQ Port Associations . . . 287

Glossary . . . 287

Part 2

Index

Index . . . 297


List of Tables

About the Documentation . . . xv

Table 1: Notice Icons . . . xvi

Table 2: Text and Syntax Conventions . . . xvi

Part 1

JSA Administration

Chapter 1 Overview . . . 3

Table 3: Supported Web Browsers . . . 3

Table 4: Admin Tab Menu Options . . . 5

Table 5: Main User Detail Interface . . . 6

Table 6: SIM Resetting Options . . . 7

Chapter 2 User Management . . . 11

Table 7: Security Profile Data Options . . . 17

Table 8: Description of authentication types . . . 24

Table 9: Description of authentication types . . . 25

Table 10: Active Directory Parameters . . . 26

Table 11: LDAP Authentication Parameters . . . 27

Table 12: User Role Management Window Parameters . . . 28

Table 13: Security Profile Management Window Parameters . . . 31

Table 14: User Management window parameters . . . 31

Table 15: User Management window toolbar functions . . . 32

Table 16: User Details window parameters . . . 32

Chapter 3 Managing the System and Licenses . . . 35

Table 17: System and License Management toolbar functions . . . 36

Table 18: Deployment Details pane . . . 37

Table 19: System and License Management Window Parameters - Systems View . . . 37

Table 20: System and License Management Window Parameters - Licenses View . . . 38

Table 21: License parameters . . . 43

Table 22: Device Access Parameters . . . 47

Table 23: System administration web control parameter . . . 47

Table 24: Time server parameters . . . 51

Chapter 4 User Information Source Configuration . . . 53

Table 25: Supported Information Sources . . . 54

Table 26: Certification Configuration Parameters . . . 58

Table 27: Supported User Interface Property Values . . . 61

Chapter 5 Set up JSA . . . 65

Table 28: Example of Multiple CIDRs and subnets in a Single Network Group . . . 66

Table 29: Example of an All-Encompassing Group . . . 66

Table 30: Acceptable CIDR Values . . . 67

Table 31: Check for Updates Toolbar Functions . . . 71

Table 32: System Settings Window Parameters . . . 79

Table 33: Retention Window Parameters . . . 87

Table 34: Retention Window Toolbar . . . 87

Table 35: Retention Bucket Parameters . . . 88

Table 36: Global System Notifications Window Parameters . . . 91

Table 37: Console Settings . . . 92

Table 38: Custom Close Reasons Window Parameters . . . 95

Table 39: Index Management Window Parameters . . . 97

Table 40: Index Management Window Parameters . . . 98

Chapter 6 Managing Reference Sets . . . 99

Table 41: Reference Set Parameters . . . 100

Table 42: Reference Set Parameters . . . 101

Table 43: Content Tab Parameters . . . 102

Table 44: Content Tab Parameters . . . 103

Table 45: Reference Set Parameters . . . 104

Chapter 7 Reference Data Collections . . . 107

Table 46: Reference Data Collection Types . . . 107

Chapter 8 Managing Authorized Services . . . 115

Table 47: Parameters for Authorized Services . . . 115

Table 48: Query String Parameters for the Customer Support Service . . . 118

Table 49: Query String Parameters for the Customer Support Service . . . 118

Table 50: Query String Parameters for the Customer Support Service . . . 118

Chapter 9 Managing Backup and Recovery . . . 121

Table 51: Backup Recovery Configuration Parameters . . . 124

Table 52: On-demand Configuration Parameters . . . 126

Table 53: Restore a Backup Parameters . . . 127

Table 54: Restore a Backup (Managed Host Accessibility) Parameters . . . 129

Table 55: Restore a Backup Parameters . . . 129

Table 56: Description of File Name Variables . . . 131

Chapter 10 Deployment Editor . . . 133

Table 57: Description of Supported Component Connections . . . 139

Table 58: Parameters for the Managed Host . . . 145

Table 59: Parameters for a NAT-Enabled Network . . . 145

Table 60: Parameters for the Managed Host . . . 146

Table 61: Parameters for a NAT-Enabled Network . . . 147

Table 62: Host Context Parameters . . . 148

Table 63: Accumulator Parameters . . . 150

Table 64: NAT-enabled Network Parameters . . . 152

Table 65: Advanced Flow Processor parameters . . . 153


Table 69: Parameter Values for the Event Processor . . . 158

Table 70: Event Processor Advanced Parameters . . . 159

Table 71: Off-site Source Parameters . . . 160

Table 72: Off-site Target Parameters . . . 161

Chapter 11 Managing Flow Sources . . . 163

Table 73: Internal and External Flow Sources . . . 163

Table 74: Spoofing and Non-Spoofing Methods . . . 164

Chapter 12 Remote Networks and Services Configuration . . . 173

Table 75: Default Remote Network Groups . . . 173

Table 76: Default Remote Service Groups . . . 175

Chapter 14 Data Forwarding . . . 181

Table 77: Forwarding Destinations Parameters . . . 182

Table 78: Routing Rules Window Parameters . . . 183

Table 79: Description of the Forwarding Destination Toolbar Actions . . . 188

Chapter 15 Event Store and Forward . . . 191

Table 80: Store and Forward Window Parameters . . . 192

Chapter 16 Data Obfuscation . . . 197

Table 81: Command Options for Generating the RSA Private Key . . . 198

Table 82: Options to Format the Private Key . . . 199

Table 83: Command Options for Generating the Public Key . . . 199

Table 84: Attributes of the obfuscation_expressions.xml File . . . 201

Table 85: Example Regex Patterns that can Parse User Names . . . 202

Table 86: Options for the Obfuscation_decoder.sh Script . . . 203

Chapter 17 Content Management Tool . . . 205

Table 87: Custom Content Types . . . 206

Table 88: Custom Content Types . . . 209

Chapter 18 Audit Logs . . . 211

Table 89: Description of the Parts of the Log File Format . . . 211

Table 90: Logged Action Categories . . . 212

Chapter 19 Event Categories . . . 217

Table 91: Low-level Categories and Severity Levels for the Recon Events Category . . . 218

Table 92: Low-level Categories and Severity Levels for the DoS Events Category . . . 219

Table 93: Low-level Categories and Severity Levels for the Authentication Events Category . . . 222

Table 94: Low-level Categories and Severity Levels for the Access Events Category . . . 229

Table 95: Low-level Categories and Severity Levels for the Exploit Events Category . . . 231

Table 96: Low-level categories and Severity Levels for the Malware Events Category . . . 233

Table 97: Low-level Categories and Severity Levels for the Suspicious Activity Events Category . . . 234


Table 98: Low-level Categories and Severity Levels for the System Events Category . . . 238

Table 99: Low-level Categories and Severity Levels for the Policy Category . . . 242

Table 100: Low-level Categories and Severity Levels for the Unknown Category . . . 243

Table 101: Low-level Categories and Severity Levels for the CRE Category . . . 244

Table 102: Low-level Categories and Severity Levels for the Potential Exploit Category . . . 245

Table 103: Low-level Categories and Severity Levels for the User Defined Category . . . 246

Table 104: Low-level Categories and Severity Levels for the VIS Host Discovery Category . . . 248

Table 105: Low-level Categories and Severity Levels for the Application Category . . . 249

Table 106: Low-level Categories and Severity Levels for the Audit Category . . . 269

Table 107: Low-level Categories and Severity Levels for the Control Category . . . 270

Table 108: Low-level Categories and Severity Levels for the Asset Profiler Category

About the Documentation

• Documentation and Release Notes on page xv

• Documentation Conventions on page xv

• Documentation Feedback on page xvii

• Requesting Technical Support on page xviii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page xvi defines the notice icons used in this guide. The icons themselves are not reproduced here; each row gives the icon meaning followed by its description.

Table 1: Notice Icons

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page xvi defines the text and syntax conventions used in this guide. Each entry gives the convention, its description, and one or more examples.

Table 2: Text and Syntax Conventions

Bold text like this: Represents text that you type. Example: To enter configuration mode, type the configure command: user@host> configure

Fixed-width text like this: Represents output that appears on the terminal screen. Example: user@host> show chassis alarms / No alarms currently active

Italic text like this: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles. Examples: A policy term is a named structure that defines match conditions and actions. / Junos OS CLI User Guide / RFC 1997, BGP Communities Attribute

Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements. Example: Configure the machine's domain name: [edit] root@# set system domain-name domain-name

Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. / The console port is labeled CONSOLE.

< > (angle brackets): Encloses optional keywords or variables. Example: stub <default-metric metric>;

| (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. Examples: broadcast | multicast / (string1 | string2 | string3)

# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies. Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets): Encloses a variable for which you can substitute one or more values. Example: community name members [ community-ids ]

Indention and braces ( { } ): Identifies a level in the configuration hierarchy. Example: [edit] routing-options { static { route default { nexthop address; retain; } } }

; (semicolon): Identifies a leaf statement at a configuration hierarchy level.

GUI Conventions

Bold text like this: Represents graphical user interface (GUI) items you click or select. Examples: In the Logical Interfaces box, select All Interfaces. / To cancel the configuration, click Cancel.

> (bold right angle bracket): Separates levels in a hierarchy of menu selections. Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.


For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

JSA Administration

• Overview on page 3

• User Management on page 11

• Managing the System and Licenses on page 35

• User Information Source Configuration on page 53

• Set up JSA on page 65

• Managing Reference Sets on page 99

• Reference Data Collections on page 107

• Managing Authorized Services on page 115

• Managing Backup and Recovery on page 121

• Deployment Editor on page 133

• Managing Flow Sources on page 163

• Remote Networks and Services Configuration on page 173

• Server Discovery on page 179

• Data Forwarding on page 181

• Event Store and Forward on page 191

• Data Obfuscation on page 197

• Content Management Tool on page 205

• Audit Logs on page 211

CHAPTER 1

Overview

This chapter provides information on how to access and use the Juniper Secure Analytics (JSA) user interface and the Admin tab.

• Supported Web Browsers on page 3

• Admin Tab Overview on page 4

• Deploying Changes on page 5

• Updating User Details on page 6

• Resetting SIM on page 7

• Monitoring Systems With SNMP on page 8

• Managing Aggregated Data Views on page 8

Supported Web Browsers

For the features in Juniper Secure Analytics (JSA) to work properly, you must use a supported web browser.

When you access the system, a prompt is displayed asking for a user name and a password. The user name and password must be configured in advance by the administrator.

Table 3 on page 3 describes the supported web browsers.

Table 3: Supported Web Browsers

Mozilla Firefox: 17.0 Extended Support Release; 24.0 Extended Support Release.

Mozilla Firefox has a short release cycle. We cannot commit to testing on the latest versions of the Mozilla Firefox browser. However, we are fully committed to investigating any issues that are reported.

32-bit Microsoft Internet Explorer, with document mode and browser mode enabled: 8.0; 9.0.

Related Documentation

• Admin Tab Overview on page 4

• Deploying Changes on page 5

• Updating User Details on page 6

• Monitoring Systems With SNMP on page 8

• Managing Aggregated Data Views on page 8

Admin Tab Overview

Administrators use the Admin tab in Juniper Secure Analytics (JSA) to manage dashboards, offenses, log activity, network activity, assets, and reports. The Admin tab provides several tab and menu options that allow you to configure JSA.

You must have administrative privileges to access administrative functions. To access them, click the Admin tab on the user interface.

The Admin tab provides access to the following functions:

• Manage users. See “User Management” on page 11.

• Manage your network settings. See “Managing the System and Licenses” on page 35.

• Manage high availability. See the High Availability Guide.

• Manage reference sets. See “Reference Set Management Overview” on page 99.

• Manage authorized services. See “Managing Authorized Services” on page 115.

• Back up and recover your data. See “Understanding Backup and Recovery Components” on page 121.

• Manage your deployment views. See “Deployment Editor” on page 133.

• Manage flow sources. See “Flow Sources Overview” on page 163.

• Configure remote networks and remote services. See “Remote Networks and Services Configuration” on page 173.

• Discover servers. See “Server Discovery” on page 179.

• Configure data forwarding. See “Data Forwarding” on page 181.

• Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.

• Configure plug-ins. For more information, see the Associated Documentation.

Table 4: Admin Tab Menu Options

Deployment Editor: Opens the Deployment Editor window. For more information, see “Deployment Editor” on page 133.

Deploy Changes: Deploys any configuration changes from the current session to your deployment. For more information, see “Deploying Changes” on page 5.

Advanced: The Advanced menu provides the following options:

• Clean SIM Model—Resets the SIM module. See “Resetting SIM” on page 7.

• Deploy Full Configuration—Deploys all configuration changes. For more information, see “Deploying Changes” on page 5.

Related Documentation

• Supported Web Browsers on page 3

• Deploying Changes on page 5

• Updating User Details on page 6

• Resetting SIM on page 7

• Monitoring Systems With SNMP on page 8

• Managing Aggregated Data Views on page 8

Deploying Changes

You can update your configuration settings from the Admin tab. Your changes are saved to a staging area where they are stored until you manually deploy the changes.

Each time that you access the Admin tab and each time you close a window on the Admin tab, a banner at the top of the Admin tab displays the following message: Checking for undeployed changes. If undeployed changes are found, the banner updates to provide information about the undeployed changes.

If the list of undeployed changes is lengthy, a scroll bar is provided. Scroll through the list.

The banner message also suggests which type of deployment change to make. Choose one of the two options:

• Deploy Changes—Click the Deploy Changes icon on the Admin tab toolbar to deploy any configuration changes from the current session to your deployment.

• Deploy Full Configuration—Select Advanced > Deploy Full Configuration from the Admin tab menu to deploy all configuration settings to your deployment. All deployed changes are then applied throughout your deployment.

NOTE: When you click Deploy Full Configuration, JSA restarts all services, which results in a gap in data collection until the deployment completes.


After you deploy your changes, the banner clears the list of undeployed changes and checks the staging area again for any new undeployed changes. If none are present, the following message is displayed: There are no changes to deploy.

1. Click View Details.

2. Choose one of the following options:

a. To expand a group to display all items, click the plus sign (+) beside the text. When done, you can click the minus sign (-).

b. To expand all groups, click Expand All. When done, you can click Collapse All.

c. Click Hide Details to hide the details from view again.

3. Perform the suggested task:

a. From the Admin tab menu, click Deploy Changes.

b. From the Admin tab menu, click Advanced > Deploy Full Configuration.

Related Documentation

• Updating User Details on page 6

• Resetting SIM on page 7

• Monitoring Systems With SNMP on page 8

• Managing Aggregated Data Views on page 8

• Supported Web Browsers on page 3

• Admin Tab Overview on page 4

Updating User Details

You can access your administrative user details through the main user interface. To update the user details:

1. Click Preferences.

2. Optional. Update the configurable user details by referring to Table 5 on page 6.

Table 5: Main User Detail Interface

Option: Description

Email: Type a new email address.

Password: Type a new password.

Password (Confirm): Type the new password again.

Locale: JSA is available in the following languages: English, Simplified Chinese, Traditional Chinese, Japanese, Korean, French, German, Italian, Spanish, Russian, and Portuguese (Brazil). If a locale is not listed, the user interface is not translated into the associated language. However, other associated cultural conventions, such as character type, collation, date and time format, and currency unit, are supported.

3. Click Save.

Related Documentation

• Resetting SIM on page 7

• Monitoring Systems With SNMP on page 8

• Managing Aggregated Data Views on page 8

• Supported Web Browsers on page 3

• Admin Tab Overview on page 4

Resetting SIM

Use the Admin tab to reset the SIM module. Resetting removes all offense, source IP address, and destination IP address information from the database and the disk. This option is useful after you tune your deployment, so that you do not receive any additional false positive information.

The SIM reset process can take several minutes, depending on the amount of data in your system. If you attempt to move to other areas of the JSA user interface during the SIM reset process, an error message is displayed.

To reset the SIM:

1. Click the Admin tab.

2. From the Advanced menu, select Clean SIM Model.

3. Read the information on the Reset SIM Data Module window.

4. Select one of the options as described in Table 6 on page 7.

Table 6: SIM Resetting Options

Option: Description

Soft Clean: Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box.

Hard Clean: Purges all current and historical SIM data, which includes offenses, source IP addresses, and destination IP addresses.


5. If you want to continue, select the Are you sure you want to reset the data model? check box.

6. Click Proceed.

7. When the SIM reset process is complete, click Close.

8. When the SIM reset process is complete, reset your browser.

Related Documentation

• Monitoring Systems With SNMP on page 8

• Updating User Details on page 6

• Managing Aggregated Data Views on page 8

• Admin Tab Overview on page 4

• Supported Web Browsers on page 3

Monitoring Systems With SNMP

This topic provides information about monitoring appliances through SNMP polling. Juniper Secure Analytics (JSA) uses the Net-SNMP agent, which supports various system resource monitoring MIBs. Network management solutions can poll these MIBs to monitor system resources and raise alerts. For more information about Net-SNMP, see the Net-SNMP documentation.

Related Documentation

• Deploying Changes on page 5

• Updating User Details on page 6

• Resetting SIM on page 7

• Managing Aggregated Data Views on page 8

• Admin Tab Overview on page 4

Managing Aggregated Data Views

A large volume of data aggregation can decrease system performance. To improve system performance, you can disable, enable, or delete aggregated data views. Time series charts and report charts use aggregated data views.

1. Click the Admin tab.


• Select an option from one of the following lists: View, Database, Show, or Display.

• Type an aggregated data ID, report name, chart name, or saved search name in the search field.

5. To manage an aggregated data view, select the view, and then the appropriate action from the toolbar:

• If you select Disable View or Delete View, a window displays content dependencies for the aggregated data view. After you disable or delete the aggregated data view, the dependent components no longer use aggregated data.

• If you enable a disabled aggregated data view, the aggregated data from the deleted view is restored.

Related Documentation

• Deploying Changes on page 5

• Updating User Details on page 6

• Resetting SIM on page 7

• Monitoring Systems With SNMP on page 8

• Supported Web Browsers on page 3

• Admin Tab Overview on page 4


CHAPTER 2

User Management

This chapter provides information and procedures for configuring and managing user accounts.

When you initially configure Juniper Secure Analytics (JSA), you must create user accounts for all users that require access to JSA. After initial configuration, you can edit user accounts to ensure that user information is current. You can also add and delete user accounts as required.

• User Management Overview on page 11

• Role Management on page 12

• Creating a User Role on page 12

• Editing a User Role on page 13

• Deleting a User Role on page 13

• Managing Security Profiles on page 14

User Management Overview

A user account defines the user name, default password, and email address for a user. Assign the following items for each new user account you create:

• User role—Determines the privileges that the user is granted to access functions and information in Juniper Secure Analytics (JSA). JSA includes two default user roles: Admin and All. Before you add user accounts, you must create more user roles to meet the specific permissions requirement of your users.

• Security profile—Determines the networks and log sources the user is granted access to. JSA includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources. Before you add user accounts, you must create more security profiles to meet the specific access requirements of your users.

Related Documentation

• User Management Overview on page 11

• Deleting a User Role on page 13

• Permission Precedences on page 14

Role Management

Using the User Roles window, you can create and manage user roles.

Creating a User Role

Use this task to create the user roles that are required for your deployment.

By default, your system provides a default administrative user role, which provides access to all areas of Log Analytics. Users who are assigned an administrative user role cannot edit their own account. This restriction applies to the default Admin user role. Another administrative user must make any account changes.

To create a user role:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the User Roles icon.

4. On the toolbar, click New.

5. Configure the following parameters:

a. In the User Role Name field, type a unique name for this user role.

b. Select the permissions that you want to assign to this user role.

6. Click Save.

7. Close the User Role Management window.

8. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Editing a User Role on page 13

Editing a User Role

You can edit an existing role to change the permissions that are assigned to the role. To quickly locate the user role you want to edit on the User Role Management window, you can type a role name in the Type to filter text box. This box is located above the left pane.

To edit a user role:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the User Roles icon.

4. In the left pane of the User Role Management window, select the user role that you want to edit.

5. On the right pane, update the permissions, as necessary.

6. Click Save.

7. Close the User Role Management window.

8. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Creating a User Role on page 12

• Deleting a User Role on page 13

• User Management Overview on page 11

• Permission Precedences on page 14

Deleting a User Role

If a user role is no longer required, you can delete the user role.

If user accounts are assigned to the user role you want to delete, you must reassign the user accounts to another user role. The system automatically detects this condition and prompts you to update the user accounts.

You can quickly locate the user role that you want to delete on the User Role Management window. Type a role name in the Type to filter text box, which is located above the left pane.

To delete a user role:

1. Click the Admin tab.

2. On the Navigation menu, click System Configuration > User Management.

3. Click the User Roles icon.

4. In the left pane of the User Role Management window, select the user role that you want to delete.

5. On the toolbar, click Delete.

6. Click OK.

• If user accounts are assigned to this user role, the Users are Assigned to this User Role window opens. Go to Step 7.

• If no user accounts are assigned to this role, the user role is successfully deleted. Go to Step 8.

7. Reassign the listed user accounts to another user role:

• From the User Role to assign list, select a user role.

• Click Confirm.

8. Close the User Role Management window.

9. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Creating a User Role on page 12

• Editing a User Role on page 13

• User Management Overview on page 11

• Permission Precedences on page 14

Managing Security Profiles

Security profiles define which networks and log sources a user can access and the permission precedence.

Using the Security Profile Management window, you can view, create, update, and delete security profiles.

• Permission Precedences on page 14

• Creating a Security Profile on page 15

• Editing a Security Profile on page 17

• Duplicating a Security Profile on page 17

• Deleting a Security Profile on page 18

• User Account Management on page 19

• Authentication Management on page 21

Permission Precedences


Make sure that you understand the following restrictions:

• No Restrictions—This option does not place restrictions on which events are displayed in the Log Activity tab and which flows are displayed in the Network Activity tab.

• Network Only—This option restricts the user to view only events and flows that are associated with the networks specified in this security profile.

• Log Sources Only—This option restricts the user to view only events that are associated with the log sources specified in this security profile.

• Networks AND Log Sources—This option allows the user to view only events and flows that are associated with the log sources and networks that are specified in this security profile.

For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is not displayed in the Log Activity tab. The event must match both requirements.

• Networks OR Log Sources—This option allows the user to view only events and flows that are associated with the log sources or networks that are specified in this security profile.

For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is displayed in the Log Activity tab. The event must match one requirement.
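The five precedence options above, applied to a handful of constructed events, as an added example that is not part of the Juniper guide: the SecurityProfile and Event structures, the CIDR-based test for "associated with a network" (source or destination IP inside an assigned network), and the sample log source names and addresses are assumptions made here for illustration.

```python
"""Added example, not part of the JSA guide: models how a security profile's
permission precedence decides whether an event is shown in the Log Activity
tab. The SecurityProfile/Event structures, the CIDR-based network match and
the sample data are assumptions made here for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network


class Precedence(Enum):
    NO_RESTRICTIONS = "No Restrictions"
    NETWORK_ONLY = "Network Only"
    LOG_SOURCES_ONLY = "Log Sources Only"
    NETWORKS_AND_LOG_SOURCES = "Networks AND Log Sources"
    NETWORKS_OR_LOG_SOURCES = "Networks OR Log Sources"


@dataclass
class SecurityProfile:
    name: str
    precedence: Precedence
    networks: list = field(default_factory=list)   # CIDRs from the Networks tab (assumed form)
    log_sources: set = field(default_factory=set)  # names from the Log Sources tab (assumed form)


@dataclass
class Event:
    log_source: str
    src_ip: str
    dst_ip: str


def in_assigned_network(profile, event):
    """An event is associated with a network if its source or destination IP lies in it."""
    nets = [ip_network(n) for n in profile.networks]
    return any(ip_address(ip) in n for ip in (event.src_ip, event.dst_ip) for n in nets)


def from_assigned_log_source(profile, event):
    return event.log_source in profile.log_sources


def is_visible(profile, event):
    """Apply the profile's precedence rule to one event."""
    net_ok = in_assigned_network(profile, event)
    ls_ok = from_assigned_log_source(profile, event)
    if profile.precedence is Precedence.NO_RESTRICTIONS:
        return True
    if profile.precedence is Precedence.NETWORK_ONLY:
        return net_ok
    if profile.precedence is Precedence.LOG_SOURCES_ONLY:
        return ls_ok
    if profile.precedence is Precedence.NETWORKS_AND_LOG_SOURCES:
        return net_ok and ls_ok   # the event must match both requirements
    return net_ok or ls_ok        # Networks OR Log Sources: one requirement is enough


def visibility_matrix(networks, log_sources, events):
    """Evaluate every precedence option over the same events: {option: [visible, ...]}."""
    matrix = {}
    for prec in Precedence:
        profile = SecurityProfile("demo", prec, networks, log_sources)
        matrix[prec.value] = [is_visible(profile, e) for e in events]
    return matrix


# Constructed sample events; the profile under test is assigned 10.1.0.0/16 and fw-edge-01.
SAMPLE_EVENTS = [
    Event("fw-edge-01", "10.1.1.5", "10.1.1.9"),        # allowed log source, allowed network
    Event("fw-edge-01", "198.51.100.7", "203.0.113.4"), # allowed log source, restricted network
    Event("db-audit", "10.1.1.20", "10.1.1.21"),        # other log source, allowed network
    Event("db-audit", "198.51.100.8", "203.0.113.9"),   # neither
]

if __name__ == "__main__":
    for option, shown in visibility_matrix(["10.1.0.0/16"], {"fw-edge-01"}, SAMPLE_EVENTS).items():
        print(f"{option:26} {shown}")
```

The second sample event is the case the text describes: its log source is allowed but its addresses are outside every assigned network, so it is hidden under AND and shown under OR.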

Related Documentation

• Creating a Security Profile on page 15

• Editing a Security Profile on page 17

• Duplicating a Security Profile on page 17

• Deleting a Security Profile on page 18

• User Management Overview on page 11

Creating a Security Profile

To add user accounts, you must first create security profiles to meet the specific access requirements of your users.

Juniper Secure Analytics (JSA) includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources. To select multiple items on the Security Profile Management window, hold the Control key while you select each network or network group that you want to add.

If after you add log sources or networks, you want to remove one or more before you save the configuration, you can select the item and click the Remove (<) icon. To remove all items, click Remove All.


To create a security profile:

1. Click the Admin tab.

2. On the Navigation menu, click System Configuration > User Management.

3. Click the Security Profiles icon.

4. On the Security Profile Management toolbar, click New.

5. Configure the following parameters:

a. In the Security Profile Name field, type a unique name for the security profile. The security profile name must meet the following requirements: minimum of 3 characters and maximum of 30 characters.

b. Optional: Type a description of the security profile. The maximum number of characters is 255.

6. Click the Permission Precedence tab.

7. In the Permission Precedence Setting pane, select a permission precedence option. See “Permission Precedences” on page 14.

8. Configure the networks that you want to assign to the security profile:

a. Click the Networks tab.

b. From the navigation tree in the left pane of the Networks tab, select the network that you want this security profile to have access to.

c. Click the Add (>) icon to add the network to the Assigned Networks pane.

d. Repeat for each network you want to add.

9. Configure the log sources that you want to assign to the security profile:

a. Click the Log Sources tab.

b. From the navigation tree in the left pane, select the log source group or log source you want this security profile to have access to.

c. Click the Add (>) icon to add the log source to the Assigned Log Sources pane.

d. Repeat for each log source you want to add.

10. Click Save.

11. Close the User Role Management window.

12. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Editing a Security Profile on page 17

Editing a Security Profile

You can edit an existing security profile to update which networks and log sources a user can access and the permission precedence.

To quickly locate the security profile you want to edit on the Security Profile Management window, type the security profile name in the Type to filter text box. It is located above the left pane.

To edit a security profile:

1. Click the Admin tab.

2. On the Navigation menu, click System Configuration > User Management.

3. Click the Security Profiles icon.

4. In the left pane, select the security profile you want to edit.

5. On the toolbar, click Edit.

6. Update the parameters as required.

7. Click Save.

8. If the Security Profile Has Time Series Data window opens, select one of the following options described in Table 7 on page 17:

Table 7: Security Profile Data Options

Option: Description

Keep Old Data and Save: Select this option to keep previously accumulated time series data. If you choose this option, issues might occur when users associated with this security profile view time series charts.

Hide Old Data and Save: Select this option to hide the time series data. If you choose this option, time series data accumulation restarts after you deploy your configuration changes.

9. Close the Security Profile Management window.

10. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Creating a Security Profile on page 15

• Deleting a Security Profile on page 18

• Duplicating a Security Profile on page 17

• User Management Overview on page 11

• Permission Precedences on page 14

Duplicating a Security Profile

If you want to create a new security profile that closely matches an existing security profile, you can duplicate the existing security profile and then modify the parameters.


To quickly locate the security profile you want to duplicate on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.

To duplicate a security profile:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Security Profiles icon.

4. In the left pane, select the security profile you want to duplicate.

5. On the toolbar, click Duplicate.

6. In the Confirmation window, type a unique name for the duplicated security profile.

7. Click OK.

8. Update the parameters as required.

9. Close the Security Profile Management window.

10. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Creating a Security Profile on page 15

• Editing a Security Profile on page 17

• Deleting a Security Profile on page 18

• User Management Overview on page 11

• Permission Precedences on page 14

Deleting a Security Profile

If a security profile is no longer required, you can delete the security profile.

If user accounts are assigned to the security profiles you want to delete, you must reassign the user accounts to another security profile. Juniper Secure Analytics (JSA) automatically detects this condition and prompts you to update the user accounts.

To quickly locate the security profile you want to delete on the Security Profile Management window, you can type the security profile name in the Type to filter text box. It is located above the left pane.

To delete a security profile:

1. Click the Admin tab.


6. Click OK.

• If user accounts are assigned to this security profile, the Users are Assigned to this Security Profile window opens. Go to “Deleting a User Role” on page 13.

• If no user accounts are assigned to this security profile, the security profile is successfully deleted. Go to “Deleting a User Role” on page 13.

7. Reassign the listed user accounts to another security profile:

a. From the User Security Profile to assign list, select a security profile.

b. Click Confirm.

8. Close the Security Profile Management window.

9. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Creating a Security Profile on page 15

• Editing a Security Profile on page 17

• Deleting a User Role on page 13

• User Management Overview on page 11

• Permission Precedences on page 14

User Account Management

This topic provides information about managing user accounts.

When you initially configure your system, you must create user accounts for each of your users. After initial configuration, you might be required to create more user accounts and manage existing user accounts.

• Creating a User Account on page 19

• Editing a User Account on page 20

• Deleting a User Account on page 21

Creating a User Account

You can create new user accounts.

Before you can create a user account, you must ensure that the required user role and security profile are created.

When you create a new user account, you must assign access credentials, a user role, and a security profile to the user. User Roles define what actions the user has permission to perform. Security Profiles define what data the user has permission to access. You can create multiple user accounts that include administrative privileges; however, any Administrator Manager user accounts can create other administrative user accounts.


To create a user account:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Users icon.

4. On the User Management toolbar, click New.

5. Enter values for the following parameters:

a. In the Username field, type a unique user name for the new user. The user name can contain a maximum of 30 characters.

b. In the Password field, type a password for the user to gain access. The password must meet the following criteria:

• Minimum of 5 characters

• Maximum of 255 characters

6. Click Save.

7. Close the User Details window.

8. Close the User Management window.

9. On the Admin tab menu, click Deploy Changes.

Editing a User Account

You can quickly locate the user account that you want to edit on the User Management window. Type the user name in the Search User text box, which is on the toolbar.

To create a user account:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Users icon.

4. On the User Management toolbar, click New.

5. On the toolbar, click Edit.

6. Update parameters, as necessary. See “User Management window parameters” on page 31.

7. Click Save.

8. Close the User Details window.

9. Close the User Management window.


Deleting a User Account

If a user account is no longer required, you can delete the user account.

After you delete a user, the user no longer has access to the user interface. If the user attempts to log in, a message is displayed to inform the user that the user name and password are no longer valid. Items that a deleted user created, such as saved searches and reports, remain associated with the deleted user.

To quickly locate the user account you want to delete on the User Management window, you can type the user name in the Search User text box on the toolbar.

To delete a user account:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Users icon.

4. Select the user that you want to delete.

5. On the toolbar, click Delete.

6. Click OK.

7. Close the User Management window.

Authentication Management

This topic provides information and instructions for how to configure authentication. Juniper Secure Analytics (JSA) supports various authentication types. You can configure authentication to validate users and passwords.

• Authentication Overview on page 22

• Before you Begin on page 22

• Configuring System Authentication on page 23

• Configuring RADIUS Authentication on page 23

• Configuring TACACS Authentication on page 24

• Configuring Active Directory Authentication on page 26

• Configuring LDAP Authentication on page 26

• Configuring Your SSL or TLS certificate on page 28

• User Role Parameters on page 28

• Security Profile Parameters on page 31

• User Management window parameters on page 31

• User management Window Toolbar on page 32

• User Details Window Parameters on page 32

Authentication Overview

When authentication is configured and a user enters an invalid user name and password combination, a message is displayed to indicate that the login was invalid.

If the user attempts to access the system multiple times with invalid information, the user must wait the configured amount of time before another attempt to access the system again. You can configure console settings to determine the maximum number of failed logins, and other related settings. For more information about configuring console settings for authentication, see “Configuring the Console Settings” on page 92.

An administrative user can access Juniper Secure Analytics (JSA) through a vendor authentication module or by using the local Admin password. The Admin password functions if you set up and activated a vendor authentication module. However, you cannot change the Admin password while the authentication module is active. To change the Admin password, you must temporarily disable the vendor authentication module, reset the password, and then reconfigure the vendor authentication module.

JSA supports the following user authentication types:

• System authentication—Users are authenticated locally. This is the default authentication type.

• RADIUS authentication—Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, JSA encrypts the password only, and forwards the user name and password to the RADIUS server for authentication.

• TACACS authentication—Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, JSA encrypts the user name and password, and forwards this information to the TACACS server for authentication. TACACS Authentication uses Cisco Secure ACS Express as a TACACS server. JSA supports up to Cisco Secure ACS Express 4.3.

• Active directory—Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server that uses Kerberos.

• LDAP—Users are authenticated by a Native LDAP server.

Related Documentation

• Configuring the Console Settings on page 92

• Configuring System Authentication on page 23

• Configuring RADIUS Authentication on page 23

• Permission Precedences on page 14

• Configuring Your SSL or TLS certificate on page 28

Before you Begin


Before you can configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must complete the following tasks:

• Configure the authentication server before you configure authentication in JSA. For more information, see your server documentation.

• Ensure that the server has the appropriate user accounts and privilege levels to communicate with Log Analytics. For more information, see your server documentation.

• Ensure that all users have appropriate user accounts and roles to allow authentication with the vendor servers.

Related Documentation

• Authentication Overview on page 22

• Configuring System Authentication on page 23

• Configuring RADIUS Authentication on page 23

• Configuring TACACS Authentication on page 24

• Configuring Active Directory Authentication on page 26

• Configuring LDAP Authentication on page 26

Configuring System Authentication

You can configure local authentication on your Juniper Secure Analytics (JSA) system.

To configure system authentication:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Authentication icon.

4. From the Authentication Module list, select System Authentication.

5. Click Save.

Related Documentation

• Configuring the Console Settings on page 92

• Configuring RADIUS Authentication on page 23

• Permission Precedences on page 14

• Configuring Your SSL or TLS certificate on page 28

Configuring RADIUS Authentication


To configure RADIUS authentication:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Authentication icon.

4. From the Authentication Module list, select RADIUS Authentication.

5. Configure the parameters:

a. In the RADIUS Server field, type the host name or IP address of the RADIUS server.

b. In the RADIUS Port field, type the port of the RADIUS server.

c. From the Authentication Type list, select the type of authentication you want to perform. Choose from the options described in Table 8 on page 24.

Table 8: Description of authentication types

Option: Description

CHAP: Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

MSCHAP: Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.

ARAP: Apple Remote Access Protocol (ARAP) establishes authentication for AppleTalk network traffic.

PAP: Password Authentication Protocol (PAP) sends clear text between the user and the server.

d. In the Shared Secret field, type the shared secret that JSA uses to encrypt RADIUS passwords for transmission to the RADIUS server.

6. Click Save.

Related Documentation

• Configuring the Console Settings on page 92

• Configuring System Authentication on page 23

• Configuring TACACS Authentication on page 24

• Authentication Overview on page 22

• Permission Precedences on page 14

• Configuring Your SSL or TLS certificate on page 28

Configuring TACACS Authentication


To configure TACACS authentication:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Authentication icon.

4. From the Authentication Module list, select the RADIUS Authentication.

5. Configure the parameters:

a. In the TACACS Server field, type the host name or IP address of the RADIUS server.

b. In the TACACS Port field, type the port of the RADIUS server.

c. From the Authentication Type list, select the type of authentication you want to perform. Choose from the following options as described in Table 9 on page 25:

Table 9: Description of authentication types

Option: Description

ASCII: American Standard Code for Information Interchange (ASCII) sends the user name and password in clear, unencrypted text.

PAP: Password Authentication Protocol (PAP) sends clear text between the user and the server. This is the default authentication type.

CHAP: Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

MSCHAP: Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.

MSCHAP2: Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP2) authenticates remote Windows workstations using mutual authentication.

EAPMD5: Extensible Authentication Protocol using MD5 Protocol (EAPMD5) uses MD5 to establish a PPP connection.

d. In the Shared Secret field, type the shared secret that JSA uses to encrypt TACACS passwords for transmission to the TACACS server.

6. Click Save.

Related Documentation

• Configuring the Console Settings on page 92

• Configuring System Authentication on page 23

• Configuring Active Directory Authentication on page 26

• Permission Precedences on page 14

• Configuring RADIUS Authentication on page 23

• Configuring Your SSL or TLS certificate on page 28

Configuring Active Directory Authentication

You can configure Active Directory authentication on your Juniper Secure Analytics (JSA) system.

To configure Active Directory authentication:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Authentication icon.

4. From the Authentication Module list, select Active Directory. Configure the parameters as described in Table 10 on page 26.

Table 10: Active Directory Parameters

Parameter: Description

Server URL: Type the URL used to connect to the LDAP server. For example, ldaps://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.

LDAP Context: Type the LDAP context you want to use, for example, DC=QRADAR,DC=INC.

LDAP Domain: Type the domain that you want to use, for example qradar.inc.

5. Click Save.

Related Documentation

• Configuring the Console Settings on page 92

• Configuring LDAP Authentication on page 26

• Configuring TACACS Authentication on page 24

• Configuring System Authentication on page 23

• Configuring RADIUS Authentication on page 23

• Security Profile Parameters on page 31

Configuring LDAP Authentication

information about configuring the SSL certificate, see “Configuring Your SSL or TLS certificate” on page 28.

To configure LDAP authentication:

1. Click the Admin tab.

2. On the navigation menu, click System Configuration > User Management.

3. Click the Authentication icon.

4. From the Authentication Module list, select LDAP. Configure the parameters as described in Table 11 on page 27.

Table 11: LDAP Authentication Parameters

Server URL: Type the URL used to connect to the LDAP server. For example, ldaps://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.

SSL Connection: Select True to use Secure Socket Layer (SSL) encryption to connect to the LDAP server. If SSL encryption is enabled, the value in the Server URL field must specify a secure connection. For example, ldaps://secureldap.mydomain.com:636.

TLS Authentication: From the list, select True to start Transport Layer Security (TLS) encryption to connect to the LDAP server. The default is True. TLS is negotiated as part of the normal LDAP protocol and does not require a special protocol designation or port in the Server URL field.

Search Entire Base: Select one of the following options:

• True: Select to search all subdirectories of the specified Directory Name (DN).

• False: Select to search the immediate contents of the Base DN. The subdirectories are not searched.

LDAP User Field: Type the user field identifier that you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.

Base DN: Type the base DN required to perform searches, for example, DC=IBM,DC=INC.

5. Click Save.

Related Documentation

• Configuring Your SSL or TLS certificate on page 28

• Configuring TACACS Authentication on page 24

• Configuring System Authentication on page 23

• Configuring Active Directory Authentication on page 26

• Configuring RADIUS Authentication on page 23

• Security Profile Parameters on page 31

Configuring Your SSL or TLS certificate

If you use LDAP for user authentication and you want to enable SSL or TLS, you must configure your SSL or TLS certificate.

To configure the SSL or TLS certificate:

1. Using SSH, log in to your system as the root user.

   a. User name: root

   b. Password: <password>

2. Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:

   mkdir -p /opt/qradar/conf/trusted_certificates

3. Copy the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your system.

4. Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted. Juniper Secure Analytics (JSA) only loads .cert files.
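The following pre-flight checks are an added example and not JSA's own code. They validate a Server URL list against the SSL Connection setting from Table 11 (every entry must be ldaps://<host>:<port> when SSL is enabled) and classify the files in the trusted_certificates directory by whether JSA will load them (.cert extension with a PEM certificate body). The function names, the sample URLs and the constructed sample directory are assumptions for illustration.

```python
# Added example (not JSA code): pre-flight checks for the LDAP/AD settings above.
import os
import tempfile
from urllib.parse import urlsplit

TRUSTED_DIR = "/opt/qradar/conf/trusted_certificates"  # path from the guide
PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def check_server_urls(server_url_field, ssl_connection):
    """Problems with the space-separated Server URL field (ldaps required when SSL is on)."""
    entries = server_url_field.split()
    if not entries:
        return ["Server URL is empty"]
    problems = []
    for entry in entries:
        parts = urlsplit(entry)  # a single-slash typo (ldaps:/host:636) yields no hostname
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            problems.append(f"{entry}: expected ldap://<host>:<port> or ldaps://<host>:<port>")
            continue
        if parts.port is None:
            problems.append(f"{entry}: no port given")
        if ssl_connection and parts.scheme != "ldaps":
            problems.append(f"{entry}: SSL Connection is True but scheme is not ldaps")
    return problems

def check_trusted_certificates(directory=TRUSTED_DIR):
    """'loaded' = .cert with PEM body; 'ignored' = other extension (JSA skips it); 'invalid' = .cert without PEM."""
    result = {"loaded": [], "ignored": [], "invalid": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if not name.endswith(".cert"):
            kind = "ignored"
        else:
            with open(path, errors="replace") as fh:
                kind = "loaded" if PEM_HEADER in fh.read() else "invalid"
        result[kind].append(name)
    return result

def demo_directory():
    """Constructed sample directory (fake bodies, not real certificates)."""
    d = tempfile.mkdtemp()
    for name, body in {"ldap-server.cert": PEM_HEADER + "\n...\n-----END CERTIFICATE-----\n",
                       "ldap-server.pem": PEM_HEADER + "\n",  # wrong extension: skipped
                       "broken.cert": "not a certificate\n"}.items():  # no PEM body
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d
```

Run check_trusted_certificates() with no argument on the JSA host after step 3 to see which copied files will actually be loaded; anything listed under ignored needs the .cert extension from step 4.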

Related Documentation

• Configuring LDAP Authentication on page 26

• Security Profile Parameters on page 31

• Configuring TACACS Authentication on page 24

• Configuring System Authentication on page 23

• Configuring Active Directory Authentication on page 26

• Configuring RADIUS Authentication on page 23

User Role Parameters

Table 12 on page 28 describes the User Role Management window parameters.

Table 12: User Role Management Window Parameters

User Role: Type a unique name for the role. The user role name must meet the following requirements:

• Minimum of 3 characters

• Maximum of 30 characters
