Juniper Secure Analytics Release Notes
7.3.1 March 2018
Juniper Networks is pleased to introduce Juniper Secure Analytics 7.3.1.
JSA 7.3.1 Release Notes provides new features, known issues and limitations, and fixes
to known issues.
Contents
What's New in JSA 7.3.1
  Juniper Secure Analytics
    JSA Core Capabilities
    Ariel Query Language (AQL)
  JSA Vulnerability Manager and JSA Risk Manager
    JSA Vulnerability Manager Custom Risk Classification
    JSA Risk Manager migration from Configuration Source Management to Configuration Monitor
    Improved JSA Risk Manager topology Searches and Views
    Enhanced Support for CIS Benchmarks
Installing JSA
Known Issues and Limitations
Resolved Issues
Documentation Feedback
Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC
Revision History
Copyright © 2018, Juniper Networks, Inc.
What's New in JSA 7.3.1
Juniper Secure Analytics 7.3.1 family of products includes new navigation features, tighter
IPv6 integration, more health metrics data for diagnosing issues, and more.
Juniper Secure Analytics
JSA 7.3.1 family of products includes enhancements to its core capabilities, RESTful APIs,
and the Ariel Query Language (AQL).
JSA Core Capabilities
AQL-based Custom Properties
With AQL-based custom event or custom flow properties, you can use an AQL expression
to extract data from the event or flow payload that JSA does not typically normalize and
display.
For example, you can create an AQL-based property when you want to combine multiple
extraction and calculation-based properties, such as URLs, virus names, or secondary
user names, into a single property. You can use the new property in custom rules, searches,
reports, or you can use it for indexing offenses.
For more information about creating and using custom properties, see the Juniper Secure
Analytics User Guide.
Identifying Flow Direction Reversal
As you are viewing a flow in the JSA Console, you might want to know whether JSA
modified the flow direction, and whether any processing occurred. This algorithm provides
information on how the traffic originally appeared on the network and which traffic
features caused it to be reversed, if at all.
When the Flow Collector detects flows, it checks some of the flow properties before it
acts. In some cases, the communication or flows between devices is bidirectional (the
client communicates with the server and the server responds to the client). In this scenario,
both the client and the server operate as though they are the source and the other is the
destination. In reality, JSA normalizes the communication, and all flows between these
two entities then follow the same convention: destination always refers to the server,
and source always refers to the client.
For more information, see Identifying whether a flow's direction was reversed in the Juniper
Secure Analytics User Guide.
Identifying How Application Fields are set for Flows
As you are viewing a flow in the JSA Console, you might want to know whether JSA
modified the flow application name, and whether any processing occurred. You can use
this information to gain insight into which algorithm classified the application, and to
ensure that algorithms are extracting flow features correctly.
When the Flow Collector detects a flow, it uses various algorithms to determine which
application the flow came from. After the Flow Collector identifies the application, it sets
the Application property that appears in the Flow Details window.
For more information, see Identifying how application fields are set for a flow in the Juniper
Secure Analytics User Guide.
Reduced Downtime for Event Collection Services
In earlier versions, deploying changes to your JSA system sometimes resulted in gaps in
data collection while the hostcontext service restarted. To minimize these interruptions,
the event processor service is now managed separately from other JSA services. The new
event collection service, ecs-ec-ingress, listens on port 7787.
With the new separation of services, the event collection service does not automatically
restart each time that you deploy changes. The service restarts only when the deployed
changes impact the event collection service directly.
This enhancement significantly reduces interruptions in collecting data, and makes it
easier for you to comply with your organization's data collection targets.
For more information, see Making changes in your JSA environment in the Juniper Secure
Analytics Administration Guide.
Continuous Collection of Events during Minor Patch Updates
You can expect fewer disruptions in event collection when you apply future patches to
JSA 7.3.1 or later. Minor patches that do not require the system to restart will not restart
the event collection service.
Ability to Restart only the Event Collection Service
From the JSA product interface, you can restart the event collection service on all managed
hosts in your deployment.
This new capability is useful when you want to restart the event collection service without
impacting other JSA services. For example, after you restore a configuration backup, you
can defer restarting the service to a time that is convenient for you.
For more information about restarting the event collection service, see the Juniper Secure
Analytics Administration Guide.
Event Collection continues when you Install or Update a Protocol RPM
Before JSA 7.3.1, installing or updating a protocol RPM required a full deployment, which
caused event collection to stop for several minutes for all installed protocols.
Now, protocols are loaded dynamically when you deploy the changes. Only those
protocols that were updated experience a brief outage (in seconds).
New slide-out Navigation Menu with Favorite Tabs
As the number of apps that are installed in your deployment grows, so does the number
of visible tabs. The new slide-out navigation menu makes it easier for you to find the
apps that you use the most by managing which tabs are visible in JSA.
When you upgrade to JSA 7.3.1, all JSA tabs are available from the slide-out menu ( ).
Each menu item is marked as a favorite, which also makes it available as a tab. You can
control which tabs are visible by selecting or clearing the star next to the menu item.
To access the settings that were on the Admin tab in earlier JSA versions, click Admin at
the bottom of the slide-out navigation menu.
Browser-based System Notifications
JSA now uses your browser notification settings to display system notifications. With this
enhancement, you can continue to monitor the status and health of your JSA deployment
even when JSA is not the active browser window. To show system notifications on your
screen, you must configure your browser to allow notifications from JSA.
Browser notifications are supported for Mozilla Firefox, Google Chrome, and Microsoft
Edge 10. Microsoft Internet Explorer does not support browser-based notifications.
Notifications in Internet Explorer now appear in a restyled JSA notification window.
For more information, see the System notifications topic in the Juniper Secure Analytics
Administration Guide.
More Health Metrics Data
JSA collects up to 60x more health metrics data than before, making it easier for
administrators to monitor their deployment and diagnose issues when they occur. You
can visualize the new health metrics by using the JSA Deployment Intelligence app, which
is available from the Security App Exchange.
The JSA Deployment Intelligence app replaces the System Health information that was
previously available on the Admin tab.
The additional health metrics data increases the size of the JSA log files and the disk
storage requirements for the data. Administrators who require more control over the disk
storage that is required for the accumulated health data can create a retention bucket
that uses Log Source Type = Health Metrics as the criteria.
For more information about working with retention buckets, see the Data retention topic
in the Juniper Secure Analytics Administration Guide.
IPv6 Support
JSA uses the network hierarchy objects and groups to view network activity and monitor
groups or services in your network. The network hierarchy can be defined by a range of
IP addresses in IPv6 as well as IPv4 format. In addition to Network Hierarchy, Offense
Manager previously supported only IPv6 indexing, but it now updates and displays all the
appropriate fields for an offense with IPv6 data.
For more information about setting password rules, see the IPv6 addressing in JSA
deployments topic in the Juniper Secure Analytics Administration Guide.
Improved Security with New Password Policy
When using local JSA authentication, you can enforce minimum password length and
complexity, and control password expiry and reuse. The rules that you set are enforced
for administrative and non-administrative users.
For more information about setting password rules, see the Configuring system
authentication topic in the Juniper Secure Analytics Administration Guide.
Create an alias for the User Base DN (distinguished name) that is used for LDAP Authentication
When you enter your user name on the login page, the Repository ID acts as an alias for
the User Base DN (distinguished name). This use of an alias omits the need for typing a
long distinguished name that might be hard to remember.
For more information about configuring LDAP authentication, see the Juniper Secure
Analytics Administration Guide.
Edit or Create a Login Message that is displayed to Users in JSA
Provide users with important information before they log in to JSA. If needed, you can
force users to consent to the login message terms before they can log in.
For more information about creating and editing login messages, see the Juniper Secure
Analytics Administration Guide.
Monitor successful Login Events by Running Reports in JSA
Easily monitor successful login events for the time period that you configure by running
the Weekly Successful Login Events report template on the JSA Reports tab.
For more information about creating and managing reports, see the Juniper Secure
Analytics Administration Guide.
Two New Preinstalled Apps in JSA 7.3.1
App Authorization Manager - The App Authorization Manager app provides improved
security for app authorization tokens. Users who have the appropriate permissions can
delete authorization tokens, or change the assigned user level authorization.
JSA Assistant App - The JSA Assistant App provides the following functionality on the
Dashboard tab:
• Recommended apps and content extensions that are based on your configured
preferences.
• JSA Help Center dashboard widget to help you access helpful information about JSA.
• Content update status is highlighted, and then users can download updates from
within JSA.
For more information about the new apps, see the Juniper Secure Analytics Administration
Guide.
Log Source Auto-detection Configuration
Before JSA 7.3.1, log source auto-detection configuration was controlled by a configuration
file that was edited manually on each event processor managed host.
As of JSA 7.3.1, global configuration settings are now available. You can use the JSA REST
API or a command line script to enable and disable which log source types are
auto-detected. If you use a smaller number of log source types, you can configure which
log sources are auto-detected to improve the speed of detection. Log source
auto-detection configuration also helps to improve the accuracy of detecting devices
that share a common format, and can improve pipeline performance by avoiding the
creation of incorrectly detected devices.
NOTE: You can still enable per-event processor auto-detection settings by using the
configuration file method. You can manage the method that is used on each event
processor in Admin > System & License Management > Component Management.
Upgrades from previous versions do not enable global settings, and retain the use of
the local configuration files. Fresh installations of JSA 7.3.1 enable the global
auto-detection settings option.
For more information about configuring managed hosts, see the Juniper Secure Analytics
Administration Guide.
Configuring Auto Property Discovery for Log Source types and a new Configuration Tab in DSM Editor
You can configure the automatic discovery of new properties for a log source type. By
default, the Auto Property Discovery option for a log source type is disabled. When you
enable the option on the new Configuration tab of the DSM Editor, new properties are
automatically generated. The new properties capture all the fields that are present in
the events that are received by the selected log source type. The newly discovered
properties become available in the Properties tab of the DSM Editor.
For more information about using the DSM Editor, see the Juniper Secure Analytics
Administration Guide.
New JSA Data Store Offering
A new offering, JSA Data Store, normalizes and stores both security and operational log
data for future analysis and review. The offering supports the storage of an unlimited
number of logs without counting against your organization’s Events Per Second JSA
license, and enables your organization to build custom apps and reports based on this
stored data to gain deeper insights into your IT environments.
Enhancements to the routing rules in JSA 7.3.1 require a license for JSA Data Store. After
the license is applied and the routing rule enhancement is selected, events that match
the routing rule will be stored to disk and will be available to view and for searches. The
events bypass the custom rule engine and no real-time correlation or analytics occur.
The events can't contribute to offenses and are ignored when historical correlation runs.
Log Source Extensions can Extract values from events in JSON format by key reference
Log Source Extensions can now extract values by using the JsonKeypath.
For event data in a nested JSON format, a valid JSON expression is in the form
/"<name of top-level field>"/"<name of sub-level field_1>".../"<name of sub-level field_n>".
The following two examples show how to extract data from a JSON record:
• Simple case of an event for a flat JSON record: {"action": "login", "user": "John Doe"}
To extract the 'user' field, use this expression: /"user".
• Complex case of an event for a JSON record with nested objects: { "action": "login",
"user": { "first_name": "John", "last_name": "Doe" } }
To extract just the 'last_name' value from the 'user' subobject, use this expression:
/"user"/"last_name".
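The keypath form described above can be checked offline before it goes into a log source extension. The following is an added example, not JSA code and not part of the original release notes: the function names parse_keypath and extract are hypothetical, and the handling of missing keys, non-JSON payloads and quotes inside field names is an assumption, since the page defines none of these.

```python
import json
import re

# One path segment: a slash followed by a double-quoted field name.
# Assumption: field names contain no embedded double quotes, because the
# page shows no escaping rule for them.
_SEGMENT = re.compile(r'/"([^"]*)"')

# The two sample events used in the release notes.
FLAT_EVENT = '{"action": "login", "user": "John Doe"}'
NESTED_EVENT = ('{ "action": "login", '
                '"user": { "first_name": "John", "last_name": "Doe" } }')


def parse_keypath(expr):
    """Split /"a"/"b" into ['a', 'b']; raise ValueError if malformed."""
    names = []
    pos = 0
    while pos < len(expr):
        match = _SEGMENT.match(expr, pos)
        if match is None:
            raise ValueError(f"malformed keypath at offset {pos}: {expr!r}")
        names.append(match.group(1))
        pos = match.end()
    if not names:
        raise ValueError("empty keypath")
    return names


def extract(payload, expr):
    """Return the value at expr in a JSON payload, or None if not present.

    None is also returned when the payload is not valid JSON or when the
    path walks into a value that is not an object (assumed behaviour).
    """
    names = parse_keypath(expr)
    try:
        node = json.loads(payload)
    except json.JSONDecodeError:
        return None
    for name in names:
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node


if __name__ == "__main__":
    print(extract(FLAT_EVENT, '/"user"'))
    print(extract(NESTED_EVENT, '/"user"/"last_name"'))
    # A nested path applied to the flat record finds nothing.
    print(extract(FLAT_EVENT, '/"user"/"last_name"'))
```

Running the nested expression against the flat record shows the case worth testing: a keypath written for one event shape silently yields no value for another, so the property stays empty for those events.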
Ariel Query Language (AQL)
JSA introduces new AQL functions and enhancements.
PARAMETERS REMOTESERVERS now includes the option to select servers in your search by specifying the ID or name of Event Processors
By using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS,
you can specify an Event Processor by name in an AQL query; for example, PARAMETERS
REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor0', 'eventprocessor104')
By using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS, you
can specify an Event Processor by ID in an AQL query; for example, PARAMETERS
REMOTESERVERS=ARIELSERVERS4EPID(102)
By specifying an Event Processor, or servers that are connected to that Event Processor,
you can run AQL queries faster and more efficiently.
When you have multiple servers in your organization and you know where the data that
you're looking for is saved, you can fine-tune the search to just the servers, clusters, or
specific servers on Event Processors.
In the following example, you search only the servers that are connected to
'eventprocessor104'.
SELECT processorid, PROCESSORNAME(processorid), LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor104')
You can significantly reduce the load on your servers, run the query regularly, and get
your results faster when you filter your query to search fewer servers.
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
PARAMETERS EXCLUDESERVERS excludes servers from your AQL search
Avoid having to search all AQL servers by using PARAMETERS EXCLUDESERVERS to
exclude specific servers:
• IP address; for example, PARAMETERS
EXCLUDESERVERS='177.22.123.246:32006,172.11.22.31:32006'
• Event Processor name; for example, PARAMETERS
EXCLUDESERVERS=ARIELSERVERS4EPNAME('<eventprocessor_name>')
• Event Processor ID; for example, PARAMETERS
EXCLUDESERVERS=ARIELSERVERS4EPID(<processor_ID>)
Searching only the servers that have the data that you require speeds up searches and
uses less server resources.
Refine your query to exclude the servers that don't have the data that you're searching
for. In the following example, you exclude servers that are connected to
'eventprocessorABC':
SELECT processorid, PROCESSORNAME(processorid), LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessorABC')
If you refine multiple queries by using PARAMETERS EXCLUDESERVERS, you can reduce
the load on your servers and get your results faster.
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
Specify the Event Processor name in an AQL query by using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS
In an AQL query, you can include or exclude the servers that are connected to an Event
Processor by using the ARIELSERVERS4EPNAME function to name an Event Processor
in the query. For example, use the ARIELSERVERS4EPNAME function with PARAMETERS
REMOTESERVERS to include eventprocessor_ABC in the query.
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor_ABC')
For example, you might want the search to exclude all servers on a named Event Processor
by using the ARIELSERVERS4EPNAME function with PARAMETERS EXCLUDESERVERS.
In the following example, eventprocessor_XYZ is excluded in the query:
PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessor_XYZ')
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
Specify the Event Processor ID in an AQL query by using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS
In an AQL query, you can include or exclude servers connected to an Event Processor by
using the ARIELSERVERS4EPID function to specify the ID of an Event Processor in the
query.
For example, include servers on the Event Processor that has the ID 101, PARAMETERS
REMOTESERVERS=ARIELSERVERS4EPID(101)
For example, exclude servers on the Event Processor that has the ID 102, PARAMETERS
EXCLUDESERVERS=ARIELSERVERS4EPID(102)
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
Filter your search by using the ARIELSERVERS4EPID function with the PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Event Processors by ID and their Ariel servers
You can use the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS
and PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include
or exclude from your search.
You can also use the following query to list Ariel servers by Event Processor ID.
SELECT processorid, ARIELSERVERS4EPNAME(PROCESSORNAME(processorid)) from events
Returns Ariel servers that are associated with an Event Processor that is identified by ID.
Here's an example of the output for the query, which shows the ID of the processor and
the servers for that processor:
localhost:32011,172.16.158.95:32006
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
In an AQL query, you can specify Ariel servers that are connected to a named Event Processor by using the ARIELSERVERS4EPNAME function
Use the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or
PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or
exclude from your search.
You can also use the following query to list Ariel servers by Event Processor name.
SELECT PROCESSORNAME(processorid), ARIELSERVERS4EPNAME(PROCESSORNAME(processorid)) from events
Here's an example of the output for the query, which shows the name of the processor
and the servers:
eventprocessorABC localhost:32011,172.16.158.95:32006
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
Use the COMPONENTID function to retrieve the ID for any named JSA component and return data for that component
For example, you can retrieve events for a named Event Processor. In the following
example you retrieve events from eventprocessor0:
SELECT * from events where processorid = COMPONENTID('eventprocessor0')
PARSETIMESTAMP function parses the text representation of date and time and converts it to UNIX epoch time
Do time-based calculations easily in AQL when you convert time in text format to epoch
time.
Include time-based calculations in your AQL queries and use the time-based criteria that
you specify to return events, which helps to enhance the security of your organization by
making it easier to monitor user activity. For example, you might want to find out whether
the difference between user logout and re-login times is less than 30 minutes. If this
timing seems suspicious, you can investigate further.
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
Retrieve information about the location and distance of IP addresses
Use geographical data that is provided by MaxMind to find information about the location
and distance between IP addresses in JSA.
The GEO::LOOKUP AQL function returns location data for a selected IP address.
The GEO::DISTANCE AQL function returns the distance, in kilometers, of two IP addresses.
Easily recognize the geographical origin of your data by organizing your data by location
such as city or country instead of by IP address, and use the distance between IP addresses
to evaluate the relative distance between your JSA locations.
For more information, see the AQL data retrieval functions topic in the Juniper Secure
Analytics Ariel Query Language Guide.
Enhanced support for the AQL subquery
In JSA 2014.8 and 7.3.0, the subquery was accessible only by using API.
The subquery is now available for use in searches from the Log Activity or Network Activity
tabs.
For more information, see the AQL subquery topic in the Juniper Secure Analytics Ariel
Query Language Guide.
Enhanced support for the SESSION BY clause
In JSA 7.3.0 the SESSION BY clause was accessible only by using API.
The SESSION BY clause is now available for use in searches in JSA.
For more information, see the Grouping related events into sessions topic in the Juniper
Secure Analytics Ariel Query Language Guide.
JSA Vulnerability Manager and JSA Risk Manager
JSA Vulnerability Manager 7.3.1 introduces custom risks and enhanced support for CIS
benchmarks. JSA Risk Manager 7.3.1 migrates features from Configuration Source
Management to the Configuration Monitor and improves topology searches and views.
JSA Vulnerability Manager Custom Risk Classification
Classify vulnerabilities with Custom Risk to prioritize the vulnerabilities that pose most
risk to your enterprise. Override a vulnerability's risk with your own risk classification based
on individual requirements, and add comments to describe why you are changing the
classification. For example, if a new internal policy requires all assets to disable SMBv1,
you can raise the risk to Critical for all SMBv1 required vulnerabilities.
For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
JSA Risk Manager migration from Configuration Source Management to Configuration Monitor
Several features are migrated from Configuration Source Management to Configuration
Monitor: add a new device, delete a device, back up a device, and discover devices in the
Configuration Monitor. This migration is in preparation for when Google Chrome removes
full support for Adobe Flash, and is the first stage in the removal of Flash dependency
from JSA Risk Manager.
For more information, see the Juniper Secure Analytics Risk Manager User Guide.
Improved JSA Risk Manager topology Searches and Views
Each topology search opens a tabbed view, and results are cached for improved topology
retrieval, resulting in faster processing time.
For more information, see the Juniper Secure Analytics Risk Manager User Guide.
Enhanced Support for CIS Benchmarks
Added CIS Benchmarks profile support for the following platforms:
• Windows 2012 R2
• Red Hat Enterprise Linux 7
• Solaris 10
• Solaris 11
• Solaris 11.1
• Solaris 11.2
• Ubuntu Linux 14
• Ubuntu Linux 15
• CentOS Linux 6
• CentOS Linux 7
Related Documentation
• Installing JSA
• Known Issues and Limitations
• Resolved Issues
Installing JSA
To install JSA software:
• System Requirements — For information about hardware and software compatibility,
see the detailed system requirements in the Juniper Secure Analytics Installation Guide.
• Upgrading to JSA 7.3.1 — To upgrade to JSA 7.3.1, see the Upgrading Juniper Secure
Analytics to 7.3.1 Guide.
• Installing JSA — For installation instructions, see the Juniper Secure Analytics Installation
Guide.
Related Documentation
• What's New in JSA 7.3.1
• Known Issues and Limitations
• Resolved Issues
Known Issues and Limitations
NOTE: None.
Related Documentation
• What's New in JSA 7.3.1
• Installing JSA
• Resolved Issues
Resolved Issues
This section describes the issues resolved in JSA 7.3.1:
• Session leaks can cause the JSA user interface to become repeatedly inaccessible.
• Network Hierarchy API PUT does not allow for multiple CIDR ranges. Error 422 is
returned.
• Adjusting the email size limit in JSA system settings does not work as expected.
• JSA upgrade fails on appliances where two disk subsystems (sda and sdb) are present.
• Using the pound symbol (#) in a reference set name causes an application error.
• JSA upgrade can fail after reboot with message Exception AttributeError: "NoneType"
object has no attribute....
• Application installation window hangs when attempting to update JSA apps.
• No Flow data received from JSA Flow Collector appliances after upgrading/patching
to JSA 7.3.0 patch 4.
• An Ariel file lock on deleted files can cause Log Activity searching to fail and prevent
Dashboard Time Series loading.
• Locale list is blank in the DSM Editor when creating a new custom property for field
type Date or Number.
• Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant
Event Throttle queue... system notification.
• The JSA Assistant app Help Center dashboard (and possibly others) can stop working
unexpectedly.
• JSA storage partitions might get renamed due to the loading order of required drivers
at bootup.
• Hostnames ending with a trailing dot are considered unique by the JSA asset profiler.
• A benign hostcontext NullPointerException can sometimes be written to the JSA logs
following a Deploy function.
• High Availability appliance reporting as failed in the System and License Management
screen after a Deploy.
• Using the network activity search filter ICMP Type/Code does not work as expected.
• JSA user interface sessions are becoming disconnected (session timeout) unexpectedly.
• Performing a search grouping by Log Source displays the parent and child groups in
the results.
• A custom action script using the parameter creeventlist can fail and generate an
exception in JSA logging.
• Custom action response returns null value for some defined parameters.
• Realtime streaming can fail to display events when filtering on eventprocessor.
• Routing rule filter does not display all category options when selecting Low Level
Category as a filter.
• Search filtering for a custom event property that includes non-English characters does
not work as expected.
• Failed replications can leave residual files in /tmp directory.
• Asset searches by network name can return extra, unexpected results.
• Report Wizard can hang when creating a Log Source Report.
• Log Source reports can fail and display no results.
• Some of the JSA last seen rules can fire unexpectedly.
• System notification ...unable to determine associated log source for IP address
<IPaddress>. Unable to automatically....
• The Asset Name field for assets can sometimes be blank.
• LDAP hover text Tooltip displays duplicate values.
• SNMP trap does not send severity, credibility, relevance metrics on a generated offense
when configured to include property values.
• Advanced Search (AQL) functions using LONG function can cause missing information
on the search screen.
• Rules with a regex filter on Event Processor can cause performance degradation and
events written to storage.
• Performing an advanced search (AQL) with SELECT * FROM events INTO <value> twice
can return an error.
• Aggregated searches performed when datanodes are attached to the JSA deployment
display incorrect counts.
• Reference sets associated to rules as a contains rule test are not working as expected.
• Application Error when opening some offenses.
• Log Source reports can display incorrect target destinations for WinCollect Log Sources.
• Drilling into a search that was grouped by a custom event property with parenthesis
does not work as expected.
• Dashboard item can sometimes display no data in some instances of network hierarchy
containing double byte characters.
• Log Source Status can be incorrect for some protocol types.
• Editing an existing report's timespan does not work as expected.
• The Assigned to link in an open offense summary window doesn't work.
• Times series not generated for AQL searches containing mathematical expressions.
• Offense search exclusion filters containing a defined network hierarchy parameter do
not respect the exclusion.
• Attempting to edit a saved search after adding a filter causes the saved search window
to not render properly.
• Unexpected error while retrieving get_logs status when a non-admin user accesses
system and license management.
• ERROR: could not find or load main class com.q1labs.core.util.Passwordencrypt when
configuring LDAP hover feature.
• Ariel searches that are run using API version 7.0+ do not return payload properly for
parsing.
• Rule Response Limiter does not always limit responses as configured.
• Searches using a geographic location filter can return unexpected results.
• Non-admin JSA user can view reports that have not been shared.
• Reports can sometimes fail to complete or complete with incorrect data when using
a top offenses chart.
• AQL queries (advanced search) can sometimes cause Your browser sent a request that
this server could not understand message.
• Results in report data can sometimes not match search results when an OR condition
exists in search filters.
• Residual files from a failed deploy to a managed host can prevent new deploy attempts
from completing.
• Device stopped sending events rule sometimes does not display the associated log
source when part of an offense.
• Dashboard widgets that are set to Chart Type: Table display Start Time (Minimum) in
Epoch time instead of long format.
• Customized identity changes made using the DSM Editor for Microsoft IAS logs are not
honored in the Log Activity tab.
• System and license management can take longer than expected to load large JSA
deployments.
• DSM editor can display regex grabs inconsistently between Workspace field and Log
Activity preview.
• Datanodes may not rebalance correctly if there are multiple destinations.
• Syslog source payload should not set device time in the future.
• The Asset Details, Asset Summary window of an asset can sometimes be missing the
Operating System data.
• Event Count displayed for an offense can sometimes fail to match the event count in
related Log Activity search.
• <br/> is displayed in report description hover over where line breaks are expected.
• Events contributing to an offense cannot be displayed after custom event property
OffenseID is created in DSM Editor.
• ECS-EC process can sometimes go out of memory in JSA environments with a very
large number of Log Sources.
• Slow user interface response leading to a Tomcat out of memory can be caused by
adding filters to Scheduled Search results.
• Intermittent Tomcat deadlock can cause the JSA user interface to become inaccessible
without a service restart.
• Rule Wizard data validation allows input of invalid AQL syntax.
• wget.log file can contribute to the /var/log partition running out of sufficient free space.
• Flow collectors with multi-threading enabled can stop collecting flows after patching.
• Message Template not found is displayed when attempting to view, run, or edit a report.
• Selected event does not display in the DSM Editor Workspace.
• Non-admin users are unable to view Log Sources when filtering on the Log Activity
page.
• Searches can fail with connecting to the query server errors or I/O error occurred when
many security profiles exist.
• Appliance WIPE does not honor the amount of wipes that were entered and always
uses the default of six.
• Hostcontext can run out of memory due to task management database table becoming
corrupted.
• Lower than expected performance results when using historical correlation.
• The /store/transient partition does not perform required clean up when running low
on free disk space.
• /var/log/ partition can run out of space due to logs filling with messages The UserSession
object in SessionContext....
• Drop in expected event rate after upgrading to JSA 7.3.0 can be caused by network
interfaces dropping packets.
• Reports run on some AQL searches can return inconsistent column names.
• General Failure. Please try again message when a Log Activity search with reference
table filter user specified value is run.
• Console installation of JSA 7.3.0 can fail when UTC timezone is selected.
• Rules and Building Blocks can be missing from view in the JSA user interface while still
being installed or enabled.
• Relevance value displayed by the REST API varies from what is displayed in the Offenses
tab.
• The server encountered an error reading one or more files when performing a Log Activity
search.
• Searches can fail or cancel when a maximum number of results is reached.
• Manage Search Results page fails to load with General Failure. Please try again message.
• Report output data does not adhere to the security profile of the report creator.
• Non-admin JSA users are unable to perform various right click and API call functions.
• NFS mount fails to mount after High Availability (HA) failover.
• Using Clean Vulnerability Ports can result in vulnerability data not being imported into
the asset model.
• Invocation was successful, but transformation to content type
'APPLICATION_JSON' failed when pulling from the API.
• Application Error during server discovery when there is more than a default domain in
JSA.
• Red Hat Enterprise Linux cifs-utils package is not included on JSA appliances installed
at, or upgraded to, 7.3.0.
• Creating a global view based on a search containing a quick filter does not work as
expected.
• Rule response limiter for Username sometimes does not work as expected.
• JSA 7.3.0 upgrade process does not verify the presence of ISO prior to setup installation
process starting.
• Flows received when using flow forwarding Offsite Source/Target or Routing Rules
are incorrect.
• Tunnel connections remain after a data node or event collector is removed from a
JSA deployment.
• DNS lookups for internal IP network ranges not working.
• Using Rule Response Execute Custom Action can sometimes not work as expected.
• JSA user interface can become unresponsive when multiple users are working with
JSA reports.
• Auto Update can cause an interruption in flow collection and a performance degradation
system notification in the User Interface.
• In progress searches that run longer than the configured search results retention period
are deleted prior to completion.
• Attempting to obfuscate a large volume of username field based events can cause
obfuscated events to be dropped.
• Adding a regex filter to a search can generate error fatal exception in ValidationException:
this is not a valid....
• Commas are treated as OR in quick filter searches causing varied search results.
• Deployment actions - Edit Host Connection option is not enabled after Event and/or
Flow Processor is added to deployment.
• JSA application environment variables are not updated after qchange_netsetup.py is
used to change the IP address of a JSA Console.
• JSA user interface becomes unresponsive linked to logrotate of httpd files.
• Asset Profiler out of memory or AssetCleanupThread TxSentry can occur on systems
with a large amount of assets.
• Ariel searches that do many string comparisons can run slower than expected in low
memory scenarios.
• Tomcat service can fail to load due to deadlock, causing the JSA user interface to
become inaccessible.
• Attempting to use the valid regex (?i) (for case insensitive) in a custom property fails
with regex is invalid.
• Missing files in /storetmp/upgrade errors when running /root/complete_upgrade.sh
script after a failed upgrade.
• An attempt to cancel a duplicate Log Activity search in progress can display error
...WARN_QUERY_COLLECT_DATA_LIMIT.
• Upgrading JSA can hang or fail during the 71-qdocker_upgrade.sh script.
• The message There was an error downloading this item can sometimes be displayed
in a dashboard widget.
• JSA upgrade process can fail after reboot on appliances with PCI networking cards.
• JSA upgrade process can sometimes fail at the pre-boot phase, and the ' / ' partition
fills to 100%.
• Configuration restore onto a console with a different IP address causes JSA apps to
no longer work.
• Triggermatchcount rule wording can sometimes be misinterpreted.
• JSA 7.3.0 upgrade can fail while running or re-running the upgrade_stage_iso.sh script.
JSA Vulnerability Manager
• The fusionvm database is not backed up when the qvmprocessor is located on a
managed host instead of the console.
• Newly configured vulnerability exceptions can sometimes be duplicated.
• Unable to add new CIDR ranges in Vulnerability Assignment screen.
• JSA appliance attempts communication with unexpected IP address when JSA
Vulnerability Manager is installed.
• Scan result data can sometimes fail to be updated in the JSA asset model.
• The Vulnerability ID field results contained in a scan that was exported to CSV can be
incorrect.
JSA Risk Manager
• Juniper Junos device backup failure can occur due to an Out of Memory condition.
• Network labels are not displaying on the connection graph in JSA Risk Manager.
• JSA Risk Manager Topology page can take a longer than expected time to load.
• JSA Risk Manager simulation ignores changes made to the topology model.
• Default rules with action NONE are incorrectly listed in the configuration monitor rules
list.
JSA Log Manager
• Additional rule tests cannot be added to current rules and new rules cannot be created
when using JSA Log Manager.
Related Documentation
• What's New in JSA 7.3.1
• Installing JSA
• Known Issues and Limitations
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
[email protected], or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
https://www.juniper.net/support/requesting-support.html.
Revision History
March 2018—Revision 1, for JSA Release 7.3.1
Copyright © 2018 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.