Juniper Networks App for Qradar. Juniper Networks App for Qradar User Guide

Transcription

1 Juniper Networks App for Qradar User Guide Last Updated: 23-Mar

2 Table of Contents 1 Installation Application Overview Dashboard Application Dashboard Firewall Policies IDP Dashboard Web Filtering Dashboard Sky ATP Dashboard Log Source Custom Properties Troubleshooting Data not displayed on the Dashboard Incorrect information displayed on the Dashboard Reference

3 Introduction Juniper Networks app for Qradar provides visual presentation of information retrieved from Juniper SRX Series Services Gateway firewalls and Sky ATP. This application contains multiple dashboards which include information related to Application, Firewall, IDP, Web filtering and malware. Displays both historic and real-time information, dashboard specific filter criteria can be entered to view specific information. The application is supported on Qradar Versions and above. 1 Installation Juniper Networks App for Qradar can be download from To install the app Download and locate the zip file on your local machine Login to the QRadar Web Page and select Admin tab from the WebUI Figure 1 Qradar App Installation Procedure Under Admin tab goto System Configuration and select Extensions Management Admin -> System Configuration -> Extensions Management 3

4 Figure 2 Qradar App Installation Procedure Click on Add to Browse and select the file from the downloaded path Figure 3 Qradar App Installation Procedure 4

5 Click Add Button and select install to install the application Keep all the default settings and select install to confirm the installation of the app Figure 4 Qradar App Installation Procedure After the app is installed successfully Juniper Networks App for Qradar", close the Extension Management Page Figure 5 Qradar App Installation Procedure Goto QRadar WebUI and the app is shown by refreshing the page. 5

6 Figure 6 Qradar App Installation Procedure 2 Application After the successful installation of app, Qradar will show the installed Juniper Security Dashboard. The Overview Dashboard is displayed by default. Duration control is included in all the dashboards, and the information presented is based on the duration specified, the default value is 5 Minutes. 2.1 Overview Dashboard Provides holistic view of the environment, presenting details On Treats, Malware, Infected Hosts, the Top Applications consuming the bandwidth and trend of treat events which are generated. The information presented can be searched based on SRX, Source IP Address, User Name and Destination IP Address 6

7 Figure 7 Overview Dashboard Chart Threat Events IDP Events Malware Found Affected Hosts Top Sky ATP Malware found Top Infected hosts found by Sky ATP Top Applications by Volume All Threat Events Syslog Events All "RT_IDP" OR "RT_IDS" events ANTISPAM_SPAM_DETECTED_MT FWAUTH_FTP_USER_AUTH_FAIL FWAUTH_HTTP_USER_AUTH_FAIL FWAUTH_TELNET_USER_ AUTH_FAIL FWAUTH_WEBAUTH_FAIL AAMW_ACTION_LOG where verdict_number > 7 All "RT_IDP" OR "RT_IDS" events AAMW_MALWARE_EVENT_LOG AAMW_HOST_INFECTED_EVENT_LOG AAMW_MALWARE_EVENT_LOG AAMW_HOST_INFECTED_EVENT_LOG APPTRACK_SESSION_VOL_UPDATE All "RT_IDP" OR "RT_IDS" events ANTISPAM_SPAM_DETECTED_MT FWAUTH_FTP_USER_AUTH_FAIL FWAUTH_HTTP_USER_AUTH_FAIL FWAUTH_TELNET_USER_ AUTH_FAIL FWAUTH_WEBAUTH_FAIL AAMW_ACTION_LOG where verdict_number > Application Dashboard The Application Dashboard provides information on: 7

8 Top Applications by Session Count Top Applications by Volume Top Nested-Applications Top Sources utilizing Unknown or Unspecified-Encrypted Applications Also, user can search based on SRX, Source IP Address, User Name, Destination IP and Application. Apart from this application search criteria can be selected as either Contains or Does not Contain or Match Exactly, by default it will be selected as Contains. Figure 8 Application Dashboard Chart Top Applications by Most Sessions Top Applications by Volume Top Nested Applications Top Sources Utilizing Applications that are Unidentified Syslog Events APPTRACK_SESSION_CLOSE APPTRACK_SESSION_VOL_UPDATE APPTRACK_SESSION_CLOSE APPTRACK_SESSION_CLOSE 2.3 Firewall Policies The Firewall Policies Dashboard provides information on: Top Firewall Policies by hit-count Top Denied Firewall Policies by hit-count Top Firewall Policies by Bandwidth consumed The information presented can be searched based on SRX, Source IP Address, User Name and Destination IP Address 8

9 Figure 9 Firewall Policies Dashboard Chart Top Firewall Policies Top Firewall Policies Denied Top Firewall Policies (Bytes Transferred) Syslog Events RT_FLOW_SESSION_CREATE RT_FLOW_SESSION_CLOSE RT_FLOW_SESSION_DENY RT_FLOW_SESSION_DENY RT_FLOW_SESSION_CLOSE 2.4 IDP Dashboard The IDP Dashboard provides information on: Top Sources triggering IDP events Top Users triggering IDP events Top Signatures being triggered Threat Severity trends (Critical, High, Medium, Low, Informational) Top Applications by Threat Severity for Critical, High, and Medium severity attacks The information presented can be searched based on SRX, Source IP Address, User Name and Destination IP Address 9

10 Figure 10 IDP Dashboard Chart Top IDP Sources Top IDP Users IDP Threat Events Top IDS and IDP Attacks Top Applications by Threat Severity - Critical Top Applications by Threat Severity - High Top Applications by Threat Severity - Medium Syslog Events RT_IDP events RT_IDP events RT_IDP events RT_IDS and RT_IDP events RT_IDP events RT_IDP events RT_IDP events 2.5 Web Filtering Dashboard The Web Filtering Dashboard provides information on: Top URL Categories Top URLs being accessed Top Users attempting to access URLs which are being denied Top URLs being permitted by policy Top URLs being denied by policy 10

11 The information presented can be searched based on SRX, Source IP Address, User Name and Destination IP Address Figure 11 Web filtering Dashboard Chart Top URLs Top URL Categories Top Users Utilizing Denied URLs Top URLs Permitted Top URLs Denied Syslog Events WEBFILTER_URL_BLOCKED WEBFILTER_URL_PERMITTED WEBFILTER_URL_REDIRECTED WEBFILTER_URL_BLOCKED WEBFILTER_URL_PERMITTED WEBFILTER_URL_REDIRECTED WEBFILTER_URL_BLOCKED WEBFILTER_URL_PERMITTED WEBFILTER_URL_BLOCKED 2.6 Sky ATP Dashboard The Sky ATP Dashboard provides information on: Top Users and Client IP Addresses generating Malware events Top Users and Client IP Addresses communicating with Command-and-Control infrastructure (C&C) The most prevalent Malware 11

12 Top hosts flagged as being "Infected" by Sky ATP The information presented can be searched based on SRX, Malware Name, User Name and Host Name Figure 12 Sky ATP Dashboard Chart Top Usernames by Most Malware Events Top Client IPs by Most Malware Events Top C&C Events By UserName Top Sky ATP Malware found Top Infected hosts found by Sky ATP Top C&C Events By Source address Syslog Events AAMW_MALWARE_EVENT_LOG AAMW_MALWARE_EVENT_LOG SECINTEL_ACTION_LOG AAMW_MALWARE_EVENT_LOG AAMW_HOST_INFECTED_EVENT_LOG SECINTEL_ACTION_LOG 12

13 3 Log Source Log source needs to be configured in the QRadar to receive the events, which will be queried by the app to generate the charts To add a log source 1. Click the Admin tab. 2. Click the Log Sources icon. 3. Click Add. 4. Configure the parameters for your log source. The Log Source Type and Protocol Configuration to be selected as show in the below figure 5. Enter the IP address of the Log Source (example SRX) in the Log Source Identifier 6. Click Save. 7. On the Admin tab, click Deploy Changes 13

14 4 Custom Properties Juniper App for Qradar uses following custom properties to extract the data from the event, the log source type for all the custom properties is Juniper Junos OS Platform and custom property type is Regex SI.No Property Name Property Description Expression 1 Application Custom extraction of Application Name from DSM applicationname=\"?(.*?)\"?\s application=\"?(.*?)\"?\s 2 Bytes From Client Custom extraction of Client Bytes from DSM 3 Bytes From Server Custom extraction of Server Bytes from DSM 4 Hostname Custom extraction of Hostname from DSM 5 Nested Application Custom extraction of Nested Application Name from DSM 6 Policy Custom extraction of policy from DSM 7 Service Custom extraction of Service Name from DSM 8 URL Custom extraction of URL from DSM 9 attack Custom extraction of attack name from DSM 10 clientip Custom extraction of sourceip from DSM 11 malware Custom extraction of Malware Name from DSM hostname=\"?(.*?)\"?\s bytes-fromclient=\"?(\d*)\"?\s bytes-fromserver=\"?(\d*)\"?\s nestedapplication=\"?(.*?)\"?\s policy-name=\"?(.*?)\"?\s service-name=\"?(.*?)\"?\s url=\"?(.*?)\"?\s attack-name=\"?(.*?)\"?\s client-ip-str=\"?(.*?)\"?\s mw-info=\"?(.*?)\"?\s malware-info=\"?(.*?)\"?\s 14

15 12 record Custom extraction of events that starts with RT_IDP and RT_IDS from DSM 13 threatseverity Custom extraction of Threat Severity from DSM 14 urlcategory Custom extraction of URL Category from DSM 15 verdict Custom extraction of Verdict Number from DSM RT_(IDP IDS) threat-severity=\"?(.*?)\"?\s category=\"?(.*?)\"?\s verdict-number=\"?(.*?)\"?\s 5 Troubleshooting Data not displayed on the Dashboard Try changing the Duration and verify you receive data. Incorrect information displayed on the Dashboard Verify if the required events are in Qradar by coping the query from the dashboard page for the required chart 15

16 On the log activity page, run the query and validate the data 16

17 6 Reference Qradar Extension Installation Documentation mt_importing_extensions.html 17