Reference Data Collections


Juniper Secure Analytics
Release 2014.2

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net

Published: 2014-07-15

Copyright Notice

Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. The following terms are trademarks or registered trademarks of other companies: Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Release 2014.2
Copyright 2014, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History

July 2014

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software: As regards software accompanying the STRM products (the Program), such software contains software licensed by Q1 Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.

For the convenience of Licensee, the Program may be accompanied by a third party operating system. The operating system is not part of the Program, and is licensed directly by the operating system provider (e.g., Red Hat Inc., Novell Inc., etc.) to Licensee. Neither Juniper Networks nor Q1 Labs is a party to the license between Licensee and the third party operating system provider, and the Program includes the third party operating system AS IS, without representation or warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement. For an installed Red Hat operating system, see the license file: /usr/share/doc/redhat-release-server-6server/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA as so modified.

CONTENTS

1 REFERENCE DATA COLLECTIONS
    About Reference Data Collections ... 7
    Creating a Reference Data Collection ... 8
    Utility Command Reference ... 10

1 REFERENCE DATA COLLECTIONS

Use the ReferenceDataUtil.sh utility to make complex reference data collections, such as a Reference Map, Reference Map of Sets, and Reference Map of Maps. This technical note applies to Juniper Secure Analytics (JSA) and Log Analytics.

About Reference Data Collections

Reference data collections enable the storage, retrieval and testing of complex data structures. You can create the following reference data collection types:

Reference Map - In a Reference Map, data is stored in records that map a key to a value. For example, to correlate user activity on your network, you can create a Reference Map that uses the Username parameter as the key and the user's global ID as the value.

Reference Map of Sets - In a Reference Map of Sets, data is stored in records that map a key to multiple values. For example, to test for authorized access to a patent, you can create a Map of Sets that uses a custom event property for Patent ID as the key and the Username parameter as the value, to populate a list of authorized users.

Reference Map of Maps - In a Reference Map of Maps, data is stored in records that map one key to another key, which is then mapped to a single value. For example, to test for network bandwidth violations, you can create a Map of Maps that uses the Source IP parameter as the first key, the Application parameter as the second key, and the Total Bytes parameter as the value.

For each reference data collection, you specify the element type for the collection. You can specify the following element types:

Alphanumeric
Alphanumeric Ignore Case
IP
Numeric
Port
Date

Creating a Reference Data Collection

Using the ReferenceDataUtil.sh utility, you can create a reference data collection.

Before you begin

If you plan to load an external file containing data elements, ensure that the file is in Comma Separated Value (CSV) format. Also ensure that you have copied the file to your JSA system. The file must follow the format shown in the following example reference data collections:

Example 1 ReferenceMap
    key1,data
    key1,value1
    key2,value2

Example 2 ReferenceMapOfSets
    key1,data
    key1,value1
    key1,value2

Example 3 ReferenceMapOfMaps
    key1,key2,data
    map1,key1,value1
    map1,key2,value2

The comment symbol in the first column indicates a comment line. The first non-comment line is the column header and identifies the column names (i.e., key1, key2, data). Each non-comment line after that is a data record that is added to the map. Keys are alphanumeric strings.

About this task

See Utility Command Reference for a list of all commands and parameters you can use to manage your reference data collections. You can also type ./ReferenceDataUtil.sh and press Enter to display a list of these commands.

Procedure

Step 1  Using SSH, log in to JSA as the root user:
        Username: root
        Password: <password>

Step 2  Create a reference data collection:
        a  To change to the /opt/qradar/bin directory, type the following command:
           cd /opt/qradar/bin
        b  To create the reference data collection, type the following command:
           ./ReferenceDataUtil.sh create <name> <count> [MAP | MAPofSETS | MAPofMAPS] [ALN | NUM | IP | PORT | ALNic | DATE] [timeout_type] [timetolive]

Step 3  To populate the map with data from an external file, type the following command:
        ./ReferenceDataUtil.sh load <name> <filename> [-encoding=...] [-sdf="..."]

What to do next

Log in to the JSA user interface to create rules that add data to your reference data collections, or rule tests that detect activity from elements in your reference data collections. For more information on creating rules and rule tests, see the Juniper Secure Analytics Users Guide.
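As an added example (not part of the Juniper technical note), the following Python script builds a load file in the layout of Examples 1 to 3, validates it the way the note describes (comment lines skipped, first non-comment line is the header, alphanumeric keys, one record per line), and prints the create and load command lines from Steps 2b and 3. It assumes the comment marker is "#" (the character is missing from the page text); the collection name and file path are hypothetical.

```python
"""Build and check load files for ReferenceDataUtil.sh (added example, not Juniper's code)."""
import csv
import io
import re

# Column layout per collection type, following Examples 1-3 in the technical note.
HEADERS = {
    "MAP": ["key1", "data"],
    "MAPofSETS": ["key1", "data"],
    "MAPofMAPS": ["key1", "key2", "data"],
}
KEY_RE = re.compile(r"^[A-Za-z0-9]+$")  # the note states that keys are alphanumeric strings
COMMENT = "#"  # assumed comment marker; the character is missing from the page text


def build_load_file(ctype, records):
    """Render records (tuples laid out like HEADERS[ctype]) as load-file text:
    a comment line naming the type, the column header, then one record per line."""
    cols = HEADERS[ctype]
    out = io.StringIO()
    out.write(f"{COMMENT} {ctype}\n")
    out.write(",".join(cols) + "\n")  # first non-comment line is the column header
    writer = csv.writer(out, lineterminator="\n")
    for rec in records:
        if len(rec) != len(cols):
            raise ValueError(f"{ctype} record needs {len(cols)} columns: {rec!r}")
        for key in rec[:-1]:  # every column except the last (data) is a key
            if not KEY_RE.match(key):
                raise ValueError(f"key is not alphanumeric: {key!r}")
        writer.writerow(rec)
    return out.getvalue()


def parse_load_file(text):
    """Read a load file as the note describes: skip comment lines, take the first
    remaining line as the header, and check every record against it."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r and not r[0].startswith(COMMENT)]
    header, records = rows[0], [tuple(r) for r in rows[1:]]
    bad = [r for r in records if len(r) != len(header)]
    if bad:
        raise ValueError(f"records that do not match header {header}: {bad}")
    return header, records


def utility_commands(name, ctype, count, etype, filename):
    """The create and load command lines from Steps 2b and 3, without the
    optional timeout_type/timetolive arguments."""
    return [
        f"./ReferenceDataUtil.sh create {name} {count} {ctype} {etype}",
        f"./ReferenceDataUtil.sh load {name} {filename}",
    ]


# Constructed sample: authorized users per patent ID, the Map of Sets case from the note.
SAMPLE = [("PAT1001", "alice"), ("PAT1001", "bob"), ("PAT2002", "carol")]
```

Write the output of build_load_file("MAPofSETS", SAMPLE) to a file on the JSA system, then run the two lines returned by utility_commands from /opt/qradar/bin.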

Utility Command Reference

Use the following commands to manage your reference data collections:

Table 1-1 Command Reference

Command: create
Parameters:
    <name> is the name of the reference data collection.
    <count> is the maximum number of elements that the reference data collection can contain.
    [MAP | MAPofSETS | MAPofMAPS] specifies the type of reference data collection.
    [ALN | NUM | IP | PORT | ALNic | DATE] is the type of data in the reference set, where:
        ALN specifies a reference data collection of alphanumeric values. This data type supports IPv4 and IPv6 addresses.
        ALNic specifies a reference data collection of alphanumeric values, but tests ignore the case. This data type supports IPv4 and IPv6 addresses.
        NUM specifies a reference data collection of numeric values.
        IP specifies a reference data collection of IP addresses. This data type supports only IPv4 addresses.
        PORT specifies a reference data collection of port values.
        DATE specifies a reference data collection of date values.
    [timeout_type] specifies whether the timetolive is counted from the time the element was inserted (0) or last seen (1).
    [timetolive] specifies the amount of time that reference data collection elements remain in the collection.

Command: update
Parameters:
    <name> is the name of the reference data collection.
    <count> is the maximum number of elements that the reference data collection can contain.
    [timeout_type] specifies whether the timetolive is counted from the time the element was inserted (0) or last seen (1).
    [timetolive] specifies the amount of time that reference data collection elements remain in the collection.

Command: add
Parameters:
    <name> is the name of the reference data collection.
    <value key1 [key2]> specifies the value you want to add. key1 is required for MAP and MAPofSETS; key2 is also required for MAPofMAPS. Keys are alphanumeric strings.

Command: delete
Parameters:
    <name> is the name of the reference data collection.
    <value key1 [key2]> specifies the value you want to delete. key1 is required for MAP and MAPofSETS; key2 is also required for MAPofMAPS.
    [-sdf="..."] specifies the Simple Date Format string used to parse the date data.

Command: remove
Parameters:
    <name> is the name of the reference data collection.

Command: purge
Parameters:
    <name> is the name of the reference data collection.

Command: get
Parameters:
    <name> is the name of the reference data collection.
    [loadelements] displays all elements in the specified reference data collection.

Command: getall
Parameters:
    [loadelements] displays all elements in all reference data collections.

Command: load
Parameters:
    <name> is the name of the reference data collection.
    <filename> is the fully qualified name of the file to be loaded, with each line in the file representing a record to be added to the reference data collection.
    [-encoding=...] specifies the encoding to use when reading the file.
    [-sdf="..."] specifies the Simple Date Format string used to parse the date data.