Juniper Employee
Introducing the Juniper Networks App for Splunk - Now Available in Splunkbase
Oct 23, 2017

Juniper Networks is excited to announce the availability of our App in Splunk's marketplace, Splunkbase. You can find it here.

 

Leveraging the rich reporting capabilities of SRX Series Next-Generation Firewalls, Splunk users can now monitor, analyze, and evaluate threats in real-time through a unified dashboard.

 

Diving In

 

The Overview Dashboard aims to be a holistic review of your environment, presenting you with details on threat events, network-based exploits, prolific malware, infected hosts, and which applications are consuming the most bandwidth. 

 

[Screenshot: Overview Dashboard]

 

The Application Dashboard provides information on:

  • Top Applications by Session Count
  • Top Applications by Volume
  • Top Nested-Applications
  • Top Sources utilizing Unknown or Unspecified-Encrypted Applications

 

[Screenshot: Application Dashboard]

 

The Firewall Policies Dashboard provides information on:

 

  • Top Firewall Policies by hit-count
  • Top Denied Firewall Policies by hit-count
  • Top Firewall Policies by Bandwidth consumed

 

[Screenshot: Firewall Policies Dashboard]

 

The IDP Dashboard provides information on:

 

  • Top Sources triggering IDP events
  • Top Users triggering IDP events
  • Top Signatures being triggered
  • Threat Severity trends (Critical, High, Medium, Low, Informational)
  • Top Applications by Threat Severity for Critical, High, and Medium severity attacks

 

[Screenshot: IDP Dashboard]

 

The Web Filtering Dashboard provides information on:

 

  • Top URL Categories
  • Top URLs being accessed
  • Top Users attempting to access URLs which are being denied
  • Top URLs being permitted by policy
  • Top URLs being denied by policy

 

[Screenshot: Web Filtering Dashboard]

 

The Sky ATP Dashboard provides information on:

 

  • Top Users and Client IP Addresses generating Malware events
  • Top Users and Client IP Addresses communicating with Command-and-Control infrastructure (C&C)
  • The most prevalent Malware
  • Top hosts flagged as being "Infected" by Sky ATP

 

[Screenshot: Sky ATP Dashboard]

 

The Event Information Dashboard provides system-level information, such as account auditing, process status, command-line activity, and more.

 

[Screenshot: Event Information Dashboard]

 

Configuring an SRX Series Next-Generation Firewall to forward events to Splunk:

Through Security Director:

  1.  Go to Devices
  2.  Right click your device
  3.  Modify Configuration
  4.  Security Logging
  5.  Stream Configuration
  6.  Add Splunk's details

[Screenshot: Adding Splunk via Security Director]

     

Through J-Web:

  1. Device Settings
  2. Basic Setup
  3. Logging
  4. Set Logging-Type to 'Stream' and enable 'Traffic Logs'
  5. Add Splunk's details
  6. Commit

[Screenshot: Adding Splunk via J-Web]

Through the CLI:

  1.  Enter configuration mode via 'edit' or 'configure'
  2.  Add the correct information for your Splunk instance (IP address, port, SRX source interface if required, etc.)

 

set security log mode stream
set security log source-interface <srx.interface>
set security log stream Splunk format sd-syslog
set security log stream Splunk host <ip.address.of.splunk>

# Commit the changes
commit and-quit

Nov 8, 2017

I have a few questions.

 

- So how does this interact with Junos Space\SD once configured?

- How does this affect Policy Enforcer?

- Does this work with Splunk Cloud? 

- Can you transport the security logs via TLS to Splunk? TLS is a transport option but wanted to know if it was compatible with Splunk. Currently TLS does not work with Junipers own Log Collector. 

Nov 28, 2017
Sergej.

Hi dwolcot1,

 

I was checking this new app, and it looks like:

1. It does not interact with Space or SD

2. It does not interact with PE. Even without the new Junos app you can search for PE events by looking for SECINTEL_ACTION_LOG type syslogs

3. Not sure about Cloud, but it works fine with on-prem Linux

4. It takes clean syslog (in the same structured format as the Space Log Collector)

 

I also checked with JTAC and they promised to update official documentation for the app shortly.

 

Please post here if you had any luck with the app. I'm mostly confused about this new Juniper app clashing with the old Splunk-supported Juniper app. It is also not clear if the new app is CIM compatible and can be used by Splunk ESS.

Jan 3, 2018

It isn't certified by Splunk for Splunk Cloud so you can't install it. Anyone know if the new app will be certified for Splunk Cloud anytime soon?

Mar 14, 2018
Miles B Dyson

Can this app still work with Juniper data that is not streamed directly from Juniper devices? What if your Juniper data is sent to syslog receivers and then written to a file which a Splunk forwarder can pick up?

Mar 20, 2018
Juniper Employee

@RRiley - It's certified now, you should be able to use it where it's convenient for you.

 

@Miles - As long as the messages themselves retain the same semantic structure, yes (Tested this with JSA/QRadar forwarding to Splunk and it worked just fine).

Mar 30, 2018
tcw135

Hello.  I installed the Juniper app for Splunk this morning and am excited to get it working.  I am running into an issue with the app populating data.  All the windows say "Waiting for data...".  Our main firewall, a Juniper SRX 1500, is set to send sd-syslogs over port 1514 since 514 is used by other devices to send regular syslogs.  When I search for jnpr-syslog I receive the logs that I expect but I don't see any of that information in the Juniper app.

 

I'm not sure where to look to troubleshoot this. Any help would be appreciated!

Apr 3, 2018
Juniper Employee

Hi tcw135

 

You can change the port it's listening on by going to:

Settings -> Data Inputs -> UDP (assuming you're using UDP syslog instead of tcp/tls) 

 

Create new Port

 

Set source name override to jnpr-syslog and add the correct port (1514)


Next 

 

Select app context (Juniper Networks App for Splunk)

 

Set other settings as needed

Apr 3, 2018
tcw135

@cdods, thank you for the reply. I think my problem was that we don't have APPTRACK turned on. I edited the search and noticed it was searching for "APPTRACK_SESSION_CLOSE". When I switched to the Firewall section I was seeing data as expected.

 

Thank you, for the help!

Jun 12, 2018
Sprunkphun

I just downloaded the app, and found that only the "event information" view populates with data.

 

After some digging I found that the props.conf only has 2 extractions in it:

EXTRACT-attack_name_full = attack_name.(?<attack_name>.*?)[\r\n]
EXTRACT-event_severity = ^[^>\n]*>(?P<event_severity>\d+)

Based on the xml content, I'm showing that the searches are looking for other fields, like policy_name.

Did I get a bad version? (Mine is version 121)

 

If not, does anyone have a "full" props.conf with all the extractions, or perhaps just a list of the extractions required for this app? At a bare minimum, I need the policy_name extraction for firewall policies.

 

Thanks!
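As an added example, not code from Juniper, the app, or any of the posters, here is a small Python parser for the structured-syslog (sd-syslog) stream that the CLI configuration earlier in the post enables, applied to the field-extraction question raised in the post above. It splits the RFC 5424 header and the junos@ structured-data element into a flat field dict, renames hyphenated Junos keys such as policy-name to the underscore form (policy_name) that the commenter reports the dashboard searches look for, tallies hits per firewall policy, and runs the event_severity extraction quoted above unchanged against the same lines. The sample lines, hostnames, addresses, policy and attack names are constructed for this example, not captured from a device; the field names follow the Junos structured-syslog layout but are my assumption here, not a statement about what the app extracts.

```python
import re
from collections import Counter

# Constructed sample lines in the Junos structured-syslog (sd-syslog) layout:
# <PRI>VERSION TIMESTAMP HOST PROCESS PROCID EVENT-ID [junos@... key="value" ...]
# Hosts, addresses, policy and attack names are invented for this example.
SAMPLE_LINES = [
    '<14>1 2018-04-03T09:12:44.103Z srx-edge RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.20.30.40" '
    'source-port="51234" destination-address="192.0.2.10" destination-port="443" '
    'service-name="junos-https" policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="41037" bytes-from-client="1830"]',
    '<14>1 2018-04-03T09:12:45.517Z srx-edge RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.20.30.41" '
    'source-port="44010" destination-address="192.0.2.53" destination-port="53" '
    'service-name="junos-dns-udp" policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust"]',
    '<14>1 2018-04-03T09:12:46.002Z srx-edge RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.20.30.42" source-port="3389" '
    'destination-address="198.51.100.7" destination-port="3389" '
    'policy-name="default-deny" source-zone-name="trust" destination-zone-name="untrust"]',
    '<12>1 2018-04-03T09:12:47.210Z srx-edge RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.129 message-type="SIG" source-address="203.0.113.9" '
    'destination-address="192.0.2.10" attack-name="HTTP:EXAMPLE-SIG" '
    'threat-severity="HIGH" policy-name="idp-default" action="DROP"]',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<process>\S+) (?P<procid>\S+) (?P<event_type>\S+) (?P<rest>.*)$'
)
# One structured-data element: [SD-ID key="value" key="value" ...]; values may
# carry the RFC 5424 escapes \" \\ and \].
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sd_id>[^\s\]]+)(?P<params>(?:\s+[\w.-]+="(?:[^"\\]|\\.)*")*)\s*\]'
)
SD_PARAM_RE = re.compile(r'(?P<key>[\w.-]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# The event_severity extraction quoted in the post above, applied unchanged.
PAGE_SEVERITY_RE = re.compile(r'^[^>\n]*>(?P<event_severity>\d+)')


def parse_sd_syslog(line):
    """Return a flat dict of header and structured-data fields, or None if the
    line is not in sd-syslog layout."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group('pri'))
    event = {
        'facility': pri >> 3,
        'severity': pri & 7,  # syslog severity 0..7; <14> is 6 (informational)
        'syslog_version': m.group('version'),
        'timestamp': m.group('timestamp'),
        'host': m.group('host'),
        'process': m.group('process'),
        'event_type': m.group('event_type'),
    }
    for element in SD_ELEMENT_RE.finditer(m.group('rest')):
        event['sd_id'] = element.group('sd_id')
        for param in SD_PARAM_RE.finditer(element.group('params')):
            value = re.sub(r'\\(.)', r'\1', param.group('value'))  # undo SD escapes
            # Junos keys are hyphenated (policy-name); store the underscore form
            # (policy_name) that the dashboard searches discussed above look for.
            event[param.group('key').replace('-', '_')] = value
    return event


def firewall_policy_hits(events):
    """Hit count per policy name over flow events, the figure behind a
    'Top Firewall Policies by hit-count' style panel."""
    flow = (e for e in events if e and e['event_type'].startswith('RT_FLOW_SESSION_'))
    return dict(Counter(e['policy_name'] for e in flow if 'policy_name' in e))


def page_event_severity(line):
    """What the quoted event_severity regex captures from a raw line."""
    m = PAGE_SEVERITY_RE.match(line)
    return m.group('event_severity') if m else None


if __name__ == '__main__':
    events = [parse_sd_syslog(line) for line in SAMPLE_LINES]
    for line, event in zip(SAMPLE_LINES, events):
        print(event['event_type'], 'policy_name=%s' % event.get('policy_name'),
              'syslog severity=%d' % event['severity'],
              'page regex captured=%s' % page_event_severity(line))
    print('policy hits:', firewall_policy_hits(events))
```

On these lines the quoted event_severity regex captures the digit right after the PRI bracket, which in the RFC 5424 layout is the protocol version (1), while the syslog severity is PRI modulo 8 (6 for <14>, 4 for <12>); that is worth checking against your own raw events if a severity panel looks uniform.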

 

Jun 19, 2018
Dlobos

I have a problem with the app: it only shows event information. Can you explain how to configure the app?

 

 

syslog : EXTRACT-attack_name_full Inline attack_name.(?<attack_name>.*?)[\r\n]
syslog : EXTRACT-event_severity Inline ^[^>\n]*>(?P<event_severity>\d+)
