schema: Juniper.Access
description: Juniper.Access logs for all traffic coming to and from the box.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-access-log.html
fields:
  - name: timestamp
    required: true
    description: Log entry timestamp
    type: timestamp
    timeFormats:
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: The hostname of the appliance
    type: string
    indicators:
      - hostname
  - name: log_level
    description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
    type: string
  - name: thread
    description: The specific thread that is handling the request or response.
    type: string
  - name: unique_request_key
    description: The key used to uniquely identify requests.
    type: string
  - name: type
    description: Whether the HTTP packet is a client request, or a server response (REQUEST,RESPONSE).
    type: string
  - name: stage
    description: Whether the HTTP packet is being logged before or after Security Engine processes it (and potentially manipulates it).
    type: string
  - name: proxy_client_ip
    description: The incoming client IP. Since WebApp Secure works around an Nginx proxy, the client IP will most likely be '127.0.0.1'.
    type: string
    indicators:
      - ip
  - name: url
    description: The full request or response URL.
    type: string
    indicators:
      - domain
Juniper.Audit
The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.
schema: Juniper.Audit
description: Juniper.Audit The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html
fields:
  - name: timestamp
    required: true
    description: Log entry timestamp
    type: timestamp
    timeFormats:
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: The hostname of the appliance
    type: string
    indicators:
      - hostname
  - name: log_level
    description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
    type: string
  - name: message
    description: The message. Can indicate any of the previously mentioned actions.
    type: string
  - name: api_key
    description: The key used to perform the action described in the message.
    type: string
  - name: login_ip
    description: The IP address the user logged in from
    type: string
    indicators:
      - ip
  - name: username
    description: The user that performed the login
    type: string
    indicators:
      - username
Juniper.Firewall
Juniper.Firewall stores information about dropped packets from the iptables firewall.
schema: Juniper.Firewall
description: Juniper.Firewall stores information about dropped packets from the iptables firewall.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html
fields:
  - name: timestamp
    required: true
    description: Log timestamp
    type: timestamp
    timeFormats:
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: event
    description: Event name
    type: string
  - name: DST
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: DPT
    description: Destination port
    type: int
  - name: SRC
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: SPT
    description: Source port
    type: int
  - name: TTL
    description: IP TTL in milliseconds
    type: bigint
  - name: ID
    description: Packet id
    type: bigint
  - name: MAC
    description: MAC address
    type: string
    indicators:
      - mac
  - name: LEN
    description: Packet length
    type: int
  - name: TOS
    description: Packet Type of Service field
    type: string
  - name: PREC
    description: Packet precedence bits
    type: string
  - name: RES
    description: Reserved bits
    type: string
  - name: RST
    description: Packet is RST
    type: boolean
  - name: SYN
    description: Packet is SYN
    type: boolean
  - name: DF
    description: Packet has do not fragment flag
    type: boolean
  - name: IN
    description: Input interface
    type: string
  - name: OUT
    description: Output interface
    type: string
  - name: PROTO
    description: Protocol
    type: string
  - name: WINDOW
    description: Transmit window
    type: int
Juniper.MWS
Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.
schema: Juniper.MWS
description: Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-mws-log.html
fields:
  - name: timestamp
    description: The date of the log entry, in UTC.
    type: timestamp
    timeFormats:
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: The appliance hostname.
    type: string
    indicators:
      - hostname
  - name: log_level
    description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
    type: string
  - name: service_name
    description: The WebApp Secure service that generated the log entry.
    type: string
  - name: service_component
    description: The specific component that is issuing the log message.
    type: string
  - name: log_message
    description: The message. This can be anything, but usually contains information to help you narrow down problems or confirm certain events have occurred as they should.
    type: string
Juniper.Postgres
Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.
schema: Juniper.Postgres
description: Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-postgres-log.html
fields:
  - name: timestamp
    required: true
    description: Log entry timestamp
    type: timestamp
    timeFormats:
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: The hostname of the machine
    type: string
  - name: pid
    description: The process ID of the postgres instance.
    type: int
  - name: group_id_major
    description: Group id major number
    type: int
  - name: group_id_minor
    description: Group id minor number
    type: int
  - name: sql_error_code
    description: The SQL error code.
    type: string
  - name: session_id
    description: A somewhat unique session identifier that can be used to search for specific lines in the log.
    type: string
    indicators:
      - trace_id
  - name: message_type
    description: The type of the message. Can be LOG, WARNING, ERROR, or STATEMENT.
    type: string
  - name: message
    description: The message.
    type: string
Juniper.Security
Juniper.Security WebApp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
schema: Juniper.Security
description: |-
  Juniper.Security WebApp Secure is configured to log security incidents to mws-security.log.
  All security alerts should be sent to security.log (previously named security-alert.log).
  There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-log-format.html
fields:
  - name: timestamp
    required: true
    description: Log entry timestamp
    type: timestamp
    timeFormats:
      - '%b %d %H:%M:%S'
    isEventTime: true
  - name: hostname
    description: The hostname of the appliance
    type: string
    indicators:
      - hostname
  - name: log_level
    description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
    type: string
  - name: service
    description: The WebApp Secure service that triggered the security log entry.
    type: string
  - name: category
    description: Log entry category
    type: string
  - name: profile_id
    description: The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response.
    type: string
  - name: profile_name
    description: The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response.
    type: string
  - name: pubkey
    description: The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles.
    type: string
  - name: incident
    description: The name of the incident that triggered this security alert.
    type: string
  - name: severity
    description: The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive.
    type: smallint
  - name: source_ip
    description: The IP the request that generated this alert originated from.
    type: string
    indicators:
      - ip
  - name: user_agent
    description: The client's user agent string that generated this alert.
    type: string
  - name: url
    description: The request URL that generated this alert.
    type: string
    indicators:
      - url
  - name: count
    description: The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile.
    type: int
  - name: fake_response
    description: Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure.
    type: boolean
  - name: response_code
    description: The numerical code for the response issued.
    type: string
  - name: response_name
    description: The friendly name for the response issued on the profile indicated in the alert.
    type: string
  - name: created_date
    description: The date and time the response was created.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: delay_date
    description: The date and time the response is set to be delayed until.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: expiration_date
    description: The date and time the response is set to expire.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%f'
  - name: response_config
    description: The configuration used in this response. Displayed as an XML-like node.
    type: string
  - name: silent_running
    description: Whether or not this Counter Response was set to be silent with the Silent Running service at the time of activation.
    type: boolean