☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Juniper SRX Firewall Integration Guide

Juniper SRX Series Services Gateway firewalls must be configured to send logs via syslog to the Taegis™ XDR Collector. Firewall logs are filtered and correlated in real time for various security event observations, including correlation of denied traffic logs, port scanning, broad scanning, internal network outbreaks, peer-to-peer file sharing activity, and outbound traffic to known malicious IP addresses, including known Advanced Persistent Threat (APT) target endpoints being monitored by the Secureworks Counter Threat Unit.

Follow the instructions below to configure the SRX logging and enable monitoring by Secureworks.

Firewall Requirements ⫘

Source	Destination	Port/Protocol
Firewall_mgmt_interface	XDR Collector (mgmt IP)	UDP/514

Data Provided from Integration ⫘

	Antivirus	Auth	DHCP	DNS	Email	Encrypt	File	HTTP	Management	Netflow	NIDS	Process	Thirdparty
Juniper SRX Firewall		D					Y	D		D	V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions ⫘

Command Line Instructions ⫘

Use a Command Line Interface (CLI) to run the following commands that enable Juniper SRX Series logging, depending on the firewall set-up.

Code Example Variables ⫘

Variables in the code examples below are indicated with angle brackets ( <xxx> ). These must be replaced with the information specific to your implementation.

Some of the variables in the following code samples are:

<TDR_DC_IP> — The IP of the destination.
TDR-FWLOGS — A streamname variable.

For more information on configuration commit commands for Juniper SRX, see Setting the System to Stream Security Logs in the Juno OS documentations.

Stanadlone Firewall ⫘

set system syslog host <TDR_DC_IP> any any
set system syslog source-address <MANAGEMENT_INTERFACE_IP>
set security log mode stream
set security log utc-timestamp
set security log source-address <MANAGEMENT_INTERFACE_IP>
set security log stream TDR-FWLOGS format syslog
set security log stream TDR-FWLOGS category all
set security log stream TDR-FWLOGS host <TDR_DC_IP> any any
set security log stream TDR-FWLOGS host port 514
commit check
commit

set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any any
set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
set system syslog file RTFLOW match RT_FLOW
set system syslog time-format

HA Firewall Pair ⫘

HA syslog format
set groups node0 system syslog file default-log-messages any info
set groups node0 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
set system syslog host <TDR_DC_IP> any any
set security log mode stream
set security log source-address <RETH_INTERFACE_IP>
set security log stream TDR-FWLOGS format syslog
set security log stream TDR-FWLOGS host <TDR_DC_IP> any any
set groups node0 system host-name <HOSTNAME1>
set groups node1 system host-name <HOSTNAME2>
set groups node0 system backup-router <GATEWAY_IP> destination <TDR_DC_IP>
set groups node1 system backup-router <GATEWAY_IP> destination <TDR_DC_IP>
set groups node0 system syslog source-address <FXP0 INTERFACE_IP>
set groups node1 system syslog source-address <FXP0_INTERFACE_IP>
commit check
commit

Enable Logging on Security Policies ⫘

Logging is configured on a per-policy basis. You can specify that traffic logs are generated when a session closes (session-close) and when a session starts (session-init). Secureworks recommends generating traffic logs both when a session starts and a session closes to gather as much information as possible for analysis.

The following includes an example of enabling logging for a security policy named default-permit.

To enable logging for a security policy:

Specify that traffic logs are generated when a session closes.

user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close

Specify that traffic logs are generated when a session starts.

user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

Repeat steps 1 and 2 for all policies, in order to obtain all security logs.
Update your Implementation Ticket and notify your Provisioning Engineer when you have completed the logging configuration.

Configuration Commit Commands ⫘

This section illustrates some basic CLI commands that are required to save your configurations.

Commit Check ⫘

After making your changes, you can proceed to check them with the commit check and then apply with a commit.

root@juniper1# commit check
configuration check succeeds
root@SRX100LAB# commit
commit complete

Commit Confirmed ⫘

The commit confirmed command commits a candidate configuration for 10 minutes. If you don’t then follow up with a second commit command, the device automatically rolls back to the previous configuration. You can use the commit confirmed command anytime you want a safety net against potential configuration problems. This command is very useful for configuring remote devices.

[edit]
root@juniper1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes
unless confirmed
commit complete

If everything passes your review, then you need to commit the new configuration a second time for the configuration to become permanent.

[edit]
root@juniper1# commit
commit complete

If you do not confirm the configuration by entering a second commit command, the CLI will roll back the device to the previous active configuration after 10 minutes. A message is displayed when the rollback is automatically completed:

Broadcast Message from root@juniper1
 (no tty) at 08:10:17 UTC
Commit was not confirmed; automatic rollback complete