STRM stands for Security Threat Response Manager. This is Juniper’s Security Information and Event Management (SIEM)/Security Event Management (SEM) offering that provides log management, correlation, collection and reporting for all Juniper and multi-vendor products. STRM also provides flow-based analysis and reporting of application and traffic trending and performance visibility.
Yes, STRM comes with a generic Universal DSM that can be customized to allow you to add your own devices/applications into STRM. Please contact your Juniper Sales Representative if you require Professional Services to help you create your own DSM from the Universal DSM.
Events, measured in EPS (events per second), are actual logs (syslog, events) sent from Log Source devices like routers, switches, Windows, Unix hosts, firewalls and intrusion detection and prevention (IDP) systems.
Flows, measured in FPM (flows per minute), are traffic sessions monitored by STRM between network devices like routers and switches that export flow data using protocols such as J-Flow, sFlow, and so on.
Sentries monitor events and flows for specific (user-configured) activity. When the activity is seen, the sentry triggers an offense, which then takes some other user-defined action, such as assigning the offense to an admin for review, creating other events as needed, etc. If sentries are not turned on, no offenses will be generated and nothing will be detected from the flow data.
STRM ships with an iptables configuration by default that does not allow ICMP; you will need to enable ICMP (ping) using the management console. To validate connectivity, you can try to SSH v2 to the box (for more information, refer to KB14001 - Enable Ping on STRM).
Events and payloads are stored locally on the Event Processor. They are sent in real time to the console if a user is on the event viewer tab and viewing in “Realtime”. When a historical search (one minute or more) is performed, the search process will poll the remote Event Collectors/Processors for the data. It will then return the data in the form of a cursor. The cursor will be stored locally until it expires (managed search results).
Deduplication of events in STRM is known as coalescing. If coalescing is enabled, STRM stores repeated identical events as a single record and payload and keeps a count of how many times the event has occurred. Events must have the same event name, IPs, ports, usernames, etc. in their parsed values to be combined.
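The following is an added example written for this page, not STRM's own code: it folds a constructed batch of parsed events into coalesced records keyed on the parsed fields named above (event name, IPs, ports, username), then runs a sentry-style threshold rule over the coalesced counts so that deduplication does not hide repeated activity, producing an offense assigned to an admin as described in the sentry answer. The field names, the rule, the threshold and the sample events are assumptions for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass, replace


@dataclass
class Event:
    """One parsed log event (fields a DSM would extract; constructed for this example)."""
    name: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    username: str
    payload: str
    count: int = 1  # how many raw events were folded into this stored record


def _failed(src_ip, user, src_port, n):
    """Build n identical failed-login events from one source (constructed sample data)."""
    return [Event("Login Failed", src_ip, "10.0.0.20", src_port, 22, user,
                  f"sshd: Failed password for {user} from {src_ip} port {src_port}")
            for _ in range(n)]


# Constructed sample batch: 10 raw events as an Event Collector might parse them.
RAW_EVENTS = (
    _failed("10.0.0.5", "alice", 51000, 6)
    + _failed("10.0.0.5", "bob", 51001, 1)
    + [Event("Login Success", "10.0.0.7", "10.0.0.20", 52000, 22, "alice",
             "sshd: Accepted password for alice from 10.0.0.7 port 52000")]
    + _failed("10.0.0.9", "carol", 53000, 2)
)


def coalesce_key(ev):
    """Parsed values that must all match for two events to coalesce."""
    return (ev.name, ev.src_ip, ev.dst_ip, ev.src_port, ev.dst_port, ev.username)


def coalesce(events):
    """Store identical events once, keeping the first payload and a running count."""
    records = OrderedDict()
    for ev in events:
        key = coalesce_key(ev)
        if key in records:
            records[key].count += 1              # duplicate: bump the count, keep one payload
        else:
            records[key] = replace(ev, count=1)  # first sighting: store a fresh record
    return list(records.values())


@dataclass
class Offense:
    description: str
    source_ip: str
    event_count: int
    assigned_to: str


def sentry_failed_logins(records, threshold=5, assign_to="soc-admin"):
    """Sentry-style rule (hypothetical): raise an offense when one source accumulates
    `threshold` or more failed logins. Counts from coalesced records are summed,
    so deduplication does not mask repeated activity."""
    per_source = {}
    for rec in records:
        if rec.name == "Login Failed":
            per_source[rec.src_ip] = per_source.get(rec.src_ip, 0) + rec.count
    return [Offense(f"Repeated failed logins from {ip}", ip, total, assign_to)
            for ip, total in per_source.items() if total >= threshold]


def run_pipeline(events=RAW_EVENTS, threshold=5):
    """Coalesce a batch, then evaluate the sentry rule; returns (records, offenses)."""
    records = coalesce(events)
    return records, sentry_failed_logins(records, threshold)


if __name__ == "__main__":
    records, offenses = run_pipeline()
    print(f"{len(RAW_EVENTS)} raw events -> {len(records)} stored records")
    for rec in records:
        print(f"  {rec.name:14} {rec.src_ip:10} {rec.username:6} count={rec.count}")
    for off in offenses:
        print(f"OFFENSE: {off.description} ({off.event_count} events) -> {off.assigned_to}")
```

Running the block folds the 10 raw events into 4 stored records (the six identical alice failures become one record with count 6) and raises a single offense for 10.0.0.5, whose failed-login total across the alice and bob records is 7. The alice events differ from the bob event only by username, so they are kept as separate records, matching the rule that every parsed value must agree before events are combined.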
Compression occurs only when the disk on the Event Collector reaches 85% (a configurable value within the deployment editor). It will compress all data from that timeframe. The data is uncompressed when a search is requested for the given time period.
Manual reports act similarly to a search: the report polls the Event Collectors/Processors and pulls the data back in the form of a cursor. A scheduled report runs off accumulated data. Once an hour, the reporting engine performs the searches in 15-minute increments and pulls the data back. This data is stored as accumulated data, which the report uses at its scheduled run time (these launch nightly).