Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Hosts Overview

Access this page from the Monitor menu.

The hosts page lists compromised hosts and their associated threat levels. From here, you can monitor and mitigate malware detections on a per host basis.

Note:

User notification of infected hosts—As of Junos OS 18.1R1, there is support HTTP URL redirection based on infected hosts with the block action. This is configured through the CLI on the SRX Series Firewall using the set services security-intelligence profile command. See security-intelligence(services) for details.

Compromised hosts are systems for which there is a high confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things to the computer, such as:

  • Send junk or spam e-mail to attack other systems or distribute illegal software.

  • Collect personal information, such as passwords and account numbers.

Compromised hosts are listed as secure intelligence data feeds (also called information sources.) The data feed lists the IP address of the host along with a threat level; for example, 10.130.132.133 and threat level 5. Once threats are identified, you can create threat prevention policies to take enforcement actions on the inbound and outbound traffic on these infected hosts. See Configuration for Infected Hosts for more information.

For the Hosts listed on this page, you can perform the following actions on one or multiple hosts at once:

Table 1: Operations for Multiple Infected Hosts

Action

Definition

Export Data

Click the Export button to download compromised host data to a CSV file. You are prompted to narrow the data download to a selected time-frame.

Set Policy Override

Select the check box beside one or multiple hosts and choose one of the following options:

  • Never include host(s) in infected hosts feed

  • Always include host(s) in infected hosts feed

  • Use configured policy (not included in infected hosts feed)

Note:

The policy referred to here is the policy configured on the SRX Series Firewall. See Example: Configure Juniper Advanced Threat Prevention Cloud Policy.

Set Investigation Status

Select the check box beside one or multiple hosts and choose one of the following options: In progress, Resolved - false positive, Resolved - fixed, and Resolved - ignored.

NOTE: When you select a Policy Override option for hosts, other dependent status fields, such as Infected Host Feed, will also change accordingly. In some cases, you may have to refresh the page to see the updated information.

The following information is available in the Host table.

Table 2: Compromised Host Information

Field

Description

Host Identifier

The Juniper ATP Cloud-assigned name for the host. This name is created by Juniper ATP Cloud using known host information such as IP address, MAC address, user name, and host name. The assigned name will be in the following format: username@server. If the username is not known and MAC address or IP address are used, the name may appear as any of the following formats:

user01@2001:db8:cc:dd:ee:ff, user02@10.1.1.1 or 10.1.1.1

Note:

You can edit this name. If you edit the Juniper ATP Cloud-assigned name, Juniper ATP Cloud will recognize the new name and not override it.

Host IP

The IP address of the compromised host.

Threat Level

A number between 0 -10 indicating the severity of the detected threat, with 10 being the highest.

Note:

Click the three vertical dots at the top of the column to filter the information on the page by threat level.

Infected Host Feed

Displays the current host feed settings:

  • Included: This is the default policy. The host is included in the infected host feed if its threat level meets the set infected host threshold.

  • Excluded: The host is allowlisted and will be excluded from the infected host feed even if its threat level meets the threshold.

  • Excluded Manually: The host is allowlisted manually and will be excluded from the infected host feed even if its threat level meets the threshold.

    Example: If you do not enable Add to Infected Hosts setting while creating a new adaptive threat profiling feed, the feed information will not be sent to the infected host feed.

  • Included Manually: The host is blocklisted and will be included in infected host feed even if its threat level does not meet the threshold.

Last Host Activity

Displays the date and time of the most recent activity of the threat.

C&C Hits

The number of times a command and control server communication threat with this host was detected.

Note:

Click the three vertical dots at the top of the column to filter the information on the page by C&C hits.

Malware

The number of times a malware threat was downloaded by this host.

Note:

Click the three vertical dots at the top of the column to filter the information on the page by malware detections.

Policy

Displays the current policy settings.

  • Use configured policy

  • Always include host in infected hosts feed

  • Never include host in infected hosts feed

State of Investigation

Displays either Open, In progress, Resolved-False positive, Resolved-Fixed, Resolved-Ignored

Source

Displays the source of the threat. For example, API, Detection, Adaptive threat profiling feed, and so on.