Hosts Overview
Access this page from the Monitor menu.
The hosts page lists compromised hosts and their associated threat levels. From here, you can monitor and mitigate malware detections on a per host basis.
User notification of infected hosts—As of Junos OS 18.1R1, there is support for HTTP URL redirection of infected hosts when the block action is applied. This is configured through the CLI on the SRX Series Firewall using the set services security-intelligence profile command. See security-intelligence (services) for details.
Compromised hosts are systems for which there is a high confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things to the computer, such as:
- Send junk or spam e-mail to attack other systems or distribute illegal software.
- Collect personal information, such as passwords and account numbers.
Compromised hosts are listed as secure intelligence data feeds (also called information sources). The data feed lists the IP address of the host along with a threat level; for example, 10.130.132.133 and threat level 5. Once threats are identified, you can create threat prevention policies to take enforcement actions on the inbound and outbound traffic of these infected hosts. See Configuration for Infected Hosts for more information.
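The feed described above pairs a host IP with a threat level, and enforcement policies act on that level. The following added example (not Juniper's code or the ATP Cloud export format) parses a constructed feed of that shape, rejects rows whose IP or threat level is malformed so that they never drive a decision, and derives a threshold-based block/monitor action per host alongside the list of investigations that are still open. The CSV column names, the sample rows and the BLOCK_THRESHOLD value are assumptions chosen for illustration.

```python
# Added example, not Juniper's code: parse a compromised-host feed shaped like
# the one described above (host IP plus a 0-10 threat level) and derive an
# enforcement decision per host. The CSV column names, the sample rows and the
# blocking threshold are all constructed assumptions, not the ATP Cloud format.
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample export. Header names are assumed; only the IP/threat-level
# pairing (e.g. 10.130.132.133 at level 5) mirrors the page.
SAMPLE_FEED = """\
host_ip,threat_level,cc_hits,malware,investigation
10.130.132.133,5,2,0,Open
10.130.132.140,9,14,3,In progress
10.130.132.150,2,0,1,Resolved - false positive
10.130.132.160,10,40,7,Open
not-an-ip,7,1,0,Open
10.130.132.170,11,1,0,Open
"""

# Assumed local policy: hosts at or above this level are blocked, lower ones
# are only monitored. Pick the value to match the SRX threat-level policy.
BLOCK_THRESHOLD = 7


@dataclass(frozen=True)
class HostEntry:
    ip: str
    threat_level: int
    cc_hits: int
    malware: int
    investigation: str


def parse_feed(text):
    """Parse feed rows into HostEntry objects.

    Returns (entries, rejected). A row is rejected, rather than silently
    accepted, when its IP does not parse or its threat level is outside 0-10,
    so a malformed feed line can never turn into an enforcement decision.
    """
    entries, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = str(ipaddress.ip_address(row["host_ip"].strip()))
            level = int(row["threat_level"])
            if not 0 <= level <= 10:
                raise ValueError(f"threat level {level} outside 0-10")
            entries.append(HostEntry(
                ip=ip,
                threat_level=level,
                cc_hits=int(row["cc_hits"]),
                malware=int(row["malware"]),
                investigation=row["investigation"].strip(),
            ))
        except (KeyError, ValueError) as exc:
            rejected.append((row.get("host_ip"), str(exc)))
    return entries, rejected


def enforcement_action(entry, threshold=BLOCK_THRESHOLD):
    """Map a host's threat level to the action a threshold policy would take."""
    return "block" if entry.threat_level >= threshold else "monitor"


def open_investigations(entries):
    """Hosts whose investigation state is not one of the Resolved states."""
    return [e for e in entries if not e.investigation.startswith("Resolved")]


def summarize(text, threshold=BLOCK_THRESHOLD):
    """Return ({ip: action}, [open ips], rejected row count) for a feed."""
    entries, rejected = parse_feed(text)
    actions = {e.ip: enforcement_action(e, threshold) for e in entries}
    still_open = [e.ip for e in open_investigations(entries)]
    return actions, still_open, len(rejected)


if __name__ == "__main__":
    actions, still_open, bad = summarize(SAMPLE_FEED)
    for ip, action in sorted(actions.items()):
        print(f"{ip:16} {action}")
    print("open investigations:", still_open)
    print("rejected rows:", bad)
```

The same parser applies to a CSV produced by the Export Data action on this page once the header names are adjusted to the real export; the two malformed sample rows (a non-IP host and a threat level of 11) show why validation belongs before any enforcement logic.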
For the Hosts listed on this page, you can perform the following actions on one or multiple hosts at once:
Action | Definition
---|---
Export Data | Click the Export button to download compromised host data to a CSV file. You are prompted to narrow the data download to a selected time-frame.
Set Policy Override | Select the check box beside one or multiple hosts and choose one of the following options: Note: The policy referred to here is the policy configured on the SRX Series Firewall. See Example: Configure Juniper Advanced Threat Prevention Cloud Policy.
Set Investigation Status | Select the check box beside one or multiple hosts and choose one of the following options: In progress, Resolved - false positive, Resolved - fixed, and Resolved - ignored.

NOTE: When you select a Policy Override option for hosts, other dependent status fields, such as Infected Host Feed, will also change accordingly. In some cases, you may have to refresh the page to see the updated information.
The following information is available in the Host table.
Field | Description
---|---
Host Identifier | The Juniper ATP Cloud-assigned name for the host. This name is created by Juniper ATP Cloud using known host information such as IP address, MAC address, user name, and host name. The assigned name will be in the following format: Note: You can edit this name. If you edit the Juniper ATP Cloud-assigned name, Juniper ATP Cloud will recognize the new name and not override it.
Host IP | The IP address of the compromised host.
Threat Level | A number between 0 and 10 indicating the severity of the detected threat, with 10 being the highest. Note: Click the three vertical dots at the top of the column to filter the information on the page by threat level.
Infected Host Feed | Displays the current host feed settings:
Last Host Activity | Displays the date and time of the most recent activity of the threat.
C&C Hits | The number of times a command and control server communication threat with this host was detected. Note: Click the three vertical dots at the top of the column to filter the information on the page by C&C hits.
Malware | The number of times a malware threat was downloaded by this host. Note: Click the three vertical dots at the top of the column to filter the information on the page by malware detections.
Policy | Displays the current policy settings.
State of Investigation | Displays one of Open, In progress, Resolved-False positive, Resolved-Fixed, or Resolved-Ignored.
Source | Displays the source of the threat. For example, API, Detection, Adaptive threat profiling feed, and so on.