You can configure PDF threat assessment reports to run on demand
or at scheduled intervals. You cannot choose which information
is included in the report, but you can narrow the report to a selected timeframe.
The generated report contains categories such as the following:
Table 1: PDF Report Contents (each Report Category is followed by its Definition)

Executive Summary
  An overview of the report data, separated into the following categories:
  - Malware—Lists newly discovered malware and known malware.
  - C&C Server Destinations—Lists C&C server destinations.
    Note: A C&C server destination is displayed in the report only if its threat level is equal to or greater than 7.
  - Hosts with Malicious Activities—Lists the following:
    - Infected hosts—Lists the number of potentially infected hosts whose threat level is less than the threshold threat level set by the customer.
    - Blocked hosts—Lists the number of infected hosts that have met the threshold threat level and are blocked by policies configured on the SRX Series Firewall.
  - Domains and URLs—Lists the domains and URLs that are suspicious or known to be risky.
  - High-risk User Data—Lists the following:
    - Users' computers infected with malware.
    - High-risk web sites accessed by users.
  - DNS DGA—Lists the DNS-DGA query counts for the top host IP addresses.
  - DNS Tunnels—Lists the DNS tunnel counts for the top host IP addresses.
  - ETI Source Hosts—Lists the ETI detection counts for the top host IP addresses.
  - ETI Destinations—Lists the ETI detection counts for the top Server Name Indication (SNI) domains.

Malware
  The malware section contains the following information:
  - Top Malware Identified—Lists the names of the top malware by count.
  - Top Infected File MIME Types—Lists the top infected Multipurpose Internet Mail Extensions (MIME) types by count.
  - Top Scanned File Categories—Lists the top file categories that are scanned.

C&C Server and Malware Locations
  This section contains the following information:
  - Top C&C Server Location by Count—Lists the top countries for command and control (C&C) servers by number of communication attempts (C&C hits).
  - Top Malware Threat Locations by Count—Lists the top countries with malware threats.

ETI Server Locations
  This section contains the following information:
  - Top ETI Server Locations by Count—Lists the top countries for ETI servers by number of communication attempts (ETI hits).

DNS
  This section contains the following information:
  - DNS Event Counts—Lists the following:
    - DNS-DGA Events—Lists the number of DGA events seen by ATP Cloud for the customer over the time period that the report covers.
    - DNS Tunnel Events—Lists the number of tunnel events seen by ATP Cloud for the customer over the time period that the report covers.
  - Top DNS Tunnel Destination Domains—Lists the top tunnel domains seen by ATP Cloud and the number of events involving those domains for the customer over the time period that the report covers.

Hosts
  This section contains the following information:
  - Top Compromised Hosts—Lists the top hosts that may have been compromised, based on their associated threat level.

Risky Files
  This section contains the following information:
  - Top Risky File Categories by Count—Lists the top risky file categories by count for known and newly discovered malicious files.
  - Top Risky Files Detected by Count—Lists the top risky files detected by count.
  - Top IPs Detected Attempting to Access Risky Files by Count—Lists the top IP addresses attempting to access risky files.
  - Top Risky Files Detected per Top Users—Lists the top risky files detected per top users attempting to access the files.

Risky Domains, URLs, and IPs
  This section lists the top risky domains, URLs, and IP addresses detected, ranked by the number of times access was attempted. It also includes the top users who have attempted to access these risky domains, URLs, and IP addresses.
  - Top Detected Risky Domains, URLs, and IPs by Count—Lists the top risky domains, URLs, and IP addresses detected by the number of times access was attempted.
  - Most Active Users for Risky Domains, URLs, and IPs by Count—Lists the top users who are most active in attempting to access the risky domains, URLs, and IP addresses, by count.
  - Top Detected Risky Domains, URLs, and IPs by Threat Level—Lists the top risky domains, URLs, and IP addresses detected, by threat level.

Email
  This section lists the actions taken on scanned emails. It also includes email attachments determined to be malware and users who are risky email senders.
  - Actions Taken—Lists the action taken for scanned e-mail.
  - High-Risk Email Data—Lists the count of e-mail attachments with malware and risky senders.
  - Malicious SMTP Email by Count—The report breaks scanned e-mail down by protocol and lists SMTP e-mails found to be malicious.
  - Malicious IMAP Email by Count—The report breaks scanned e-mail down by protocol and lists IMAP e-mails found to be malicious.
  - Top Risky File Categories Detected for Email Attachments—Lists the top risky file categories detected in files received as e-mail attachments.
  - Top Risky Email Attachments Detected by Count—Lists the top risky files detected in email attachments.
  - Top Users Receiving Risky Email Attachments—Lists the top users who are receiving risky file attachments through e-mail.
  - Top Risky Email Attachments Detected per Top Users—Lists the top users and their most risky file attachments.
  - Top Risky Email Sender Domains by Count—Lists the top risky sender domains based on the threat level of file attachments sent in email.
  - Top Sender Domains of Risky File Attachments by Count—Lists the top sender domains with risky file attachments and the number of times the risky file attachments were detected.
  - Actions on SMTP Malicious Email by Count—Lists actions taken for malicious SMTP e-mails.
  - Actions on IMAP Malicious Email by Count—Lists actions taken for malicious IMAP e-mails.

Devices
  This section contains the following information:
  - Zero Submissions—Lists the devices that have not submitted files in the past 30 days.
  - Expiring Devices—Lists the devices that will expire in the next 60 days.