SecIntel Feeds Overview

SecIntel provides carefully curated and verified threat intelligence from Juniper Networks’ Advanced Threat Prevention (ATP) Cloud, Juniper Threat Labs, Dynamic Address Group (DAG), and industry-leading threat feeds to Juniper Secure Edge, MX Series routers, SRX Series Firewalls, and NFX Series Network Services Platform to block Command and Control (C&C) communications at line rate. SecIntel delivers real-time threat intelligence by enabling automatic and responsive traffic filtering.

SecIntel integrates with EX Series and QFX Series switches and enables these switches to subscribe to SecIntel’s infected host feed. This enables you to block compromised hosts at the switch port. You can now extend SecIntel throughout your entire network and increase the number of security enforcement points.

Benefits of SecIntel Feeds

You can view all the default feeds that are available with your current license.

Using this page, you can enable the following feeds for integration with Juniper ATP Cloud.

  • Juniper threat feeds

  • Third party threat feeds—IP threat feeds and URL threat feeds.

  • Dynamic address group feeds—Juniper DAG feeds and Third-party DAG feeds.

Note:

The total number of CC feeds is 32, four of which are reserved for cc_ip, cc_url, cc_ipv6, and cc_cert_sha1. So you can enable up to 28 feeds in the CC category, which includes CC custom feeds and CC third-party feeds. This limit applies if you are injecting additional feeds using the available open API.

Information to know if you are enabling external feeds:

  • If a hit is detected on an enabled external feed, this event appears under Monitor>ATP with a threat level of 10.

  • On Juniper Secure Edge, you can configure policies with the permit or block action for each feed. Note that C&C and Infected Host feeds require an enabled Security Intelligence policy on Juniper Secure Edge in order to work.

  • External feeds are updated once every 24 hours.

Warning:

Understand that these are open source feeds managed by third parties and determining the accuracy of the feed is left up to the Juniper ATP Cloud administrator. Juniper will not investigate false positives generated by these feeds.

Warning:

Juniper Secure Edge policies will block malicious IP addresses based on enabled third party feeds, but these events do not affect host threat scores. Only events from Juniper ATP Cloud feeds affect host threat scores.

To enable the available feeds, do the following:

  1. Navigate to Configure>SecIntel Feeds.

  2. For each feed, select the toggle button to enable the feed. Refer to the guidelines in Table 1.

    Note:

    The Infected Host feed is enabled for all license tiers. All other Juniper SecIntel feeds are enabled only with Secure Edge Advanced or higher license.

    Click the Go to feed site link to view feed information, including the contents of the feed.

    Table 1: SecIntel Feeds (Field: Guidelines)

    Juniper Threat Feeds
      Command and Control: Displays whether the C&C feed is enabled or not.
      Malicious Domains: Displays whether the DNS feed is enabled or not.
      Infected Host Feed: Displays whether the infected host feed is enabled or not.

    Third Party Threat Feeds

    IP Threat Feeds
      Block List: Click the toggle button to enable block list feeds as third party feeds.
      ThreatFox IP: Click the toggle button to enable ThreatFox IP feeds as third party feeds.
      Feodo Tracker: Click the toggle button to enable Feodo Tracker feeds as third party feeds.
      DShield: Click the toggle button to enable DShield feeds as third party feeds.
      Tor: Click the toggle button to enable Tor feeds as third party feeds.

    URL Threat Feeds
      ThreatFox URL: Click the toggle button to enable the ThreatFox URL feed as a third party feed. ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors, and threat intelligence providers. An IOC can be an IP address, domain name, or URL.
      URLhaus URL Threat Feed: Click the toggle button to enable the URLhaus feed as a third party feed. URLhaus is a threat intelligence feed that shares malicious URLs used for malware distribution.
      OpenPhish: Click the toggle button to enable the OpenPhish feed as a third party feed. OpenPhish is a fully automated, self-contained platform for phishing intelligence. It identifies phishing sites and performs intelligence analysis in real time without human intervention and without using any external resources, such as blocklists. For malware inspection, SecIntel analyzes traffic using the URLs in this feed.

    Domain Threat Feeds
      ThreatFox Domains: Click the toggle button to enable the ThreatFox domain feed as a third party feed.

    Dynamic Address Group Feeds

    Juniper DAG Feeds
      GeoIP Feed: Displays whether the GeoIP feed is enabled or not. The GeoIP feed is an up-to-date mapping of IP addresses to geographical regions. It gives you the ability to filter traffic to and from specific geographies in the world.

    Third Party DAG Feeds
      office365: Click the toggle button to enable the office365 IP filter feed as a third party feed. The office365 IP filter feed is an up-to-date list of published IP addresses for Office 365 service endpoints, which you can use in security policies. This feed works differently from the others on this page and requires certain configuration parameters, including the pre-defined cloud feed name “ipfilter_office365”.
        Pre-defined cloud feed name: ipfilter_office365
      facebook: Click the toggle button to enable feeds from Facebook.
        Pre-defined cloud feed name: ipfilter_facebook
      google: Click the toggle button to enable feeds from Google.
        Pre-defined cloud feed name: ipfilter_google
      atlassian: Click the toggle button to enable feeds from Atlassian.
        Pre-defined cloud feed name: ipfilter_atlassian
      zscaler: Click the toggle button to enable feeds from Zscaler.
        Pre-defined cloud feed name: ipfilter_zscaler
      oracleoci: Click the toggle button to enable feeds from Oracle OCI.
        Pre-defined cloud feed name: ipfilter_oracleoci
      cloudflare: Click the toggle button to enable feeds from Cloudflare.
        Pre-defined cloud feed name: ipfilter_cloudflare
      zoom: Click the toggle button to enable feeds from Zoom.
        Pre-defined cloud feed name: ipfilter_zoom
      microsoftazure: Click the toggle button to enable feeds from Microsoft Azure.
        Pre-defined cloud feed name: ipfilter_microsoftazure
      amazonaws: Click the toggle button to enable feeds from Amazon AWS.
        Pre-defined cloud feed name: ipfilter_amazonaws
      okta: Click the toggle button to enable feeds from Okta.
        Pre-defined cloud feed name: ipfilter_okta
      paypal: Click the toggle button to enable feeds from PayPal.
        Pre-defined cloud feed name: ipfilter_paypal

    Note:

    • Since Ransomware Tracker and Malware Domain List are deprecated, the Ransomware Tracker and Malware Domain List IP feeds are not supported on Juniper ATP Cloud. If you had enabled these feeds earlier, you might stop receiving them.

    • The update interval for a third party Internet service feed is one day.

Using the office365 Feed

Enable the office365 feed check box in Juniper ATP Cloud to push Microsoft Office 365 service endpoint information (IP addresses) to Juniper Secure Edge. The office365 feed works differently from the other feeds on this page and requires certain configuration parameters, including the pre-defined feed name “ipfilter_office365”.

After you enable the check box, you must create a dynamic address object on Juniper Secure Edge that refers to the ipfilter_office365 feed.
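As an added example that is not from the Juniper documentation, the following Junos set-style configuration shows the two objects this page describes, written for an SRX Series firewall (which the overview lists as a SecIntel enforcement point): a dynamic address that refers to the ipfilter_office365 feed, and the Security Intelligence policy that the C&C and Infected Host feeds require before they are enforced. The profile, policy, zone and address names are placeholders I chose; the feed name ipfilter_office365 is the one given on this page, and the Junos keywords are assumed to correspond to what Secure Edge exposes through its UI.

```junos
# Dynamic address object (DAG) populated from the pre-defined cloud feed
# ipfilter_office365 (feed name from this page; "dag-office365" is a placeholder).
set security dynamic-address address-name dag-office365 profile category IPFilter feed ipfilter_office365

# Security Intelligence profile for the C&C category: block and log hits at
# threat level 8 to 10. Enabled third-party feed hits arrive at level 10, so
# they are covered by this rule. Profile and rule names are placeholders.
set services security-intelligence profile cc-profile category CC
set services security-intelligence profile cc-profile rule cc-block match threat-level [ 8 9 10 ]
set services security-intelligence profile cc-profile rule cc-block then action block drop
set services security-intelligence profile cc-profile rule cc-block then log
set services security-intelligence profile cc-profile default-rule then action permit
set services security-intelligence profile cc-profile default-rule then log

# Security Intelligence profile for the Infected Host feed: drop and log
# traffic from hosts whose threat score is 8 or higher.
set services security-intelligence profile ih-profile category Infected-Hosts
set services security-intelligence profile ih-profile rule ih-block match threat-level [ 8 9 10 ]
set services security-intelligence profile ih-profile rule ih-block then action block drop
set services security-intelligence profile ih-profile rule ih-block then log
set services security-intelligence profile ih-profile default-rule then action permit

# Bind both profiles into one Security Intelligence policy.
set services security-intelligence policy secintel-policy CC cc-profile
set services security-intelligence policy secintel-policy Infected-Hosts ih-profile

# Firewall policy that permits traffic only to Office 365 endpoints by
# matching the DAG as destination, and attaches the Security Intelligence
# policy so C&C and Infected Host hits are enforced on that traffic.
# Zone names "trust" and "untrust" are placeholders.
set security policies from-zone trust to-zone untrust policy allow-o365 match source-address any
set security policies from-zone trust to-zone untrust policy allow-o365 match destination-address dag-office365
set security policies from-zone trust to-zone untrust policy allow-o365 match application any
set security policies from-zone trust to-zone untrust policy allow-o365 then permit application-services security-intelligence-policy secintel-policy
set security policies from-zone trust to-zone untrust policy allow-o365 then log session-init
```

After committing, the DAG is empty until the feed has been downloaded; because third party feeds are refreshed only once every 24 hours, a newly published Office 365 endpoint can take up to a day to appear in the address set.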