Adaptive Threat Profiling Overview

Overview

Juniper ATP Cloud Adaptive Threat Profiling allows Juniper Secure Edge to generate, propagate, and consume threat feeds based on its own advanced detection and policy-match events. Adaptive threat profiling is available with a Juniper ATP Cloud license. For feature-specific licensing information, see Software Licenses for ATP Cloud.

This feature allows you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed. Other devices can use this threat feed as a dynamic-address-group (DAG). This feature is mainly used to track and mitigate threats in your network, but you can also use it for non-threat related activities, such as device classification.

Juniper ATP Cloud uses adaptive threat profiling to gather and consolidate information from Juniper Secure Edge across your enterprise. Juniper ATP Cloud shares these deduplicated results with all Juniper Secure Edge devices in your organization at regular intervals. The devices use this information to take additional actions against potential threats in the traffic.

Figure 1 shows the workflow for adaptive threat profiling.

Figure 1: Adaptive Threat Profiling Workflow

Benefits of Adaptive Threat Profiling

  • Deployment as a sensor—Juniper Secure Edge can be deployed as sensors across the network on Tap ports. These sensors detect threats and share intelligence with inline devices for real-time enforcement.

  • Dynamic threat response—Administrators have the flexibility to adapt to evolving threats and network conditions. Security policies can be staged with adaptive threat profiling feeds, which automatically update with entries during an intrusion or a malware outbreak.

  • Endpoint classification—Provides the ability to classify endpoints based on network behavior and deep packet inspection (DPI) results. For example, you can use AppID, Web Filtering, or IDP to identify hosts communicating with Ubuntu’s update servers. These hosts can then be placed into a DAG to manage Ubuntu server behavior on your network.

Access this page from Configure > Adaptive Threat Profiling.

Table 1: Adaptive Threat Profiling Page Details

Feed Name
  Name of the adaptive threat profiling feed. The feeds can only be used as DAG or IP filters.

Items
  Number of entries in the feed.

Feed Type
  Content type of the feed. The following options are supported:
    • IP
    • USER_ID

Added to Infected Hosts
  Displays whether the feed content (for example, a source or destination IP address) is added to the Infected host feed.
    • True—The feed content is added to the Infected host feed.
    • False—The feed content is not added to the Infected host feed.
  Only feeds of type IP can be added to the Infected host feed.

Time to Live (days)
  Defines how long an entry lives inside the feed. Once the TTL is reached, the entry is removed automatically.
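As an added illustration (not Juniper's code), the following Python model shows one feed's lifecycle as the overview and Table 1 describe it: sensors inject policy-match values, the cloud-side pass deduplicates them into DAG members and expires entries by TTL, and only an IP feed may be added to Infected Hosts. It assumes that a repeat match refreshes an entry's TTL timer; the feed name, sensor names, timestamps and addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

FEED_TYPES = ("IP", "USER_ID")  # feed types listed in Table 1

@dataclass
class FeedEntry:
    reported_by: set      # sensors that matched this value (dict key deduplicates)
    last_seen: datetime   # assumption: a repeat match refreshes the TTL timer

class AdaptiveFeed:
    """Hypothetical model of one adaptive threat profiling feed (not Juniper's code)."""
    def __init__(self, name, feed_type, ttl_days, add_to_infected_hosts=False):
        if feed_type not in FEED_TYPES:
            raise ValueError(f"unsupported feed type {feed_type!r}")
        if add_to_infected_hosts and feed_type != "IP":  # Table 1 rule
            raise ValueError("only IP feeds can be added to the Infected host feed")
        self.name, self.feed_type = name, feed_type
        self.ttl = timedelta(days=ttl_days)
        self.add_to_infected_hosts = add_to_infected_hosts
        self.entries = {}  # value (IP or identity) -> FeedEntry

    def report(self, sensor, value, when):
        """A policy match on a sensor injects `value` into the feed."""
        entry = self.entries.get(value)
        if entry is None:
            self.entries[value] = FeedEntry({sensor}, when)
        else:  # already present: deduplicate and refresh the timer
            entry.reported_by.add(sensor)
            entry.last_seen = when

    def consolidate(self, now):
        """Cloud-side pass: drop entries whose TTL elapsed, return current DAG members."""
        for v in [v for v, e in self.entries.items() if now - e.last_seen >= self.ttl]:
            del self.entries[v]
        return sorted(self.entries)

def demo():
    """Two sensors, one duplicate sighting, 7-day TTL (constructed data)."""
    t0 = datetime(2024, 1, 1)
    feed = AdaptiveFeed("suspicious-scanners", "IP", ttl_days=7)
    feed.report("sensor-a", "192.0.2.10", t0)
    feed.report("sensor-b", "192.0.2.10", t0 + timedelta(hours=1))  # duplicate
    feed.report("sensor-a", "198.51.100.5", t0 + timedelta(days=3))
    items = len(feed.entries)                          # 2, not 3
    day5 = feed.consolidate(t0 + timedelta(days=5))    # both still live
    day9 = feed.consolidate(t0 + timedelta(days=9))    # first IP aged out
    return items, day5, day9
```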