In response to an incident, you can either isolate or quarantine an infected endpoint based on its IP address, and block the IP address of the threat source. Blocking the source prevents downloads of files that are known to be harmful or suspicious. Mitigation is performed by either Policy Enforcer or Juniper Sky ATP.
To configure mitigation settings:
The Mitigation Settings page appears.
The mitigation setting is saved and enabled.
Table 409: Configure Mitigation Settings Page

| Setting | Guideline |
|---|---|
| ATP Cloud | |
| Application Token | Add an application token to allow Security Director Insights or Open API users to securely access ATP Cloud APIs over HTTPS. |
| Open API (Infected hosts) URL | Provide an endpoint URL for the infected host (Open API) and blacklist API (Gophro). For example: https://api.argonqa.junipersecurity.net |
| Open API (Threat Intelligence) URL | Provide the Threat Intelligence Open API URL to program the Juniper Sky ATP Command and Control (C&C) server feeds. For example: https://threat-api.argonqa.junipersecurity.net |
| Blacklist Feed Name | Specify the blocklist feed name. Security Director Insights sends the source IP addresses to the blocklist feed with the specified feed name. You cannot modify the feed name once it is configured. |
| Policy Enforcer | |
| Hostname | Enter the hostname of the Policy Enforcer virtual machine. (This is the hostname you configured during the Policy Enforcer VM installation.) |
| SSH Username | Enter the username of the Policy Enforcer virtual machine. |
| SSH Password | Enter the password of the Policy Enforcer virtual machine. |
| API Username | Specify the username of the Policy Enforcer controller API. |
| API Password | Specify the password of the Policy Enforcer controller API. |
| Blacklist Feed Name | Ensure that you have configured the blocklist custom feed under Configure>Threat Prevention>Feed Sources>Create Custom Feed. Specify the blocklist feed name used to mitigate the source IP addresses. The default blocklist feed name is Yeezy_blacklsit. |
| Infected Host Feed Name | Ensure that you have configured the infected host custom feed under Configure>Threat Prevention>Feed Sources>Create Custom Feed. Specify the infected host feed name used to mitigate the endpoint IP addresses. By default, the infected host feed name is Yeezy_infected_host. |
Click Test to verify the configuration. You can also disable a mitigation setting that is already enabled.
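The following Python script is an added example, not Juniper's code or part of the Security Director Insights product. It models the settings from the table above and the two mitigation actions described on this page (quarantine the infected endpoint's IP through the infected host feed, block the threat source IP through the blocklist feed), so an operator can sanity-check a settings set offline before enabling it: required fields per backend, HTTPS-only Open API URLs, and the rule that the blocklist feed name cannot change once configured. The dictionary layout, key names, function names and the idea that ATP Cloud endpoint quarantine is routed through the Open API (Infected hosts) URL are this example's own assumptions; the page describes only the UI fields.

```python
import ipaddress
from urllib.parse import urlparse

# Fields the table on this page lists for each mitigation backend. The dict layout
# and key names are this example's own assumption, not Juniper's configuration schema.
REQUIRED_FIELDS = {
    "atp_cloud": (
        "application_token", "infected_hosts_url", "threat_intel_url",
        "blacklist_feed_name",
    ),
    "policy_enforcer": (
        "hostname", "ssh_username", "ssh_password", "api_username",
        "api_password", "blacklist_feed_name", "infected_host_feed_name",
    ),
}


def validate_settings(settings):
    """Return a list of problems; an empty list means the settings can be enabled."""
    problems = []
    backend = settings.get("backend")
    if backend not in REQUIRED_FIELDS:
        return ["backend must be 'atp_cloud' or 'policy_enforcer'"]
    for field in REQUIRED_FIELDS[backend]:
        if not settings.get(field):
            problems.append(f"{backend}: {field} is required")
    # The Open API endpoints are reached over HTTPS, so reject any other scheme.
    for field in ("infected_hosts_url", "threat_intel_url"):
        url = settings.get(field)
        if url:
            parsed = urlparse(url)
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"{field}: expected an https:// URL, got {url!r}")
    return problems


def apply_settings_update(saved, update):
    """Merge an update into saved settings, refusing to change the blocklist feed
    name once one has been configured (the page states it cannot be modified)."""
    old = saved.get("blacklist_feed_name")
    new = update.get("blacklist_feed_name", old)
    if old and new != old:
        raise ValueError("Blacklist Feed Name cannot be modified once configured")
    return {**saved, **update}


def plan_mitigation(settings, endpoint_ip=None, source_ip=None):
    """Map the two mitigation actions onto feed updates: the infected endpoint's IP
    goes to the infected host feed (quarantine) and the threat source's IP goes to
    the blocklist feed (block). Returns the planned updates without sending them."""
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    plan = []
    if endpoint_ip is not None:
        ip = ipaddress.ip_address(endpoint_ip)  # raises ValueError on malformed input
        if settings["backend"] == "policy_enforcer":
            target = settings["infected_host_feed_name"]
        else:
            # ATP Cloud: assumption that infected hosts are programmed through the
            # Open API (Infected hosts) URL from the table.
            target = settings["infected_hosts_url"]
        plan.append({"action": "quarantine", "ip": str(ip), "target": target})
    if source_ip is not None:
        ip = ipaddress.ip_address(source_ip)
        plan.append({"action": "block", "ip": str(ip),
                     "target": settings["blacklist_feed_name"]})
    return plan


# Constructed sample settings: placeholder hostname and credentials, feed names
# are the defaults quoted on this page.
SAMPLE_PE = {
    "backend": "policy_enforcer",
    "hostname": "pe-vm.example.internal",
    "ssh_username": "pe-admin",
    "ssh_password": "<placeholder>",
    "api_username": "pe-api",
    "api_password": "<placeholder>",
    "blacklist_feed_name": "Yeezy_blacklsit",
    "infected_host_feed_name": "Yeezy_infected_host",
}

if __name__ == "__main__":
    print("problems:", validate_settings(SAMPLE_PE))
    print(plan_mitigation(SAMPLE_PE, endpoint_ip="10.0.0.25", source_ip="203.0.113.7"))
```

The planner deliberately stops at producing the feed updates rather than pushing them, so it can be run against a settings export before the Test button is pressed; a malformed IP or a settings set that fails validation raises before anything would reach a feed.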