Configure Mitigation Settings

In response to an incident, you can isolate or quarantine an infected endpoint based on its IP address and block the IP address of the threat source. Blocking the source prevents users from downloading files that are known to be harmful or suspicious. Mitigation is performed by either Policy Enforcer or Juniper Sky ATP.

Procedure

To configure mitigation settings:

  1. Select Administration>Insights Management>Mitigation Settings.

    The Mitigation Settings page appears.

  2. Complete the configuration according to the guidelines provided in Table 409.
  3. Click Save and Enable.

    The mitigation setting is saved and enabled.

Table 409: Configure Mitigation Settings Page

ATP Cloud

  Setting: Application Token
  Guideline: Add an application token to allow Security Director Insights or Open API users to securely access ATP Cloud APIs over HTTPS.

  Setting: Open API (Infected hosts) URL
  Guideline: Provide an endpoint URL for the infected host (Open API) and blacklist API (Gophro). For example: https://api.argonqa.junipersecurity.net

  Setting: Open API (Threat Intelligence) URL
  Guideline: Provide the Threat Intelligence Open API URL to program the Juniper Sky ATP Command and Control (C&C) server feeds. For example: https://threat-api.argonqa.junipersecurity.net

  Setting: Blacklist Feed Name
  Guideline: Specify the blocklist feed name. Security Director Insights sends the source IP addresses to the blocklist feed with the specified feed name. You cannot modify the feed name once configured.

Policy Enforcer

  Setting: Hostname
  Guideline: Enter the hostname of the Policy Enforcer virtual machine. (This is the hostname you configured during the Policy Enforcer VM installation.)

  Setting: SSH Username
  Guideline: Enter the username of the Policy Enforcer virtual machine.

  Setting: SSH Password
  Guideline: Enter the password of the Policy Enforcer virtual machine.

  Setting: API Username
  Guideline: Specify the username of the Policy Enforcer controller API.

  Setting: API Password
  Guideline: Specify the password of the Policy Enforcer controller API.

  Setting: Blacklist Feed Name
  Guideline: Ensure that you have configured the blocklist custom feed under Configure>Threat Prevention>Feed Sources>Create Custom Feed. Specify the blocklist feed name to mitigate the source IP addresses. The default blocklist feed name is Yeezy_blacklsit.

  Setting: Infected Host Feed Name
  Guideline: Ensure that you have configured the infected host custom feed under Configure>Threat Prevention>Feed Sources>Create Custom Feed. Specify the infected host feed name to mitigate the endpoint IP addresses. By default, the infected host feed name is Yeezy_infected_host.

Click Test to verify the configuration. You can also disable a mitigation setting that is already enabled.
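The following pre-flight validator is an added example and is not Juniper's code or part of the Security Director Insights product. It models the fields of Table 409 as plain data and checks them before they are saved: the two Open API URLs must use https:// (the application token is sent to them), credentials must not be empty, and the ATP Cloud feed name must not change once it has been configured. The field names come from the table; the validation rules, the conservative feed-name character set, the hostname check and the sample values are assumptions.

```python
"""Pre-flight validator for the Mitigation Settings fields in Table 409.

Added example, not Juniper's code. The field names follow the table; the
validation rules (https:// only for the Open API URLs, non-empty credentials,
a feed name that cannot change once configured, a conservative feed-name
character set) are assumptions drawn from the table's guidance.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed naming rule for feed names; the page does not state one.
FEED_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
# RFC 1123 style hostname labels; assumed rule for the Policy Enforcer hostname.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass
class AtpCloudSettings:
    application_token: str
    infected_hosts_url: str       # Open API (Infected hosts) URL
    threat_intelligence_url: str  # Open API (Threat Intelligence) URL
    blacklist_feed_name: str


@dataclass
class PolicyEnforcerSettings:
    hostname: str
    ssh_username: str
    ssh_password: str
    api_username: str
    api_password: str
    blacklist_feed_name: str = "Yeezy_blacklsit"          # default from Table 409
    infected_host_feed_name: str = "Yeezy_infected_host"  # default from Table 409


def _check_https_url(label: str, url: str, problems: List[str]) -> None:
    """The application token travels to these endpoints, so accept https:// only."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"{label}: expected an https:// URL, got {url!r}")


def _check_feed_name(label: str, name: str, problems: List[str]) -> None:
    if not FEED_NAME_RE.match(name):
        problems.append(f"{label}: {name!r} is empty or contains unsupported characters")


def validate_atp_cloud(new: AtpCloudSettings,
                       existing: Optional[AtpCloudSettings] = None) -> List[str]:
    """Return a list of problems; an empty list means the settings can be saved."""
    problems: List[str] = []
    if not new.application_token.strip():
        problems.append("Application Token: must not be empty")
    _check_https_url("Open API (Infected hosts) URL", new.infected_hosts_url, problems)
    _check_https_url("Open API (Threat Intelligence) URL",
                     new.threat_intelligence_url, problems)
    _check_feed_name("Blacklist Feed Name", new.blacklist_feed_name, problems)
    # Table 409: the feed name cannot be modified once configured.
    if existing is not None and existing.blacklist_feed_name != new.blacklist_feed_name:
        problems.append("Blacklist Feed Name: cannot be modified once configured")
    return problems


def validate_policy_enforcer(s: PolicyEnforcerSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings can be saved."""
    problems: List[str] = []
    for label, value in (("Hostname", s.hostname), ("SSH Username", s.ssh_username),
                         ("SSH Password", s.ssh_password),
                         ("API Username", s.api_username),
                         ("API Password", s.api_password)):
        if not value.strip():
            problems.append(f"{label}: must not be empty")
    if s.hostname.strip() and not HOSTNAME_RE.match(s.hostname.strip()):
        problems.append(f"Hostname: {s.hostname!r} is not a valid hostname")
    _check_feed_name("Blacklist Feed Name", s.blacklist_feed_name, problems)
    _check_feed_name("Infected Host Feed Name", s.infected_host_feed_name, problems)
    return problems


if __name__ == "__main__":
    # Constructed sample input; the URLs are the examples given in Table 409,
    # the hostname and placeholder secrets are made up for this example.
    atp = AtpCloudSettings(
        application_token="<token-placeholder>",
        infected_hosts_url="https://api.argonqa.junipersecurity.net",
        threat_intelligence_url="https://threat-api.argonqa.junipersecurity.net",
        blacklist_feed_name="insights_blocklist",
    )
    pe = PolicyEnforcerSettings(hostname="policy-enforcer.example.internal",
                                ssh_username="admin",
                                ssh_password="<ssh-password-placeholder>",
                                api_username="api",
                                api_password="<api-password-placeholder>")
    for name, problems in (("ATP Cloud", validate_atp_cloud(atp)),
                           ("Policy Enforcer", validate_policy_enforcer(pe))):
        print(name, "OK" if not problems else "\n  ".join(["problems:"] + problems))
```

Run the validators on the new values before clicking Save and Enable; passing `existing=` with the currently saved ATP Cloud settings catches an attempt to rename the feed, which the page says is not allowed once configured. Secrets are only checked for presence, never logged.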