
Configure Mitigation Settings

 

In response to an incident, you can isolate or quarantine an infected endpoint based on its IP address, and you can block the IP address of the threat source so that endpoints can no longer download files known to be harmful or suspicious from it. Mitigation is performed by either Security Director Policy Enforcer or Juniper Advanced Threat Prevention Cloud (ATP Cloud), and the settings below tell Security Director Insights how to reach whichever one you use.

To configure mitigation settings:

  1. Select Administration>Insights Management>Mitigation Settings.

    The Mitigation Settings page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click Save.

    The mitigation settings are saved and enabled.

Table 1: Configure Mitigation Settings

Setting / Guideline

ATP Cloud

  Application Token
    Add an application token to allow Security Director Insights or OpenAPI users to securely access ATP Cloud APIs over HTTPS.

  Open API (Infected hosts) URL
    Enter an endpoint URL for the infected host (OpenAPI) and blocklisted API (Gophro).

  Open API (Threat Intelligence) URL
    Enter the Threat Intelligence OpenAPI URL to program the ATP Cloud command-and-control (C&C) server feeds.

  Blocklist Feed Name
    Enter the blocklist feed name. Security Director Insights sends the source IP addresses to the blocklist feed with the specified feed name. You cannot modify the feed name after it is configured.

Policy Enforcer

  Hostname
    Enter the hostname of the Policy Enforcer VM. (This is the hostname you configured during the installation of the Policy Enforcer VM.)
    To configure Policy Enforcer running on Security Director Insights, enter the hostname or IP address of the Security Director Insights VM.

  SSH Username
    Enter root as the username of the Policy Enforcer VM (for the standalone Policy Enforcer). For the integrated Policy Enforcer running on Security Director Insights, the 'admin' username is already prepopulated.

  SSH Password
    Enter the root password of the Policy Enforcer VM (for the standalone Policy Enforcer). For the integrated Policy Enforcer running on Security Director Insights, enter the password of the Security Director Insights CLI administrator.

  API Username
    Enter the username of the Policy Enforcer controller API.

  API Password
    Enter the password of the Policy Enforcer controller API.

  Blocklist Feed Name
    Ensure that you have configured the blocklist custom feed under Configure > Threat Prevention > Feed Sources > Create Custom Feed.

  Infected Host Feed Name
    Ensure that you have configured the infected host custom feed under Configure > Threat Prevention > Feed Sources > Create Custom Feed.

Click Test to verify the configuration before relying on it. You can also disable a mitigation setting that is already enabled.
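As an added illustration (this is example code written for this page, not Juniper code and not the Security Director Insights or ATP Cloud API), the following Python pre-flight check models the fields in Table 1 and applies the rules the table states before you click Save: the OpenAPI URLs must be HTTPS, the blocklist feed name cannot change once configured, the SSH username must be root for a standalone Policy Enforcer and admin for the integrated one, and the Policy Enforcer feed names must already exist as custom feeds. The dataclass field names, the feed-name character set, and the example.com URLs are assumptions and constructed placeholders; the redaction helper is included because the settings carry a token and two passwords that should never reach a log or a ticket.

```python
"""Pre-flight checks for Security Director Insights mitigation settings.

Added example, not Juniper code. Field names mirror the labels in Table 1;
the feed-name character set and the sample values are assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional
from urllib.parse import urlparse
import re

# Assumption: a conservative character set for custom feed names.
FEED_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")

# Fields that must be masked before the settings are logged anywhere.
SECRET_FIELDS = ("application_token", "ssh_password", "api_password")


@dataclass
class AtpCloudSettings:
    application_token: str     # secret used to reach ATP Cloud APIs over HTTPS
    infected_hosts_url: str    # Open API (Infected hosts) URL
    threat_intel_url: str      # Open API (Threat Intelligence) URL
    blocklist_feed_name: str   # fixed once configured


@dataclass
class PolicyEnforcerSettings:
    hostname: str
    ssh_username: str          # root (standalone) or admin (integrated)
    ssh_password: str
    api_username: str
    api_password: str
    blocklist_feed_name: str
    infected_host_feed_name: str
    integrated: bool = False   # True when Policy Enforcer runs on the SD Insights VM


def _check_https(label: str, url: str, problems: List[str]) -> None:
    """The page requires ATP Cloud API access over HTTPS; reject anything else."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"{label}: expected an https:// URL with a host, got {url!r}")


def validate_atp_cloud(s: AtpCloudSettings,
                       saved_feed_name: Optional[str] = None) -> List[str]:
    """Return a list of problems; empty means the ATP Cloud settings are consistent."""
    problems: List[str] = []
    if not s.application_token.strip():
        problems.append("Application Token: must not be empty")
    _check_https("Open API (Infected hosts) URL", s.infected_hosts_url, problems)
    _check_https("Open API (Threat Intelligence) URL", s.threat_intel_url, problems)
    if not FEED_NAME_RE.match(s.blocklist_feed_name):
        problems.append(f"Blocklist Feed Name: {s.blocklist_feed_name!r} is not a valid feed name")
    # The feed name cannot be modified after it is configured.
    if saved_feed_name is not None and saved_feed_name != s.blocklist_feed_name:
        problems.append("Blocklist Feed Name: cannot be modified after it is configured")
    return problems


def validate_policy_enforcer(s: PolicyEnforcerSettings,
                             custom_feeds: List[str]) -> List[str]:
    """Return a list of problems; custom_feeds lists the feeds created under Feed Sources."""
    problems: List[str] = []
    if not s.hostname.strip():
        problems.append("Hostname: must not be empty")
    expected_user = "admin" if s.integrated else "root"
    if s.ssh_username != expected_user:
        mode = "integrated" if s.integrated else "standalone"
        problems.append(f"SSH Username: expected {expected_user!r} for the {mode} Policy Enforcer")
    for label, value in (("SSH Password", s.ssh_password),
                         ("API Username", s.api_username),
                         ("API Password", s.api_password)):
        if not value:
            problems.append(f"{label}: must not be empty")
    for label, name in (("Blocklist Feed Name", s.blocklist_feed_name),
                        ("Infected Host Feed Name", s.infected_host_feed_name)):
        if name not in custom_feeds:
            problems.append(f"{label}: {name!r} is not a custom feed under "
                            "Configure > Threat Prevention > Feed Sources")
    return problems


def redact_for_log(settings) -> Dict[str, object]:
    """Copy of the settings with the token and passwords masked."""
    out = asdict(settings)
    for key in SECRET_FIELDS:
        if key in out:
            out[key] = "***"
    return out


if __name__ == "__main__":
    # Constructed sample values; the URLs are placeholders, not real endpoints.
    atp = AtpCloudSettings("example-token", "http://atp.example.com/infected",
                           "https://atp.example.com/threat-intel", "sdi_blocklist")
    pe = PolicyEnforcerSettings("pe-vm", "admin", "pe-password", "api", "api-password",
                                "sdi_blocklist", "sdi_infected", integrated=False)
    for problem in validate_atp_cloud(atp, saved_feed_name="old_blocklist"):
        print("ATP Cloud:", problem)
    for problem in validate_policy_enforcer(pe, ["sdi_blocklist"]):
        print("Policy Enforcer:", problem)
    print("Safe to log:", redact_for_log(pe))
```

Running the sample flags the plain-http infected-hosts URL, the attempted change of the saved blocklist feed name, the admin username on a standalone Policy Enforcer, and the missing infected-host custom feed, which are the same mistakes the Test button would surface after the fact.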
