Configure Mitigation Settings
In response to an incident, you can either isolate or quarantine an infected endpoint based on its IP address and block the threat source IP address. This prevents you from downloading files that are known to be harmful or suspicious. Mitigation is performed by either Security Director Policy Enforcer or Juniper Advanced Threat Prevention Cloud (ATP Cloud).
To configure mitigation settings:
- Select Administration>Insights Management>Mitigation Settings.
The Mitigation Settings page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click Save.
The mitigation settings are saved and enabled.
Table 1: Configure Mitigation Settings
Add an application token to allow Security Director Insights or OpenAPI users to securely access ATP Cloud APIs over HTTPS.
Open API (Infected hosts) URL
Enter an endpoint URL for the infected host (OpenAPI) and blocklisted API (Gophro).
Open API (Threat Intelligence) URL
Enter the Threat Intelligence OpenAPI URL to program the ATP Cloud command-and-control (C&C) server feeds.
Blocklist Feed Name
Enter the blocklist feed name. Security Director Insights sends the source IP addresses to the blocklist feed with the specified feed name. You cannot modify the feed name after it is configured.
Enter the hostname of the Policy Enforcer VM. (This is the hostname you configured during the installation of the Policy Enforcer VM.)
To configure Policy Enforcer running on Security Director Insights, enter the hostname or IP address of the Security Director Insights VM.
Enter root as the username of the Policy Enforcer VM (for the standalone Policy Enforcer). For the integrated Policy Enforcer running on Security Director Insights, the 'admin' username is already prepopulated.
Enter the root password of the Policy Enforcer VM (for the standalone Policy Enforcer). For the integrated Policy Enforcer running on Security Director Insights, enter the password of the Security Director Insights CLI administrator.
Enter the username of the Policy Enforcer controller API.
Enter the password of the Policy Enforcer controller API.
Blocklist Feed Name
Ensure that you have configured the blocklist custom feed under Configure > Threat Prevention > Feed Sources > Create Custom Feed.
Infected Host Feed Name
Ensure that you have configured the infected host custom feed under Configure > Threat Prevention > Feed Sources > Create Custom Feed.
Click Test to verify the configuration. Also, you have an option to disable the already enabled mitigation setting.