Viewing File and Command and Control Incidents
In the JATP Web UI, view file and command and control detections from the Incidents tab.
View downloaded file incidents by looking for DL in the Progression field. Select an incident to view the progression of the malware in the Summary tab at the bottom of the page. From the Action pulldown, you can select to Mitigate the incident or view the infection Timeline.
View command and control server incidents by looking for IN in the Progression field. Select an incident to view the progression of the malware in the Summary tab at the bottom of the page. From the Action pulldown, you can select to Mitigate the incident or view the infection Timeline.
In some cases, an incident may have both DL and IN in the progression field.
For each incident type, when you click on a log entry, additional information is provided at the bottom of the page in tabs.
Downloads Tab—For file incidents, in addition to the Summary tab, there is also a Downloads tab from which you can take the following actions:
Find on VirusTotal—VirusTotal is a website that analyzes suspicious files and URLs to detect types of malware. You can also search for malware on this site by entering a URL, IP address, domain, or file hash.
Download PCAP trace—Click this link to download the pcap (packet capture) file data collected by the SRX Series device. You are prompted to save the file. (Note that there is no collector dashboard for the SRX Series at this time.)
Download Sample—Click this link to download a password-protected zipped file containing the malware. The password for the zip file is the SHA256 hash of the malware executable (a 64-character alphanumeric string) shown in the Downloads tab for the file in question.
Download Behavior Log—Click this link to download a zip file containing log information about the malware. You are prompted to save the file.
Add to Whitelist—If you believe the file was incorrectly categorized as malware, click this link to add the file to the allowlist so that it will not be blocked.
Report False Positive—Click this link to report a false positive. You are prompted to create a ticket and to fill in information to explain the issue.
Infections Tab—For command and control server hits, in addition to the Summary tab, there is also an Infections tab from which you can view more information on the threat such as the threat name, severity, category of threat, and the name of the feed that blocked the threat. You can also add the threat to the allowlist and report it as a false positive.
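The Download Sample convention above (the zip password is the sample's SHA256 hash) is easy to get wrong when handling many samples, and the hash doubles as an integrity check on what you extracted. The following Python script is an added example written for this page; it is not Juniper's code and not part of the JATP product. It assumes you have already saved the sample archive and copied the hash from the Downloads tab; the file names in it are hypothetical, and the archive built in demo() is an unencrypted, constructed stand-in because the standard library cannot write encrypted zips. Extract samples only inside an isolated analysis environment.

```python
import hashlib
import re
import zipfile
from pathlib import Path

# Convention from the JATP documentation: the archive password is the SHA256
# of the sample, a 64-character hexadecimal string. Case of the hash as shown
# in the UI is an assumption; the password is passed exactly as given.
SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")


def sha256_of_file(path: Path) -> str:
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_sample(zip_path: Path, expected_sha256: str, dest: Path) -> dict:
    """Extract the archive into dest using the hash as the password, then
    report for each extracted member whether its SHA256 matches the hash
    shown in the Downloads tab. Returns {member_name: bool}."""
    if not SHA256_HEX.fullmatch(expected_sha256):
        raise ValueError("expected a 64-character hexadecimal SHA256")
    dest.mkdir(parents=True, exist_ok=True)
    results = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Refuse member names that would land outside dest (zip slip).
            target = (dest / info.filename).resolve()
            if dest.resolve() not in target.parents:
                raise ValueError(f"unsafe member name: {info.filename}")
            # pwd is only consulted for encrypted entries; for the real
            # JATP download it is the hash string as ASCII bytes.
            zf.extract(info, path=dest, pwd=expected_sha256.encode())
            actual = sha256_of_file(dest / info.filename)
            results[info.filename] = actual.lower() == expected_sha256.lower()
    return results


def demo() -> dict:
    """Self-contained run on a constructed archive (not malware)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        payload = b"constructed sample bytes for the example, not a real file\n"
        zip_path = tmp / "sample.zip"  # hypothetical file name
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("sample.bin", payload)
        good_hash = hashlib.sha256(payload).hexdigest()
        ok = extract_sample(zip_path, good_hash, tmp / "out_ok")
        mismatch = extract_sample(zip_path, "0" * 64, tmp / "out_mismatch")
        return {"ok": ok, "mismatch": mismatch}


if __name__ == "__main__":
    print(demo())
```

For a real download, call extract_sample(Path("downloaded.zip"), "<hash from Downloads tab>", Path("quarantine")); a False entry in the result means the extracted file is not the sample the hash refers to (wrong password, truncated download, or a different member) and should not be trusted for analysis.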