Command and Control Server Details

Access this page by clicking on an External Server IP link from the Command and Control Servers page.

Use the Command and Control Server Details page to view analysis information and a threat summary for the C&C server. The following information is displayed for each server.

This page is divided into several sections:

Table 37: Options on the C&C Server Details Page (Upper Right Side of Page)

Button/Link: Select Option > Add to Whitelist

Purpose: Choose this option to add the C&C server to the allowlist.

Warning: Adding a C&C server to the allowlist automatically triggers a remediation process that updates any affected hosts (in that realm) that have contacted the newly allowlisted C&C server.

All C&C events related to this allowlisted server are removed from the affected hosts’ events, and the host threat level is recalculated.

If the host score changes during this recalculation, a new host event appears describing why it was rescored (for example, “Host threat level updated after C&C server 1.2.3.4 was cleared.”). Additionally, the server no longer appears in the list of C&C servers because it has been cleared.

Note: You can also allowlist C&C servers from the Configuration > Whitelist page. See Creating Allowlists and Blocklists for details.

Button/Link: Select Option > Report False Positive

Purpose: Choose this option to launch a new screen that lets you send a report to Juniper Networks informing Juniper of a false positive or a false negative. Juniper will investigate the report; however, submitting it does not change the verdict.
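The allowlist remediation described above, as an added illustration that is not Juniper's code: a constructed model in which allowlisting a server strips its events from every affected host, rescores each host, and records the rescore event the page quotes. The scoring rule (a host's level is the highest C&C threat level it has contacted), the 0-10 scale and the sample hosts are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CncEvent:
    """One row of the Hosts table: a host contacting a C&C server."""
    server_ip: str
    threat_level: int   # the C&C Threat Level column (0-10 scale is an assumption)
    action: str         # "permitted" or "blocked"

@dataclass
class Host:
    name: str
    ip: str
    events: list = field(default_factory=list)       # C&C events attributed to this host
    host_events: list = field(default_factory=list)  # host event log (rescore messages land here)

def host_threat_level(host):
    # Assumed scoring rule: the host inherits the highest C&C threat level it has contacted.
    return max((e.threat_level for e in host.events), default=0)

def allowlist_cnc_server(server_ip, hosts):
    """Remove the allowlisted server's events from every host, rescore, and log any change.
    Returns (host name, level before, level after) for each affected host."""
    affected = []
    for host in hosts:
        before = host_threat_level(host)
        kept = [e for e in host.events if e.server_ip != server_ip]
        if len(kept) == len(host.events):
            continue  # this host never contacted the server; nothing to remediate
        host.events = kept
        after = host_threat_level(host)
        if after != before:
            host.host_events.append(
                f"Host threat level updated after C&C server {server_ip} was cleared.")
        affected.append((host.name, before, after))
    return affected

def sample_hosts():
    # Constructed sample data; 1.2.3.4 is the server used in the page's own example text.
    return [
        Host("ws-01", "10.0.0.11", [CncEvent("1.2.3.4", 8, "blocked"),
                                    CncEvent("203.0.113.9", 3, "permitted")]),
        Host("ws-02", "10.0.0.12", [CncEvent("1.2.3.4", 8, "permitted")]),
        Host("ws-03", "10.0.0.13", [CncEvent("203.0.113.9", 3, "blocked")]),
    ]

if __name__ == "__main__":
    hosts = sample_hosts()
    for name, before, after in allowlist_cnc_server("1.2.3.4", hosts):
        print(f"{name}: {before} -> {after}")
```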

Under Time Range is a graph displaying the frequency of events over time. An event occurs when a host communicates with the C&C server IP address (either sending or receiving data). You can filter this information by clicking on the time-frame links: 1 day, 1 week, 1 month, Custom (select your own time frame).

Hosts is a list of hosts that have contacted the server. The information provided in this section is as follows:

Table 38: Command & Control Server Contacted Host Data

Field: Definition

Client Host: The name of the host in contact with the command and control server.

Client IP Address: The IP address of the host in contact with the command and control server. (Click through to the Host Details page for this host IP.)

C&C Threat Level: The threat level of the C&C server as determined by an analysis of actions and behaviors at the time of the event.

Action: The action taken by the device on the communication (whether it was permitted or blocked).

Protocol: The protocol (TCP or UDP) the C&C server used to attempt communication.

Port: The port the C&C server used to attempt communication.

Device Name: The name of the device in contact with the command and control server.

Date Seen: The date and time of the most recent C&C server hit.

Username: The name of the host user in contact with the command and control server.

Domains is a list of domains that the IP address has previously used at the time of suspicious events. If a C&C IP address is seen changing its DNS/domain name to evade detection, the various names used are listed along with the dates on which they were seen.

Table 39: Command & Control Server Associated Domains Data

Field: Definition

Client Host: A list of domains that the destination IP addresses in the C&C server events resolved to.

Last Seen: The date and time of the most recent C&C server hit.

Signatures is a list of the threat indicators associated with the IP address. A C&C server blocked by the Juniper “Global Threat Feed” shows domains and/or signatures. (The “Blocked Via” column, under the C&C servers listing, shows whether a C&C server IP address was found in the Juniper “Global Threat Feed” or in a different configured custom feed.)

Table 40: Command & Control Server Signature Data

Field: Definition

Name: The name or type of detected malware.

Category: Description of the malware and the way in which it may have compromised a resource or resources.

Date: The date the malware was seen.
