Threat Source Details

Access this page by clicking on an External Server link from the Threat Sources page.

Use the Threat Source Details page to view analysis information and a threat summary for the selected threat source. The following information is displayed for each threat source.

For threat sources of type C&C, you can add the threat source to the allowlist or report it as a false positive to Juniper Networks from the Threat Source Details page.

For threat sources of type DNS, you can only report the threat source as a false positive to Juniper Networks.

Table 37: Options on the Threat Source Details Page (Upper Right Side of Page)

Button/Link | Purpose
Select Option > Add to Whitelist | Choose this option to add the threat source to the allowlist.
    Warning: Adding a threat source to the allowlist automatically triggers a remediation process that updates every affected host in that realm, that is, every host that has contacted the newly allowlisted threat source.
    All C&C events related to the allowlisted server are removed from the affected hosts' events, and each affected host's threat level is recalculated.
    If a host's score changes during this recalculation, a new host event appears describing why it was rescored (for example, "Host threat level updated after threat source 1.2.3.4 was cleared"). The threat source also no longer appears in the list of threat sources, because it has been cleared.
    Note: You can also allowlist a threat source from the Configuration > Allowlists page. See Creating Allowlists and Blocklists for details.
Select Option > Report as False Positive | Choose this option to open a new screen from which you can send a report to Juniper Networks informing Juniper of a false positive or a false negative. Juniper investigates the report; however, submitting it does not change the verdict on the threat source.
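The remediation that allowlisting triggers is easier to reason about as a procedure over events. The following Python is an added example written for this page, not Juniper code: it uses a hypothetical, simplified scoring rule (a host's threat level is the highest level of any threat source it has contacted) and constructed sample events, and walks through removing the C&C events for the cleared server, recalculating each affected host's level, and recording a host event when the score changes. Hosts that never contacted the cleared server are left untouched.

```python
from dataclasses import dataclass, field

# Constructed sample data types; not taken from any Juniper product or log.
# Each C&C event records which host contacted which threat source and the
# threat level of that source at the time of the event.
@dataclass
class CncEvent:
    host_ip: str
    threat_source: str
    threat_level: int          # level of the source when the event was seen

@dataclass
class Host:
    ip: str
    events: list = field(default_factory=list)
    history: list = field(default_factory=list)   # host events (audit trail)

    def threat_level(self) -> int:
        # Hypothetical scoring rule for this example: a host's level is the
        # highest level among the threat sources it has contacted, 0 if none.
        return max((e.threat_level for e in self.events), default=0)

def allowlist_threat_source(hosts: dict, threat_source: str) -> list:
    """Simulate the remediation described above: drop every C&C event for
    the allowlisted server from affected hosts, recalculate each affected
    host's threat level, and emit a host event when the score changes.
    Returns the IPs of hosts whose score changed."""
    rescored = []
    for host in hosts.values():
        before = host.threat_level()
        remaining = [e for e in host.events if e.threat_source != threat_source]
        if len(remaining) == len(host.events):
            continue  # this host never contacted the cleared server
        host.events = remaining
        after = host.threat_level()
        if after != before:
            host.history.append(
                f"Host threat level updated after threat source {threat_source} "
                f"was cleared ({before} -> {after})")
            rescored.append(host.ip)
    return rescored

def sample_hosts() -> dict:
    """Constructed sample realm: three hosts, two threat sources."""
    hosts = {ip: Host(ip) for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.12")}
    events = [
        CncEvent("10.0.0.5", "1.2.3.4", 8),
        CncEvent("10.0.0.5", "5.6.7.8", 4),
        CncEvent("10.0.0.9", "1.2.3.4", 8),
        CncEvent("10.0.0.12", "5.6.7.8", 4),
    ]
    for e in events:
        hosts[e.host_ip].events.append(e)
    return hosts

if __name__ == "__main__":
    realm = sample_hosts()
    for ip in allowlist_threat_source(realm, "1.2.3.4"):
        print(ip, realm[ip].threat_level(), realm[ip].history[-1])
```

Note that 10.0.0.5 keeps a non-zero score after the clear because it also contacted 5.6.7.8; only the events for the cleared server are removed, which is why the recalculation, not the removal alone, decides whether a host event is written.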

Under Time Range is a graph displaying the frequency of events over time. An event occurs when a host communicates with the threat source IP address (either sending or receiving data). You can filter this information by clicking the time-frame links: 1 day, 1 week, 1 month, or Custom (select your own time frame).

Hosts is a list of hosts that have contacted the threat source. The information provided in this section is as follows:

Table 38: Threat Source Contacted Host Data

Field | Definition
Client Host | The name of the host in contact with the threat source.
Client IP Address | The IP address of the host in contact with the threat source. (Click through to the Host Details page for this host IP.)
Threat Level at Time | The threat level of the threat source, as determined by an analysis of its actions and behaviors, at the time of the event.
Status | The action the device took on the communication: permitted, sinkholed, or blocked.
Protocol | The protocol (TCP or UDP) the threat source used to attempt communication.
Source Port | The port the threat source used to attempt communication.
Device Name | The name of the device that observed the communication with the threat source.
Date/Time Seen | The date and time of the most recent threat source hit.
Username | The name of the host user in contact with the threat source.

Domains is a list of domain names the threat source IP address was using at the time of suspicious events. If a threat source IP address is seen changing its DNS name to evade detection, each name it has used is listed along with the date on which it was seen.

Table 39: Threat Source Associated Domains Data

Field | Definition
C&C Host | The domains that the destination IP addresses in the threat source events resolved to.
Last Seen | The date and time of the most recent threat source server hit.
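The Domains section is where a threat source that rotates names becomes visible. The Python below is an added example, not Juniper code or product output: it takes constructed DNS resolution records (domain, resolved IP, timestamp; the names and addresses are placeholders) and builds, for each IP, the list of domains it has been seen under with first- and last-seen times, so that an IP that has used several names stands out from one that has not. The same approach works on passive-DNS or resolver logs from your own environment.

```python
from datetime import datetime

# Constructed sample resolutions (domain, IP, ISO-8601 time the mapping was
# observed). These are placeholders, not real indicators.
SAMPLE_RESOLUTIONS = [
    ("update-cdn.example", "203.0.113.10", "2023-03-01T09:12:00"),
    ("update-cdn.example", "203.0.113.10", "2023-03-02T10:05:00"),
    ("files-sync.example", "203.0.113.10", "2023-03-05T22:40:00"),
    ("mail.example.org",   "198.51.100.7", "2023-03-03T08:00:00"),
    ("img-host.example",   "203.0.113.10", "2023-03-09T03:15:00"),
]

def domain_history(resolutions):
    """Group resolutions by IP. For each IP, map each domain it resolved from
    to a (first_seen, last_seen) pair of datetimes."""
    history = {}
    for domain, ip, ts in resolutions:
        seen = datetime.fromisoformat(ts)
        per_ip = history.setdefault(ip, {})
        first, last = per_ip.get(domain, (seen, seen))
        per_ip[domain] = (min(first, seen), max(last, seen))
    return history

def rotating_ips(history, min_domains=2):
    """Return the IPs that have used at least min_domains distinct names,
    each with its names ordered by when they were first seen."""
    out = {}
    for ip, domains in history.items():
        if len(domains) >= min_domains:
            out[ip] = sorted(domains, key=lambda d: domains[d][0])
    return out

if __name__ == "__main__":
    hist = domain_history(SAMPLE_RESOLUTIONS)
    for ip, names in rotating_ips(hist).items():
        print(ip)
        for name in names:
            first, last = hist[ip][name]
            print(f"  {name}: first seen {first:%Y-%m-%d}, last seen {last:%Y-%m-%d}")
```

Ordering the names by first-seen time, rather than alphabetically, is deliberate: it reproduces the sequence in which the server moved between names, which is the detail you want when deciding whether a new name on the same IP is a rotation or an unrelated tenant.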

Signatures is a list of the threat indicators associated with the IP address. A threat source blocked via the Juniper "Global Threat Feed" shows domains and/or signatures. (The "Blocked Via" column in the threat source listing shows whether a threat source IP address was found in the Juniper "Global Threat Feed" or in a different configured custom feed.)

Table 40: Threat Source Signature Data

Field | Definition
Name | The name or type of the detected malware.
Category | A description of the malware and the way in which it may have compromised a resource or resources.
Date | The date the malware was seen.

Certificates is a list of certificates associated with the threat source.

Table 41: Threat Source Certificate Data

Field | Definition
Certificate Hash | The hash of a certificate presented by the threat source.
Date/Time Seen | The date and time the certificate hash record was last updated.
