Access this page from the Monitor menu.
The Hosts page lists compromised hosts and their associated threat levels. From here, you can monitor and mitigate malware detections on a per-host basis.
User notification of infected hosts: As of Junos OS 18.1R1, HTTP URL redirection is supported for infected hosts that match a rule with the block action, so a user on a blocked host can be sent to a notification page rather than silently losing connectivity. This is configured through the CLI on the SRX Series device using the set services security-intelligence profile command. See the Juniper ATP Cloud CLI Reference Guide for details.
Compromised hosts are systems for which there is a high confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things to the computer, such as:
Send junk or spam e-mail to attack other systems or distribute illegal software.
Collect personal information, such as passwords and account numbers.
Compromised hosts are listed as security intelligence data feeds (also called information sources). The data feed lists the IP address of the host along with a threat level; for example, 126.96.36.199 and threat level 5. Once threats are identified, you can create threat prevention policies that take enforcement actions on the inbound and outbound traffic of these infected hosts. See Global Configuration for Infected Hosts for more information.
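The following SRX Series configuration ties the two points above together: it consumes the Infected-Hosts feed, blocks hosts at threat level 7 or higher, and redirects their HTTP sessions to a notification page. It is an added example, not text from this page or from Juniper's documentation. The profile, rule, policy and zone names (ih-profile, ih-rule, ih-policy, trust, untrust, allow-out) and the redirect URL are assumptions; lines beginning with ## are explanatory and are not part of the set commands.

```junos
## Security-intelligence profile for the Infected-Hosts feed (names are assumed).
## Only threat levels 7-10 are blocked; lower levels fall through to the default rule.
set services security-intelligence profile ih-profile category Infected-Hosts
set services security-intelligence profile ih-profile category Infected-Hosts rule ih-rule match threat-level [ 7 8 9 10 ]
## block close drops the session; the http redirect-url sends the user's browser to a notification page
## (assumed URL) so the block is visible rather than a silent timeout.
set services security-intelligence profile ih-profile category Infected-Hosts rule ih-rule then action block close http redirect-url https://helpdesk.example.com/quarantine
set services security-intelligence profile ih-profile category Infected-Hosts rule ih-rule then log
## Hosts below threat level 7 are permitted but logged, so the drop in threat level is still visible.
set services security-intelligence profile ih-profile default-rule then action permit
set services security-intelligence profile ih-profile default-rule then log
## Bind the profile to a security-intelligence policy and attach it to an outbound zone policy,
## so traffic from an infected host toward the untrust zone is inspected and blocked.
set services security-intelligence policy ih-policy Infected-Hosts ih-profile
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services security-intelligence-policy ih-policy
```

After commit, confirm the SRX has actually downloaded the Infected-Hosts feed before expecting any block: show services security-intelligence category summary reports the feed status, and show security dynamic-address category-name Infected-Hosts lists the IP addresses currently in it. The redirect only applies to HTTP; other protocols from a blocked host are simply dropped, which is why the default rule keeps logging so that the host still shows up in the SRX logs while the threat level is below the block threshold.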
For the hosts listed on this page, you can perform the following actions on one or multiple hosts at once:
Table 1: Operations for Multiple Infected Hosts
Export: Click the Export button to download compromised host data to a CSV file. You are prompted to narrow the download to a selected time frame.
Set Policy Override: Select the check box beside one or multiple hosts and choose one of the following options:
Note: The policy referred to here is the policy configured on the SRX Series device. See Example: Configuring a Juniper Advanced Threat Prevention Cloud Policy Using the CLI.
Set Investigation Status: Select the check box beside one or multiple hosts and choose one of the following options: In progress, Resolved - false positive, Resolved - fixed, or Resolved - ignored.
NOTE: When you select a Policy Override option for hosts, other dependent status fields, such as Infected Host Feed, also change accordingly. In some cases, you may have to refresh the page to see the updated information.
The following information is available in the Hosts table.
Table 2: Compromised Host Information
Host: The Juniper ATP Cloud-assigned name for the host. This name is created by Juniper ATP Cloud using known host information such as IP address, MAC address, user name, and host name. The assigned name is in the format username@server. If the username is not known and the MAC address or IP address is used instead, the name may appear in any of the following formats:
user01@aa:bb:cc:dd:ee:ff, email@example.com or 188.8.131.52
Note: You can edit this name. If you edit the Juniper ATP Cloud-assigned name, Juniper ATP Cloud recognizes the new name and does not override it.
IP Address: The IP address of the compromised host.
Threat Level: A number between 0 and 10 indicating the severity of the detected threat, with 10 being the highest.
Note: Click the three vertical dots at the top of the column to filter the information on the page by threat level.
Infected Host Feed: Displays the current host feed settings.
Last Host Activity: Displays the date and time of the most recent activity of the threat.
C&C Hits: The number of times command and control (C&C) server communication involving this host was detected.
Note: Click the three vertical dots at the top of the column to filter the information on the page by C&C hits.
Malware Detections: The number of times a malware threat was downloaded by this host.
Note: Click the three vertical dots at the top of the column to filter the information on the page by malware detections.
Policy: Displays the current policy settings.
State of Investigation: Displays one of Open, In progress, Resolved - false positive, Resolved - fixed, or Resolved - ignored.
Threat Source: Displays the source of the threat. For example, API, Detection, Adaptive threat profiling feed, and so on.
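The CSV produced by the Export action (Table 1) carries the fields of Table 2, which makes it straightforward to triage outside the UI, for instance to pick hosts to escalate or to spot resolved hosts that have become active again. The script below is an added example, not Juniper code: the column layout of the export and the sample rows are constructed here and are an assumption, and the threshold of 7 mirrors the block rule a practitioner would typically configure on the SRX.

```python
"""Triage a Hosts-page CSV export.

Added example, not part of the page or of Juniper ATP Cloud. The header
names follow Table 2 on this page; the exact layout of the real export file
is an assumption, as are the sample rows below.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export (not real data). Threat Source and State of
# Investigation use values listed on the page; the feed and policy values
# are placeholders.
SAMPLE_EXPORT = """\
Host,IP Address,Threat Level,Infected Host Feed,Last Host Activity,C&C Hits,Malware Detections,Policy,State of Investigation,Threat Source
user01@aa:bb:cc:dd:ee:ff,192.0.2.10,9,included,2024-05-01 10:22:00,14,2,configured,Open,Detection
user02@server,192.0.2.11,4,included,2024-05-01 08:00:00,1,0,configured,In progress,API
user03@server,192.0.2.12,8,included,2024-04-28 23:15:00,3,5,configured,Resolved - fixed,Detection
user04@server,192.0.2.13,7,included,2024-05-01 12:40:00,0,1,configured,Open,Adaptive threat profiling feed
user05@server,192.0.2.14,10,included,2024-04-30 06:05:00,22,0,configured,Resolved - false positive,Detection
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class HostRow:
    host: str
    ip: str
    threat_level: int
    cc_hits: int
    malware: int
    state: str
    last_activity: datetime
    source: str


def parse_export(text: str) -> list[HostRow]:
    """Parse the CSV text into typed rows, rejecting out-of-range threat levels."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        level = int(rec["Threat Level"])
        if not 0 <= level <= 10:  # the page defines the scale as 0-10
            raise ValueError(f"threat level out of range for {rec['Host']}: {level}")
        rows.append(HostRow(
            host=rec["Host"],
            ip=rec["IP Address"],
            threat_level=level,
            cc_hits=int(rec["C&C Hits"]),
            malware=int(rec["Malware Detections"]),
            state=rec["State of Investigation"],
            last_activity=datetime.strptime(rec["Last Host Activity"], TIME_FORMAT),
            source=rec["Threat Source"],
        ))
    return rows


def is_resolved(state: str) -> bool:
    """All three Resolved states on the page share the 'Resolved' prefix."""
    return state.startswith("Resolved")


def hosts_to_escalate(rows: list[HostRow], min_level: int = 7) -> list[HostRow]:
    """Unresolved hosts at or above min_level, most severe first.

    Ties on threat level are broken by C&C hits, then malware downloads,
    since active beaconing is the stronger sign of a live compromise.
    """
    candidates = [r for r in rows if r.threat_level >= min_level and not is_resolved(r.state)]
    return sorted(candidates, key=lambda r: (r.threat_level, r.cc_hits, r.malware), reverse=True)


def resolved_with_recent_activity(rows: list[HostRow], since: str) -> list[HostRow]:
    """Resolved hosts whose last activity is newer than `since` (same time format).

    A host closed as fixed or false positive but still showing activity is
    a candidate for reopening rather than trusting the old status.
    """
    cutoff = datetime.strptime(since, TIME_FORMAT)
    return [r for r in rows if is_resolved(r.state) and r.last_activity > cutoff]


if __name__ == "__main__":
    hosts = parse_export(SAMPLE_EXPORT)
    for r in hosts_to_escalate(hosts):
        print(f"ESCALATE {r.ip:<14} level={r.threat_level} c2={r.cc_hits} malware={r.malware} ({r.source})")
    for r in resolved_with_recent_activity(hosts, "2024-04-30 00:00:00"):
        print(f"REOPEN?  {r.ip:<14} {r.state} but active {r.last_activity}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; if the real header names differ from Table 2, adjust the keys in parse_export. Keeping the cutoff for the reopen check close to the time the investigation status was set avoids flagging hosts whose last activity predates the fix.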