Threat Source Details
Access this page by clicking on an External Server link from the Threat Sources page.
Use the Threat Source Details page to view analysis information and a threat summary for the threat source. The following information is displayed for each threat source.
Threat Summary (Location, Category, Host Name, and Time Seen)
Protocols and Ports (TCP and UDP)
For threat sources of type C&C, you can add the threat source to the allowlist or report it as a false positive to Juniper Networks from the Threat Source Details page.
For threat sources of type DNS, you can only report the threat source as a false positive to Juniper Networks.
Table 1: Options on the Threat Source Details Page (Upper Right Side of Page)
Select Option > Add to Whitelist
Choose this option to add the threat source to the allowlist.
Warning: Adding a threat source to the allowlist automatically triggers a remediation process to update any affected hosts (in that realm) that have contacted the newly allowlisted threat source.
All C&C events related to this allowlisted server will be removed from the affected hosts’ events, and a host threat level recalculation will occur.
If the host score changes during this recalculation, a new host event appears describing why it was rescored. (For example, “Host threat level updated after threat source 220.127.116.11 was cleared.”) Additionally, the threat source will no longer appear in the list of threat sources because it has been cleared.
Note: You can also allowlist a threat source from the Configuration > Allowlists page. See Creating Allowlists and Blocklists for details.
Select Option > Report as False Positive
Choose this option to launch a new screen that lets you send a report to Juniper Networks, informing Juniper of a false positive or a false negative. Juniper will investigate the report; however, submitting it does not change the verdict.
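The following Python sketch is an added illustrative model of the allowlist remediation described in the warning above; it is not Juniper's code and does not reproduce ATP Cloud's actual scoring. C&C events for the cleared server are dropped from every host that contacted it, the host is rescored, and a host event is recorded only when the score changes. The scoring rule (highest remaining event level), the host and event names, and the placeholder addresses are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    kind: str           # event type, e.g. "C&C" or "DNS"
    server: str         # threat source IP the host contacted
    threat_level: int   # threat level of the source at the time of the event

@dataclass
class Host:
    name: str
    events: list = field(default_factory=list)
    threat_level: int = 0
    history: list = field(default_factory=list)  # host events written by remediation

def recalc_threat_level(events):
    # Assumed scoring rule for illustration: highest level among remaining events.
    return max((e.threat_level for e in events), default=0)

def allowlist_threat_source(hosts, server):
    """Apply the remediation the page describes: drop C&C events for the newly
    allowlisted server from every host that contacted it, rescore that host, and
    record a host event if the score changed. Returns names of rescored hosts."""
    rescored = []
    for host in hosts:
        kept = [e for e in host.events if not (e.kind == "C&C" and e.server == server)]
        if len(kept) == len(host.events):
            continue  # host never had a C&C event for this server: left untouched
        host.events = kept
        new_level = recalc_threat_level(kept)
        if new_level != host.threat_level:
            host.threat_level = new_level
            host.history.append(
                f"Host threat level updated after threat source {server} was cleared.")
            rescored.append(host.name)
    return rescored

# Constructed sample data (placeholder RFC 5737 addresses, not values from the page).
CLEARED = "192.0.2.10"

def build_sample_hosts():
    return [
        Host("ws-alpha", [Event("C&C", CLEARED, 9), Event("DNS", "198.51.100.7", 4)], 9),
        Host("ws-beta", [Event("C&C", CLEARED, 9), Event("C&C", "203.0.113.5", 9)], 9),
        Host("ws-gamma", [Event("DNS", "198.51.100.7", 4)], 4),
    ]

if __name__ == "__main__":
    print(allowlist_threat_source(build_sample_hosts(), CLEARED))  # ['ws-alpha']
```

Note that ws-beta loses its event for the cleared server but keeps its score, because a second C&C source still drives its threat level; only ws-alpha is rescored and receives the host event.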
Under Time Range is a graph displaying the frequency of events over time. An event occurs when a host communicates to the threat source IP address (either sending or receiving data). You can filter this information by clicking on the time-frame links: 1 day, 1 week, 1 month, Custom (select your own time-frame).
Hosts is a list of hosts that have contacted the server. The information provided in this section is as follows:
Table 2: Threat Source Contacted Host Data
The name of the host in contact with the threat source.
Client IP Address
The IP address of the host in contact with the threat source. (Click through to the Host Details page for this host IP.)
Threat Level at Time
The threat level of the threat source as determined by an analysis of actions and behaviors at the time of the event.
The action taken by the device on the communication (whether it was permitted, sinkhole, or blocked).
The protocol (TCP or UDP) the threat source used to attempt communication.
The port the threat source used to attempt communication.
The name of the device in contact with the threat source.
The date and time of the most recent threat source hit.
The name of the host user in contact with the threat source.
Domains is a list of domains that the IP address has previously used at the time of suspicious events. If a threat source IP address is seen changing its DNS/domain name to evade detection, the various names used are listed along with the dates on which they were seen.
Table 3: Threat Source Associated Domains Data
C & C Host
This is a list of domains the destination IP addresses in the threat source events resolved to.
The date and time of the most recent threat source server hit.
Signatures is a list of the threat indicators associated with the IP address. A threat source blocked by the Juniper “Global Threat Feed” will show domains and/or signatures. (The “Blocked Via” column, under the threat source listing, shows whether a threat source IP address was found in the Juniper “Global Threat Feed” or in a different configured custom feed.)
Table 4: Threat Source Signature Data
The name or type of detected malware.
Description of the malware and the way in which it may have compromised a resource or resources.
The date the malware was seen.
Certificates is a list of certificates associated with the threat source.
Table 5: Threat Source Certificate Data
Displays the certificate hash of the threat source.
The date and time when the certificate hash file was last updated.