Overview
The Juniper ATP Appliance supports an HTTP-based API for accessing all threat and processing data as well as device and software configuration. All functionality available from the Central Manager Web UI is also accessible via the Juniper ATP Appliance HTTP API. Every API response is JSON, including error responses, so a client must not treat a parseable body as a successful call; check the HTTP status and inspect the body for an error before using it as data.
All Juniper ATP Appliance detection engine Cores support the same API. Juniper ATP Appliance Traffic Collectors do not currently support APIs.
Juniper ATP Appliance defines an “incident” as a group of events that share the same enterprise endpoint; in other words, an incident contains events that are likely part of the same attack. Currently the grouping is primarily temporal rather than causal: events are placed in the same incident when they occurred at or from the same endpoint within a 5-minute timespan. Because of this, unrelated detections on a busy endpoint can land in one incident, and a slow multi-stage attack can be split across several, so an analyst should not read incident boundaries as attack boundaries.
The Juniper ATP Appliance now provides an "events" API that retrieves the raw data accrued during the detection and analysis process.
Events include:
a download
a CnC detection via signature
a phishing detection
a malicious email URL or attachment
exploits from chain heuristics
a user upload
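The grouping rule described above (same endpoint, 5-minute span) can be reproduced client-side over raw events such as the types listed here, which is useful when pulling events from the API and reconstructing incidents in a SIEM. The following is an added example written for this page, not Juniper's code and not the appliance's actual algorithm: the field names (`ts`, `endpoint`, `kind`, `detail`), the event-type strings, the sample feed, and the choice to anchor the 5-minute window at the first event of an incident are all assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Window stated in the overview: events at or from the same endpoint within
# a 5-minute span are grouped into one incident.
INCIDENT_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    """One raw event as a client might receive it from the events API.
    Field names (ts, endpoint, kind, detail) are assumptions for this example,
    not the appliance's actual JSON schema."""
    ts: datetime
    endpoint: str   # the enterprise endpoint the event was observed at or from
    kind: str       # event type, e.g. "download" or "cnc_signature"
    detail: str = ""


@dataclass
class Incident:
    endpoint: str
    events: list = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return self.events[0].ts

    @property
    def end(self) -> datetime:
        return self.events[-1].ts


def group_into_incidents(events):
    """Group events by endpoint and time.

    Events are processed in timestamp order (a raw event feed is not
    guaranteed to arrive sorted). For each endpoint, an event joins the
    currently open incident if it falls within INCIDENT_WINDOW of that
    incident's first event; otherwise it opens a new incident. Anchoring the
    window at the first event is an assumption made here; the page only says
    the events fall within a 5-minute timespan.
    """
    incidents = []
    open_by_endpoint = {}  # endpoint -> the most recent Incident for it
    for ev in sorted(events, key=lambda e: e.ts):
        inc = open_by_endpoint.get(ev.endpoint)
        if inc is None or ev.ts - inc.start > INCIDENT_WINDOW:
            inc = Incident(endpoint=ev.endpoint)
            incidents.append(inc)
            open_by_endpoint[ev.endpoint] = inc
        inc.events.append(ev)
    return incidents


def summarize(incidents):
    """Return (endpoint, start, event kinds) per incident for display or checks."""
    return [(i.endpoint, i.start, [e.kind for e in i.events]) for i in incidents]


# Constructed sample feed (not real appliance output). The kinds mirror the
# event types listed in the overview; timestamps are deliberately out of order.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=1), "10.1.1.5", "download", "dropper.exe"),
    Event(T0 + timedelta(minutes=3), "10.1.1.5", "cnc_signature", "beacon to known C2"),
    Event(T0, "10.1.1.5", "phishing", "credential-harvest page"),
    Event(T0 + timedelta(minutes=9), "10.1.1.5", "download", "second-stage payload"),
    Event(T0 + timedelta(minutes=2), "10.1.1.9", "malicious_email_url", "link in mail"),
    Event(T0 + timedelta(minutes=2, seconds=30), "10.1.1.9", "exploit_chain", "chain heuristic hit"),
    Event(T0 + timedelta(minutes=4), "10.1.1.22", "user_upload", "analyst submission"),
]


if __name__ == "__main__":
    for endpoint, start, kinds in summarize(group_into_incidents(SAMPLE_EVENTS)):
        print(f"{start:%H:%M:%S} {endpoint:<10} {', '.join(kinds)}")
```

On the sample feed this yields four incidents: three events for 10.1.1.5 starting at 12:00:00 (the phishing, download and CnC signature events, despite arriving out of order), two for 10.1.1.9, one for 10.1.1.22, and a separate single-event incident for 10.1.1.5 at 12:09:00 because the second-stage download falls outside the 5-minute window of the first incident. That last split illustrates the caveat above: the two 10.1.1.5 incidents are plausibly one attack, but a purely time-based rule cannot tell.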