Adaptive Threat Profiling Use Cases

Threat Detection Use Case

In this example, we continue with the definition of the High_Risk_Users use case. The goal is to identify unusual activity that might indicate an endpoint has been compromised, and to collect the offending sources in a feed that enforcement policies can act on.

  1. Create a policy that detects the use of The Onion Router (TOR), peer-to-peer (P2P) applications, and anonymizers or proxies, and adds the source IP address of the matching sessions to the High_Risk_Users feed.

  2. Create a second policy that looks for communication with known malicious sites, malware command-and-control (C2) infrastructure, and newly registered domains, and adds the source IP address to the High_Risk_Users feed.

  3. Create an IDP policy that identifies unusual scanning activity and brute-force attempts.

    Note:

    This example policy is safe to deploy on a tap-mode SRX sensor, which only observes traffic. It does not make sense to deploy it on an in-line device, because the rule is permissive and would let the matched traffic through. In production, we recommend a more restrictive rule.

  4. Apply the IDP policy in a security policy so that the rulebase takes effect.

  5. Create a simple rule at the top of the rulebase that drops any traffic from hosts in the High_Risk_Users threat feed. Placing it first ensures a flagged host is blocked before any later permit rule can match its traffic.

Asset Classification Use Case

In this example, we use AppID to identify Ubuntu and Red Hat servers in an environment and add them to a feed for use by other devices.

Many legacy devices lack the compute power required to enable deep packet inspection (DPI). Adaptive threat profiling gives you a flexible way to share DPI classification results between newer and older platforms in your environment: the platform that can classify traffic populates the feed, and the platforms that cannot simply match on the feed's addresses.

Create a security policy that identifies Advanced Packaging Tool (APT) and Yellowdog Updater, Modified (YUM) communication with Ubuntu and Red Hat update servers, and adds the source address of each matching session to the corresponding feed.

Compromised Application Use Case

In this example, the user of a compromised application is added to the infected-hosts feed.

As with the High_Risk_Users use case, the goal is to identify unusual activity that might indicate an endpoint has been compromised. Here we create a policy that detects The Onion Router (TOR) usage and adds the source identity (the user, rather than the source IP address) to the High_Risk_Users feed.
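The following is an added illustration of the mechanism shared by all three use cases above (threat detection, asset classification, and compromised application). It is not Juniper's code and not the configuration the page originally showed; it models, in Python, how policy-match events populate named feeds and how a top-of-rulebase deny rule and a legacy device then consume them. The syslog lines are constructed and simplified, the application names (junos:TOR, junos:APT, junos:YUM, and so on), URL categories, and field names are assumptions, and all addresses are RFC 5737 documentation ranges.

```python
"""Model of adaptive threat profiling feed population (added example, not Juniper code).

Assumptions (hypothetical): simplified Junos-style structured syslog lines, the
application names and URL categories below, and the field names used as keys.
A real SRX populates the feeds internally; this only models the logic.
"""
import re
from collections import defaultdict

# Constructed sample events; addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = """\
RT_FLOW_SESSION_CREATE [source-address="10.1.1.20" username="alice" destination-address="203.0.113.10" application="junos:TOR" policy-name="detect-anonymizers"]
RT_FLOW_SESSION_CREATE [source-address="10.1.1.21" username="bob" destination-address="203.0.113.11" application="junos:HTTP" url-category="Malware" policy-name="detect-malicious-sites"]
IDP_ATTACK_LOG_EVENT [source-address="10.1.1.22" destination-address="10.1.2.5" attack-name="SCAN:NMAP-TCP" policy-name="detect-recon"]
RT_FLOW_SESSION_CREATE [source-address="10.1.1.30" destination-address="198.51.100.20" application="junos:APT" policy-name="classify-ubuntu"]
RT_FLOW_SESSION_CREATE [source-address="10.1.1.31" destination-address="198.51.100.21" application="junos:YUM" policy-name="classify-redhat"]
RT_FLOW_SESSION_CREATE [source-address="10.1.1.23" username="carol" destination-address="198.51.100.22" application="junos:HTTP" policy-name="allow-web"]
"""

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_event(line):
    """Turn one structured-syslog line into a dict; the event name is stored under 'event'."""
    event, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["event"] = event
    return fields


# Assumed application names and URL categories; real signature names differ.
ANONYMIZER_APPS = {"junos:TOR", "junos:BITTORRENT", "junos:ANONYMIZER"}
RISKY_URL_CATEGORIES = {"Malware", "Command_and_Control", "Newly_Registered_Domains"}

# (policy name, match predicate, feed to populate, event field whose value is added).
# Entries follow the use cases in the text; the last one adds the source identity, not the IP.
FEED_POLICIES = [
    ("detect-anonymizers",
     lambda f: f.get("application") in ANONYMIZER_APPS, "High_Risk_Users", "source-address"),
    ("detect-malicious-sites",
     lambda f: f.get("url-category") in RISKY_URL_CATEGORIES, "High_Risk_Users", "source-address"),
    ("detect-recon",
     lambda f: f["event"] == "IDP_ATTACK_LOG_EVENT"
     and f.get("attack-name", "").startswith(("SCAN:", "BRUTE")), "High_Risk_Users", "source-address"),
    ("classify-ubuntu", lambda f: f.get("application") == "junos:APT", "Ubuntu_Servers", "source-address"),
    ("classify-redhat", lambda f: f.get("application") == "junos:YUM", "RedHat_Servers", "source-address"),
    ("detect-tor-user", lambda f: f.get("application") == "junos:TOR", "Infected_Users", "username"),
]


def build_feeds(log_text):
    """Run every feed policy over every event; one event may land in several feeds."""
    feeds = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for _name, matches, feed, key in FEED_POLICIES:
            if matches(event) and key in event:
                feeds[feed].add(event[key])
    return feeds


def evaluate(feeds, src_ip, username=None):
    """Top-of-rulebase enforcement: deny any source already on a risk feed, else permit.

    Because this rule is evaluated first, a flagged host (or user) is dropped even
    when its current session looks benign and would otherwise match a permit rule.
    """
    if src_ip in feeds["High_Risk_Users"] or username in feeds["Infected_Users"]:
        return "deny"
    return "permit"


def export_feed(feeds, name):
    """Sorted plain list that a legacy device without DPI can consume as an address list."""
    return sorted(feeds[name])


if __name__ == "__main__":
    feeds = build_feeds(SAMPLE_LOGS)
    for name in ("High_Risk_Users", "Ubuntu_Servers", "RedHat_Servers", "Infected_Users"):
        print(f"{name}: {export_feed(feeds, name)}")
    print("10.1.1.20 ->", evaluate(feeds, "10.1.1.20"))  # flagged by the TOR policy
    print("10.1.1.23 ->", evaluate(feeds, "10.1.1.23"))  # ordinary web user
```

The separation between detection policies (which only add to feeds) and the single enforcement rule at the top is the point: detection can be tuned or added to without touching the deny rule, and a platform that cannot run DPI needs only the exported list. The identity-keyed Infected_Users feed shows why the compromised-application use case adds the user rather than the address: the same user is denied from any host, not just the one where TOR was seen.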