Threat Sources Overview
Access this page from the Monitor menu.
The Threat Sources page lists information about servers that have attempted to contact and compromise hosts on your network. A threat source is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them.
Benefits
Using C&C feeds adds another layer of protection to your network, preventing the creation of botnets from within your network. Botnets gather sensitive information, such as account numbers or credit card information, and participate in distributed denial-of-service (DDoS) attacks.
Using C&C feeds also prevents botnets from communicating with hosts within your network in an attempt to gather information or launch an attack.
You can allowlist threat sources from the details page. See Threat Source Details.
C&C and Geo IP filtering feeds are only available with a Juniper ATP Cloud premium or basic license.
DNS feeds are available only with a Juniper ATP Cloud premium license.
At this time, C&C URL feeds are not supported with SSL forward proxy.
The retention period for threat sources is 60 days.
The following information is available on this page.
| Field | Definition |
|---|---|
| External Server | The IP address or host name of the suspected threat source. |
| Blocked Via | Displays the custom feed name. |
| Highest Threat Level | The threat level of the threat source as determined by an analysis of actions and behaviors. |
| Count | The number of times hosts on the network have attempted to contact the threat server. |
| Country | The country where the threat source is located. |
| Last Seen | The date and time of the most recent threat source hit. |
| Action | The action taken on the communication (permitted, sinkhole, or blocked). |
| Category | Displays the DNS feed category. The available options are custom, global, and whitelist. |
| DNS Record Type | Displays the query type of the DNS request. The supported DNS query types are A, AAAA, MX, CNAME, SRV, SRV NoErr, TXT, ANY, and so on. |