Hosts Overview
Access this page from the Monitor > ATP > Hosts menu.
The Hosts page lists compromised hosts and their associated threat levels. From here, you can monitor and mitigate malware detections on a per-host basis.
Compromised hosts are systems for which there is a high degree of confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things, such as:
- Send junk or spam e-mail to attack other systems or distribute illegal software.
- Collect personal information, such as passwords and account numbers.
Compromised hosts are listed as security threat intelligence data feeds (also called information sources). The data feed lists the IP address of the host along with a threat level; for example, 10.130.132.133 with threat level 5. Once threats are identified, you can create threat prevention policies to take enforcement actions on the inbound and outbound traffic of these infected hosts. See Global Configuration for Infected Hosts for more information.
For the hosts listed on this page, you can perform the following actions on one or multiple hosts at once:

| Action | Definition |
|---|---|
| Export Data | Click the Export button to download compromised host data to a CSV file. You are prompted to narrow the data download to a selected time-frame. |
| Set Policy Override | Select the check box beside one or multiple hosts and choose one of the following options: |
| Set Investigation Status | Select the check box beside one or multiple hosts and choose one of the following options: In progress, Resolved - false positive, Resolved - fixed, and Resolved - ignored. |

NOTE: When you select a Policy Override option for hosts, other dependent status fields, such as Infected Host Feed, will also change accordingly. In some cases, you may have to refresh the page to see the updated information.
The following information is available in the Host table.

| Field | Description |
|---|---|
| Host Identifier | The Juniper ATP Cloud-assigned name for the host. This name is created by Juniper ATP Cloud using known host information such as IP address, MAC address, user name, and host name. The assigned name will be in the following format: Note: You can edit this name. If you edit the Juniper ATP Cloud-assigned name, Juniper ATP Cloud will recognize the new name and not override it. |
| Host IP | The IP address of the compromised host. |
| Threat Level | A number between 0 and 10 indicating the severity of the detected threat, with 10 being the highest. Note: Click the three vertical dots at the top of the column to filter the information on the page by threat level. |
| Infected Host Feed | Displays the current host feed settings: |
| First Host Activity | Displays the date and time of the first activity of the threat. |
| Last Host Activity | Displays the date and time of the most recent activity of the threat. |
| C&C Hits | The number of times a command and control (C&C) server communication threat with this host was detected. Note: Click the three vertical dots at the top of the column to filter the information on the page by C&C hits. |
| Malware | The number of times malware was downloaded by this host. Note: Click the three vertical dots at the top of the column to filter the information on the page by malware detections. |
| Policy | Displays the current policy settings. |
| State of Investigation | Displays one of Open, In progress, Resolved-False positive, Resolved-Fixed, or Resolved-Ignored. |
| Source | Displays the source of the threat. For example, API, Detection, Adaptive threat profiling feed, and so on. |
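As an added example that is not part of the Juniper documentation, a small Python helper that triages an exported hosts CSV: it enforces the 0 to 10 threat level range from the table, skips hosts whose investigation is already resolved, and lists the rest highest threat first. The export column names and the sample rows are constructed assumptions, not the product's actual CSV layout.

```python
import csv
import io

# Constructed sample of an exported hosts CSV. The column names are an
# assumption that mirrors the fields of the Host table; the real export
# layout is not documented on this page.
SAMPLE_EXPORT = """Host Identifier,Host IP,Threat Level,C&C Hits,Malware,Infected Host Feed,State of Investigation
host-a,10.130.132.133,5,3,0,Included,Open
host-b,10.130.132.134,9,12,2,Included,In progress
host-c,10.130.132.135,2,0,1,Excluded,Open
host-d,10.130.132.136,10,7,4,Included,Resolved-Fixed
host-e,10.130.132.137,11,1,0,Included,Open
"""

# Investigation states that still need an analyst's attention.
OPEN_STATES = {"Open", "In progress"}


def parse_threat_level(value):
    """Return the threat level as an int, or None if it is not within 0..10."""
    try:
        level = int(value)
    except ValueError:
        return None
    return level if 0 <= level <= 10 else None


def hosts_needing_action(csv_text, min_level=7):
    """Select hosts whose investigation is still open and whose threat level
    is at least min_level, ordered highest threat (then most C&C hits) first.
    Rows with an out-of-range or non-numeric threat level are reported
    separately instead of being silently dropped."""
    selected, invalid = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = parse_threat_level(row["Threat Level"])
        if level is None:
            invalid.append(row["Host IP"])
            continue
        if row["State of Investigation"] not in OPEN_STATES:
            continue
        if level >= min_level:
            selected.append({
                "host": row["Host Identifier"],
                "ip": row["Host IP"],
                "level": level,
                "cc_hits": int(row["C&C Hits"]),
                "malware": int(row["Malware"]),
            })
    selected.sort(key=lambda h: (h["level"], h["cc_hits"]), reverse=True)
    return selected, invalid


if __name__ == "__main__":
    for host in hosts_needing_action(SAMPLE_EXPORT)[0]:
        print(host)
```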