Threat Sources Overview
Access this page from the Monitor > ATP > Threat Sources menu.
The Threat Sources page lists information about servers that have attempted to contact and compromise hosts on your network. A threat source is a centralized command-and-control (C&C) computer that issues commands to botnets (networks of compromised computers) and receives reports back from them.
Benefits

- Using C&C feeds adds another layer of protection to your network, preventing the creation of botnets from within your network. Botnets gather sensitive information, such as account numbers or credit card information, and participate in distributed denial-of-service (DDoS) attacks.
- Using C&C feeds also prevents botnets from communicating with hosts within your network to gather information or launch an attack.

You can allowlist threat sources from the details page. See Threat Source Details.

- At this time, C&C URL feeds are not supported with SSL forward proxy.
The following information is available on this page.
| Field | Definition |
|---|---|
| External Server | The IP address or host name of the suspected threat source. |
| Blocked Via | Displays the name of the custom feed that identified the threat source. |
| Highest Threat Level | The threat level of the threat source, as determined by an analysis of its actions and behaviors. |
| Count | The number of times hosts on the network have attempted to contact the threat server. |
| Country | The country where the threat source is located. |
| Last Seen | The date and time of the most recent threat source hit. |
| Protocol | The protocol used by the threat source. |
| Action | The action taken on the communication (permitted, sinkhole, or blocked). |
| Category | Displays the DNS feed category. The available options are custom, global, and whitelist. |
| DNS Record Type | Displays the query type of the DNS request. The supported DNS query types are A, AAAA, MX, CNAME, SRV, SRV NoErr, TXT, ANY, and so on. |
| Report False Positive | Displays whether a false positive has been reported for the entry. |
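As an added example (not part of the product documentation), the following Python parses a constructed CSV export of the table above and flags the rows an analyst would review first: communications that were permitted to a source above a threat-level threshold and that are not in the whitelist category. The column names follow the field reference; the threat-level scale and the threshold of 7 are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export of the Threat Sources table: the columns follow
# the field reference above, the values are invented for illustration.
SAMPLE_EXPORT = """\
External Server,Blocked Via,Highest Threat Level,Count,Country,Last Seen,Protocol,Action,Category,DNS Record Type
cnc.example.test,custom-feed-1,9,42,ZZ,2024-01-05 10:14,dns,permitted,custom,A
198.51.100.7,global-cc-feed,8,3,ZZ,2024-01-05 09:02,tcp,blocked,global,
partner.example.test,allowlist,6,120,ZZ,2024-01-04 22:30,dns,permitted,whitelist,AAAA
sinkholed.example.test,custom-feed-1,7,5,ZZ,2024-01-03 08:00,dns,sinkhole,custom,TXT
"""

@dataclass
class ThreatSource:
    external_server: str
    threat_level: int
    count: int
    action: str       # permitted, sinkhole, or blocked
    category: str     # custom, global, or whitelist
    dns_record_type: str

def parse_threat_sources(text: str) -> list[ThreatSource]:
    """Parse a CSV export of the table into ThreatSource records."""
    return [
        ThreatSource(
            external_server=r["External Server"],
            threat_level=int(r["Highest Threat Level"]),
            count=int(r["Count"]),
            action=r["Action"].lower(),
            category=r["Category"].lower(),
            dns_record_type=r["DNS Record Type"],
        )
        for r in csv.DictReader(io.StringIO(text))
    ]

def needs_review(src: ThreatSource, min_level: int = 7) -> bool:
    """Permitted traffic to a high-threat source that is not allowlisted.
    The threat-level scale and the threshold of 7 are assumptions."""
    return (src.action == "permitted" and src.category != "whitelist"
            and src.threat_level >= min_level)

def triage(text: str, min_level: int = 7) -> list[str]:
    """External servers an analyst should look at first, sorted by name."""
    return sorted(s.external_server for s in parse_threat_sources(text)
                  if needs_review(s, min_level))
```

Blocked and sinkholed rows are excluded because the feed already stopped the communication; a whitelisted row is excluded even when its threat level is high, since allowlisting is the documented way to suppress an entry.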