Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Threat Source Details

Access this page by clicking on an External Server link from the Threat Sources page.

Use Threat Source Details page to view analysis information and a threat summary for the threat source. The following information is displayed for each threat source.

  • Threat Summary (Location, Category, Host Name, and Time Seen)

  • Total Hits

  • Protocols and Ports( TCP and UDP)

For threat sources of type C&C, you can add the threat source to the allowlist or report it as a false positive to Juniper Networks from the Threat Source Details page.

For threat source of type DNS , you can only report the threat source as false positive to Juniper Networks.

Table 1: Options on the Threat Source Details Page (Upper Right Side of Page)

Button/Link

Purpose

Select Option > Add to Whitelist

Choose this option to add the threat source to the allowlist.

Warning:

Adding a threat source to the allowlist automatically triggers a remediation process to update any affected hosts (in that realm) that have contacted the newly allowlisted threat source.

All C&C events related to this allowlisted server will be removed from the affected hosts’ events, and a host threat level recalculation will occur.

If the host score changes during this recalculation, a new host event appears describing why it was rescored. (For example, “Host threat level updated after threat source 1.2.3.4 was cleared.”) Additionally, the threat source will no longer appear in the list of threat source because it has been cleared.

Note:

You can also allowlist threat source from the Configuration > Allowlists page. See Create Allowlists and Blocklists for details.

Select Option > Report as False Positive

Choose this option to launch a new screen which lets you send a report to Juniper Networks, informing Juniper of a false position or a false negative. Juniper will investigate the report, however, this does not change the verdict.

Under Time Range is a graph displaying the frequency of events over time. An event occurs when a host communicates to the threat source IP address (either sending or receiving data). You can filter this information by clicking on the time-frame links: 1 day, 1 week, 1 month, Custom (select your own time-frame).

Hosts is a list of hosts that have contacted the server. The information provided in this section is as follows:

Table 2: Threat Source Contacted Host Data

Field

Definition

Client Host

The name of the host in contact with the threat source.

Client IP Address

The IP address of the host in contact with the threat source. (Click through to the Host Details page for this host IP.)

Threat Level at Time

The threat level of the threat source as determined by an analysis of actions and behaviors at the time of the event.

Status

The action taken by the device on the communication (whether it was permitted, sinkhole, or blocked).

Protocol

The protocol (TCP or UDP) the threat source used to attempt communication.

Source Port

The port the threat source used to attempt communication.

Device Name

The name of the device in contact with the threat source.

Date/Time Seen

The date and time of the most recent threat source hit.

Username

The name of the host user in contact with the threat source.

Domains is a list of domains that the IP address has previously used at the time of suspicious events. If a threat source IP address is seen changing its DNS/domain name to evade detection, a list of the various names used will be listed along with the dates in which they were seen.

Table 3: Threat Source Associated Domains Data

Field

Definition

C & C Host

This is a list of domains the destination IP addresses in the threat source events resolved to.

Last Seen

The date and time of the most recent threat source server hit.

Signatures is a list of the threat indicators associated with the IP address. The threat source blocked by the Juniper “Global Threat Feed” will show domains and/or signatures. (The “Blocked Via” column, under the threat source listing, shows whether a threat source IP address was found in the Juniper “Global Threat Feed” or in a different configured custom feed.)

Table 4: Threat Source Signature Data

Field

Definition

Name

The name or type of detected malware.

Category

Description of the malware and way in which it may have compromised a resource or resources.

Date

The date the malware was seen.

Certificates is a list of certificates associated with the threat source.

Table 5: Threat Source Certificate Data

Field

Definition

Certificate Hash

Displays the certificate hash of the threat source.

Date/Time Seen

The date and time when the certificate hash file was last updated.