SecIntel Feeds Overview

SecIntel provides carefully curated and verified threat intelligence from Juniper Networks' Advanced Threat Prevention (ATP) Cloud, Juniper Threat Labs, and industry-leading threat feeds to MX Series routers, SRX Series Services Gateways, and the NFX Series Network Services Platform to block Command and Control (C&C) communications at line rate. SecIntel delivers real-time threat intelligence by enabling automatic and responsive traffic filtering.

SecIntel integrates with EX Series and QFX Series switches and enables these switches to subscribe to SecIntel’s infected host feed. This enables you to block compromised hosts at the switch port. You can now extend SecIntel throughout your entire network and increase the number of security enforcement points.

Benefits of SecIntel Feeds

You can view all the default feeds that are available with your current license.

Using this page, you can enable the following feeds for integration with Juniper ATP Cloud.

  • Juniper SecIntel feeds

  • Third party Internet services feeds

  • Third party IP threat feeds

  • Third party URL threat feeds

Note:

The total number of CC feeds is 32, of which four are reserved for cc_ip, cc_url, cc_ipv6, and cc_cert_sha1. You can therefore enable up to 28 additional feeds in the CC category, including CC custom feeds and CC third party feeds. This limit applies when you inject additional feeds using the available open API.

Information to know if you are enabling external feeds:

  • If a hit is detected on an enabled external feed, this event appears under Monitor > C&C Servers with a threat level of 10.

  • On enrolled SRX Series devices, you can configure policies with the permit or block action for each feed. Note that C&C and Infected Host feeds require an enabled Security Intelligence policy on the SRX Series device in order to work.

  • External feeds are updated once every 24 hours.

Warning:

These are open source feeds managed by third parties, and determining the accuracy of a feed is left to the Juniper ATP Cloud administrator. Juniper will not investigate false positives generated by these feeds.

Warning:

Configured SRX Series policies will block malicious IP addresses based on enabled third party feeds, but these events do not affect host threat scores. Only events from Juniper ATP Cloud feeds affect host threat scores.

To enable the available feeds, do the following:

  1. Navigate to Configure > SecIntel.

  2. For each feed, select the check box to enable the feed. Refer to the guidelines in Table 1.

    Note:

    All Juniper SecIntel feeds are enabled by default with a premium license. The Infected Host feed is enabled by default for both free and premium licenses.

    Click the Go to feed site link to view feed information, including the contents of the feed.

    Table 1: SecIntel Feeds

    Field

    Guidelines

    Juniper SecIntel Feeds

    Command and Control Feed

    Displays whether the C&C feed is enabled or not.

    Attacker IP Feed

    Displays whether the attacker IP feed is enabled or not.

    GeoIP Feed

    Displays whether the GeoIP feed is enabled or not.

    Infected Host Feed

    Displays whether the infected host feed is enabled or not.

    Third Party Internet Services

    office365

    Select the check box to enable the office365 IP filter feed as a third party feed. The office365 IP filter feed is an up-to-date list of published IP addresses for Office 365 service endpoints, which you can use in security policies. This feed works differently from the others on this page and requires certain configuration parameters, including the pre-defined feed name "ipfilter_office365". See the instructions at the bottom of this page, including usage of the set security dynamic-address command, for using this feed.

    Third Party IP Threat Feeds

    Malware Domain List

    Select the check box to enable the Malware Domain List feed as a third party feed.

    Block List

    Select the check box to enable the block list feed as a third party feed.

    DShield

    Select the check box to enable the DShield feed as a third party feed.

    Tor

    Select the check box to enable the Tor feed as a third party feed.

    Third Party URL Threat Feeds

    URLhaus URL Threat Feed

    Select the check box to enable the URLhaus feed as a third party feed. URLhaus is a threat intelligence feed that shares malicious URLs used for malware distribution.

    Open Phish

    Select the check box to enable the OpenPhish feed as a third party feed. OpenPhish is a fully automated, self-contained platform for phishing intelligence. It identifies phishing sites and performs intelligence analysis in real time without human intervention and without using any external resources, such as blocklists. For malware inspection, SecIntel analyzes traffic using the URLs in this feed.

    Note:

    • Starting in Junos OS Release 19.4R1, third party URL feeds are supported on Juniper ATP Cloud.

    • Because Ransomware Tracker is deprecated, Ransomware Tracker IP feeds are not supported on Juniper ATP Cloud. If you enabled this feed earlier, you might stop receiving updates for it.

  3. Like the other C&C and infected host feeds, enabled third party feeds require a security intelligence policy on the SRX Series device in order to work. Example commands are provided here. Refer to the Juniper Advanced Threat Prevention Cloud CLI Reference Guide for more information.

    • On the SRX Series Device: Configure a Security Intelligence Profile

      set services security-intelligence profile secintel_profile category CC

      set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10

      set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9

      set services security-intelligence profile secintel_profile rule secintel_rule then action block close

      set services security-intelligence profile secintel_profile rule secintel_rule then log

      set services security-intelligence profile secintel_profile default-rule then action permit

      set services security-intelligence profile secintel_profile default-rule then log

      set services security-intelligence profile ih_profile category Infected-Hosts

      set services security-intelligence profile ih_profile rule ih_rule match threat-level 10

      set services security-intelligence profile ih_profile rule ih_rule then action block close

      set services security-intelligence profile ih_profile rule ih_rule then log

      set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

      set services security-intelligence policy secintel_policy CC secintel_profile

  4. The security intelligence policy must also be added to an SRX Series device policy.

    • On the SRX Series Device: Configure a Security Policy (Enter the following commands to create a security policy on the SRX Series device for the inspection profiles.)

      set security policies from-zone trust to-zone untrust policy 1 match source-address any

      set security policies from-zone trust to-zone untrust policy 1 match destination-address any

      set security policies from-zone trust to-zone untrust policy 1 match application any

      set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut

      set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

    For more information on configuring the SRX Series with Juniper ATP Cloud using the available CLI commands, refer to the Juniper Advanced Threat Prevention Cloud CLI Reference Guide.
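To make the effect of the profile rules above concrete, here is an added Python model of how the two profiles in steps 3 and 4 dispose of a feed hit: first matching rule wins, otherwise the default-rule applies. It is an illustration written for this page, not Juniper code and not a substitute for the device's own evaluation. It uses the fact stated earlier on this page that a hit on an enabled external feed is reported at threat level 10. The commands above set no default-rule for ih_profile; the model assumes an unconfigured default-rule permits, which is an assumption and not something the page states.

```python
from dataclasses import dataclass
from typing import Optional

# Added model of the SRX security-intelligence profiles configured above.
# Illustration only: not Juniper code, and not the device's own evaluation.

@dataclass(frozen=True)
class Rule:
    name: str
    threat_levels: frozenset     # values from "match threat-level N"
    action: str                  # "block close", "block drop" or "permit"
    log: bool = False

@dataclass
class Profile:
    name: str
    category: str                # "CC" or "Infected-Hosts"
    rules: list
    default_action: Optional[str] = None   # None = no default-rule configured
    default_log: bool = False

@dataclass(frozen=True)
class Hit:
    category: str
    threat_level: int
    feed: str

@dataclass(frozen=True)
class Verdict:
    profile: str
    rule: str
    action: str
    log: bool

# From this page: a hit on an enabled external (third party) feed is
# reported with threat level 10.
THIRD_PARTY_THREAT_LEVEL = 10

# ASSUMPTION: with no default-rule configured the hit is permitted. The page
# does not state the platform default; this is a modelling choice.
IMPLICIT_DEFAULT_ACTION = "permit"

SECINTEL_PROFILE = Profile(
    "secintel_profile", "CC",
    [Rule("secintel_rule", frozenset({10, 9}), "block close", log=True)],
    default_action="permit", default_log=True)
IH_PROFILE = Profile(
    "ih_profile", "Infected-Hosts",
    [Rule("ih_rule", frozenset({10}), "block close", log=True)])

# "set services security-intelligence policy secintel_policy <category> <profile>"
SECINTEL_POLICY = {"Infected-Hosts": IH_PROFILE, "CC": SECINTEL_PROFILE}

def evaluate(policy, hit):
    """First matching rule wins; otherwise the default-rule. A hit in a
    category the policy does not reference gets no verdict (None)."""
    profile = policy.get(hit.category)
    if profile is None:
        return None
    for rule in profile.rules:
        if hit.threat_level in rule.threat_levels:
            return Verdict(profile.name, rule.name, rule.action, rule.log)
    action = profile.default_action or IMPLICIT_DEFAULT_ACTION
    return Verdict(profile.name, "default-rule", action, profile.default_log)

def third_party_hit(feed, category="CC"):
    """A hit on an enabled external feed, which this page says arrives at level 10."""
    return Hit(category, THIRD_PARTY_THREAT_LEVEL, feed)

def to_set_commands(policy_name, policy):
    """Render the model back into Junos 'set' statements like the ones above."""
    out = []
    for category, p in policy.items():
        base = f"set services security-intelligence profile {p.name}"
        out.append(f"{base} category {p.category}")
        for r in p.rules:
            for level in sorted(r.threat_levels, reverse=True):
                out.append(f"{base} rule {r.name} match threat-level {level}")
            out.append(f"{base} rule {r.name} then action {r.action}")
            if r.log:
                out.append(f"{base} rule {r.name} then log")
        if p.default_action is not None:
            out.append(f"{base} default-rule then action {p.default_action}")
            if p.default_log:
                out.append(f"{base} default-rule then log")
        out.append(f"set services security-intelligence policy {policy_name} {category} {p.name}")
    return out

if __name__ == "__main__":
    for cmd in to_set_commands("secintel_policy", SECINTEL_POLICY):
        print(cmd)
    print(evaluate(SECINTEL_POLICY, third_party_hit("urlhaus_url_data")))
    print(evaluate(SECINTEL_POLICY, Hit("Infected-Hosts", 9, "infected_hosts")))
```

Running the model shows two things worth checking on a real deployment: a third party feed hit lands on secintel_rule and is blocked because that rule matches level 10, while ih_profile as written only blocks level-10 infected-host entries, so anything at a lower level falls through to the default-rule.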

Using the office365 Feed

  1. Enable the office365 check box in Juniper ATP Cloud to push Microsoft Office 365 services endpoint information (IP addresses) to the SRX Series device. The office365 feed works differently from the other feeds on this page and requires certain configuration parameters, including the pre-defined feed name "ipfilter_office365".

  2. After you enable the check box, you must create a dynamic address object on the SRX Series device that refers to the ipfilter_office365 feed as follows:

    • set security dynamic-address address-name office365 profile category IPFilter feed ipfilter_office365

      Note:

      A security policy can then reference the dynamic address entry name (‘office365’ in this example) in the source or destination address.

    A sample security policy is as follows:

Use the following command to verify the office365 feed has been pushed to the SRX Series device. (Update status should display Store succeeded.)

  • show services security-intelligence category summary

Use the following command to show all the individual feeds under the IPFilter category.

  • show security dynamic-address category-name IPFilter
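Checking the output of the category summary command by eye works for one device; for a fleet you want the check scripted. The following is an added Python example, not Juniper code, that parses the output of show services security-intelligence category summary, flags every feed whose update status is not Store succeeded or that has expired, and confirms that a required feed such as ipfilter_office365 is actually present. The sample output embedded below is constructed for this example in the layout the parser assumes (a Category name header followed by indented Feed name blocks); field names and spacing on your Junos release may differ, in which case adjust the regular expressions.

```python
import re

# Constructed sample output for this example. It follows the layout this
# parser ASSUMES for "show services security-intelligence category summary";
# it is not captured from a device.
SAMPLE_OUTPUT = """\
Category name     :CC
  Status          :Enable
  Description     :Command and Control data schema
  Update interval :3600s
  TTL             :3456000s
  Feed name       :cc_ip_data
    Version       :20230601.1
    Objects number:7
    Create time   :2023-06-01 17:33:12 PDT
    Update time   :2023-06-01 17:33:12 PDT
    Update status :Store succeeded
    Expired       :No
    Options       :N/A
  Feed name       :urlhaus_url_data
    Version       :20230601.1
    Objects number:0
    Create time   :N/A
    Update time   :N/A
    Update status :Store failed
    Expired       :No
    Options       :N/A
Category name     :IPFilter
  Status          :Enable
  Description     :IPFilter data schema
  Update interval :3600s
  TTL             :3456000s
  Feed name       :ipfilter_office365
    Version       :20230601.1
    Objects number:512
    Create time   :2023-06-01 17:40:02 PDT
    Update time   :2023-06-01 17:40:02 PDT
    Update status :Store succeeded
    Expired       :No
    Options       :N/A
"""

_CATEGORY = re.compile(r"^Category name\s*:(?P<name>\S+)")
_FEED = re.compile(r"^\s+Feed name\s*:(?P<name>\S+)")
_FIELD = re.compile(r"^\s+(?P<key>[A-Za-z ]+?)\s*:(?P<value>.*)$")

def parse_category_summary(text):
    """Return {category: {feed_name: {field: value}}} from the command output.
    Category-level fields (Status, TTL, ...) are skipped; only per-feed
    fields are kept."""
    categories = {}
    category = feed = None
    for line in text.splitlines():
        m = _CATEGORY.match(line)
        if m:
            category = categories.setdefault(m.group("name"), {})
            feed = None            # category-level lines follow; ignore them
            continue
        m = _FEED.match(line)
        if m and category is not None:
            feed = category.setdefault(m.group("name"), {})
            continue
        m = _FIELD.match(line)
        if m and feed is not None:
            feed[m.group("key").strip()] = m.group("value").strip()
    return categories

def check_feeds(categories, required=()):
    """Return a list of problems: feeds whose last update did not store,
    expired feeds, and required feeds (e.g. ipfilter_office365 after the
    office365 check box is enabled) that are absent from the device."""
    problems = []
    seen = set()
    for category, feeds in categories.items():
        for name, fields in feeds.items():
            seen.add(name)
            status = fields.get("Update status", "missing")
            if status != "Store succeeded":
                problems.append(f"{category}/{name}: update status is {status!r}")
            if fields.get("Expired", "No") != "No":
                problems.append(f"{category}/{name}: feed is expired")
    for name in required:
        if name not in seen:
            problems.append(f"required feed {name} not present on the device")
    return problems

if __name__ == "__main__":
    summary = parse_category_summary(SAMPLE_OUTPUT)
    for problem in check_feeds(summary, required=("ipfilter_office365",)):
        print(problem)
```

On the constructed sample the only finding is the URLhaus feed whose last update reads Store failed; ipfilter_office365 is present with Store succeeded, which is the condition the verification step above asks you to confirm. Feed the real command output (for example collected over NETCONF or from a terminal capture) into parse_category_summary in place of the sample.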