Reports Overview

You can configure PDF threat assessment reports to run on demand or at scheduled intervals. You cannot choose which information a report includes, but you can narrow the report to a selected timeframe.

The generated report will contain categories such as the following:

Table 1: PDF Report Contents (columns: Report Category, Definition)

Executive Summary

An overview of report data, separated into the following categories:

  • Malware—Lists newly discovered malware and known malware.

  • C&C Server Destinations—Lists C&C server destinations.

    Note:

    A C&C server destination is displayed in the reports only if its threat level is 7 or greater.

  • Hosts with Malicious Activities—Lists the following:

    • Infected hosts—Lists the number of potentially infected hosts whose threat level is below the threshold threat level set by the customer.

    • Blocked hosts—Lists the number of infected hosts that have reached the threshold threat level and are blocked by policies configured on the SRX Series Firewall.

  • Domains and URLs—Lists the domains and URLs that are suspicious or known to be risky.

  • High-risk User Data—Lists the following:

    • Users’ computers infected with malware.

    • High-risk web sites accessed by users.

  • DNS DGA—Lists the DNS-DGA query counts for the top host IP addresses.

  • DNS Tunnels—Lists the DNS tunnel counts for the top host IP addresses.

  • ETI Source Hosts—Lists the ETI detection counts for the top host IP addresses.

  • ETI Destinations—Lists the ETI detection counts for the top Server Name Indication (SNI) domains.
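The Executive Summary rules above (C&C destinations shown only at threat level 7 or greater, hosts split into "infected" below the customer's threshold and "blocked" at or above it, and per-host counts for DNS DGA, DNS tunnels and ETI) can be reproduced from exported event data. The following Python is an added example, not Juniper's code and not the ATP Cloud API; the `Event` record layout, the `SAMPLE_EVENTS` list and the `host_threshold` parameter are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed record layout (assumption): one record per ATP Cloud detection event.
@dataclass(frozen=True)
class Event:
    kind: str           # "malware", "cnc", "dns_dga", "dns_tunnel" or "eti"
    host_ip: str        # host on the customer network that generated the event
    threat_level: int   # 0-10 threat level attached to the event
    detail: str         # malware name, C&C destination, DNS query, or SNI domain
    known: bool = True  # malware only: False means newly discovered

CNC_MIN_THREAT_LEVEL = 7  # per the report note: C&C destinations with level >= 7 only

def summarize(events, host_threshold, top_n=5):
    """Compute the counts listed in the Executive Summary section.

    host_threshold is the customer-configured threshold threat level; this
    example takes it as a parameter rather than reading it from ATP Cloud.
    """
    malware = [e for e in events if e.kind == "malware"]
    cnc = [e for e in events if e.kind == "cnc"
           and e.threat_level >= CNC_MIN_THREAT_LEVEL]

    # A host's threat level is the highest level seen across all of its events
    # (assumption: ATP Cloud's own host scoring is not reproduced here).
    host_level = {}
    for e in events:
        host_level[e.host_ip] = max(host_level.get(e.host_ip, 0), e.threat_level)

    # Hosts with a non-zero level below the threshold are "potentially infected";
    # hosts at or above the threshold are the ones the SRX policy blocks.
    infected = sorted(ip for ip, lvl in host_level.items() if 0 < lvl < host_threshold)
    blocked = sorted(ip for ip, lvl in host_level.items() if lvl >= host_threshold)

    def top_hosts(kind):
        # "Top host IP addresses" by event count for one event kind.
        return Counter(e.host_ip for e in events if e.kind == kind).most_common(top_n)

    return {
        "malware_new": sorted({e.detail for e in malware if not e.known}),
        "malware_known": sorted({e.detail for e in malware if e.known}),
        "cnc_destinations": sorted({e.detail for e in cnc}),
        "infected_hosts": infected,
        "blocked_hosts": blocked,
        "dns_dga_top_hosts": top_hosts("dns_dga"),
        "dns_tunnel_top_hosts": top_hosts("dns_tunnel"),
        "eti_top_hosts": top_hosts("eti"),
        "eti_top_sni": Counter(e.detail for e in events
                               if e.kind == "eti").most_common(top_n),
    }

# Constructed sample events (not real detections); hosts and domains are invented.
SAMPLE_EVENTS = [
    Event("malware", "10.0.0.5", 5, "Trojan.Generic.Sample", known=True),
    Event("malware", "10.0.0.7", 9, "Ransom.NewSample", known=False),
    Event("cnc", "10.0.0.7", 8, "c2.example.net"),
    Event("cnc", "10.0.0.5", 4, "lowrisk.example.org"),  # below 7: not reported
    Event("dns_dga", "10.0.0.9", 3, "qzx7k.example.test"),
    Event("dns_dga", "10.0.0.9", 3, "m4vpl.example.test"),
    Event("dns_dga", "10.0.0.5", 3, "h2ns9.example.test"),
    Event("dns_tunnel", "10.0.0.5", 6, "tun.example.com"),
    Event("dns_tunnel", "10.0.0.5", 6, "tun.example.com"),
    Event("eti", "10.0.0.7", 7, "sni.example.org"),
    Event("eti", "10.0.0.9", 7, "sni.example.org"),
]

if __name__ == "__main__":
    # Customer threshold of 7 (assumption): 10.0.0.5 peaks at level 6, so it is
    # "infected"; 10.0.0.7 and 10.0.0.9 reach 7 or more and are "blocked".
    for key, value in summarize(SAMPLE_EVENTS, host_threshold=7).items():
        print(f"{key}: {value}")
```

Running the block with a threshold of 7 reports one potentially infected host and two blocked hosts; raising the threshold to 10 moves every host into the infected bucket, which is the lever the page says the customer controls.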

Malware

The malware section contains the following information:

  • Top Malware Identified—Lists the names of the top malware by count.

  • Top Infected File MIME Types—Lists the top infected Multipurpose Internet Mail Extensions (MIME) types by count.

  • Top Scanned File Categories—Lists the top file categories that are scanned.

C&C Server and Malware Locations

This section contains the following information:

  • Top C&C Server Location by Count—Lists the top countries for command and control (C&C) servers by number of communication attempts (C&C hits).

  • Top Malware Threat Locations by Count—Lists the top countries with malware threats.

ETI Server Locations

This section contains the following information:

  • Top ETI Server Locations by Count—Lists the top countries for ETI servers by number of communication attempts (ETI hits).

DNS

This section contains the following information:

  • DNS Event Counts—Lists the following:

    • DNS-DGA Events—Lists the number of DGA events seen by ATP Cloud for the customer over the time period that the report covers.

    • DNS Tunnel Events—Lists the number of Tunnel events seen by ATP Cloud for the customer over the time period that the report covers.

  • Top DNS Tunnel Destination Domains—Lists the top tunnel domains seen by ATP Cloud and number of events involving those domains for the customer over the time period that the report covers.

Hosts

This section contains the following information:

  • Top Compromised Hosts—Lists the top hosts that may have been compromised based on their associated threat level.

Risky Files

This section contains the following information:

  • Top Risky File Categories by Count—Lists the top risky file categories by count for known and newly discovered malicious files.

  • Top Risky Files Detected by Count—Lists the top risky files detected by count.

  • Top IPs Detected Attempting to Access Risky Files by Count—Lists the top IP addresses attempting to access risky files.

  • Top Risky Files Detected per Top Users—Lists the top risky files detected per top users attempting to access the files.

Risky Domains, URLs, and IPs

This section contains the following information: top risky domains, URLs, and IP addresses detected by the number of times access was attempted. It also includes the top users who have attempted to access these risky domains, URLs, and IP addresses.

  • Top Detected Risky Domains, URLs, and IPs by Count—Lists the top risky domains, URLs, and IP addresses detected by the number of times access was attempted.

  • Most Active Users for Risky Domains, URLs, and IPs by Count—Lists the top users who are most active in attempting to access the risky domains, URLs, and IP addresses by count.

  • Top Detected Risky Domains, URLs, and IPs by Threat Level—Lists the top risky domains, URLs, and IP addresses detected by threat level.

Email

This section contains the list of actions taken on scanned emails. It also includes email attachments determined to be malware and users who are risky email senders.

  • Actions Taken—Lists the actions taken on scanned e-mail.

  • High-Risk Email Data—Lists the count of e-mail attachments with malware and risky senders.

  • Malicious SMTP Email by Count—The report breaks scanned e-mail down by protocol and lists SMTP e-mails found to be malicious.

  • Malicious IMAP Email by Count—The report breaks scanned e-mail down by protocol and lists IMAP e-mails found to be malicious.

  • Top Risky File Categories Detected for Email Attachments—Lists the top risky file categories that were detected from files received as e-mail attachments.

  • Top Risky Email Attachments Detected by Count—Lists the top risky files that are detected from email attachments.

  • Top Users Receiving Risky Email Attachments—Lists the top users who are receiving risky file attachments through e-mail.

  • Top Risky Email Attachments Detected per Top Users—Lists the top users and their most risky file attachments.

  • Top Risky Email Sender Domains by Count—Lists the top risky sender domains based on the threat level of file attachments sent in email.

  • Top Sender Domains of Risky File Attachments by Count—Lists the top sender domains with risky file attachments and the number of times those risky file attachments were detected.

  • Actions on SMTP Malicious Email by Count—Lists actions taken for malicious SMTP e-mails.

  • Actions on IMAP Malicious Email by Count—Lists actions taken for malicious IMAP e-mails.

Devices

This section contains the following information:

  • Zero Submissions—Lists the devices that have not submitted files in the past 30 days.

  • Expiring Devices—Lists the devices that are going to expire in the next 60 days.