`Case 3:17-cv-05659-WHA Document 245-6 Filed 11/23/18 Page 1 of 3
`
`
`
`
`
`EXHIBIT 5
`EXHIBIT 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 245-6 Filed 11/23/18 Page 2 of 3
`
`Threat Intelligence Open API Setup Guide
`
`Sky Advanced Threat Prevention (Sky ATP) provides the following APIs that can help
`you keep your network free of sophisticated malware and cyberattacks by using superior
`cloud-based protection:
`
`• Threat Intelligence API Overview on page 1
`
`• Sky ATP API Overview on page 3
`
`• File/Hash API Overview on page 5
`
`•
`
`•
`
`Infected Host API Overview on page 6
`
`IP Filter API Overview on page 6
`
`• Example on page 7
`
`Threat Intelligence API Overview
`
`The Threat Intelligence open API allows you to program the Sky ATP Command and
`Control server (C&C) feeds to suit your requirements. You can perform the following
`operations using the threat intelligence API:
`
`•
`
`Inject an IP, URL, or domain into a C&C feed with a threat level from 1 through 10. You
`can create up to 30 different custom C&C feeds.
`
`• An IP can be an IP address, IP range, or IP subnet.
`
`• Only IPv4 addresses are currently supported.
`
`• Update the threat level of an IP, URL, or domain from 1 through 10.
`
`• Delete a specific server in the feed or delete the entire feed.
`
`• Retrieve the current status of an operation (processing) or errors (if any) from the feed
`processing engine.
`
`The Threat Intelligence API supports a Swagger API specification in JSON format to allow
`programmatic access to it. For more information on the Swagger API specification, see
`https://threat-api.sky.junipersecurity.net/swagger.json.
`
`NOTE: C&C regular feeds currently support only HTTP host URLs. For
`example, if you create www.example.com/example1/, it will check only
`www.example.com.
`
`Blacklist and whitelist feeds (see below) support full URLs with Junos OS
`15.1X49-D70 and later releases.
`
`Copyright © 2018, Juniper Networks, Inc.
`
`1
`
`
`
`Case 3:17-cv-05659-WHA Document 245-6 Filed 11/23/18 Page 3 of 3
`
`Example
`
`configure security policies to use the DAE within a security policy. When the DAE is
`updated, the changes automatically become part of the security policy. There is no need
`to update the policy manually. Note that this is an IP address-only feed. It does not
`support URLs or fully qualified domain names (FQDNs).
`
`The IP filter APIs let you perform the following tasks:
`
`• Remove IP addresses (in a .csv file) from an IP filter feed
`
`• Add IP addresses (in a .csv file) to an IP filter feed.
`
`• Remove a specific IP address from the IP filter feed.
`
`• Add a specific IP address to the IP filter feed.
`
`• Remove a specific IP filter feed.
`
`• Get the processing status of a specific IP Filter feed.
`
`The IP filter API supports a Swagger API specification in JSON format to allow
`programmatic access to it. For more information on the Swagger API specification, see
`https://api.sky.junipersecurity.net/swagger.json.
`
`Configuration and Setup
`
`To access the API, you must create an application token in the Sky ATP Web UI and use
`that token as the bearer token in the authorization header. See section “Configuration
`and Setup” on page 2 for more information on the creation of the token.
`
`In this example, targeted attacked are being performed against web servers in a DMZ
`while concealing their identities via Tor. Tor exit nodes move frequently and keeping an
`up-to-date list of all 1000+ exit nodes within a firewall policy is almost impossible. This
`can, however, be done easily using Sky ATP’s APIs. For more information on this example,
`see Automating Cyber Threat Intelligence with Sky ATP.
`
`Shown below is an example script that performs the following actions:
`
`• Polls the official TorProject's exit-node list via cURL and extracts legitimate IP
`information via grep.
`
`• Utilizes Sky ATP's open API to install and propagate third-party threat intelligence to
`all SRX Series devices in the network.
`
`• Runs on an hourly basis via cron to ensure that the active Tor Relays are always being
`blocked.
`
`#!/bin/bash
`
`# Define Application Token (Paste in your value between the "")
`APPToken="Your_Application_Token_Here"
`
`# Define the name of the feed you wish to create
`FeedName="Tor_Exit_Nodes"
`
`#Define temporary file to store address list
`
`Copyright © 2018, Juniper Networks, Inc.
`
`7
`
`
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
