Case 3:17-cv-05659-WHA Document 393-15 Filed 03/14/19 Page 1 of 9
EXHIBIT 13
HTTP API Guide

HTTP Post Parameters      Description

password                  Password for the new user.

csrf_token                Unique token ID for the new user.

remote_authentication     Valid values are true or false. This key determines whether the user being created will be authenticated using the remote system or not.

remote_authorization      Valid values are true or false. This key determines whether the user being created will be authorized using the remote system or not.

Example

curl -k -H "Authorization:d7e6d14140fc944fc4ba287f88f42d45" \
  "https://10.2.20.107/admin/api.php?op=add_user" \
  -d user_name=test2 -d full_name=test2 -d role_name='Default Admin Role' \
  -d generate_api_key=0 -d api_key_is_disabled=0 -d password=JATP1z2 \
  -d remote_authentication=false -d remote_authorization=false

Authorization - The device user API key. Obtain from Config > System Profiles > Users > click on any User to obtain an API Key.

The example passes the new user's password and the caller's API key on the command line, where other local users can read them from the process list and where the shell history keeps them; in production, load them from a file (curl's -d @file) or an environment variable. The -k flag disables TLS certificate verification of the appliance and should be dropped once the client trusts the appliance certificate.

Sample Response

There is no response from this API call.

analysis_details

Use the analysis_details API to retrieve the analysis details associated with a particular file object. The analysis_details API takes either an event_id, md5sum or sha1sum as a parameter.

TIP: As of Release 4.1.1 and later, Juniper ATP Appliance limits the upload to the actual processing limit and throws an error if the file is greater than 16MB.

Unlike the "events" API, analysis_details does not return any context about how and when the file object was discovered.

An additional boolean parameter "get_components" set to 1 will cause the return of all the components of the specified file. This option is only meaningful if the md5sum/sha1sum corresponds to a zip, tar, or other archive.

https://HOST/admin/api.php?op=analysis_details

HTTP Post Parameters         Description

event_id or md5sum/sha1sum   [Required] Unique identifier for this event. At least one of these parameters must be supplied. Get the event_id from the output of the API https://<Host>/admin/api.php?op=events. The md5sum and sha1sum are the hashes of the objects.

get_components               1 indicates components are available. When the get_components value is set, analysis details for all the sub-components are also returned.

Copyright© 2018, Juniper Networks, Inc.

Juniper Advanced Threat Prevention Appliance

API Access: To demonstrate the analysis_details API from the Central Manager Web UI Incidents page, select an incident from the Incidents table, scroll down the page and click the Downloads or Uploads tab. Expand the row to view details; with this action, you will see a call to the analysis_details API.
See also behavior_details on page 10.

Example

curl -k -H "Authorization:7c71c218662411a5c857042053acca8f" \
  "https://10.2.20.37/admin/api.php?op=analysis_details" -d event_id=672

Authorization - The device user API key. Obtain from Config > System Profiles > Users > click on any User to obtain an API Key.

NOTE: The request should include one of event_id, md5sum or sha1sum. If more than one is specified, the server only considers the event_id.

Sample Response

{
  "analysis_array": [
    {
      "local_path": "/var/spool/c-icap/download/CI_TMPFP9jYz",
      "file_md5_string": "7be866d691c3da79f51240bf8963e210",
      "file_sha1_string": "1f707b2fe77691ee91aa5da0a326aec40182bb0d",
      "file_sha256_string": "fada509542437360aeaa73a6256a9f1c88764e823f0f0a6a78fb66e419b5f389",
      "file_size": "893977",
      "file_type_string": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "file_suffix": "exe",
      "mime_type_string": "FILE_UPLOAD",
      "has_components": null,
      "packer_name": null,
      "malware_name": "TROJAN_YAKES.CY",
      "malware_severity": "0.75",
      "malware_category": "Trojan_Generic",
      "malware_classname": "malware",
      "has_static_detection": "1",
      "has_behavioral_detection": "0",
      "user_whitelisted": null,
      "JATP_whitelisted": null,
      "has_cnc": null,
      "dig_cert_name": null,
      "analysis_start_time": "2016-06-02 08:34:40.513488+00",
      "analysis_done_time": "2016-06-02 08:35:03.877626+00",
      "source_url_rank": "-1",
      "reputation_score": "35",
      "microsoft_name": "None",
      "has_behavior_log": "1",
      "screen_shots": [
        "/analysis/897/qemu-results/screenshots-winxp/screenshot_00.jpg",
        "/analysis/897/qemu-results/screenshots-winxp/screenshot_01.jpg",
        "/analysis/897/qemu-results/screenshots-winxp/screenshot_02.jpg"
      ]
    }
  ],
  "analysis_details": {
    "local_path": "/var/spool/c-icap/download/CI_TMPFP9jYz",
    "file_md5_string": "7be866d691c3da79f51240bf8963e210",
    "file_sha1_string": "1f707b2fe77691ee91aa5da0a326aec40182bb0d",
    "file_sha256_string": "fada509542437360aeaa73a6256a9f1c88764e823f0f0a6a78fb66e419b5f389",
    "file_size": "893977",
    "file_type_string": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "file_suffix": "exe",
    "mime_type_string": "FILE_UPLOAD",
    "has_components": null,
    "packer_name": null,
    "malware_name": "TROJAN_YAKES.CY",
    "malware_severity": "0.75",
    "malware_category": "Trojan_Generic",
    "malware_classname": "malware",
    "has_static_detection": "1",
    "has_behavioral_detection": "0",
    "user_whitelisted": null,
    "JATP_whitelisted": null,
    "has_cnc": null,
    "dig_cert_name": null,
    "analysis_start_time": "2016-06-02 08:34:40.513488+00",
    "analysis_done_time": "2016-06-02 08:35:03.877626+00",
    "source_url_rank": "-1",
    ...
  }
}

behavior_details

HTTP Post Parameters         Description

collector_id                 ID of the Collector that processed the malicious traffic.

API Access: To demonstrate the behavior_details API from the Central Manager Web UI Incidents page, select an incident from the Incidents table, scroll down the page and click the Downloads or Uploads tab. Expand the row to view details; with this action, you will see a call to the behavior_details API.
See also analysis_details on page 7.

Example

curl -k -H "Authorization:7c71c218662411a5c857042053acca8f" \
  "https://10.2.20.37/admin/api.php?op=behavior_details" \
  -d "event_id=672&collector_id=aaaa-bbbb-cccc-ddddd"

Authorization - The device user API key. Obtain from Config > System Profiles > Users > click on any User to obtain an API Key.

NEW: Additional JSON objects are available for obtaining third party ingestion vendor information:

memory_artifact_details contains all the memory artifact strings that are recognized for the executable from which Juniper ATP Appliance is able to take a memory dump when certain Windows API calls are used. This corresponds to the Memory Artifacts information displayed in the Juniper ATP Appliance Central Manager Web UI incident displays.

behavior_details uses an object called malware_actions that lists all the actions exhibited by detected malware. This corresponds to the Malware Traits information displayed in the Juniper ATP Appliance Central Manager Web UI incident displays.
Sample Output

curl 'https://10.2.25.21/admin/api.php?op=behavior_details&sha1sum=c174ed87d658110b1596e30a827a810f0e1bc102' \
  -H 'Host: 10.2.25.24' -H "Authorization:292fef0472b25dd9e1c032c69a4c9a18" --insecure | json_pp

{
  "behavior_details": {
    "has_ivp": true,
    "cnc_array": [
      {
        "host": "teredo.ipv6.microsoft.com",
        "string": "port 53 DNS",
        "response": ""
      }
    ],
    "registry_changes": [
      ...

(The exhibit jumps from page 11 of the guide to page 52, which opens with the tail of a different sample response.)

  ...
  "server_ip": "192.168.1.21",
  "server_name": "test-upload.JATP.net",
  "max_cook_size": 15000001,
  "status_fc_on": 0,
  "status_sigeng_on": 1,
  "status_hre_on": 1,
  "status_sc_on": 1,
  "status_correlation_on": 1,
  "status_internet_on": 1,
  "status_mode": 0,
  "status_web_collector": 1
}

TIP: Sample APIs for obtaining behavioral details from a Zip file.

1. Get components of the Zip file:

Example
URL: https://host1.JATP.net/admin/api.php?op=analysis_details

Data:
sha1sum: 5ac9a76d3057cd40f33bf8698028ed9928badb04 (sha1sum of the Zip file)
get_components: 1

Response:

{
  "status": 0,
  "session_timeout_sec": 900,
  "analysis_array": [
    {
      "malware_classname": "malware",
      "mime_type_string": "application/x-dosexec",
      "file_size": "61952",
      "packer_name": "UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]",
      "microsoft_name": "",
      "malware_name": "WORM_GAMARUE.DC",
      "dig_cert_name": null,
      "has_embedded_code": null,
      ...
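The analysis_details call described above and the Zip TIP's get_components step, put together as an added example that is not part of the guide and not Juniper's code. It assumes only the request shape the guide shows (form parameters posted to https://<host>/admin/api.php?op=analysis_details with the device user API key in the Authorization header) and a JSON body carrying analysis_array; the transport is injectable so the script runs offline. The response bodies are constructed: the first is trimmed from the guide's sample for event_id 672, the second models the Zip case with a made-up archive entry plus the WORM_GAMARUE.DC component from the guide, whose severity the exhibit does not show. build_request, lookup, triage and fake_transport are the example's own names.

```python
"""Look up analysis_details and triage the result (added example, not Juniper's code)."""
import json
import urllib.parse
import urllib.request

# Scale from the guide's event_severity definition (0 benign, 0.5 medium, 0.75 high,
# 1 critical), assumed to apply to malware_severity too; 0.25 is accepted by the events
# filter but not named in the guide, so "low" is an assumption.
SEVERITY_LABELS = {0.0: "benign", 0.25: "low", 0.5: "medium", 0.75: "high", 1.0: "critical"}


def build_request(host, api_key, *, event_id=None, md5sum=None, sha1sum=None,
                  get_components=False):
    """Return (url, headers, body). The server silently prefers event_id when several
    selectors are sent, which would mask a caller bug, so exactly one is required here."""
    selectors = {"event_id": event_id, "md5sum": md5sum, "sha1sum": sha1sum}
    params = {k: v for k, v in selectors.items() if v is not None}
    if len(params) != 1:
        raise ValueError("pass exactly one of event_id, md5sum, sha1sum")
    if get_components:           # only meaningful for zip/tar/other archives
        params["get_components"] = 1
    url = f"https://{host}/admin/api.php?op=analysis_details"
    return url, {"Authorization": api_key}, urllib.parse.urlencode(params).encode()


def call_api(url, headers, body, transport=None):
    """POST and decode JSON. transport(url, headers, body) -> bytes keeps tests offline;
    the real path verifies the appliance certificate (no equivalent of curl -k)."""
    if transport is not None:
        return json.loads(transport(url, headers, body))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage(entry):
    """Reduce one analysis_array entry to what an analyst acts on."""
    sev = float(entry.get("malware_severity") or 0)
    detection = [kind for kind, key in (("static", "has_static_detection"),
                                        ("behavioral", "has_behavioral_detection"))
                 if entry.get(key) == "1"]
    return {
        "name": entry.get("malware_name"),
        "sha256": entry.get("file_sha256_string"),
        "severity": SEVERITY_LABELS.get(sev, f"unknown({sev})"),
        "detection": detection or ["none"],
        "whitelisted": bool(entry.get("user_whitelisted") or entry.get("JATP_whitelisted")),
        "screenshots": len(entry.get("screen_shots") or []),
    }


def lookup(host, api_key, transport=None, **selector):
    """One call, one triaged row per entry (archive members included when get_components=1)."""
    url, headers, body = build_request(host, api_key, **selector)
    return [triage(e) for e in call_api(url, headers, body, transport).get("analysis_array", [])]


# Constructed responses (see lead-in): trimmed guide sample, then the Zip case with a
# made-up archive entry and the guide's WORM_GAMARUE.DC component (severity "1" assumed).
_SINGLE = {"status": 0, "analysis_array": [{
    "file_sha256_string": "fada509542437360aeaa73a6256a9f1c88764e823f0f0a6a78fb66e419b5f389",
    "malware_name": "TROJAN_YAKES.CY", "malware_severity": "0.75",
    "has_static_detection": "1", "has_behavioral_detection": "0",
    "user_whitelisted": None, "JATP_whitelisted": None,
    "screen_shots": [f"/analysis/897/qemu-results/screenshots-winxp/screenshot_0{i}.jpg"
                     for i in range(3)]}]}
_ARCHIVE = {"status": 0, "analysis_array": [
    {"file_sha1_string": "5ac9a76d3057cd40f33bf8698028ed9928badb04", "has_components": "1",
     "malware_name": None, "malware_severity": "0"},
    {"malware_name": "WORM_GAMARUE.DC", "malware_classname": "malware",
     "mime_type_string": "application/x-dosexec", "file_size": "61952",
     "malware_severity": "1", "has_static_detection": "1"}]}


def fake_transport(url, headers, body):
    """Stands in for the appliance: requires an API key, honours get_components."""
    if not headers.get("Authorization"):
        raise PermissionError("missing API key")
    return json.dumps(_ARCHIVE if b"get_components=1" in body else _SINGLE).encode()


if __name__ == "__main__":
    key = "REDACTED-API-KEY"    # never hard-code a real key; read it from a file or env var
    for row in lookup("10.2.20.37", key, fake_transport, event_id=672):
        print(row)
    for row in lookup("host1.JATP.net", key, fake_transport,
                      sha1sum="5ac9a76d3057cd40f33bf8698028ed9928badb04", get_components=True):
        print(row)
```

Pass transport=None to talk to a real appliance; unlike the guide's curl -k examples, urllib then verifies the appliance certificate, so import the appliance CA first rather than disabling verification.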
events

It is possible to get events for a given hostname or IP address by passing these values in the request parameters, for example:

curl 'https://10.2.25.24/admin/api.php?op=events' -H 'Host: 10.2.25.24' \
  -H "Authorization:fb4f4fff2841a784fb21aa864af5e8fa" \
  --data 'min_severity_value=0&normalize_names=0&has_endpoint_meta=true&get_all_events=false&get_lateral_and_phishing_as_events=true&endpoint_hostname_value=TEST-2F0DDD7E5F' \
  --insecure | json_pp

min_severity_value can be 0, 0.25, 0.5, 0.75 or 1.

get_all_events, when true, returns all the events from the time Juniper ATP Appliance was installed. It can be very slow depending on the size of the data.

get_lateral_and_phishing_as_events can be true or false. If true, the lateral events from the endpoint_hostname_value are returned as events. If false, the lateral events are excluded from the response.

endpoint_hostname_value is the name of the host for which events are being fetched. It is case sensitive and must exactly match the host_name of the real system.

NOTE: You can also pass the endpoint's IP address as local_ip_value, or a username as username_value, instead of endpoint_hostname_value.

event_details

Use the "event_details" API to retrieve event details.
A new key is provided in the event_details response: custom_snort_event_details.

The event_details API takes only an event_id as a parameter.

NOTE: The "events" API returns a set of events matching the query parameters, whereas the "event_details" API returns the details of a specific event.

https://<HOST>/admin/api.php?op=event_details

An event can be one of several different types:

Types of events   Description

cnc               The event is a signature match on network traffic.
email             The event is an email attachment.
exploit           The event is an HTTP exploit sequence.
fsp               The event is a lateral spread.
http              The event is an HTTP download.
upload            The event is a manual file upload, i.e. an appliance user uploaded a file for analysis.

HTTP Post Parameters   Description

event_id               [Required] The ID set for the incident during malware analysis. Get this ID from the output of the API https://<Host>/admin/api.php?op=events

Example

curl -k -H "Authorization:7c71c218662411a5c857042053acca8f" \
  "https://10.1.1.1/admin/api.php?op=event_details" -d event_id=604

Authorization - The device user API key. Obtain from Config > System Profiles > Users > click on any User to obtain an API Key.

Sample Response

Sample output for this API is provided further below. Output field definitions are provided here. The general details are shared by each event type per these fields:

Output Field                  Definition

app_protocol_array            HTTP or Email protocol instance, as in: "app_protocol_array": ["EMAIL"]
analysis_done_time            Timestamp for analysis engine detonation completion.
cnc_details                   Details of a detected CnC event.
collector_id_array            The collector ID(s) associated with observing this event, as a JSON array of strings; as in: "collector_id_array": ["00000000-0000-0000-0000-000000000001"]
collector_name                Name of the collector that observed the event.
custom_snort_event_details    Details of the custom SNORT rule match.
destination_email_id          The destination email ID.
download_details              Details about a detected download.
endpoint_hostname             The hostname of the endpoint.
endpoint_id                   The ID associated with the endpoint.
endpoint_ip                   The IP address of the endpoint.
endpoint_name                 The host name of the endpoint, if available.
endpoint_os_type              The endpoint OS type, if available.
endpoint_username             The username for the endpoint device.
event_category                The event category, for example Adware, Exploit, Trojan_Generic, etc.
event_id                      The ID of this event.
event_name                    The event name, such as: "WORM.GAMARUE.CY"
event_severity                The severity of the event: 0 is benign, 0.5 is medium, 0.75 is high, 1 is critical.
event_type                    Type of event: "exploit", "http", "email", "cnc", "submission" (for file submission).
exploit_details               Details of a detected exploit event.
file_md5_string               The MD5 checksum for the event, such as: "340c860492c5ee5f708dfee57f650cd3"
file_sha1_string              The SHA1 for the event, such as: "a0bd2ee698848dc40f41ce593c9668ccf7dd1993"
file_sha256_string            The SHA256 associated with the event, such as: "e482ea7bdbfd42dbf1c33cb0b4a57920f40e8ccba52a8ba57cf6191700fb6751"
file_size                     The file size in bytes, such as: "55808"
file_type_string              The file type associated with the event, such as: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
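The events, event_details and behavior_details calls above chained into one host-centric triage, as an added example that is not part of the guide and not Juniper's code. It assumes only what the guide shows: api.php?op=<name>, the device user API key in the Authorization header, form-encoded POST parameters, the five allowed min_severity_value values, exact case-sensitive hostname matching, and behavior_details taking event_id plus collector_id. The events and event_details bodies served by the fake transport are constructed from the field names in the guide's event_details table (the top-level "events" key and the second event are assumptions; the guide does not show the events response), the behavior_details body is the guide's own cnc_array sample, and ATPClient, events_query and fake_transport are the example's own names.

```python
"""Host-centric triage across events, event_details and behavior_details (added example)."""
import json
import urllib.parse

ALLOWED_SEVERITIES = (0, 0.25, 0.5, 0.75, 1)
ENDPOINT_SELECTORS = ("endpoint_hostname_value", "local_ip_value", "username_value")


def events_query(min_severity=0.5, *, get_all_events=False,
                 lateral_and_phishing=True, **selector):
    """Form body for op=events, with the checks the appliance will not do for you.

    min_severity_value is restricted to the five values the guide lists, exactly one
    endpoint selector is accepted, booleans go out as the literal true/false strings the
    guide's curl example uses, and get_all_events defaults to false because the guide
    warns it can be very slow.
    """
    if min_severity not in ALLOWED_SEVERITIES:
        raise ValueError(f"min_severity_value must be one of {ALLOWED_SEVERITIES}")
    unknown = set(selector) - set(ENDPOINT_SELECTORS)
    if unknown or len(selector) != 1:
        raise ValueError(f"pass exactly one of {ENDPOINT_SELECTORS}")
    params = {
        "min_severity_value": min_severity,
        "normalize_names": 0,
        "has_endpoint_meta": "true",
        "get_all_events": str(get_all_events).lower(),
        "get_lateral_and_phishing_as_events": str(lateral_and_phishing).lower(),
        **selector,
    }
    return urllib.parse.urlencode(params)


class ATPClient:
    """Thin client; transport(op, headers, body) -> dict may be a fake or a real HTTPS call."""

    def __init__(self, host, api_key, transport):
        self.base = f"https://{host}/admin/api.php"
        self.headers = {"Authorization": api_key}   # device user API key (Config > System Profiles > Users)
        self.transport = transport

    def call(self, op, body):
        return self.transport(op, self.headers, body)

    def triage_host(self, hostname, min_severity=0.5):
        """events -> event_details -> behavior_details, keeping the CnC hosts per event."""
        events = self.call("events", events_query(min_severity, endpoint_hostname_value=hostname))
        report = []
        for ev in events.get("events", []):    # "events" key is an assumption (not shown in the guide)
            eid = ev["event_id"]
            det = self.call("event_details", urllib.parse.urlencode({"event_id": eid}))
            # behavior_details wants event_id plus the collector that saw it (collector_id_array)
            beh = self.call("behavior_details", urllib.parse.urlencode(
                {"event_id": eid, "collector_id": det["collector_id_array"][0]}))
            report.append({
                "event_id": eid,
                "event_type": det["event_type"],
                "event_name": det["event_name"],
                "severity": float(det["event_severity"]),
                "cnc_hosts": [c["host"] for c in beh["behavior_details"].get("cnc_array", [])],
            })
        return report


# Constructed appliance state: event records use the guide's event_details field names
# (event 605 is invented); the behavior_details body for 604 is the guide's own sample.
_EVENTS = [
    {"event_id": 604, "event_name": "WORM.GAMARUE.CY", "event_type": "http", "event_severity": "0.75",
     "endpoint_hostname": "TEST-2F0DDD7E5F", "collector_id_array": ["00000000-0000-0000-0000-000000000001"]},
    {"event_id": 605, "event_name": "ADWARE_SAMPLE", "event_type": "email", "event_severity": "0.25",
     "endpoint_hostname": "TEST-2F0DDD7E5F", "collector_id_array": ["00000000-0000-0000-0000-000000000001"]},
]
_BEHAVIOR = {
    604: {"behavior_details": {"has_ivp": True, "cnc_array": [
        {"host": "teredo.ipv6.microsoft.com", "string": "port 53 DNS", "response": ""}]}},
    605: {"behavior_details": {"has_ivp": False, "cnc_array": []}},
}


def fake_transport(op, headers, body):
    """Stands in for the appliance; hostname match is exact and case sensitive, as the guide says."""
    if not headers.get("Authorization"):
        raise PermissionError("missing API key")
    q = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
    if op == "events":
        floor = float(q["min_severity_value"])
        return {"events": [e for e in _EVENTS
                           if e["endpoint_hostname"] == q.get("endpoint_hostname_value")
                           and float(e["event_severity"]) >= floor]}
    if op == "event_details":
        return next(e for e in _EVENTS if e["event_id"] == int(q["event_id"]))
    if op == "behavior_details":
        return _BEHAVIOR[int(q["event_id"])]
    raise ValueError(f"unknown op {op}")


if __name__ == "__main__":
    client = ATPClient("10.2.25.24", "REDACTED-API-KEY", fake_transport)
    print(json.dumps(client.triage_host("TEST-2F0DDD7E5F", min_severity=0.5), indent=2))
```

Lowering min_severity to 0 pulls in the 0.25 event as well; a hostname in the wrong case returns nothing, which is the failure mode the guide's case-sensitivity note warns about.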
