The Juniper ATP Appliance platform collects, inspects and analyzes advanced and stealthy web, file, and email-based threats that exploit and infiltrate client browsers, operating systems, emails and applications.  Juniper ATP Appliance’s detection of malicious attacks generates incident and event details that can be sent to connected SIEM platforms in CEF, LEEF or Syslog formats 1 .  CEF (Common Event Format) is an open log management standard that improves the interoperability of security-related information from different vendors 2 . Juniper ATP Appliance supports CEF format for sending events and system audit notifications to SIEM servers.  You can configure the CEF format in the Juniper ATP Appliance Central Manager WebUI Config > Notifications > SIEM Settings 1 . Therefore, the correct answer is C. CEF is a supported logging output format for Juniper ATP Appliance. The other options are incorrect because:

A.  WELF (WebTrends Enhanced Log Format) is a proprietary log format developed by WebTrends Corporation for web analytics 3 . Juniper ATP Appliance does not support WELF format for SIEM integration.

B.  JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans and machines to read and write 4 .  Juniper ATP Appliance supports JSON format for HTTP API results, but not for SIEM notifications 1 .

D. Binary is a numeric system that uses only two digits: 0 and 1. Binary is not a logging output format for Juniper ATP Appliance or any SIEM platform.

References:

SIEM Syslog, LEEF and CEF Logging

Common Event Format Configuration Guide

WebTrends Enhanced Log Format

JSON

The command " show security dynamic-address category-name DS hield " will show the IP addresses that are part of the DS hield category. By filtering the output of this command with the " match 203.0.113.5 " command, you can determine if the IP address 203.0.113.5 is part of the DS hield feed. This command will check the feeds that are configured on SRX Series device and are associated to juniper ATP Cloud.

Juniper ATP Cloud performs cache lookup to see if the file is seen already and known to be malicious and dynamic analysis to see what happens if you execute the file in a real environment.

Cache lookup is one of the functions that Juniper ATP Cloud performs to analyze and detect malware. Cache lookup is the first step in the pipeline approach that Juniper ATP Cloud uses to examine files. Cache lookup checks whether the file has been seen before and whether it has a stored verdict in the database. If the file is known to be malicious, the verdict is returned to the SRX Series Firewall and the file is dropped.  If the file is not found in the cache, the analysis continues with the other techniques 1 .

Dynamic analysis is another function that Juniper ATP Cloud performs to analyze and detect malware. Dynamic analysis runs the file in a sandbox environment and observes its behavior and actions. Dynamic analysis can reveal the hidden or obfuscated functionality of malware, such as network connections, file modifications, registry changes, and process injections.  Dynamic analysis can also detect zero-day threats and evasive malware that try to avoid static analysis 1 .

References :

How is Malware Analyzed and Detected? | ATP Cloud | Juniper Networks

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through. In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C.  The infected host score is globally set above a threat level of 5.  References : [Configuring the Infected Host Score]  1 , [Compromised Hosts: More Information]  2

1 : https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/task/sky-atp-infected-host-score.html  2 : https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/concept/sky-atp-infected-host-overview.html

https://ww w.juniper.net/documentation/en_US/junos- space18.1/policy-enforcer/topics/task/configuration/junos-space-policyenforcer-custom-feeds-infected-host-configure.html

The two steps that will fulfill the requirement of deploying a security policy on an SRX Series device that blocks all known Tor network IP addresses are enrolling the devices with Juniper ATP Cloud and enabling a third-party Tor feed. Juniper ATP Cloud is a cloud-based service that provides advanced threat detection and mitigation capabilities for SRX Series devices. By enrolling the devices with Juniper ATP Cloud, the devices can leverage the cloud intelligence and analytics to identify and block malicious traffic, including Tor traffic. A third-party Tor feed is a source of information that provides a list of IP addresses that are associated with the Tor network. By enabling a third-party Tor feed on the SRX Series device, the device can use the feed to create a dynamic address object that contains all the known Tor IP addresses. The device can then apply a security policy that denies traffic from or to the dynamic address object, effectively blocking the Tor network IP addresses.  References : Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-overview.html https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-intelligence-third-party-feed-configuring.html

Certificate Renewal The renewal of certificates is much the same as initial certificate enrollment except you are just replacing an old certificate (about to expire) on the VPN device with a new certificate. As with the initial certificate request, only manual renewal is supported. SCEP can be used to re-enroll local certificates automatically before they expire. Refer to Appendix D for more details.

The SRX Series device in transparent mode uses packet flooding to learn about unknown devices in a network. Packet flooding is a process wherein the device sends out packets to every device it knows about or suspects in the network. When the packets are returned, the device can identify and classify the unknown devices in the network.