System Information and Updates
Checking Appliance Health
Click the System Health dropdown to view real-time operational status for the Juniper ATP Appliance inspection and detection engines.
System Health Item | Description |
---|---|
Internet | Internet connection status |
Behavior Engine | Core behavior analysis engine status |
Static Engine | Static analysis engine status |
Correlation | Hierarchical Reasoning Engine (HRE) machine learning component status |
Web Collectors | Web Collectors status is displayed if distributed Web Collector devices are enabled. Note: If the current system is an All-in-One and no additional Collector device is configured, the Web Collectors item is absent from the dropdown menu. |
Secondary Cores | Secondary Cores status is displayed if distributed Mac Mini Secondary or Windows Secondary Core devices are enabled. |
System Dashboard
The System Dashboard is also available from the Dashboard tab for monitoring system inspection and detection metrics:
The System Dashboard includes metrics for the following:
Scanned Traffic Objects/Offered Traffic Objects
Core Utilization (Windows and Mac OSX)
Objects Processed
Average Analysis Time (in Minutes) (Windows and Mac OSX)
Malware Objects
System Charts can be displayed for:
Last 24 Hours | Last Week | Last Month | Last 3 Months | Last Year
Collectors Dashboard
The Collectors Dashboard is another dashboard available from the Dashboard tab:
The Collectors Dashboard includes metrics for the following collector inspection and analysis Trend displays (options are selected from the Trend dropdown menu):
Total Traffic (Mbps)
CPU Usage
Memory Usage
Found Objects
Malware Objects
System Charts can be displayed for:
Last 24 Hours | Last Week | Last Month | Last 3 Months | Last Year
The Collectors Dashboard Summary table provides configured and statistical information in the following columns:
Summary Column | Description |
---|---|
Plot | Click to display [multiple] plots for comparison in the graph above; a colour is assigned to each selected plot line |
Collector Name | Name of the installed Traffic Collector |
IP Address | IP Address of the Collector |
Memory | Memory usage statistics |
CPU | CPU usage statistics |
Disk | Disk usage |
Total Traffic | Total traffic scanned, in Kbps or Mbps |
Objects | Objects analyzed |
Malware Objects | Malware objects detected |
Last Malware Seen | Last malware incident detected and analyzed |
Status | Last status check on the Collector (example: “83 seconds ago”) |
Enabled | A green checkmark indicates that the Collector is currently enabled; a red X indicates that the Collector is disabled or offline. |
Upgrading Juniper ATP Appliance Software and Security Content
Software and security content upgrades are automatic once configured from the Central Manager Web UI Config>System Settings>System Settings page.
To enable automatic upgrades, check the “Software Update Enabled” and/or “Content Update Enabled” options on the System Settings page.
Ongoing updates take place on a regular schedule:
The software and content update (if enabled) checks for available updates every 30 minutes.
The Core detonation engine image upgrade check occurs daily at midnight.
CEF Logging Support for SIEM
Juniper ATP Appliance’s detection of malicious events generates incident and alert details that can be sent to connected SIEM platforms in CEF format via UDP.
Refer to the Juniper ATP Appliance CEF Logging Support for SIEM document, which focuses on CEF outputs for SIEM mapping and integration. Juniper ATP Appliance also provides JSON-based HTTP API results and ASCII TEXT notifications that are not discussed in this guide.
The Juniper ATP Appliance Central Manager WebUI Config>Notifications>SIEM Settings page provides the option to configure event and system audit notifications for SYSLOG or CEF-based SIEM servers. The servers, in turn, must be configured to receive the Juniper ATP Appliance notifications in CEF format.
syslog Trap Sink Server
When configuring the Juniper ATP Appliance to generate alert notifications in Syslog format, an administrator must confirm syslog trap-sink SIEM server support. The Syslog output is accessible for parsing only on the syslog server and cannot be viewed from the Juniper ATP Appliance CLI or Web UI.
CEF Format
Common Event Format (CEF) is an open standard syslog format for log management and interoperability of security-related information from different devices, network appliances and applications. Juniper ATP Appliance adopts this open log format for sending malware event notifications to the configured channel.
The standard CEF format is:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
The Juniper ATP Appliance CEF format is as follows:
CEF:0|Juniper ATP Appliance|Cortex|<Juniper ATP Appliance version x.x.x.x>|<event type: http,email,datatheft...>|<malware name>|<incident risk mapping to 0-10>|externalId=<Juniper ATP Appliance Incident ID> eventId=<Juniper ATP Appliance event ID> <ExtensionField=value...>...
The CEF format carries the most relevant malware event information so that event consumers can parse and use the data interoperably. For transport, each event is wrapped in a syslog message; every message carries a common prefix consisting of the date and hostname, as shown below:
<timestamp in UTC> host <message> where message=<header>|<extension>
Here is the common prefix as shown in Splunk:
<Timestamp in UTC> <server-fully-qualified domain name of the Juniper ATP Appliance box> <CEF format>
Definitions for the primary CEF fields as well as the CEF Extensions are provided and detailed in the Juniper ATP Appliance CEF and Syslog Support for SIEM guide.
The Username field is included in the SIEM logs when audit logs are sent.
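The following parser is an added example for this section and is not Juniper's code or any part of the appliance. It consumes lines in the syslog form described above (`<timestamp in UTC> host CEF:...`), splits the seven pipe-delimited header fields while honouring the CEF `\|` and `\\` escapes, parses the `key=value` extension (including `\=` inside values), and pulls out the Juniper-specific slots: event type in the Signature ID position, malware name, the 0-10 incident risk, and the `externalId`/`eventId` extension keys named in the guide. The device version, hostnames, malware names, incident IDs and addresses in `SAMPLE_LINES` are constructed placeholders; the `high_risk_incidents` helper and its default threshold of 7 are an assumption about how a SIEM rule might triage the feed, not a documented appliance setting.

```python
"""Parse Juniper ATP Appliance CEF notifications as they arrive on a syslog sink.
Added example, not Juniper's code; field positions follow the format shown in the guide."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Syslog transport prefix from the guide: "<timestamp in UTC> host <message>"
_PREFIX_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>CEF:.*)$", re.DOTALL)
# An extension key sits at start-of-string or after whitespace and is followed by '='
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


@dataclass
class AtpCefEvent:
    timestamp: str
    host: str
    cef_version: str
    vendor: str
    product: str
    device_version: str
    event_type: str      # Signature ID slot: http, email, datatheft, ...
    malware_name: str    # Name slot
    risk: int            # Severity slot: incident risk 0-10
    extension: Dict[str, str] = field(default_factory=dict)

    @property
    def incident_id(self) -> str:
        return self.extension.get("externalId", "")


def _split_header(cef: str) -> List[str]:
    """Split the seven header fields on unescaped '|'; the remaining text (the
    extension, still escaped) is returned as the eighth item."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # '\|' or '\\' escape: keep next char
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":                        # unescaped field separator
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    fields.append(cef[i:])
    return fields


def _unescape_ext(value: str) -> str:
    """Undo extension escapes: backslash-equals, backslash-backslash, \\n and \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k=v k2=value with spaces' into a dict; a value runs until the next 'key=' token."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_line(line: str) -> AtpCefEvent:
    """Parse one syslog line carrying a Juniper ATP Appliance CEF message."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("line lacks the '<timestamp> <host> CEF:...' prefix")
    h = _split_header(m.group("msg"))
    risk = int(h[6])
    if not 0 <= risk <= 10:
        raise ValueError(f"incident risk {risk} outside the 0-10 range")
    return AtpCefEvent(timestamp=m.group("ts"), host=m.group("host"),
                       cef_version=h[0].split(":", 1)[1], vendor=h[1], product=h[2],
                       device_version=h[3], event_type=h[4], malware_name=h[5],
                       risk=risk, extension=parse_extension(h[7]))


def high_risk_incidents(lines: Iterable[str], threshold: int = 7) -> List[Tuple[str, str, str]]:
    """(incident ID, event type, malware name) for events at or above the risk
    threshold; malformed lines are skipped so one bad record cannot stall the feed."""
    hits = []
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            continue
        if ev.risk >= threshold:
            hits.append((ev.incident_id, ev.event_type, ev.malware_name))
    return hits


# Constructed sample feed: placeholder version, names, hosts, IDs and RFC 1918/5737 addresses.
SAMPLE_LINES = [
    "2024-03-01T14:02:11Z atp-core.example.net CEF:0|Juniper ATP Appliance|Cortex|x.x.x.x|http"
    "|Example.Downloader|8|externalId=1001 eventId=5001 src=10.1.2.3 dst=203.0.113.7"
    " request=http://203.0.113.7/path?a\\=b",
    "2024-03-01T14:05:40Z atp-core.example.net CEF:0|Juniper ATP Appliance|Cortex|x.x.x.x|email"
    "|Example.Phish\\|Attach|4|externalId=1002 eventId=5002 suser=alice@example.net",
    "2024-03-01T14:06:02Z atp-core.example.net not a CEF line",
]

if __name__ == "__main__":
    for ev in map(parse_line, SAMPLE_LINES[:2]):
        print(ev.incident_id, ev.event_type, ev.malware_name, ev.risk, ev.extension)
    print("escalate:", high_risk_incidents(SAMPLE_LINES))
```

The second sample line shows why the header split must respect escapes: a malware name containing a literal pipe arrives as `Example.Phish\|Attach`, and a naive `split("|")` would shift every later field, including the risk score, by one position. The parser only raises on lines it cannot place in the documented layout; anything that parses is handed to the triage helper, which decides on the risk value alone.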