About the Threats Map (Live) Page
Use this page to visualize incoming and outgoing threats between geographic regions. You can view blocked and allowed threat events based on feeds from intrusion prevention systems (IPS), antivirus, and antispam engines, unsuccessful login attempts, and screen options. You can also click a specific geographical location to view the event count and the top five inbound and outbound IP addresses.
The threat data is displayed starting from 12:00 AM (midnight) up to the current time (in your time zone) on that day and is updated every 30 seconds. The current date and time is displayed at the top right and a legend is displayed at the bottom left of the page.
If a threat occurs when you are viewing the page, an animation shows the country from which the threat originated (source) and the country in which the threat occurred (destination).
For threats with unknown geographical IP addresses (private IP addresses), the animation shows the threat originating from the bottom center of the geographical map.
Tasks You Can Perform
You can perform the following tasks from this page:
Toggle between updating the data and allowing live updates—Click the Pause icon to stop the page from updating the threat map data and to stop animations. Click the Play icon to update the page data and resume animations.
Zoom in and out of the page—Click the zoom in (+) and zoom out (–) icons to zoom in and out of the page.
Pan the page—Click and drag the mouse to pan the page.
View country-specific details:
Click a country on the threat map to view threat information specific to that country. A Country-Name pop-up appears displaying country-specific information.
Click the View Details link in the Country-Name pop-up to view additional details. The Country-Name (Details) panel appears.
For more information, see Table 1.
Field |
Description |
Displayed In |
|---|---|---|
Number-of-threat-events Threat Events since 12:00 am |
Displays the total number of threat events (inbound and outbound) since midnight for that country. Click the hyperlinked number to go to the All Events page, where you can view more information about the events. |
Country-Name pop-up |
Inbound (Number-of-threat-events) |
Displays the total number of inbound threats for the country and the IP address and the number of events for that IP address for the top five inbound events. |
Country-Name pop-up |
Outbound (Number-of-threat-events) |
Displays the total number of outbound threats for the country and the IP address and the number of events for that IP address for the top five outbound events. |
Country-Name pop-up |
Number-of-threat-events Events since 12:00 am |
Displays the total number of threat events (inbound and outbound) since midnight for that country. Click the hyperlinked number to go to the All Events page, where you can view more information about the events. |
Country-Name (Details) panel |
Number-of Inbound Events |
Displays the total number of inbound threats for the country and the number of inbound threat events for each of the following categories:
Click the hyperlinked number for a category to go to the page for that category, where you can view more information about that category. For example, clicking the hyperlinked number for IPS threats takes you to the IPS Events page. Click the Top 5 IP Addresses (Inbound) to view the IP address and the number of events for that IP address for the top five inbound events. |
Country-Name (Details) panel |
Number-of Outbound Events |
Displays the total number of outbound threats for the country and the number of outbound threat events for each of the following categories:
Click the hyperlinked number for a category to go to the page for that category, where you can view more information about that category. For example, clicking the hyperlinked number for screens takes you to the Screen Events page. Click the Top 5 IP Addresses (Outbound) to view the IP address and the number of events for that IP address for the top five outbound events. |
Country-Name (Details) panel |
Field Descriptions
Table 2 displays the fields the Threats Map (Live) page.
Field |
Description |
|---|---|
Total Threats Blocked & Allowed |
Displays the total number of threats blocked and allowed. Click the hyperlinked number to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events. |
Threats Blocked & Allowed |
Displays the total number of threats blocked and allowed by the following categories:
Click the hyperlinked number for a category to go to the page for that category, where you can view more information about that category. For example, clicking the hyperlinked number for IPS threats takes you to the IPS Events page (filtered view of the Detail View tab). |
Top Target Devices |
Displays the top five targeted devices and the number of threats per device. Click the hyperlink for a device to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events for that device. |
Top Destination Countries |
Displays the top five destination countries and the number of threats per country. Click the hyperlink for a country to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events for that country. |
Top Source Countries |
Displays the top five source countries and the number of threats per country. Click the hyperlink for a country to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events for that country. Note:
For threats with unknown geographical IP addresses (private IP addresses), the country name is displayed as Undefined. So, when you click the hyperlinked threat count and go to the All Events page, the filter query uses Undefined as the source country. |
Threat Types
The Threats Map (Live) page displays blocked and allowed threat events based on feeds from IPS, antivirus, and antispam engines, unsuccessful login attempts, and screen options. Table 3 describes different types of threats blocked and allowed.
Attack |
Description |
|---|---|
IPS threat events |
Intrusion detection and prevention (IDP) attacks detected by the IDP module. The information reported about the attack (displayed on the IPS Events page) includes information about:
|
Virus events |
Virus attacks detected by the antivirus engine. The information reported about the attack (displayed on the Antivirus Events page) includes information about:
|
Spam events |
E-mail spam that is detected based on the blocklist spam e-mails. The information reported about the attack (displayed on the Antispam Events page) includes information about:
|
Device authentications |
The firewall authentication messages generated due to unauthorized attempts to access the network. The reported information (displayed on the All Events page) contains the reason for authentication failure and the source of the request. |
Screen events |
Events that are detected based on screen options. The information reported about the attack (displayed on the Screen Events page) includes information about:
|