Monitor Threats Map
You are here: Monitor > Maps and Charts > Threats Map.
The Threats Map page is available on all SRX Series Firewalls except the SRX5000 line of devices.
Use this page to visualize incoming and outgoing threats between geographic regions. You can view blocked and allowed threat events based on feeds from intrusion prevention systems (IPS), antivirus, antispam engines, Juniper ATP Cloud, and screen options. You can also click a specific geographical location to view the event count and the top five inbound and outbound IP addresses.
To view the data on the Threats Map (Live) page, ensure that:
Security logging is enabled. If not, go to Device Administration > Basic Settings > Security Logging and enable Stream mode Logging.
Required firewall policy is configured on the device.
Required licenses are configured for IPS and antivirus.
Your device is enrolled to the Juniper ATP Cloud server.
The threat data is displayed starting from 12:00 AM (midnight) up to the current time (in your time zone) on that day and is updated every 30 seconds. The current date and time are displayed at the upper right and a legend is displayed at the lower left of the page.
If a threat occurs when you are viewing the page, an animation shows the country from which the threat originated (source) and the country in which the threat occurred (destination).
Threats with unknown geographical IP addresses and private IP addresses are displayed as UNKNOWN_COUNTRY.
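The display rules described above (events counted from midnight to the current time, private or unresolvable addresses grouped under UNKNOWN_COUNTRY, top five IP addresses per direction) can be reproduced over exported log data to cross-check what the map shows. This is an added example, not Juniper code: the geo table, the event tuples, and the function names are constructed assumptions. It also assumes that an event counts as inbound for the destination's country and outbound for the source's country.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

UNKNOWN = "UNKNOWN_COUNTRY"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed geo table; a real check would query a GeoIP database.
GEO = {ipaddress.ip_network("198.51.100.0/24"): "Country-A",
       ipaddress.ip_network("203.0.113.0/24"): "Country-B"}

# Constructed sample events: (timestamp, source IP, destination IP).
NOW = datetime(2024, 5, 2, 9, 0, 0)
EVENTS = [
    ("2024-05-01T23:59:30", "198.51.100.7", "203.0.113.10"),  # before midnight
    ("2024-05-02T00:00:05", "198.51.100.7", "203.0.113.10"),
    ("2024-05-02T01:10:00", "198.51.100.7", "203.0.113.11"),
    ("2024-05-02T02:00:00", "198.51.100.9", "203.0.113.10"),
    ("2024-05-02T03:00:00", "192.168.1.20", "198.51.100.7"),  # private source
    ("2024-05-02T04:00:00", "192.0.2.55", "203.0.113.10"),    # not in geo table
]

def country_of(ip):
    """Map an IP to a country; private and unresolvable IPs become UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return UNKNOWN
    return next((c for net, c in GEO.items() if addr in net), UNKNOWN)

def country_view(events, now, country, top=5):
    """Per-country counts since local midnight plus top-N IPs per direction."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    inbound = defaultdict(Counter)   # destination country -> destination IP
    outbound = defaultdict(Counter)  # source country -> source IP
    for ts, src, dst in events:
        if not midnight <= datetime.fromisoformat(ts) <= now:
            continue  # the map only covers today, up to the current time
        outbound[country_of(src)][src] += 1
        inbound[country_of(dst)][dst] += 1
    i, o = inbound[country], outbound[country]
    return {"total": sum(i.values()) + sum(o.values()),
            "inbound": sum(i.values()), "outbound": sum(o.values()),
            "top_inbound": i.most_common(top),
            "top_outbound": o.most_common(top)}

if __name__ == "__main__":
    for name in ("Country-A", "Country-B", UNKNOWN):
        print(name, country_view(EVENTS, NOW, name))
```

A large UNKNOWN_COUNTRY bucket in such a cross-check usually points at internal (private) sources or destinations rather than a geolocation failure, which is worth separating out before reading the per-country totals.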
Field Descriptions
Table 1 displays the fields of the Threats Map (Live) page.
Field | Description |
---|---|
Total Threats Blocked & Allowed | Displays the total number of threats blocked and allowed. Click the hyperlinked number to go to the All Events (Monitor > Logs > All Events) page (filtered view of the Grid View tab), where you can view more information about the IPS, virus, spam, Juniper ATP Cloud, and screen events. |
Threats Blocked & Allowed | Displays the total number of threats blocked and allowed by the following categories: |
Top Destination Countries | Displays the top five destination countries and the number of threats per country. |
Top Source Countries | Displays the top five source countries and the number of threats per country. |
Threat Types
The Threats Map page displays blocked and allowed threat events based on feeds from IPS, antivirus, antispam engines, Juniper ATP Cloud, and screen options. Table 2 describes different types of threats blocked and allowed.
Attack | Description |
---|---|
IPS threat events | Intrusion detection and prevention (IDP) attacks detected by the IDP module. The information reported about the attack (displayed on the IPS (Monitor > Logs > Threats) page) includes information about: |
Virus | Virus attacks detected by the antivirus engine. The information reported about the attack (displayed on the Antivirus (Monitor > Logs > Threats) page) includes information about: |
Spam | E-mail spam that is detected based on the blacklist of spam e-mails. The information reported about the attack (displayed on the Antispam (Monitor > Logs > Threats) page) includes information about: |
Juniper ATP Cloud | Events that are detected based on Juniper ATP Cloud policies. The information reported about the attack (displayed on the Screen (Monitor > Logs > ATP) page) includes information about: |
Screen | Events that are detected based on screen options. The information reported about the attack (displayed on the Screen (Monitor > Logs > Threats) page) includes information about: |
Tasks You Can Perform
You can perform the following tasks from this page:
Toggle between updating the data and allowing live updates—Click the Pause icon to stop the page from updating the threat map data and to stop animations. Click the Play icon to update the page data and resume animations.
Zoom in and out of the page—Click the zoom in (+) and zoom out (–) icons to zoom in and out of the page.
Pan the page—Click and drag the mouse to pan the page.
View country-specific details:
Click a country on the threat map to view threat information specific to that country. A Country-Name pop-up appears displaying country-specific information.
Click View Details in the Country-Name pop-up to view additional details. The Country-Name (Details) panel appears.
Table 3 provides more details on the country-specific threat information.
Field | Description |
---|---|
Displayed in Country-Name pop-up | |
Number of threat events Threat Events since 12:00 am | Displays the total number of threat events (inbound and outbound) since midnight for that country. |
Inbound (Number of threat events) | Displays the total number of inbound threats for the country and the IP address and the number of events for that IP address for the top five inbound events. Click View All to view all the destination IP addresses with threat events count. |
Outbound (Number of threat events) | Displays the total number of outbound threats for the country and the IP address and the number of events for that IP address for the top five outbound events. Click View All to view all the source IP addresses with threat events count. |
View Details: Displayed in Country-Name (Details) panel | |
Number of threat events Threat Events since 12:00 am | Displays the total number of threat events (inbound and outbound) since midnight for that country. |
Number of Inbound Events | Displays the total number of inbound threats for the country and the number of inbound threat events for each of the following categories: Click Top 5 IP Addresses (Inbound) to view the IP address and the number of events for that IP address for the top five inbound events. Click View All IP Addresses to view all the destination IP addresses and number of events for that IP address. Note: You can view or select View All IP Addresses only after you click Top 5 IP Addresses (Inbound). |
Number of Outbound Events | Displays the total number of outbound threats for the country and the number of outbound threat events for each of the following categories: Click Top 5 IP Addresses (Outbound) to view the IP address and the number of events for that IP address for the top five outbound events. Click View All IP Addresses to view all the source IP addresses and number of events for that IP address. Note: You can view or select View All IP Addresses only after you click Top 5 IP Addresses (Outbound). |