Monitor Threats
You are here: Monitor > Logs > Threats.
Use the monitoring functionality to view the security threats. Threats are defined as any IPS, screen, security intelligence, antivirus, content filtering, or antispam.
Threat page is available on all the SRX Series Firewalls except the SRX5000 line of devices.
Table 1 describes the fields on the Threats page.
Field |
Description |
---|---|
Last |
Select the time from the list to view the activity that you are most interested in. Once the time is selected, all of the data presented in your view is refreshed automatically. You can also use Customize to set a custom date and click Apply to view the specified threats. |
Refresh |
Click the refresh icon to get the latest threat information. |
Show Hide Columns |
This icon is represented by three vertical dots. Enables you to show or hide a column in the grid. |
Export to CSV |
You can export the threats data to a comma-separated value (.csv) file. Select the three vertical dots on the right-side of the page and click Export to CSV. The CSV file is downloaded to your local machine. You can download only maximum of 100 sessions data. |
Filter Criteria |
Use the filter text box present above the table grid. The search includes the logical operators as part of the filter string. Note:
Starting in Junos OS 23.1R1 Release, J-Web supports the following operators:
J-web also supports Netmask when searching for IP addresses. In the filter text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not. The following filters are available:
|
X |
Click X to clear your search filter. |
Save Filter |
Click Save Filter to save filters after you specify the filtering criteria. To save a filter:
|
Load Filter |
Displays the saved filters list. Hover over the saved filter name to view the query expression. You can delete the saved filter using the delete icon. |
View Details |
When you hover over the PCAP file, a Detailed View icon appears before the PCAP file. Click the icon to view the log details on the Detailed Log View page. Click on the download icon on the Detailed Log View page to download the packet capture file. If the files are not available, the download fails and you will receive an error message. Note:
The download icon will only be available for the IPS attack logs. To view the packet capture data on the Threats page, ensure that attack logging notification is enabled. If not:
|
PCAP |
Click on the download icon to download the packet capture (PCAP) file of IPS attacks. Note:
The download icon appears only for the IPS attack logs. The PCAP file will be downloaded to your system from the /var/log/pcap/ folder. If the files are not available, the download fails and you will receive an error message. |
Time |
Displays the time when the threats log was received. |
Log Type |
Displays the threats log type. For example, IPS, Antivirus, Antispam, and so on. |
Name |
Displays the name of the event. |
Severity |
Displays the severity of the threat. |
Source Zone |
Displays the source zone of the threats. |
Source IP |
Displays the source IP address from where the threats log occurred. |
Source Port |
Displays the port number of the source. |
User |
Displays the username from whom the threat log is generated. |
Destination Zone |
Displays the destination zone of the threats. |
Destination IP |
Displays the destination IP of the threats occurred. |
Destination Port |
Displays the port number of the destination. |
Application |
Displays the nested application or application name from which the threats are generated. |
Action |
Displays the action taken from the threats. |
Session ID |
Displays the traffic session ID of the threats. |
Closure Reason |
Displays the reason for the session closure. |
Profile |
Displays the threat profile name. |
Category |
Displays the threat category. |
URL |
Displays the accessed URL name that triggered the event. |
Object |
Displays the object name of the threats. |
Destination Interface |
Displays the interface name of the destination. |
Source Interface |
Displays the interface name of the source. |
Policy |
Displays the policy name that triggered the threats log. |
Rule |
Displays the rule name of the threats log. |
Protocol |
Displays the protocol ID in the threats log. |
CVE-ID |
Displays the Common Vulnerabilities and Exposures (CVE) identifiers information for the threat. |
Elapsed Time |
Displays the time elapsed since the last time interval began. |
Packet Log ID |
Displays the packets ID received before and after the attack for further offline analysis of attacker behavior. |
XFF |
Displays X-Forwarded-For (XFF) header added to packets by a proxy server that includes the real IP address of the client making the request. |
File Name |
Displays the filename of the threats log. |
Argument |
Displays the arguments that are passed to an event when it is invoked from the threats log. |
Source Name |
Displays the name of the source from where threat is originated. |
Feed Name |
Displays the feed name of the threat detected. |
Count |
Displays the number of threats count. |
Message Type |
Displays the message type for the threat detected. |
HTTP Host |
Displays the host URL for the threat. |