- play_arrow Introduction
- play_arrow Dashboard
- play_arrow SRX Device Management
- play_arrow Devices
- Devices Overview
- Add Devices
- Enroll SRX Series Firewalls from ATP Cloud to Juniper Security Director Cloud
- Disenroll SRX Series Firewall from ATP Cloud
- Device Subscriptions
- Add Licenses
- Import Device Certificates
- Configure Security Logs
- Configuration Versions
- Out-of-Band Changes
- Resolve Out-of-Band Changes
- Resynchronize Devices
- Upgrade Devices
- Reboot Devices
- Delete Devices
- play_arrow Device Groups
- play_arrow Preprovision Profiles
- play_arrow Configuration Templates
- play_arrow Images
- play_arrow Security Packages
-
- play_arrow SRX Security Policy
- play_arrow SRX Security Policies
- play_arrow SRX Security Policy Rules
- Security Policy Rules Overview
- Security Policy Rule Analysis Overview
- Add and Manage Security Policy Rules
- Analyze Security Policy Rules
- Edit, Clone, and Delete a Security Policy Rule
- Reorder a Security Policy Rule
- Configure Default Rule Option
- Select a Security Policy Rule Source
- Select a Security Policy Rule Destination
- Select Applications and Services
- Common Operations on a Security Policy Rule
- Add SRX Policy Rules to Secure Edge Policy (From SRX Policy Page)
- play_arrow SRX Security Policy Versions
- play_arrow Device View
-
- play_arrow SRX Security Subsciptions
- play_arrow IPS Profiles
- play_arrow IPS Signatures
- play_arrow Content Security
- play_arrow Content Security Profiles
- play_arrow Web Filtering Profiles
- play_arrow Antivirus Profiles
- play_arrow Antispam Profiles
- play_arrow Content Filtering Profiles
- play_arrow Content Filtering Policies (New)
- play_arrow Decrypt Profiles
- play_arrow SecIntel
- play_arrow SecIntel Profiles
- play_arrow SecIntel Profile Groups
- play_arrow Anti-Malware
- play_arrow Secure Web Proxy
- play_arrow Flow-Based Antivirus
- play_arrow ICAP Redirect Profile
- play_arrow Metadata Streaming Policy
- Security Metadata Streaming Policies Overview
- Create and Manage Metadata Streaming Profiles
- Create and Manage Metadata Streaming Profiles to Detect all DNS Threats
- Create and Manage Metadata Streaming Profiles to Detect DGA-Based Threats
- Create and Manage Metadata Streaming Profiles to Detect DNS Tunnels
- Create and Manage Metadata Streaming Profiles to Detect all HTTP Threats
- Create and Manage Metadata Streaming Profiles to Detect Command-and-Control (C2) Communications
- Edit, Clone, or Delete Metadata Streaming Profile
- Create and Manage Metadata Streaming Rules
- Edit or Delete Metadata Streaming Rule
- Deploy Metadata Streaming Policy
- Import Metadata Streaming Policy and DNS Cache
- play_arrow DNS Filter
-
- play_arrow SRX IPSec VPN
- play_arrow IPsec VPNs
- IPsec VPN Overview
- Understanding IPsec VPN Modes
- Understanding IPsec VPN Routing
- Understanding IKE Authentication
- IPsec VPN Global Settings
- Create a Policy-Based Site-to-Site VPN
- Create a Route-Based Site-to-Site VPN
- Create a Hub-and-Spoke (Establishment All Peers) VPN
- Create a Hub-and-Spoke (Establishment by Spokes) VPN
- Create a Hub-and-Spoke Auto Discovery VPN
- Create a Remote Access VPN—Juniper Secure Connect
- Importing IPsec VPNs
- Deploy an IPsec VPN
- Modify IPsec VPN Settings
- Delete an IPsec VPN
- play_arrow VPN Profiles
- play_arrow Extranet Devices
-
- play_arrow SRX NAT
- play_arrow NAT Policies
- play_arrow NAT Pools
- Devices with NAT Policies
-
- play_arrow SRX Identity
- play_arrow JIMS
- play_arrow Active Directory
- play_arrow Access profile
- play_arrow Address Pools
-
- play_arrow Secure Edge Service Management
- Juniper Secure Edge Overview
- Service Locations Overview
- Create and Manage Service Locations
- Edit and Delete Service Locations
- Sites Overview
- Create and Manage Sites
- Create and Manage Bulk Sites
- Edit and Delete Sites
- About the IPsec Profiles Page
- Create and Manage IPsec Profiles
- Edit or Delete an IPsec Profile
- External Probe Overview
- play_arrow Secure Edge Security Policy
- Secure Edge Policy Overview
- Add and Manage Secure Edge Policy Rules
- Edit, Clone, and Delete a Secure Edge Policy Rule
- Reorder a Security Policy Rule
- Select a Secure Edge Policy Source
- Select a Secure Edge Policy Destination
- Select Applications and Services
- Common Operations on a Secure Edge Policy
- Deploy Secure Edge Policies
- Add SRX Policy Rules to Secure Edge Policy (From Secure Edge Policy Page)
- play_arrow Secure Edge Security Subscriptions
- IPS Policies Overview
- IPS Policies Overview
- Create and Manage IPS Rules
- Edit, Clone, and Delete IPS Rules
- Create and Manage Exempt Rules
- Edit, Clone, and Delete Exempt Rule
- Web Filtering Profiles Overview
- Web Filtering Profiles Overview
- Create and Manage Web Filtering Profiles
- Edit, Clone, and Delete a Web Filtering Profile
- CASB Overview
- CASB Profiles Overview
- Create and Manage CASB Profiles
- Edit and Delete a CASB Profile
- CASB Rules Overview
- Add and Manage CASB Profile Rules
- Edit and Delete a CASB Rule
- Application Instances Overview
- Create and Manage Application Instances
- Edit and Delete an Application Instance
- Application Tagging Overview
- Content Filtering Policies Overview
- Content Filtering Policies Overview
- Create and Manage Content Filtering Policies
- Add and Manage Content Filtering Policy Rules
- Edit and Delete a Content Filtering Policy
- Edit, Clone, and Delete a Content Filtering Policy Rule
- SecIntel Profiles Overview
- SecIntel Profiles Overview
- Create and Manage Command and Control Profiles
- Create and Manage DNS Profiles
- Create and Manage Infected Hosts Profiles
- Edit, Clone, and Delete SecIntel Profile
- SecIntel Profile Groups Overview
- Create and Manage SecIntel Profile Groups
- Edit, Clone, and Delete SecIntel Profile Group
- Anti-malware Profiles Overview
- About Anti-malware Profiles
- Create and Manage Anti-malware Profiles
- Edit, Clone, and Delete Anti-malware Profile
- Create a DNS Security Profile
- Create an Encrypted Traffic Insights Profile
- play_arrow Secure Edge Service Administration
- Certificate Management Overview
- Certificate Management Overview
- Generate and Manage Certificates
- Upload and Download a Certificate
- Regenerate and Delete a Certificate
- Add Juniper Clouds Root CA Certificate on Microsoft Windows
- Add Juniper Clouds Root CA Certificate on MacOS
- Add Juniper Clouds Root CA Certificate in Google Chrome
- Add Juniper Clouds Root CA Certificate in Mozilla Firefox
- Proxy Auto Configuration Files Overview
- Proxy Auto Configuration (PAC) Files Overview
- Edit, Clone, and Delete a Proxy Auto Configuration File
- Distribute a Proxy Auto Configuration File URL to Web Browsers
- Manually Add a Proxy Auto Configuration File URL to a Web Browser
- Configure an Explicit Proxy Profile
- Decrypt Profiles Overview
- Decrypt Profiles Overview
- Create and Manage Decrypt Profiles
- Edit, Clone, and Delete a Decrypt Profile
- play_arrow Secure Edge Identity
- End User Authentication Overview
- About the End User Authentication Page
- Add and Manage End User Profiles
- Create a SAML Profile
- Create an LDAPS Profile
- Manage the Hosted Database
- Edit and Delete an End User Profile
- Add and Manage Groups
- Edit and Delete a Group
- Juniper Identity Management Service Overview
- Juniper Identity Management Service Overview
- JIMS Collector Onboarding Overview
- Onboard JIMS Collector
- Create JIMS Collector Service Accounts
- Install JIMS Collector
- Configure JIMS Collector to Get Information from the Directory Service
- Configure JIMS Collector to Get Microsoft Event Logs
- Configure JIMS Collector to Probe Unknown IP Addresses
- Delete JIMS Collector
- Authentication Settings Overview
- Configure the Authentication Frequency
- play_arrow Secure Edge CASB and DLP
- play_arrow Shared Services Firewall Policies
- play_arrow Rule Options
- play_arrow Redirect Profiles
-
- play_arrow Shared Services Objects
- play_arrow Addresses
- play_arrow GeoIP
- play_arrow Services
- play_arrow Applications
- play_arrow Schedules
- play_arrow URL Patterns
- play_arrow URL Categories
- play_arrow SSL Initiation Profile
-
- play_arrow Shared Services Advanced Threat Prevention
- Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal
- Remove an SRX Series Firewall From Juniper Advanced Threat Prevention Cloud
- Search for SRX Series Firewalls Within Juniper Advanced Threat Prevention Cloud
- Device Information
- File Inspection Profiles Overview
- Create File Inspection Profiles
- Email Management Overview
- Configure SMTP Email Management
- Configure IMAP Email Management
- Adaptive Threat Profiling Overview
- Create an Adaptive Threat Profiling Feed
- Allowlists Overview
- Create Allowlists
- Blocklists Overview
- Create Blocklists
- SecIntel Feeds Overview
- Configure DAG Filter
- Global Configuration for Infected Hosts
- Enable Logging
- Configure Threat Intelligence Sharing
- Configure Trusted Proxy Servers
- Configure Webhook
- play_arrow Administration
- play_arrow Subscriptions
- play_arrow Users & Roles
- play_arrow Single Sign-On Configuration
- play_arrow Two-Factor Authentication
- play_arrow Audit Logs
- play_arrow Service Updates
- play_arrow Jobs
- play_arrow Data Management
- play_arrow Log Streaming
- play_arrow URL Recategorization
- play_arrow API Security
- play_arrow Organization
- play_arrow ATP Mapping
- play_arrow ATP Audit Logs
- play_arrow ATP Application Tokens
-
ON THIS PAGE
Threats Overview
To access this page, click Monitor > Logs > Threats.
Use the Threats page to view information about security events based on IPS policies. Analyzing IPS and Content Security logs yields useful security management information such as abnormal events, attacks, viruses, or worms.
The following examples indicate the types of logs that the Threats page displays:
AV_VIRUS_DETECETED
AV_FILE_NOT_SCANNED_DROPPED_MT, IDP_ATTACK_LOG_EVENT
CONTENET_FILETER_BLOCKED
ANTISPAM_SPAM_DETECTED_MT
RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG
SMS_MALICIOUS_VERDICT
ANTI_VIRUS_ACTION_LOG
Using the time-range slider, you can focus on the area of activity that interests you the most. Once the time range is selected, all the data presented in your view is refreshed automatically. You can also use the custom button to set a custom time range.
To view your data, either select the Summary View tab or the Detail View tab.
This information is sourced from IPS and Content Security features.
Summary View
The data presented in the area graph is refreshed automatically based on the selected time range. You can use widgets to view critical information such as IPS severities, top sources, top destinations, top reporting devices, top IPS attacks, top source countries, and top destination countries.
Table 1 provides guidelines on using the widgets on the Detail View page.
Field | Description |
|---|---|
IPS Severities | View the top IPS severities of the events based on the severity level—critical, high, medium. |
Top Sources | View the top source IP addresses of the network traffic sorted by the number of event occurrences. |
Top Destinations | View the top destination IP addresses of the network traffic sorted by the number of event occurrences. |
Top Reporting/Attacked Devices | View the top devices that are attacked by IPS events that are sorted by the number of times users are active on the network. |
Top IPS Attacks | View the top IPS attacks in the network traffic sorted by the times devices are attacked. |
Top Source Countries | View the top source countries from where the event source originated sorted by the number of IP addresses. |
Top Destination Countries | View the top destination countries from where the event source originated sorted by the number of IP addresses. |
Top Viruses | View viruses with the maximum number of blocks sorted by count. |
Top Spam by Source | View the number of spam detected by the source IP addresses. |
Detail View
You can sort the events using the Group By option. For example, you can sort the events that are based on threat severity. The table includes information such as the rule that caused the event, the severity for the event, the event ID, the traffic information, and how and when the event was detected.
Click Export Logs to download the event logs. The Export Logs to ZIP window opens. The data is downloaded in CSV format within a ZIP folder.
Table 2 provides guidelines on using the fields on the Detail View page.
Fields | Description |
|---|---|
Time | View the time when the traffic log was generated. |
Generated by | View the name of the user who generated the log. |
Event Name | View the event name of the traffic log. |
Attack Name | View the attack name of the log, such as Trojan, worm, and virus. |
Threat Severity | View the threat severity of the event. |
User Name | View the username. |
URL | View the accessed URL name that triggered the traffic log. |
Nested Application | View the name of the Layer 7 application. |
Action | View the action taken for the event—warning, allow, and block. |
Source IP | View the source IP address (IPv4 or IPv6) from where the event occurred. |
Destination IP | View the destination IP address (IPv4 or IPv6) of the event. |
Destination Port | View the destination port of the event. |
Received Time | View the time when the traffic log was received by Juniper Security Director Cloud. |
Policy Name | View the policy name in the log. |
Source Country | View the source country name from where the event originated. |
Destination Country | View the destination country name from where the event occurred. |
Source Port | View the source port of the event. |
Description | View the description of the log. |
Name | View the name of the event. |
Category | View the event category of the threat—Anti-spam, Anti-virus, Web-filtering, and IPS. |
Client Hostname | View the hostname of the client associated with the traffic that triggered the event. For example, if a specific computer is infected, the name of that computer is displayed. |
Event Category | View the event category of the traffic log—firewall or APPTRACK. |
Argument | View the type of traffic—FTP and HTTP. |
Application | View the name of the application associated with the traffic that triggered the event. |
Host Name | The hostname of the device where the log was generated. |
Service Name | View the name of the Layer 4 service used for the traffic that triggered the event, such as FTP, HTTP, and SSH. |
Source Zone | View the source zone of the site. |
Destination zone | View the destination zone of the site. |
Protocol ID | View the protocol ID of the traffic that triggered the event. |
Roles | View the role names associated with the event. |
Reason | View the reason for the log generation, such as unrestricted access. |
NAT Source Port | View the source port of traffic after NAT. |
NAT Destination Port | View the destination port of traffic after NAT. |
NAT Source Rule Name | View the source NAT rule name. |
NAT Destination Rule Name | View the destination NAT rule name. |
NAT Source IP | View the source IP address after the IP address translation. |
NAT Destination IP | View the destination IP address after the IP address translation. |
Traffic Session ID | View the session ID mapped by site to an event. |
Path Name | View the pathname of the log. |
Logical System Name | View the logical system name. |
Rule Name | View the rule name. |
Profile Name | View the name of the Web filtering profile that triggered the log. |
Malware Info | View information about the malware causing the event. |
Source VRF Group Name | View the source VRF group name that generated the event. |
Destination VRF Group Name | View the destination VRF group name that generated the event. |
Filename | View the name of the file flagged for viruses. |
File Category | View the file type that was flagged for viruses, such as a PDF, a Word document, or an executable file. |
Verdict Number | View the configured verdict threshold number of the file detected as a virus. |
Virus Info | View the total number of virus signature hits. |
Virus db Version | View the signature database version. |
