About the Threats Map (Live) Page

 

To access this page, select Monitor > Threats Map (Live) in Customer Portal.

Use this page to visualize incoming and outgoing threats between geographic regions. You can view blocked and allowed threat events based on feeds from intrusion prevention systems (IPS), antivirus, and antispam engines, unsuccessful login attempts, and screen options. You can also click a specific geographical location to view the event count and the top five inbound and outbound IP addresses.

The threat data is displayed starting from 12:00 AM (midnight) up to the current time (in your time zone) on that day and is updated every 30 seconds. The current date and time are displayed at the top right, and a legend is displayed at the bottom left of the page.

If a threat occurs when you are viewing the page, an animation shows the country from which the threat originated (source) and the country in which the threat occurred (destination).

Note: For threats with unknown geographical IP addresses (private IP addresses), the animation shows the threat originating from the bottom center of the geographical map.

Tasks You Can Perform

You can perform the following tasks from this page:

  • Pause or resume live updates—Click the Pause icon to stop the page from updating the threat map data and to stop animations. Click the Play icon to update the page data and resume animations.

  • Zoom in and out of the page—Click the zoom in (+) and zoom out (-) icons to zoom in and out of the page.

  • Pan the page—Click and drag the mouse to pan the page.

  • View country-specific details:

    • Click a country on the threat map to view threat information specific to that country. A Country-Name pop-up appears displaying country-specific information.

    • Click the View Details link in the Country-Name pop-up to view additional details. The Country-Name (Details) panel appears.

    For more information, see Table 1.

Table 1: Country-Specific Threat Information

| Field | Description | Displayed In |
| --- | --- | --- |
| Number-of-threat-events Threat Events since 12:00 am | Displays the total number of threat events (inbound and outbound) since midnight for that country. Click the hyperlinked number to go to the All Events page, where you can view more information about the events. | Country-Name pop-up |
| Inbound (Number-of-threat-events) | Displays the total number of inbound threats for the country, along with the IP address and number of events for each of the top five inbound IP addresses. | Country-Name pop-up |
| Outbound (Number-of-threat-events) | Displays the total number of outbound threats for the country, along with the IP address and number of events for each of the top five outbound IP addresses. | Country-Name pop-up |
| Number-of-threat-events Events since 12:00 am | Displays the total number of threat events (inbound and outbound) since midnight for that country. Click the hyperlinked number to go to the All Events page, where you can view more information about the events. | Country-Name (Details) panel |
| Number-of Inbound Events | Displays the total number of inbound threats for the country and the number of inbound threat events for each of the following categories: IPS Threats, Virus, Spam, Device Authentication, Screen. Click the hyperlinked number for a category to go to the page for that category, where you can view more information about that category. For example, clicking the hyperlinked number for IPS threats takes you to the IPS Events page. Click the Top 5 IP Addresses (Inbound) to view the IP address and the number of events for that IP address for the top five inbound events. | Country-Name (Details) panel |
| Number-of Outbound Events | Displays the total number of outbound threats for the country and the number of outbound threat events for each of the following categories: IPS Threats, Virus, Spam, Device Authentication, Screen. Click the hyperlinked number for a category to go to the page for that category, where you can view more information about that category. For example, clicking the hyperlinked number for screens takes you to the Screen Events page. Click the Top 5 IP Addresses (Outbound) to view the IP address and the number of events for that IP address for the top five outbound events. | Country-Name (Details) panel |

Field Descriptions

Table 2 describes the fields on the Threats Map (Live) page.

Table 2: Fields on the Threats Map (Live) Page

| Field | Description |
| --- | --- |
| Total Threats Blocked & Allowed | Displays the total number of threats blocked and allowed. Click the hyperlinked number to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events. |
| Threats Blocked & Allowed | Displays the total number of threats blocked and allowed by the following categories: IPS Threats, Virus, Spam, Device Authentication, Screen. Click the hyperlinked number for a category to go to the page for that category, where you can view more information about that category. For example, clicking the hyperlinked number for IPS threats takes you to the IPS Events page (filtered view of the Detail View tab). |
| Top Target Devices | Displays the top five targeted devices and the number of threats per device. Click the hyperlink for a device to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events for that device. |
| Top Destination Countries | Displays the top five destination countries and the number of threats per country. Click the hyperlink for a country to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events for that country. |
| Top Source Countries | Displays the top five source countries and the number of threats per country. Click the hyperlink for a country to go to the All Events page (filtered view of the Detail View tab), where you can view more information about the IPS, virus, spam, device authentication, and screen events for that country. Note: For threats with unknown geographical IP addresses (private IP addresses), the country name is displayed as Undefined. So, when you click the hyperlinked threat count and go to the All Events page, the filter query uses Undefined as the source country. |

Threat Types

The Threats Map (Live) page displays blocked and allowed threat events based on feeds from IPS, antivirus, and antispam engines, unsuccessful login attempts, and screen options. Table 3 describes different types of threats blocked and allowed.

Table 3: Types of Threats

| Attack | Description |
| --- | --- |
| IPS threat events | Intrusion detection and prevention (IDP) attacks detected by the IDP module. The information reported about the attack (displayed on the IPS Events page) includes information about: source of attack; destination of attack; type of attack; session information; severity; policy information that permitted the traffic; action (traffic permitted or dropped). |
| Virus events | Virus attacks detected by the antivirus engine. The information reported about the attack (displayed on the Antivirus Events page) includes information about: source of the infected file; destination; filename; URL used for accessing the file. |
| Spam events | E-mail spam that is detected based on the blocklist of spam e-mails. The information reported about the attack (displayed on the Antispam Events page) includes information about: source; action (e-mail is rejected or allowed); reason for identifying as e-mail spam. |
| Device authentications | The firewall authentication messages generated due to unauthorized attempts to access the network. The reported information (displayed on the All Events page) contains the reason for authentication failure and the source of the request. |
| Screen events | Events that are detected based on screen options. The information reported about the attack (displayed on the Screen Events page) includes information about: Internet Control Message Protocol (ICMP) screening; IP screening; TCP screening; UDP screening. |