Threat Monitoring Overview

You can monitor and get detailed information about all the top threats detected over time, by category and by technology. A threat is any IPS, antivirus, antispam, device authentication failure, screen, SecIntel, or Juniper Advanced Threat Prevention Cloud (Juniper ATP Cloud) event.

Using the time-frame slider, you can instantly focus on periods of unusual activity by dragging the slider to the interval of interest. The slider and the Custom button are available in both Summary View and Detailed View. Select the time range, then decide how to view the data using the Summary View or Detailed View tab.

You can change the time range by manually moving the time-frame slider in the widget provided or by clicking one of the predefined time ranges in the top right corner of the Threat Monitoring page. The data is reloaded automatically with the threats that occurred in the newly selected time range.

By default, data for all devices is shown. To view data for specific devices, click the link beside Devices and select one or more devices.

You can view, sort, search, and filter the threat information based on the following:

  • Source

  • Destination

  • Number of instances

  • Severity

  • Number of instances over time

  • How often the target is attacked

  • Severity by type of attack

  • Network attack interval over time

Summary View

Click Summary View for a brief summary of all the threats in the network.

The widgets in the Summary View display critical information such as top threats by incident count, top source countries, top targeted devices, top destination countries, top attackers, top source zones, and top destination zones.

The following options are available for viewing the widgets in Summary View:

  • Bubble Chart - When you select Bubble Chart, the incidents are indicated through color codes.

  • Bar Chart - When you select Bar Chart, the intensity of the incidents is indicated through bars.

  • Grid View - When you select Grid View, the data is shown in a tabular format.

See Table 1 for descriptions of the widgets in Summary view.

Table 1: Widgets in the Summary View

  • Top Threats by Incident Count: Displays all the threats ranked by incident count.

  • Top Source Countries: Displays the top five countries from which threats originate.

  • Top Targeted Devices: Displays the top five devices that are most frequently targeted.

  • Top Destination Countries: Displays the top five countries targeted by threats.

  • Top Attackers: Displays the top five attackers (source addresses) in the network.

  • Top Source Zones: Displays the top five zones from which threats originate.

  • Top Destination Zones: Displays the top five zones targeted by threats.

Detailed View

Click Detailed View for comprehensive details of threats in a tabular format with sortable columns. You can select specific parameters from the Group By drop-down menu and can also search and filter for a specific attribute or event from the search window provided. You can also drag and drop an event into the search window to apply it as a filter.

Select Show raw log from the More drop-down menu to view the real-time logs received for the selected event.

Select Show event details from the More drop-down menu to view the complete details of the logs for the selected event. You can view general information, source information, destination information, and security information for the logs.

Select Export to CSV from the grid settings pane to export and download the log data as a CSV file.

Select Show/Hide Columns from the grid settings pane to show or hide individual parameters in the grid.

See Table 2 for field descriptions in detail view.

Table 2: Fields in the Detailed View

  • Event Category: The event category of the threat (for example IPS, antivirus, antispam, or screen).

  • Attack Name: The name of the attack.

  • Virus Name: The name of the virus.

  • URL: The URL from which the threat originated.

  • Malware Info: Information about the malware.

  • Threat Severity: The severity level of the threat.

  • Source IP: The source IP address from which the threat originated.

  • Destination IP: The destination IP address of the threat.

  • Event Name: The event name of the threat.

  • Action: The action taken on the threat: deny, allow, or block.

  • Source Zone: The source zone of the threat.

  • Destination Zone: The destination zone of the threat.

  • Source Country: The country of the source IP address.

  • Destination Country: The country of the destination IP address.

  • Client Hostname: The host name of the client.

  • Service Name: The name of the application service.

  • User Name: The user name associated with the threat event.

  • Logical System Name: The name of the logical system.

  • Application: The application in which the threat was detected.

  • Nested Application: The nested application running over the parent application.

  • Source Port: The source port of the threat.

  • Destination Port: The destination port of the threat.

  • Rule Name: The name of the rule.

  • Profile Name: The name of the threat monitoring profile that triggered the event.

  • Roles: The role names associated with the threat.

  • Reason: The reason the threat event was generated.

  • NAT Source IP: The translated (NATed) source IP address; it can be an IPv4 or IPv6 address.

  • NAT Destination IP: The translated (NATed) destination IP address.

  • NAT Source Port: The translated source port.

  • NAT Destination Port: The translated destination port.

  • NAT Source Rule Name: The name of the source NAT rule.

  • NAT Destination Rule Name: The name of the destination NAT rule.

  • Hostname: The host name of the targeted device.

  • Traffic Session ID: The number that identifies the session.

  • Logical Subsystem Name: The name of the logical system in JSA logs.

  • Description: The description of the threat.

  • Policy Name: The name of the policy that triggered the event.

  • Log Source: The IP address of the log source.

  • Log Generated Time: The time when the log was generated on the device.

  • Log Received Time: The time when the log was received by the collector.
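The Summary View aggregations (top five by field, Table 1) and the Detailed View operations (time-range selection, filtering, Group By, Export to CSV, Table 2) are easy to reproduce offline over raw device logs, which is useful when you want to check what the page shows against the logs the devices actually sent. The following Python is an added example, not code from Security Director or Juniper. The sample records are constructed, and the process names, message tags, attribute names (RT_IDP, RT_IDS, RT_UTM, source-address, attack-name, threat-severity, and so on) and the category mapping are assumptions modelled on the structured key="value" syslog style of SRX logs, not taken from this page.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real device output) in the structured-syslog
# style: a header, then key="value" attributes in brackets. Process names,
# message tags and attribute names are assumptions for this example.
SAMPLE_LOGS = """\
<14>1 2024-03-01T10:00:01Z srx-edge-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="40211" destination-address="10.0.0.5" destination-port="443" source-zone-name="untrust" destination-zone-name="dmz" attack-name="HTTP:DIR-TRAVERSAL-SAMPLE" threat-severity="HIGH" action="DROP" policy-name="edge-idp"]
<14>1 2024-03-01T10:00:15Z srx-edge-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="40212" destination-address="10.0.0.5" destination-port="443" source-zone-name="untrust" destination-zone-name="dmz" attack-name="HTTP:DIR-TRAVERSAL-SAMPLE" threat-severity="HIGH" action="DROP" policy-name="edge-idp"]
<14>1 2024-03-01T10:02:30Z srx-edge-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="198.51.100.23" source-port="51000" destination-address="10.0.0.9" destination-port="80" source-zone-name="untrust" destination-zone-name="dmz" attack-name="HTTP:SQL-INJECTION-SAMPLE" threat-severity="MEDIUM" action="NONE" policy-name="edge-idp"]
<14>1 2024-03-01T10:05:00Z srx-edge-1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="203.0.113.7" destination-address="10.0.0.5" source-zone-name="untrust" interface-name="ge-0/0/0.0" action="drop"]
<14>1 2024-03-01T11:30:00Z srx-branch-2 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.129 source-address="192.0.2.44" destination-address="10.1.1.20" source-zone-name="untrust" destination-zone-name="trust" url="http://192.0.2.44/dl/sample.bin" virus-name="EICAR-Test-File" action="BLOCKED"]
<14>1 2024-03-01T11:45:00Z srx-branch-2 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="40300" destination-address="10.1.1.20" destination-port="22" source-zone-name="untrust" destination-zone-name="trust" attack-name="SSH:BRUTE-FORCE-SAMPLE" threat-severity="LOW" action="NONE" policy-name="branch-idp"]
"""

# Header: <pri>1 timestamp hostname process - tag [structured data]
HEADER_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) - (?P<tag>\S+) \[(?P<sd>.*)\]$')
KV_RE = re.compile(r'(?P<k>[\w.-]+)="(?P<v>[^"]*)"')
# Assumed mapping from the logging process to the page's Event Category.
CATEGORY_BY_PROCESS = {"RT_IDP": "IPS", "RT_IDS": "Screen", "RT_UTM": "Antivirus"}


def parse_time(stamp):
    """Parse an RFC 3339 timestamp such as 2024-03-01T10:00:01Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_log(line):
    """Parse one structured-syslog line into a flat dict, or None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {
        "log_generated_time": parse_time(m["ts"]),
        "hostname": m["host"],  # the targeted device
        "event_name": m["tag"],
        "event_category": CATEGORY_BY_PROCESS.get(m["proc"], "Other"),
    }
    rec.update(KV_RE.findall(m["sd"]))  # key="value" pairs become dict entries
    return rec


def load(text):
    return [r for r in map(parse_log, text.splitlines()) if r]


def in_time_range(records, start, end):
    """Time-frame slider: keep events generated in [start, end)."""
    return [r for r in records if start <= r["log_generated_time"] < end]


def filter_records(records, **criteria):
    """Detailed View filter: every given field must equal the given value (exact, case-sensitive)."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def group_by(records, field):
    """Detailed View Group By: records lacking the field land under the empty key."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get(field, "")].append(r)
    return dict(groups)


def top_n(records, field, n=5):
    """Summary View widget: the n most frequent values of a field, skipping
    records that lack it (a screen log has no destination zone, for example)."""
    return Counter(r[field] for r in records if field in r).most_common(n)


def summary_view(records):
    return {
        "Top Threats by Incident Count": top_n(records, "attack-name"),
        "Top Attackers": top_n(records, "source-address"),
        "Top Targeted Devices": top_n(records, "hostname"),
        "Top Source Zones": top_n(records, "source-zone-name"),
        "Top Destination Zones": top_n(records, "destination-zone-name"),
    }


def export_csv(records, fields):
    """Export to CSV: one row per event, one column per requested field; missing fields stay empty."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", restval="")
    w.writeheader()
    for r in records:
        w.writerow({**r, "log_generated_time": r["log_generated_time"].isoformat()})
    return buf.getvalue()


if __name__ == "__main__":
    recs = load(SAMPLE_LOGS)
    for widget, rows in summary_view(recs).items():
        print(widget, rows)
    print(export_csv(recs, ["log_generated_time", "hostname", "source-address", "attack-name", "action"]))
```

Two points the sample data is built to show. First, filtering is exact and case-sensitive: the IDP record carries action="DROP" while the screen record carries action="drop", so a filter on one does not return the other; expect the same kind of mismatch when filtering across event categories in the Detailed View, and use Group By on Action first to see which spellings are present. Second, the example keeps only the device's own timestamp; when the collector also records arrival time (the page's Log Received Time), comparing the two per device is the quickest way to spot clock skew or delayed forwarding, which otherwise shifts events out of the time window you selected with the slider.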