Threat Map Overview

 

The threat map shows, on a world map, the geographic regions associated with incoming and outgoing threat traffic. Blocked and allowed threat events are drawn from the IPS, antivirus, and antispam engines, and unsuccessful login attempts on the managed devices are also shown. Clicking a geographic location displays the event count for each attack object, which helps you spot unusual activity that may indicate an attack in progress. If your firewall devices are deployed around the globe, the threat map lets you identify the country from which your devices are attacked most.

Note

The devices can be root device, logical systems (LSYS), or tenant systems (TSYS).

Threats are color-coded by type, with the legend shown at the bottom of the page. You also get a quick view of the total number of threats blocked and allowed, the individual blocked and allowed counts for each event type, and the top targeted devices, top destination countries, and top source countries.

You can click any individual source or destination point on the map to review the threat events associated with it, including the number of threat events, the type of threat, the time of the events, the source IP, and the destination IP. To analyze an attack further, click the attack type to open the filtered list of matching events in Event Viewer.

Starting in Junos Space Security Director Release 16.1, you can click a country on the threat map to open that country's page. The page shows the total number of threat events since midnight, followed by the inbound and outbound threat events and the top five inbound and outbound IP addresses. You can also list all IP addresses and block one or more of them, and you can block all traffic for the selected country or only its inbound or outbound traffic.

Click View Details to see more details for the country in the right panel, including the total number of inbound and outbound threats for each event type.

Table 1 describes the types of threat events that are counted as blocked or allowed.

Table 1: Types of Threats

Attack / Description

IPS Threat Events

Intrusion detection and prevention (IDP) attacks detected by the IDP module. The information reported about the attack includes:

  • Source of the attack
  • Destination of the attack
  • Type of attack
  • Session information
  • Severity
  • Policy information that permitted the traffic
  • Action: traffic permitted or dropped

Spam Events

E-mail spam detected by matching messages against a spam blocklist. The information reported about the attack includes:

  • Source
  • Action: e-mail rejected or allowed
  • Reason the e-mail was identified as spam

Virus Events

Virus attacks detected by the antivirus engine. The information reported about the attack includes:

  • Source of the infected file
  • Destination
  • Filename
  • URL used to access the file

Device Authentications

Firewall authentication messages generated by unauthorized attempts to access the network. The reported information includes the reason for the authentication failure and the source of the request.

Screen

A threat detected by the screen options on SRX Series devices. The information reported about the attack includes:

  • Attack name
  • Action taken
  • Source of the attack
  • Destination of the attack

ATP Cloud

A threat detected by SRX Series devices in collaboration with ATP Cloud software. The information reported about the attack includes:

  • Malware name
  • Action taken
  • Infected host
  • Source of the attack
  • Destination of the attack

Note

Threats whose source or destination IP address cannot be mapped to a geographic location are displayed as undefined.
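The aggregation the threat map performs, reproduced offline as an added example (this is not Security Director code): parse threat events written in the key="value" structured-syslog style that SRX Series devices emit, look up each source address in a GeoIP table, and count blocked and allowed events per source country and per attack object. The sample log lines, the prefix-to-country table, and the set of actions treated as "blocked" are all constructed for the example and are not verbatim device output; addresses with no GeoIP entry are reported as undefined, matching the note above.

```python
"""Aggregate SRX threat events by source country, the way the threat map does.

Added example; not Junos Space Security Director code. Log lines, the GeoIP
stand-in and the blocked-action set are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed GeoIP stand-in: prefix -> ISO country code. A real deployment
# would query a GeoIP database instead of this table.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}

# Constructed sample events in key="value" structured-syslog style.
# Field names mirror common SRX fields but the lines are not real device output.
SAMPLE_LOGS = [
    'RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="192.0.2.10" '
    'destination-address="10.0.0.5" attack-name="HTTP:XSS:GENERIC" action="DROP" threat-severity="HIGH"]',
    'RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="192.0.2.11" '
    'destination-address="10.0.0.5" attack-name="HTTP:SQL:INJ" action="NONE" threat-severity="MEDIUM"]',
    'ANTIVIRUS - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.129 source-address="203.0.113.7" '
    'destination-address="10.0.0.9" filename="invoice.exe" action="DROP"]',
    'RT_SCREEN - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 source-address="198.51.100.3" '
    'destination-address="10.0.0.5" attack-name="TCP port scan" action="DROP"]',
    # Private source address: no GeoIP entry, so it lands in "undefined".
    'RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 source-address="10.20.30.40" '
    'destination-address="10.0.0.5" attack-name="SMB:AUDIT" action="DROP" threat-severity="LOW"]',
]

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Constructed assumption: which action values count as "blocked".
BLOCKED_ACTIONS = {"DROP", "CLOSE", "REJECT", "BLOCK"}


def parse_event(line):
    """Return the key="value" fields of one line plus its event name."""
    head, _, body = line.partition("[")
    fields = dict(KV_RE.findall(body))
    parts = head.split(" - ")
    fields["event"] = parts[1].strip() if len(parts) > 1 else head.strip()
    return fields


def country_of(ip_str):
    """Map an address to a country; 'undefined' if unparseable or not in the table."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "undefined"
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "undefined"


def aggregate(lines):
    """Count blocked/allowed events per source country and per attack object."""
    by_country = defaultdict(Counter)
    by_attack = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        verdict = "blocked" if ev.get("action", "").upper() in BLOCKED_ACTIONS else "allowed"
        by_country[country_of(ev.get("source-address", ""))][verdict] += 1
        # Attack object: IDP/screen attack name, AV filename, else the event name.
        name = ev.get("attack-name") or ev.get("filename") or ev["event"]
        by_attack[name][verdict] += 1
    return by_country, by_attack


def totals(by_country):
    """Overall blocked and allowed counts, as shown at the top of the map."""
    blocked = sum(c["blocked"] for c in by_country.values())
    allowed = sum(c["allowed"] for c in by_country.values())
    return blocked, allowed


def top_source_countries(by_country, n=5):
    """Rank countries by total events, like the map's 'top source countries'."""
    ranked = sorted(by_country.items(), key=lambda kv: -sum(kv[1].values()))
    return [(cc, sum(c.values())) for cc, c in ranked[:n]]


if __name__ == "__main__":
    by_country, by_attack = aggregate(SAMPLE_LOGS)
    print("blocked/allowed:", totals(by_country))
    print("top source countries:", top_source_countries(by_country))
    for name, counts in by_attack.items():
        print(f"{name}: {dict(counts)}")
```

The "undefined" bucket is worth watching in practice: a large share of events landing there usually means the GeoIP data is stale or that internal (RFC 1918) sources are being fed into the map, not that an unknown country is attacking you.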

Release History Table

Release: 16.1
Description: Starting in Junos Space Security Director Release 16.1, you can click a country on the threat map to bring up the respective country page.