Threat Monitoring Overview
You can monitor and get detailed information about all the top threats detected over time, by category and by technology. Threats are defined as any IPS, antivirus, antispam, device authentication failure, screen, SecIntel, or Juniper Advanced Threat Prevention Cloud (Juniper ATP Cloud) event.
Using the time-frame slider, you can instantly focus on areas of unusual activity by dragging the slider to the area of interest. The slider and the Custom button are available in both Summary View and Detailed View. You can select the time range and decide how to view the data using the Summary View or Detail View tabs.
You can change the time range by manually moving the time-frame slider in the widget provided or by clicking the predefined time ranges available in the top right corner of the Threat Monitoring page. The data will be automatically reloaded with threats that occurred in the newly selected time range.
By default, you can view data for all the devices. To view data for a specific device, click on the link beside Devices and select one or more devices.
You can view, sort, search, and filter the threat information based on the following:
Number of instances
Number of instances over time
How often the target is attacked
Severity by type of attack
Network attack interval over time
Click Summary View for a brief summary of all the threats in the network.
The widgets in the Summary view display critical information such as top threats by incident count, top source countries, top targeted devices, top destination countries, top attackers, top source zones, and top destination zones.
The following options are available for viewing the widgets in Summary view:
Bubble Chart - When you select Bubble Chart, the incidents are indicated through color codes.
Bar Chart - When you select Bar Chart, the intensity of the incidents is indicated through bars.
Grid View - When you select Grid View, the data is shown in a tabular format.
See Table 1 for descriptions of the widgets in Summary view.
Table 1: Widgets in the Summary View
Top Threats by Incident Count - Displays all the threats by incident count.
Top Source Countries - Displays the top five source countries under threat.
Top Targeted Devices - Displays the top five devices that are most likely to be under threat.
Top Destination Countries - Displays the top five destination countries under threat.
Top Attackers - Displays the top five attackers in the network.
Top Source Zones - Displays the top five source zones under threat.
Top Destination Zones - Displays the top five destination zones under threat.
Click Detail View for comprehensive details of threats in a tabular format with sortable columns. You can select specific parameters from the Group By drop-down menu, and you can search for and filter a specific attribute or event from the search window provided. You can also drag and drop an event into the search window to apply it as a filter.
Select Show raw log from the More drop-down menu to view the real-time logs received for the selected event.
Select Show event details from the More drop-down menu to view the complete details of the logs for the selected event. You can view the general information, source information, destination information, and security information of the logs.
Select the Export to CSV option from the grid settings pane to export and download the log data as a CSV file.
Select Show Hide Columns from the grid settings pane to show or hide columns in the grid.
See Table 2 for descriptions of the fields in Detail view.
Table 2: Fields in the Detailed View
The event category of the threat.
The attack name of the threat.
The name of the virus.
The URL from which the threat was generated.
Information about the malware.
The severity level of the threat.
The source IP address from which the threat originated.
The destination IP address of the threat.
The event name of the threat.
The action taken on the threat: deny, allow, or block.
The source zone of the threat.
The destination zone of the threat.
The source country name.
The destination country name of the threat.
The host name of the client.
The name of the application service.
The user name associated with the threat event.
Logical System Name - The name of the logical system.
The application name from which the threats are generated.
The nested application that is running over the parent application.
The source port of the threat.
The destination port of the threat.
The name of the rule.
The name of the threat monitoring profile that triggered the event.
The role names associated with the threat.
The reason for the generation of the threat.
NAT Source IP - The translated (also called natted) source IP address. It can contain an IPv4 or IPv6 address.
NAT Destination IP - The translated (also called natted) destination IP address.
NAT Source Port - The translated source port.
NAT Destination Port - The translated destination port.
NAT Source Rule Name - The NAT source rule name.
NAT Destination Rule Name - The NAT destination rule name.
The host name of the targeted device.
Traffic Session ID - The number that identifies the session.
Logical Subsystem Name - The name of the logical system in JSA logs.
The description of the threat.
The policy name that triggered the event.
The IP address of the log source.
Log Generated Time - The time when the log was generated.
Log Received Time - The time when the log was received.
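The Summary view widgets in Table 1 are simply counts over the same event rows that the Detail view lists and that Export to CSV writes out, after the time-frame slider and the Devices selector have been applied. The following Python script is an added example, not Juniper's code: it loads a constructed CSV export whose column names are assumptions derived from the Table 2 field descriptions (the real export header may differ), applies a time-range and device filter equivalent to the slider and the Devices link, and recomputes the top-five widgets (top threats by incident count, top source and destination countries, top targeted devices, top attackers, top source and destination zones) so an analyst can reproduce the dashboard offline from an exported file.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of a CSV export. The column names are ASSUMED from the
# field descriptions in Table 2; they are not Juniper's actual export header.
SAMPLE_CSV = """\
log_generated_time,event_category,attack_name,severity,source_ip,destination_ip,source_country,destination_country,source_zone,destination_zone,host_name,action
2024-05-01T10:00:00Z,IPS,HTTP:EXPLOIT:GENERIC,high,203.0.113.5,192.0.2.10,US,DE,untrust,trust,fw-edge-1,deny
2024-05-01T10:01:00Z,IPS,HTTP:EXPLOIT:GENERIC,high,203.0.113.5,192.0.2.11,US,DE,untrust,trust,fw-edge-1,deny
2024-05-01T10:02:00Z,Antivirus,EICAR-Test-File,medium,198.51.100.7,192.0.2.10,FR,DE,untrust,dmz,fw-edge-2,block
2024-05-01T11:00:00Z,Screen,TCP-SYN-FLOOD,critical,203.0.113.9,192.0.2.12,US,DE,untrust,trust,fw-edge-1,deny
2024-05-01T11:30:00Z,IPS,HTTP:EXPLOIT:GENERIC,high,203.0.113.5,192.0.2.10,US,DE,untrust,trust,fw-edge-1,deny
2024-05-01T12:00:00Z,Antispam,SPAM:BLOCKLIST,low,198.51.100.8,192.0.2.20,FR,DE,untrust,dmz,fw-edge-2,allow
"""

# Widget name -> assumed CSV column it is counted over (mirrors Table 1).
WIDGETS = {
    "Top Threats by Incident Count": "attack_name",
    "Top Source Countries": "source_country",
    "Top Targeted Devices": "host_name",
    "Top Destination Countries": "destination_country",
    "Top Attackers": "source_ip",
    "Top Source Zones": "source_zone",
    "Top Destination Zones": "destination_zone",
}


def parse_time(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(csv_text):
    """Read exported rows into dicts, converting the log generated time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["log_generated_time"] = parse_time(row["log_generated_time"])
        events.append(row)
    return events


def filter_time_range(events, start, end):
    """Keep events whose log generated time lies in [start, end]; this is
    the effect of moving the time-frame slider or picking a preset range."""
    return [e for e in events if start <= e["log_generated_time"] <= end]


def filter_devices(events, host_names=None):
    """Keep events from the selected devices. None means all devices,
    which is the default on the Threat Monitoring page."""
    if host_names is None:
        return list(events)
    return [e for e in events if e["host_name"] in host_names]


def top_n(events, column, n=5):
    """Rank the values of one column by incident count, highest first."""
    return Counter(e[column] for e in events).most_common(n)


def summary_view(events, n=5):
    """Compute every Table 1 widget over the given (already filtered) events."""
    return {name: top_n(events, column, n) for name, column in WIDGETS.items()}


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    start = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    end = datetime(2024, 5, 1, 11, 59, tzinfo=timezone.utc)
    selected = filter_devices(filter_time_range(events, start, end))
    for widget, ranking in summary_view(selected).items():
        print(widget)
        for value, count in ranking:
            print(f"  {value}: {count}")
```

Because the filters are plain functions over the row list, the same script can reproduce a Detail view filter (for example, only rows whose action is deny) by adding one more list comprehension before calling summary_view, which is useful when validating that a dashboard widget and an exported file agree for a given time range.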