System Information and Updates

Checking Appliance Health

Click the System Health dropdown to view real-time operational status for the Juniper ATP Appliance inspection and detection engines.

Internet: Internet connection status.

Behavior Engine: Core behavior analysis engine status.

Static Engine: Static analysis engine status.

Correlation: Hierarchical Reasoning Engine (HRE) machine learning component status.

Web Collectors: Web Collectors status; displayed only if distributed Web Collector devices are enabled.

Note:

If the current system is an All-in-One and no additional Collector device is configured, the Web Collectors item is absent from the dropdown menu.

Secondary Cores: Secondary Cores status; displayed only if distributed Mac Mini Secondary or Windows Secondary Core devices are enabled.

System Dashboard

The System Dashboard is also available from the Dashboard tab, for monitoring system inspection and detection metrics.

The System Dashboard includes metrics for the following:

  • Scanned Traffic Objects/Offered Traffic Objects

  • Core Utilization (Windows and Mac OSX)

  • Objects Processed

  • Average Analysis Time (in Minutes) (Windows and Mac OSX)

  • Malware Objects

System Charts can be displayed for:

Last 24 Hours | Last Week | Last Month | Last 3 Months | Last Year

Collectors Dashboard

The Collectors Dashboard is another dashboard available from the Dashboard tab.

The Collectors Dashboard provides Trend displays for the following collector inspection and analysis metrics (selected from the Trend dropdown menu):

  • Total Traffic (Mbps)

  • CPU Usage

  • Memory Usage

  • Found Objects

  • Malware Objects

System Charts can be displayed for:

Last 24 Hours | Last Week | Last Month | Last 3 Months | Last Year

The Collectors Dashboard Summary table provides configured and statistical information in the following columns:

Table 1: Collectors Dashboard Summary

Plot: Click to display one or more plots for comparison in the graph above; each selected plot line is drawn in its own color.

Collector Name: Name of the installed Traffic Collector.

IP Address: IP address of the Collector.

Memory: Memory usage statistics.

CPU: CPU usage statistics.

Disk: Disk usage.

Total Traffic: Total traffic scanned, in Kbps or Mbps.

Objects: Objects analyzed.

Malware Objects: Malware objects detected.

Last Malware Seen: Last malware incident detected and analyzed.

Status: Time of the last status check on the Collector (for example, "83 seconds ago").

Enabled: A green checkmark indicates that the Collector is currently enabled; a red X indicates that the Collector is disabled or offline.

Upgrading Juniper ATP Appliance Software and Security Content

Upgrading of software and security content is automatic when configured from the Central Manager Web UI Config>System Settings>System Settings page.

  • To enable automatic upgrades, check the “Software Update Enabled” and/or “Content Update Enabled” options on the System Settings page.

Ongoing updates take place on a regular schedule:

  • If enabled, the software and content update checks for available updates every 30 minutes.

  • The Core detonation engine image upgrade check occurs daily at midnight.

CEF Logging Support for SIEM

Juniper ATP Appliance’s detection of malicious events generates incident and alert details that can be sent to connected SIEM platforms in CEF format via UDP.

Note:

Refer to the Juniper ATP Appliance CEF Logging Support for SIEM document, which focuses on CEF outputs for SIEM mapping and integration. Juniper ATP Appliance also provides JSON-based HTTP API results and ASCII TEXT notifications that are not discussed in this guide.

The Juniper ATP Appliance Central Manager WebUI Config>Notifications>SIEM Settings page provides the option to configure event and system audit notifications for SYSLOG or CEF-based SIEM servers. The servers, in turn, must be configured to receive the Juniper ATP Appliance notifications in CEF format.

syslog Trap Sink Server

When configuring the Juniper ATP Appliance to generate alert notifications in syslog format, an administrator must first confirm syslog trap-sink support on the receiving SIEM server. The syslog output is available for parsing only on the syslog server; it cannot be viewed from the Juniper ATP Appliance CLI or Web UI.

CEF Format

Common Event Format (CEF) is an open standard, syslog-based log format for log management and interoperability of security-related information from different devices, network appliances and applications. Juniper ATP Appliance adopts this open log format for sending malware event notifications to the configured channel.

The standard CEF format is:

CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

The Juniper ATP Appliance CEF format follows this structure; the appliance-specific header values and extension fields are documented in the Juniper ATP Appliance CEF and Syslog Support for SIEM guide.

The CEF format carries the most relevant malware event information, making it available for event consumers to parse and use the data interoperably. To integrate events, the syslog message format is used as the transport mechanism: each message carries a common syslog prefix containing the date and hostname, followed by the CEF record.

[Figure: the common syslog prefix as shown in Splunk]

Definitions for the primary CEF fields as well as the CEF Extensions are provided and detailed in the Juniper ATP Appliance CEF and Syslog Support for SIEM guide.
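The parsing that a SIEM (or a custom syslog receiver) has to do on these messages, as an added example that is not Juniper's code and does not reproduce the appliance's exact output: it strips the syslog prefix, splits the seven pipe-delimited CEF header fields while honouring the backslash escapes the CEF standard defines for pipe and backslash, and then breaks the extension into key=value pairs whose values may contain spaces and escaped equals signs. The sample lines are constructed; the vendor, product, signature IDs and extension values in them are placeholders, not field values the appliance actually emits.

```python
"""Parse CEF-over-syslog notifications of the kind a SIEM receives.

Added example. The sample records below are constructed for illustration and
the vendor/product/signature strings are placeholders, not real appliance output.
"""
import re
from typing import Any, Dict, List

# Constructed sample input: BSD-syslog prefix (optional <PRI>, timestamp, hostname)
# followed by a CEF record. Raw strings keep the CEF escapes (\| \= \\) intact.
SAMPLE_LINES = [
    r"Jan 12 10:15:32 atp-core-1 CEF:0|ExampleVendor|ExampleATP|5.0.3|malware.download|Malicious file download|8|src=10.1.2.3 dst=203.0.113.7 spt=51234 dpt=443 fname=invoice.pdf.exe suser=jdoe cs1Label=Threat cs1=Trojan.Generic",
    r"Jan 12 10:16:05 atp-core-1 CEF:0|ExampleVendor|ExampleATP|5.0.3|audit.login|Admin login|3|suser=admin msg=Login succeeded for user\=admin from 192.0.2.10 act=allow",
    r"<134>Jan 12 10:17:44 atp-core-1 CEF:0|ExampleVendor|ExampleATP|5.0.3|policy.match|Policy A\|B|5|src=10.1.2.4 dir=C:\\quarantine",
]

_SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                 # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"       # BSD timestamp
    r"(?P<host>\S+) +"                                          # hostname
    r"(?P<cef>CEF:.*)$",
    re.DOTALL,
)
# An extension key is an alphanumeric run that starts the string or follows
# whitespace and is immediately followed by an unescaped '='.
_EXT_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _split_header(record: str) -> List[str]:
    """Return the 7 unescaped header fields plus the raw extension string.
    In the header a backslash escapes the next character (a pipe or a backslash)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):   # escaped character, keep literally
            buf.append(record[i + 1])
            i += 2
        elif ch == "|":                           # unescaped field delimiter
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields + [record[i:]]                  # everything after the 7th pipe


def _unescape_extension(value: str) -> str:
    """Undo extension escapes: backslash-equals, double backslash, \\n and \\r."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_EXT_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces, so each value runs up to the start of the next key."""
    matches = list(_EXT_KEY.finditer(ext))
    result: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_extension(ext[m.end():end].rstrip())
    return result


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF record into a flat dict plus extensions."""
    m = _SYSLOG_PREFIX.match(line)
    if m:
        pri, ts, host, record = m.group("pri"), m.group("ts"), m.group("host"), m.group("cef")
    else:                                         # no recognisable prefix: locate the record
        start = line.find("CEF:")
        if start < 0:
            raise ValueError("no CEF record in line")
        pri, ts, host, record = None, None, None, line[start:]
    *header, ext = _split_header(record.rstrip("\r\n"))
    if not header[0].startswith("CEF:"):
        raise ValueError("missing CEF version field")
    rec: Dict[str, Any] = dict(zip(HEADER_FIELDS, header))
    rec["cef_version"] = header[0][len("CEF:"):]
    rec["severity"] = int(rec["severity"]) if rec["severity"].isdigit() else rec["severity"]
    rec.update(syslog_pri=int(pri) if pri else None, syslog_timestamp=ts,
               syslog_host=host, extensions=_parse_extension(ext))
    return rec


def labelled_extensions(rec: Dict[str, Any]) -> Dict[str, str]:
    """Resolve custom fields through their labels: cs1Label=Threat cs1=X -> {'Threat': 'X'}."""
    ext = rec["extensions"]
    return {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        r = parse_cef(sample)
        print(r["syslog_host"], r["signature_id"], r["severity"], r["extensions"], labelled_extensions(r))
```

The two escaping regimes are the point of the example: a naive `split("|")` breaks on an event name that legitimately contains a pipe (third sample), and a naive `split("=")` breaks on a message value that contains an escaped equals sign (second sample). Custom-string fields are only meaningful once paired with their `csNLabel` companion, which is what `labelled_extensions` does.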

Note:

The Username field is included in the SIEM logs when audit logs are sent.