
Monitor ATP

Select Monitor > Logs > ATP to open the ATP page. Analyzing the Juniper ATP logs yields information such as the malware name, the action taken, the infected host, and the source and destination of an attack.

Note:

The ATP page is available on all SRX Series devices except the SRX5000 line of devices.

Table 1 describes the fields on the ATP page.

Table 1: Fields on the ATP Page

Field

Description

Last

Select the time from the list to view the activity that you are most interested in. Once the time is selected, all of the data presented in your view is refreshed automatically.

You can also use Customize to set a custom date and click Apply to view the specified ATP logs.

Refresh

Click the refresh icon to get the latest ATP log information.

Show Hide Columns

This icon is represented by three vertical dots.

Enables you to show or hide a column in the grid.

Export to CSV

You can export the ATP log data to a comma-separated value (.csv) file.

Select the three vertical dots on the right side of the page and click Export to CSV. The CSV file is downloaded to your local machine. A maximum of 100 ATP log entries can be exported.
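As an added example (not Juniper's code), the following Python script loads a CSV exported from this page, checks whether the 100-entry export cap may have truncated the data, and groups files whose Verdict Number meets a threshold by the hosts that downloaded them. The column names follow Table 1; the sample rows, hash placeholders and the threshold value are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

EXPORT_CAP = 100  # the ATP page exports at most 100 log entries per CSV file

# Constructed sample export; column names follow the fields listed in Table 1.
# Hashes and addresses are placeholders, not real indicators.
SAMPLE_CSV = """\
Time,Log Type,Source IP,User,Hostname,Action,Verdict Number,Malware Info,Sample SHA256,File Name,File Category
2024-05-01 09:15:02,Malware event,10.1.1.20,alice,host-alice,log,8,Trojan.Generic,HASH-A,invoice.exe,executable
2024-05-01 09:16:40,Malware event,10.1.1.31,bob,host-bob,log,8,Trojan.Generic,HASH-A,invoice.exe,executable
2024-05-01 09:20:11,Malware event,10.1.1.45,carol,host-carol,permit,3,,HASH-B,notes.pdf,PDF
2024-05-01 09:21:05,Action,10.1.1.45,carol,host-carol,log and permit,,,,,
"""


def load_rows(text):
    """Parse an exported ATP CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def may_be_truncated(rows):
    """True when the export reached the 100-entry cap, so older events may be missing."""
    return len(rows) >= EXPORT_CAP


def verdict(row):
    """Verdict Number as an int, or None for rows without a file verdict (e.g. Action logs)."""
    value = (row.get("Verdict Number") or "").strip()
    return int(value) if value.isdigit() else None


def hosts_by_sample(rows, threshold):
    """Map each Sample SHA256 whose verdict is >= threshold (an assumed cut-off) to the
    sorted hostnames that downloaded it, so one sample seen on many hosts stands out."""
    seen = defaultdict(set)
    for row in rows:
        score = verdict(row)
        if score is not None and score >= threshold and row.get("Sample SHA256"):
            seen[row["Sample SHA256"]].add(row["Hostname"])
    return {sha: sorted(hosts) for sha, hosts in seen.items()}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("possible truncation:", may_be_truncated(rows))
    for sha, hosts in hosts_by_sample(rows, threshold=7).items():
        print(sha, "seen on", ", ".join(hosts))
```

Replace SAMPLE_CSV with the contents of a downloaded export to run the same triage on real data.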

Filter Criteria

Use the filter text box present above the table grid. The filter string can include logical operators. In the filter text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid.

The following filters are available:

  • Source IP

  • Destination IP

  • Session ID

  • Log type

  • User

  • Application

  • Source Zone

  • Destination Zone

  • Source Country

  • Destination Country

  • Source Port

  • Destination Port

  • Protocol

X

Click X to clear your search filters.

Save Filter

Click Save Filter to save filters after you specify the filtering criteria.

To save a filter:

  1. Enter the filter criteria you are looking for in the advanced search box.

  2. Click Save Filter.

  3. Enter a name for the filter and click the tick icon to save it.

Load Filter

Displays the saved filters list.

Hover over the saved filter name to view the query expression. You can delete the saved filter using the delete icon.

Time

Displays the time when the ATP log was received.

Log Type

Displays the ATP log type: Action, Malware event, SMTP action, and IMAP action.

Source Zone

Displays the source zone of the ATP log.

Source IP

Displays the source IP address of the traffic that generated the ATP log.

Source Port

Displays the port number of the source.

User

Displays the name of the user who downloaded the possible malware.

Destination Zone

Displays the destination zone of the ATP log.

Destination IP

Displays the destination IP address of the traffic that generated the ATP log.

Destination Port

Displays the destination port of the ATP log.

Application

Displays the application name from which the ATP logs are generated.

Action

Displays the action taken for the event: log, permit, or log and permit.

Session ID

Displays the session ID of the ATP log.

Policy

Displays the name of the policy that enforced this action.

List Hit

Displays the number of times the C&C server has attempted to contact hosts on your network.

URL

Displays the accessed URL name that triggered the event.

Sample SHA256

Displays the SHA-256 hash value of the downloaded file.

File Hash Lookup

Displays the hash of the file sent for matching against known malware.

File Name

Displays the name of the file, including the extension.

Protocol

Displays the protocol that the C&C server used to attempt communication.

File Category

Displays the type of file. Examples: PDF, executable, document.

Hostname

Displays the hostname of the device that downloaded the possible malware.

Verdict Number

Displays the score or threat level of the file.

Malware Info

Displays the malware name or brief description.

Send To

Displays the recipient email address.

Send From

Displays the sender email address.

Tenant ID

Displays the internal unique identifier of the tenant.