I'm working to get security alerts set up between an SRX340 and Eventlog Analyzer SIEM.
I've been getting alerts that look like this:
Alert Name : Default Threat,Event Name : Application Access Update,Message : Malicious Source(s) detected : 94.229.72.116
Log Message :
APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: xx.xx.1.93/64280->94.229.72.116/443 junos-https UNKNOWN UNKNOWN xxx.xxx.xxx.xxx/16925->94.229.72.116/443 source-nat-rule N/A 6 Managers trust untrust 57738 1(52) 0(0) 0 N/A N/A No ,Alert Severity : Critical
Actually, the recorded alert in the SIEM database starts with RT_FLOW.
For reference: from juniper.net:
APPTRACK_SESSION_VOL_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" category="Web" sub-category="Social-Networking"]
So, most of what I see in the alert is understandable. Sorry to bore you with those details. But there are a couple of important things that I don't understand:
where does the Alert Severity : Critical come from and why?
And,
where does "Malicious Source(s)" come from and why?
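As an added example (not part of the original post, and not Juniper's or the SIEM vendor's code), here is a Python parser for both forms of the message quoted above: the key="value" structured form from the Juniper documentation and the space-separated form the SIEM recorded. The positional field order is an assumption taken from the order in which the structured form lists its fields after the fixed "AppTrack volume update:" prefix; the two sample lines are constructed for the example, with the masked octets replaced by RFC 5737 documentation addresses.

```python
import re

# Constructed sample: the structured-syslog form, as in the Juniper doc excerpt.
# A few fields deliberately use curly quotes and a stray space, as the pasted
# doc text did, so the parser is shown tolerating them.
STRUCTURED_LINE = (
    'APPTRACK_SESSION_VOL_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" '
    'source-port="33040" destination-address="5.0.0.1" destination-port="80" '
    'service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" '
    'nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" '
    'nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" '
    'policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="28" packets-from-client="371" bytes-from-client="19592" '
    'packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" '
    'roles="DEPT1" encrypted="No" destination-interface-name=\u201dst0.0\u201d '
    'category=\u201d Web\u201d sub-category=\u201dSocial-Networking\u201d]'
)

# Constructed sample: the space-separated form as the SIEM stored it (RT_FLOW prefix),
# with the masked addresses replaced by RFC 5737 documentation addresses.
POSITIONAL_LINE = (
    'RT_FLOW: APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: '
    '192.0.2.93/64280->198.51.100.116/443 junos-https UNKNOWN UNKNOWN '
    '203.0.113.10/16925->198.51.100.116/443 source-nat-rule N/A 6 Managers trust untrust '
    '57738 1(52) 0(0) 0 N/A N/A No'
)

# key="value" pairs; straight or curly quotes, optional whitespace after the opening quote.
KV_RE = re.compile(r'([\w-]+)=["\u201d]\s*([^"\u201d]*)["\u201d]')


def parse_structured(line):
    """Parse the structured form into a dict of field name -> value."""
    return {key: value for key, value in KV_RE.findall(line)}


# Assumed order of the positional form: the structured form's field order, with the
# address/port pairs and the packets(bytes) counters each occupying a single token.
POSITIONAL_FIELDS = [
    'src-tuple', 'service-name', 'application', 'nested-application', 'nat-tuple',
    'src-nat-rule-name', 'dst-nat-rule-name', 'protocol-id', 'policy-name',
    'source-zone-name', 'destination-zone-name', 'session-id-32', 'client-counters',
    'server-counters', 'elapsed-time', 'username', 'roles', 'encrypted',
]


def _split_tuple(token, prefix):
    """'a/p->b/q' -> {prefix}source-address/port and {prefix}destination-address/port."""
    src, dst = token.split('->')
    src_addr, src_port = src.rsplit('/', 1)
    dst_addr, dst_port = dst.rsplit('/', 1)
    return {
        f'{prefix}source-address': src_addr, f'{prefix}source-port': src_port,
        f'{prefix}destination-address': dst_addr, f'{prefix}destination-port': dst_port,
    }


def _split_counters(token, side):
    """'packets(bytes)' -> packets-from-<side> and bytes-from-<side>."""
    match = re.fullmatch(r'(\d+)\((\d+)\)', token)
    if match is None:
        raise ValueError(f'bad counter token {token!r}')
    return {f'packets-from-{side}': match.group(1), f'bytes-from-{side}': match.group(2)}


def parse_positional(line):
    """Parse the space-separated form into the same field names as the structured form."""
    marker = 'AppTrack volume update:'
    start = line.find(marker)
    if start < 0:
        raise ValueError('not an APPTRACK_SESSION_VOL_UPDATE volume-update line')
    tokens = line[start + len(marker):].split()
    if len(tokens) != len(POSITIONAL_FIELDS):
        raise ValueError(f'expected {len(POSITIONAL_FIELDS)} tokens, got {len(tokens)}')
    fields = {}
    for name, token in zip(POSITIONAL_FIELDS, tokens):
        if name == 'src-tuple':
            fields.update(_split_tuple(token, ''))
        elif name == 'nat-tuple':
            fields.update(_split_tuple(token, 'nat-'))
        elif name == 'client-counters':
            fields.update(_split_counters(token, 'client'))
        elif name == 'server-counters':
            fields.update(_split_counters(token, 'server'))
        else:
            fields[name] = token
    return fields


def has_field(fields, name):
    """True if any parsed field name contains `name` (e.g. 'severity')."""
    return any(name in key for key in fields)


def positions_of(fields, address):
    """Field names whose value equals `address`, to see where an alerted IP sits."""
    return sorted(key for key, value in fields.items() if value == address)


if __name__ == '__main__':
    for line in (STRUCTURED_LINE, POSITIONAL_LINE):
        parsed = parse_structured(line) if line.startswith('APPTRACK') else parse_positional(line)
        print(parsed)
        print('severity in message:', has_field(parsed, 'severity'))
```

Run over the positional line, the parser shows two things worth checking before chasing the SIEM: the firewall message carries no severity, threat or reputation field of its own, and the address that the alert names as a malicious source sits in the message's destination-address and nat-destination-address positions. Both the "Critical" severity and the "Malicious Source(s)" label are therefore attached on the SIEM side, and that is where their origin has to be traced.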