In my opinion, best way is (which i use as well) ...
1. Define a default denying security policy at the bottom (i.e. low precedence in policy list), e.g.
set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match source-address any
set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match destination-address any
set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match application any
set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match then deny
set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match then log session-init
2. Log all denied traffic due to this security policy
set system syslog file Denied-Traffic any any
set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY
3. View log using "run show log Denied-Traffic"
regards