SRX Services Gateway


2 weeks ago

I'm working to get security alerts set up between an SRX340 and Eventlog Analyzer SIEM.

I've been getting alerts that look like this:

Alert Name : Default Threat,Event Name : Application Access Update,Message : Malicious Source(s) detected :

Log Message :
APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: xx.xx.1.93/64280-> junos-https UNKNOWN UNKNOWN> source-nat-rule N/A 6 Managers trust untrust 57738 1(52) 0(0) 0 N/A N/A No ,Alert Severity : Critical

Actually, the recorded alert in the SIEM database starts with RT_FLOW.


For reference: from
APPTRACK_SESSION_VOL_UPDATE [user@host. source-address="" source-port="33040" destination-address="" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="" nat-source-port="33040" nat-destination-address="" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" category="Web" sub-category="Social-Networking"]


So, most of what I see in the alert is understandable.  Sorry to bore you with those details.  But there are a couple of important things that I don't understand:

Where does "Alert Severity : Critical" come from, and why?


Where does "Malicious Source(s)" come from, and why?
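As an added example (my own code, not from the original post, Juniper or the SIEM vendor): a small Python parser for the structured-syslog APPTRACK_SESSION_VOL_UPDATE record quoted above. It splits the key="value" pairs, converts the counters to integers, and then checks what the SRX message itself contains. The sample line, the addresses, and the `user@host` SD-ID are constructed placeholders modelled on the post's reference record; the `threat_fields` check only reports what is present in the message, so an empty result shows that neither a severity nor a "malicious" verdict is carried in this log line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample message (added example; addresses, user, policy and the
# SD-ID "user@host" are placeholders, laid out like the post's reference record).
SAMPLE = (
    'APPTRACK_SESSION_VOL_UPDATE [user@host source-address="10.0.1.93" '
    'source-port="33040" destination-address="203.0.113.10" destination-port="80" '
    'service-name="junos-http" application="HTTP" '
    'nested-application="FACEBOOK-SOCIALRSS" nat-source-address="10.0.1.93" '
    'nat-source-port="33040" nat-destination-address="203.0.113.10" '
    'nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" '
    'protocol-id="6" policy-name="permit-all" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="28" packets-from-client="371" '
    'bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" '
    'elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" '
    'destination-interface-name="st0.0" category="Web" sub-category="Social-Networking"]'
)

# EVENT [sd-id key="value" ...]; search() so a syslog header / "RT_FLOW - " prefix
# in front of the event name is tolerated.
HEAD_RE = re.compile(r'(\w+)\s+\[([^\s\]]+)\s+([^\]]*)\]')
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Fields that are numeric in this record type; everything else stays a string.
COUNTERS = {
    "source-port", "destination-port", "nat-source-port", "nat-destination-port",
    "protocol-id", "session-id-32", "packets-from-client", "bytes-from-client",
    "packets-from-server", "bytes-from-server", "elapsed-time",
}


def parse_apptrack(line: str) -> Tuple[str, Dict[str, object]]:
    """Return (event_name, fields) for a structured-data AppTrack syslog line.

    Raises ValueError for the default (non-structured) format, which carries the
    same values positionally and needs a different parser."""
    m = HEAD_RE.search(line)
    if not m:
        raise ValueError("not a structured-data syslog message: %r" % line[:60])
    event, _sd_id, body = m.groups()
    fields: Dict[str, object] = {}
    for key, value in FIELD_RE.findall(body):
        fields[key] = int(value) if key in COUNTERS else value
    return event, fields


def threat_fields(fields: Dict[str, object]) -> List[str]:
    """Field names that look like a severity or threat verdict.

    For an APPTRACK_SESSION_VOL_UPDATE record this list is empty: the message is
    session accounting (who talked to whom, which app, how many bytes), so a
    severity or "malicious" label is not something this log line carries."""
    pat = re.compile(r"severity|threat|malicious|attack|reputation", re.I)
    return sorted(k for k in fields if pat.search(k))


def summarize(fields: Dict[str, object]) -> Dict[str, object]:
    """Reduce the record to what an analyst looks at first."""
    nat_applied = (
        fields["nat-source-address"] != fields["source-address"]
        or fields["nat-destination-address"] != fields["destination-address"]
        or fields["src-nat-rule-name"] != "N/A"
        or fields["dst-nat-rule-name"] != "N/A"
    )
    return {
        "flow": "%s:%s -> %s:%s" % (
            fields["source-address"], fields["source-port"],
            fields["destination-address"], fields["destination-port"]),
        "zones": "%s -> %s" % (fields["source-zone-name"], fields["destination-zone-name"]),
        "app": "%s/%s" % (fields["application"], fields["nested-application"]),
        "policy": fields["policy-name"],
        "user": fields["username"],
        "nat_applied": nat_applied,
        "bytes_total": fields["bytes-from-client"] + fields["bytes-from-server"],
        "packets_total": fields["packets-from-client"] + fields["packets-from-server"],
        "elapsed_s": fields["elapsed-time"],
    }


if __name__ == "__main__":
    event, fields = parse_apptrack(SAMPLE)
    print(event, summarize(fields))
    print("severity/threat fields in the SRX message:", threat_fields(fields) or "none")
```

Run against a line from the SIEM's raw-log store rather than the alert view: if the parsed record has no severity or threat field, the "Critical" and "Malicious Source(s)" labels were attached after the log left the SRX, and the place to look is the SIEM's correlation rule or list that produced the alert, not the firewall's AppTrack configuration. The message on the first alert (the "AppTrack volume update: ..." form) is the default, non-structured layout of the same record and makes `parse_apptrack` raise, which is the intended signal to switch the SRX to structured-data syslog or write a positional parser.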