Channel: SRX Services Gateway topics

Sky ATP/SRX security log AAMW_ACTION_LOG verdict-number = -1 meaning


We are using Sky ATP with our SRX 340 and I was curious about why a machine ended up on the Infected Hosts list. It was a false positive, but when I look at the security logs generated by the SRX, I see two entries for events AAMW_ACTION_LOG and they are in reference to the file that was downloaded. When I look at those messages, each has a verdict-number field that = -1. It's my understanding that the verdict should be somewhere between 1-10. What does the -1 mean? In Sky ATP the file shows up as a score of 6. So I'm a bit confused why the security log message says -1 as the verdict for the file and Sky ATP says it's a 6. Are the AAMW_ACTION_LOG messages I see each stage of the analysis in Sky ATP? Thanks for the help. Here is the syslog message I am talking about:


<14>1 2019-03-11T15:30:00.363Z SRX340Host RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.135 hostname="host.com" file-category="pdf" verdict-number="-1" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="x.x.x.x" source-port="64014" destination-address="x.x.x.x" destination-port="443" protocol-id="6" application="HTTPS" nested-application="N/A" policy-name="Threat-Policy" username="N/A" roles="N/A" session-id-32="81554" source-zone-name="zone1" destination-zone-name="zone2" url="/url/to/something"]
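As an added example (not part of the post, and not Juniper's own tooling), a small parser for this AAMW_ACTION_LOG line that pulls the junos@ structured-data fields out of the RFC 5424 message and flags a verdict-number outside the 1-10 range the post expects, so such events can be routed for review instead of being read as a threat score. The sample line is constructed from the one quoted above, and the 1-10 range and the triage labels are assumptions taken from the post, not a documented mapping of what -1 means.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on the AAMW_ACTION_LOG line in the post (hosts/addresses are placeholders).
SAMPLE_LINE = ('<14>1 2019-03-11T15:30:00.363Z SRX340Host RT_AAMW - AAMW_ACTION_LOG '
               '[junos@2636.1.1.1.2.135 hostname="host.com" file-category="pdf" '
               'verdict-number="-1" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" '
               'source-address="x.x.x.x" source-port="64014" destination-address="x.x.x.x" '
               'destination-port="443" protocol-id="6" application="HTTPS" '
               'nested-application="N/A" policy-name="Threat-Policy" username="N/A" '
               'roles="N/A" session-id-32="81554" source-zone-name="zone1" '
               'destination-zone-name="zone2" url="/url/to/something"]')

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, then STRUCTURED-DATA.
HEADER_RE = re.compile(r'^<(?P<pri>\d+)>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
                       r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\[.*\])\s*$')
# SD-PARAM: name="value"; RFC 5424 escapes \" \] and \\ inside the value.
PARAM_RE = re.compile(r'(?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_aamw_log(line: str) -> Optional[Dict[str, str]]:
    """Return syslog header fields plus every junos@ SD-PARAM, or None if not an AAMW_ACTION_LOG."""
    m = HEADER_RE.match(line)
    if not m or m.group('msgid') != 'AAMW_ACTION_LOG':
        return None
    # Prefix header names so the SD-PARAM "hostname" (the HTTP host) does not collide with the SRX hostname.
    fields = {'syslog-timestamp': m.group('timestamp'),
              'syslog-hostname': m.group('hostname'),
              'msgid': m.group('msgid')}
    sd = m.group('sd')
    sd_id_end = sd.find(' ')
    fields['sd-id'] = sd[1:sd_id_end]          # e.g. junos@2636.1.1.1.2.135
    for p in PARAM_RE.finditer(sd[sd_id_end:]):
        fields[p.group('name')] = re.sub(r'\\([\\"\]])', r'\1', p.group('value'))  # undo escaping
    return fields


def classify_verdict(fields: Dict[str, str]) -> str:
    """Triage label for verdict-number (assumed scale: 1..10 is a score; anything else needs review)."""
    try:
        v = int(fields.get('verdict-number', ''))
    except ValueError:
        return 'unparseable'
    return 'score' if 1 <= v <= 10 else 'out-of-range'
```

Events labelled out-of-range (such as the -1 above) are the ones to correlate with the Sky ATP portal score rather than alert on directly.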

