btey
Staff & Editor
Article Id 404763
Description: This article describes how to use the 'utmref' value from a forward traffic log to look up the related UTM log via the CLI.
Scope: FortiGate.
Solution

From the forward traffic log, find the utmref identifier (utmref=0-0 at the end of the example below).

Example:

date=2025-08-04 time=09:19:47 eventtime=1754270387495602905 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=x.x.x.x srcport=52534 srcintf="port1" srcintfrole="undefined" dstip=x.x.x.x dstport=3389 dstintf="port1" dstintfrole="undefined" replysrcintf="port3" srccountry="Reserved" dstcountry="Reserved" sessionid=508 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="a2e6bfc8-6e92-51f0-df26-d5e3333f0d2d" policyname="abv" service="TCP-TCP3389" trandisp="snat+dnat" tranip=x.x.x.x tranport=3389 transip=x.x.x.x transport=52534 appid=15511 app="RDP" appcat="Remote.Access" apprisk="high" applist="default" duration=158 sentbyte=110069 rcvdbyte=363587 sentpkt=582 rcvdpkt=736 utmaction="allow" countapp=1 sentdelta=11683 rcvddelta=3156 durationdelta=38 sentpktdelta=67 rcvdpktdelta=36 utmref=0-0

 

Use the command 'execute log detail' to view the UTM log detail. Run without arguments, it lists the available UTM categories:

execute log detail
Available categories:
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
24: utm-virtual-patch
25: utm-casb

 

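Pass the category number and the utmref value to the command. In this example, the category is 10 (utm-app-ctrl) and the utmref is 0-0:

execute log detail 10 0-0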
1 logs found.
1 logs returned.

1: date=2025-08-04 time=09:17:08 eventtime=1754270228548181976 tz="+0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=15511 srcip=x.x.x.x srccountry="Reserved" dstip=x.x.x.x dstcountry="Reserved" srcport=52534 dstport=3389 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 service="TCP-TCP3389" direction="outgoing" policyid=1 poluuid="a2e6bfc8-6e92-51f0-df26-d5e3333f0d2d" policytype="policy" sessionid=508 applist="default" action="pass" appcat="Remote.Access" app="RDP" incidentserialno=13631489 msg="Remote.Access: RDP" apprisk="high"
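
The same lookup can be cross-checked offline on exported logs. This is an added example, not part of the original article or of Fortinet's tooling: it parses the key=value log format, builds the 'execute log detail' command from a traffic log's utmref, and confirms that a returned UTM record belongs to the same session. The sample lines are constructed (shortened from the pair above, with documentation IP addresses), and the function names and the choice of join fields are assumptions of this example.

```python
import re

# Category numbers as listed by 'execute log detail' in the article.
CATEGORIES = {
    "utm-virus": 2, "utm-webfilter": 3, "utm-ips": 4, "utm-emailfilter": 5,
    "utm-anomaly": 7, "utm-voip": 8, "utm-dlp": 9, "utm-app-ctrl": 10,
    "utm-waf": 12, "utm-dns": 15, "utm-ssh": 16, "utm-ssl": 17,
    "utm-file-filter": 19, "utm-icap": 20, "utm-sctp-filter": 22,
    "utm-virtual-patch": 24, "utm-casb": 25,
}
# Fields that carry the same value in the article's traffic/UTM pair (assumed join keys).
SESSION_KEYS = ("vd", "sessionid", "policyid", "proto", "srcport", "dstport")
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines, shortened from the article's pair; IPs are documentation ranges.
TRAFFIC = ('date=2025-08-04 time=09:19:47 type="traffic" subtype="forward" vd="root" '
           'srcip=192.0.2.10 srcport=52534 dstip=198.51.100.20 dstport=3389 sessionid=508 '
           'proto=6 policyid=1 app="RDP" utmaction="allow" countapp=1 utmref=0-0')
UTM = ('1: date=2025-08-04 time=09:17:08 type="utm" subtype="app-ctrl" vd="root" '
       'srcip=192.0.2.10 dstip=198.51.100.20 srcport=52534 dstport=3389 proto=6 '
       'policyid=1 sessionid=508 action="pass" msg="Remote.Access: RDP"')

def parse_log(line):
    """Parse one key=value log line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def detail_command(traffic, category):
    """Return the CLI lookup for a traffic log, or None when it has no utmref."""
    ref = traffic.get("utmref")
    if traffic.get("type") != "traffic" or not ref:
        return None
    return f"execute log detail {CATEGORIES[category]} {ref}"

def same_session(traffic, utm):
    """True when the UTM record agrees with the traffic log on every join key."""
    return utm.get("type") == "utm" and all(
        key in traffic and traffic[key] == utm.get(key) for key in SESSION_KEYS)

if __name__ == "__main__":
    t, u = parse_log(TRAFFIC), parse_log(UTM)
    print(detail_command(t, "utm-app-ctrl"))
    print("same session:", same_session(t, u))
```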
