
Using the Insights Dashboard

The Insights page previews a dashboard feature that gives a management view over all enterprise devices, shown here with a sample page view.

  • Device Pool - The pie graph shows the distribution of devices that have the app activated and protected and devices with a pending activation status.

  • Critical Devices - The number of devices with one or more critical threats over the last 90 days is shown.

  • Risky Devices - The number of devices with one or more risky events over the last 90 days is shown.

  • OS Risk - Android and iOS devices that run outdated, vulnerable operating system versions are at risk and must be updated to remove this risk.

  • Current Security Score - The current security score across all devices is based on an assessment of the Mobile Security app activation, risks, and threats. It increases as the activation of the app increases and as device risks and threats decrease.

    Note

    The security score calculation is based on Device Pool, Critical Devices, Risky Devices, and OS Risk data. It does not include the number of devices that had critical threats and risky events over the last 90 days. This score is calculated using data from the previous day.

  • Security Score Trend - A security score graph can be displayed over a daily, weekly, or monthly time frame.

  • Key Features - The enabled or disabled status values for key features of the solution, such as MDM Integration and Advanced App Analysis.

  • Top Critical Events - The top five critical threats are sorted based on the number of events occurring over the last 90 days.

  • Top Risky Events - The top five risky events are sorted based on the number of events occurring over the last 90 days.

The critical threats shown in the Insights Dashboard

This section provides information on the threats and their meanings. These threats are displayed in the threat policy, where system administrators can set severity levels.

Mitigating a threat means reducing the risk it poses or removing the risk altogether. Each threat indicates whether its mitigation is automatic or manual.

  • Automatic - the device or other risk factors can change, and the threat can then be mitigated automatically through the Mobile security console or app. The status of the threat then changes from a Pending state to a Fixed state.

  • Manual - an administrator must mark the threat as fixed or approved.

Item

Threat description

Default Severity

Mobile Security for Android

Mobile Security for iOS

Mobile Security for Chrome OS

Security for Chrome

Internal threat name, ID

Mitigation

Vector

Tag

Mitre tactics

App Pending Activation

App activation for the Mobile Threat Defense (MTD) application is not complete. Notification email: Indicates that the server detects the threat and sends a notification (email) without a device alert display within the application.

Low

Yes

Yes

Yes

DEVICE_PENDING_ACTIVATION, 200

Automatic

Device

host.device_pending_activation

n/a

Danger Zone Connected

The device connected to a Wi-Fi network where malicious attacks have been observed.

Low

Yes

Yes

Yes

DANGERZONE_CONNECTED, 79

Automatic

Network

network.danger_zone_connected

Initial Access, Network Effects

Danger Zone Nearby

The device is near a Wi-Fi network where malicious attacks have been observed.

Normal

Yes

Yes

Yes

DANGERZONE_NEARBY, 80

Automatic

Network

network.danger_zone_nearby

Initial Access, Network Effects

Detection Inactive

Mobile threat detection is inactive. No method of detection is active, either from the app or VPN.

Elevated

Yes

Yes

Yes

DETECTION_INACTIVE, 1007

Automatic

Device

host.detection_inactive

n/a

Detection Pending Activation

MTD detection is pending activation.

Low

Yes

Yes

Yes

DETECTION_PENDING_ACTIVATION, 1006

Automatic

Device

host.detection_pending_activation

n/a

Device Compromised via Phishing Attack

The device was compromised by a sophisticated kill chain attack that started with a phishing threat and ended leaving the device compromised. Type is composite. [f]

Critical

Yes

Yes

Yes

DEVICE_COMPROMISED_VIA_PHISHING_ATTACK, 123

Manual

Network

pattern.device_compromised_via_phishing_attack

Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Impact, Network Effects

High Risk Browser Extension

A Chrome extension is detected that has one or more privacy and/or security concerns that may put your personal and confidential information at risk.

Elevated

Yes

Automatic

App

chromeos.extension.high_risk

Persistence, Credential Access, Discovery, Collection, Execution

Inactive App

A certain amount of time has passed and the app has not communicated with the server. Notification email: [c]

Elevated

Yes

Yes

Yes

INACTIVE_APP, 100

Automatic

Device

app.dormant

n/a

Link Verification Disabled - Safari Extension

Link verification using the Safari browser extension is disabled on the device.

Elevated

-

-

-

SAFARI_EXTENSION_DISABLED, 151

Automatic

Network

network.safari_extension_disabled

n/a

MTD Is Not Activated on Both Work and Personal Profiles - Android Enterprise

The Mobile Threat Defense (MTD) application is not activated on both the personal and work profiles on this device. Install and activate the MTD app in both locations to ensure full device protection.

Elevated

Yes

-

-

ZIPS_NOT_RUNNING_ON_CONTAINER, 78

Automatic

Device

host.afw_both_profiles_not_activated

n/a

Out of Compliance App

One or more apps are found on the device that are marked as Out-of-Compliance apps.

Elevated

Yes

Yes

Yes

OUT_OF_COMPLIANCE_APP, 93

Automatic

App

host.app_out_of_compliance

Exfiltration, Collection, Impact

Out of Compliance Browser Extension

A Chrome extension is detected that is marked out of compliance with your organization's policies. It is recommended that you remove it from your Chrome browser.

Elevated

-

-

-

Yes

OOC_BROWSER_EXTENSION, 1003

Automatic

App

chromeos.extension.ooc

Persistence, Credential Access, Discovery, Collection, Execution

Phishing Protection - Link Tapped

A potentially malicious website address (URL) link was tapped on the device.

Elevated

Yes

Yes

Yes

Yes

MALICIOUS_WEBSITE, 9

Automatic

Device

host.site-insight.link-tapped

Initial Access, Credential Access, Network Effects

Phishing Protection - Link Visited

A user tapped a potentially malicious URL on the device. The user was warned of potential danger with the linked site and chose to continue to the website after the warning.

Elevated

Yes

Yes

Yes

Yes

MALICIOUS_WEBSITE_OPENED, 72

Automatic

Device

host.site-insight.link-visited

Initial Access, Credential Access, Network Effects, Execution, Privilege Escalation

Risky Site Blocked

A potentially malicious website address (URL) link was blocked on the device. [j]

Elevated

Yes

Yes

Yes

Yes

MAL_WEBSITE_BLOCKED, 137

Automatic

Device

content_filter.malsite_blocked

Initial Access

Risky Site - Link Tapped

A potentially malicious website address (URL) link was tapped on the device. [j]

Elevated

Yes

Yes

Yes

Yes

MAL_WEBSITE_TAPPED, 135

Automatic

Device

content_filter.malsite_tapped

Initial Access

Risky Site - Link Visited

A user tapped a potentially malicious link on the device. The user was warned of potential danger with the linked site and chose to continue to the website after the warning. [j]

Critical

Yes

Yes

Yes

Yes

MAL_WEBSITE_VISITED, 136

Automatic

Device

content_filter.malsite_visited

Initial Access

Sideloaded Browser Extension

A sideloaded extension is detected, which was not installed from an official web store. These extensions and their developers may not be verified and can present a security risk.

Elevated

-

-

-

Yes

SIDELOADED_BROWSER_EXTENSION, 1005

Automatic

App

chromeos.extension.sideloaded

Persistence, Credential Access, Discovery, Collection, Execution

Site Blocked

A user tapped on website content not approved by your organization and the site was blocked. [j]

Elevated

Yes

Yes

Yes

Yes

WEBSITE_BLOCKED, 134

Automatic

Device

content_filter.blocked

Initial Access

Site Warning - Link Tapped

Website content not approved by your organization was tapped on the device. [j]

Elevated

Yes

Yes

Yes

Yes

WEBSITE_TAPPED, 132

Automatic

Device

content_filter.website_tapped

Initial Access

Site Warning - Link Visited

A user tapped on website content not approved by your organization. The user was warned the website content does not comply with your organization's policies and chose to continue to the website after the warning. [j]

Elevated

Yes

Yes

Yes

Yes

WEBSITE_VISITED, 133

Automatic

Device

content_filter.website_visited

Initial Access

Suspicious Browser Extension

An unsafe extension is detected. It is strongly recommended that you remove the extension immediately.

Critical

-

-

-

Yes

SUSPICIOUS_BROWSER_EXTENSION, 1002

Automatic

App

chromeos.extension.suspicious

Persistence, Credential Access, Discovery, Collection, Execution

Suspicious iOS App

A known malicious app is detected and can attempt to take control of the device in some manner, such as elevation of privileges or spyware.

Critical

-

Yes

-

SUSPICIOUS_IPA, 42

Automatic

App

host.ipa.malicious

Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection

Suspicious Profile

A suspicious profile is a new profile introduced into the environment and is not explicitly trusted or untrusted. An administrator must review the profile and mark the profile as trusted or untrusted.

Elevated

-

Yes

-

SUSPICIOUS_PROFILE, 45

Automatic

Device

host.profile.suspicious

Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection

Untrusted Profile

An untrusted profile is a profile installed on one or more devices and is unsafe on your devices. An untrusted profile installed on devices can be used to control devices remotely, monitor and manipulate user activities, and hijack users' traffic.

Critical

-

Yes

-

UNTRUSTED_PROFILE, 24

Automatic

Device

host.profile.untrusted

Initial Access, Persistence, Exfiltration, Impact, Credential Access, Execution, Collection

Active ADB Session Detected

Android Debug Bridge (adb) is an advanced debugging tool typically used to interact with the device during development and troubleshooting sessions. An active adb session was detected and should be monitored closely.

Elevated

Yes

ACTIVE_ADB_SESSION, 187

Automatic

Device

ACTIVE_ADB_SESSION

Execution

File Pushed to a Sensitive Directory via ADB

Android Debug Bridge (adb) is an advanced debugging tool typically used during development and troubleshooting sessions. During an active adb session, a file was uploaded to a sensitive directory on the device. This is not normal and is considered risky unless it occurs during active development or incident troubleshooting.

Elevated

Yes

FILE_PUSHED_ADB, 186

Automatic

Device

FILE_PUSHED_ADB

Collection, Execution

Sensitive File Downloaded from the Device via ADB

Android Debug Bridge (adb) is an advanced debugging tool typically used during development and troubleshooting sessions. During an active adb session, a sensitive file was downloaded from the device, creating a potential risk of loss of sensitive device or user information.

Elevated

Yes

FILE_EXTRACTED_ADB, 185

Device

FILE_EXTRACTED_ADB

Collection, Execution

PDF - Malicious Document

There is harmful code or behavior within the PDF file, indicating a potential threat has been detected.

Elevated

Yes

MALICIOUS_PDF_DOCUMENT, 174

Automatic

Device

"Malicious PDF document"

Initial Access, Persistence, Credential Access, Impact, Collection, Exfiltration, Execution

PDF - Phishing Document

A potentially malicious URL was detected within the PDF file.

Elevated

Yes

PHISHING_PDF_DOCUMENT, 184

Automatic

Device

PHISHING_PDF_DOCUMENT

Initial Access, Persistence, Credential Access, Impact, Collection, Exfiltration, Execution

PDF - Unscanned Files

Unscanned PDFs pose potential risks. Resuming the scan immediately is advised.

Elevated

Yes

UNSCANNED_PDF_FILES, 189

Automatic

Device

UNSCANNED_PDF_FILES

iOS Shortcut Detection Disabled

The device is not configured to detect risky or malicious iOS shortcuts. This option must be enabled on the device.

Elevated

Yes

SHORTCUT_REQUIRED, 181

Automatic

Device

SHORTCUT_REQUIRED

Malicious iOS Shortcut Found

A potentially malicious iOS shortcut has been found to be installed on your device. iOS shortcuts might pose a significant security risk to your information. It is recommended to review the shortcut to determine whether or not it should be used.

Critical

Yes

SHORTCUT_SUSPICIOUS, 182

Automatic

Device

SHORTCUT_SUSPICIOUS

Risky iOS Shortcut Found

A potentially risky iOS shortcut has been found to be installed on your device. iOS shortcuts might pose a significant security risk to your information. It is recommended to review the shortcut to determine whether or not it should be used.

Elevated

Yes

SHORTCUT_RISKY, 183

Automatic

Device

SHORTCUT_RISKY

Risky events in the Insights Dashboard

The Insights dashboard categorizes the following events as risky events:

Note

A mobile threat defense platform can detect "risky events" such as malicious app installation, network anomalies, device vulnerability exploitation, jailbreaking/rooting attempts, phishing attacks, device compromise indicators, and abnormal device activities. These alerts help protect against potential security threats.

  • Android Debug Bridge (ADB) Apps Not Verified

  • Android Device - Compatibility Not Test By Google

  • BlueBorne Vulnerability

  • Daemon Anomaly

  • Developer Options

  • Device Encryption

  • Device Pin

  • Google Play Protect Disabled

  • MITM - Fake SSL certificate

  • Rogue Access Point: Nearby

  • Sideloaded App(s)

  • Site Insight - Link Tapped

  • Stagefright Vulnerability

  • Suspicious Profile

  • Unknown Sources Enabled

  • USB Debugging Mode

  • Mobile security app is not activated on both work and personal profiles - Android for Work

Key features

The key features section shows a summary of the enabled or disabled status values for key features of the solution. These features show status for:

  • MDM Integration - Enables the synchronization of devices, defines group usage in policy and configuration items, and provides granular protection mechanisms. This feature is enabled if there is at least one MDM integration set up in Mobile Security Console.

  • SIEM Integration - Provides a secure method for pulling security events from the mobile security console. This is enabled if there is at least one SIEM integration set up in the Manage > Integrations > Data Export section of Mobile Security Console or with the Syslog pull integration.

  • Advanced App Analysis - Assesses mobile app risk among company devices, enabling intelligent identification of safe and risky apps, and setting security policies to mitigate risk. This is enabled by default for the enterprise under normal circumstances.

  • Phishing Detection - Enables administrators to warn and protect users from accessing harmful websites and links that may pose a danger. This is shown as enabled in the key features if URL sharing or VPN-based phishing is enabled for at least one group within Mobile Security Console.

  • App Policy - Enables the application vetting capability. This feature is enabled if at least one app policy has been created under the Policy page.