Threats Xplorer

Threats Xplorer is specially designed to offer you highly increased visibility over the detected threats in your network. The feature centralizes detection events from multiple GravityZone technologies and classifies them by category, threat type, remediation actions, and many others.

You can easily identify and analyze any event from your company over a specific time interval by using the available filters.


On the Threats Xplorer page, you can view the complete list of the detection events in your network. The grid displays the entries in reverse-chronological order, so the most recent events are always at the beginning.


  • The presented data is directly correlated with the selected period, company, and license key.

  • The grid displays the detection events from the last 90 days.

The feature centralizes detection events from the following modules:

  • Antimalware

  • Network Protection

  • Storage Protection

  • Exchange Protection

  • Device Control

  • Firewall

Analyzing Detection Events

Threats Xplorer provides a wide variety of columns and filters to help you navigate through the events list. You can either select filters from the drop-down menu or type in keywords that match your desired results.


The available columns and filters you can use are:

  • Detected on

    This column provides you with the exact time and date of the detection. Use the filter to view events that occurred in a predetermined time interval or a customized one.

  • Company

    This column displays detection events based on companies. You can select one or multiple companies and view the specific collection of events. You can also view events from all companies that you manage directly or from all companies you have access to by using the dedicated filters.

  • Category

    This column classifies the identified threats using general categories such as files, emails, websites, processes, and others.

  • Details

    This column provides specific information about the identified threat such as the path of the file or process, the web address of the website, the email subject, and more.

  • Action taken

    This section presents the action taken on the threat as well as the number of occurrences. For example, using the available filters you can view blocked, deleted, quarantined, reported items, and others.

  • Endpoint name

    This column provides you with the name of the device where the detection occurred. You can search for a specific device by typing its name in the filter search bar.

  • Command-line

    In this section, you can find details about the command-line used in the detected threat, if any.

  • Threat type

    This column presents the discovered threat type. You can select one or more types from the filter and identify the corresponding events. For more information about the available threat types, refer to the Glossary section.

  • IP

    In this section, you can find the IP address of the device where the detection occurred.

  • Endpoint type

    This column provides information about the device type, whether it is a server, workstation, container, or container host.

  • User

    In this column, you can find the username that was used in the attack.

  • Detecting module

    This section provides you with the name of the GravityZone module that identified the threat. You can use the filter options to refine the list of events.

  • Detecting technology

    This section provides information about the GravityZone technology used to identify the threat. You can use the filter options to refine the list of events.

  • Threat name

    This column presents the exact name of the identified threat. You can search for events with a specific threat by typing the name in the filter search bar.

  • Fileless attack

    This column provides details about the existence of a fileless attack.

  • SHA256

    You can use this column to find information about the hash of a file and the associated filter to discover events with a specific hash.


  • The items number located above the columns on the left side of the page represents the total number of detection events according to the selected filters. Additionally, you can find the number of occurrences that specifies how many times an event was detected.

  • To manage the Threats Xplorer page, use the options available on the upper right side. You can export data, adjust columns and clear filters, remove the filters section, refresh the grid and adjust it to a compact view.

Detection details

The Detection details panel helps you perform an in-depth analysis providing event-specific information and several investigation and remediation actions.

To analyze an event, select it from the grid and view its details in the panel that opens on the right side. The panel includes:

Event details:

  • Information about the threat such as threat type and name, the action taken, the detecting module, and others.

  • Details about the detected item including the category and specific information like process ID, file path, URL, email subject, and others.

  • Endpoint details such as endpoint name, type and risk score, the assigned policy, any existing vulnerabilities or misconfigurations, and others.

Actions:

  • Scan: configure and start a scan task for the endpoint.

  • Isolate: use this action to isolate the endpoint from the rest of the network until the threat is resolved.

  • Add exclusion: create an exclusion for the detected item. This action is available for files and processes.

  • Add to Blocklist: add the detected item to Blocklist. This action is available only if the item hash is present.

  • Show detections: view all the security events on the endpoint within the last 24 hours.

  • Show in network: view the endpoint within the Network Inventory.

For an improved security analysis and overall accessibility, you can also access the Threats Xplorer page from Executive Summary.

Using Smart Views

Smart Views is focused on adding a new level of personalization in Threats Xplorer. You can now create your own customized views or use predefined ones and quickly switch between them as needed.  

In a single view, you can customize filters and time intervals, add or remove columns, and scale their size.


Smart Views provides you with a set of useful standard views with predefined filters, columns, and time intervals:

  • General view provides you with the default filters and columns.

  • Hybrid detections view filters different threats proactively detected by multiple GravityZone technologies.

  • Policy rule-based detections view organizes all events triggered by policy rule violations. 

  • Device Control activity view shows threats proactively detected by the Device Control module.

You can use any standard view as is or temporarily modify it to suit your needs. You can also clone a view or use it as a template to create your own. 


  • Standard views and their changes can be saved only as new views.

  • GravityZone console retains the selected view, even if you leave the section or log out, until you switch to another view yourself. This way, you can always pick up where you left off and analyze the security events of interest.

Creating custom views

  1. Choose a standard view.

  2. Personalize according to your needs:

    • Select, apply and add different filters

    • Add or remove columns from the right-side panel

    Use the Discard changes button from the upper right corner of the page to undo your selections if necessary.

  3. Save your changes using the Save as button from the upper right corner of the page.

  4. Enter a name for the view and click Save. You can find the new view in the Custom section.


Editing custom views

You can edit a custom view anytime. However, please note that you need to save your changes after applying them.

To edit a custom view:

  1. Choose a custom view.

  2. Personalize according to your needs. Use the Discard changes button to undo your selections if necessary.

  3. Save your changes using the Save button from the upper right corner of the page.

Renaming and deleting custom views

To delete or rename a custom view, click the corresponding vertical ellipsis in the views panel and select the action.


Exporting Detection Events

Threats Xplorer provides the possibility of accessing and managing the centralized data outside GravityZone Control Center. The export functionality helps you import the detection events in other software programs tailored for your business. 

To save detection events on your computer as a CSV file:

  1. Click Export view from the upper right side of the Threats Xplorer page.

  2. Depending on your browser settings, the file may be downloaded automatically to a default download location, or a download window will appear, where you must specify the destination folder.  

    A pop-up notification on the Threats Xplorer page will inform you when the export is complete.

The saved file contains all the detection events corresponding to your filtering selection.


You can export up to 500,000 detection events at a time.
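Once exported, the CSV file can be triaged outside Control Center. The following Python script is an added example, not part of the GravityZone documentation or product: it lists file hashes detected on more than one endpoint and events where the threat was only reported. It assumes the CSV header names mirror the grid column names listed above and that a "Reported" action means no remediation was applied; the sample rows, endpoint names and hash placeholders are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample export. Header names are an assumption (taken from the
# grid column names on this page); adjust them to match your actual CSV file.
SAMPLE_CSV = """Detected on,Endpoint name,Category,Action taken,Threat type,Threat name,SHA256
2024-05-01 09:12:03,WS-FIN-01,File,Quarantined,Malware,Sample.Threat.A,HASH_A_PLACEHOLDER
2024-05-01 09:15:47,WS-FIN-02,File,Reported,Malware,Sample.Threat.A,HASH_A_PLACEHOLDER
2024-05-01 10:02:10,SRV-WEB-01,Website,Blocked,Phishing,Sample.Phish.B,
2024-05-02 14:30:00,WS-HR-07,File,Deleted,Malware,Sample.Threat.C,HASH_C_PLACEHOLDER
"""

# Assumption: "Reported" means the detection was logged without remediation.
REPORT_ONLY_ACTIONS = {"reported"}


def load_events(lines):
    """Read exported rows (an open file or a list of lines) as trimmed dicts."""
    return [
        {k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
        for row in csv.DictReader(lines)
    ]


def hashes_on_multiple_endpoints(events, min_endpoints=2):
    """Map SHA256 -> sorted endpoint names for hashes seen on several endpoints."""
    seen = defaultdict(set)
    for ev in events:
        if ev["SHA256"]:  # detections without a file hash are skipped
            seen[ev["SHA256"]].add(ev["Endpoint name"])
    return {h: sorted(eps) for h, eps in seen.items() if len(eps) >= min_endpoints}


def report_only_events(events):
    """Events whose recorded action did not remediate the threat."""
    return [ev for ev in events if ev["Action taken"].lower() in REPORT_ONLY_ACTIONS]


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV.splitlines())
    for sha, endpoints in hashes_on_multiple_endpoints(events).items():
        print(f"{sha} detected on: {', '.join(endpoints)}")
    for ev in report_only_events(events):
        print(f"Follow up: {ev['Threat name']} on {ev['Endpoint name']}")
```

To run it against a real export, pass an open file instead of the sample, for example `load_events(open("export.csv", newline="", encoding="utf-8"))`, where the file name is a placeholder.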