
Threat View

The Threat View tab includes all data that was previously published in the old Security Report and displays it in a more usable format. It provides comprehensive security data about the malicious hits within your networks over a specific time period. By default, the report displays a bar chart showing the distribution of malicious hits throughout your networks within a 24-hour time frame; the time period can be customized. To export the Threat View table data in CSV format, click Export. The default file name is security-activity_threat-view.csv. Exported data is limited to 10,000 records.

Performing Search Queries

The search feature supports queries written in the integrated search query language. Using it, you can search all records in the Security Events report with customized queries. The search query options available in the Threat View report let you:

  • Run a search on any of the following fields:
    • REQUESTS
    • DEVICES
    • PROPERTY
    • USERS
  • Use the = and NOT (!=) operators.
  • Use AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group search parts.
  • Use the wildcard symbol (*) as the last character of the search value for a partial match.
  • Use the ENTER key to apply search.
  • Use the TAB key to autocomplete search with the first available suggestion.

Sample Search Queries

The following are search query examples:

  • target_domain=domain.*
  • target_domain=domain.* AND confidence=High

Searching by the target_domain field also matches subdomains. For example, target_domain = domain.com matches 'domain.com', 'office.domain.com' and 'space.office.domain.com'.

Note

All search values are case sensitive. A maximum of five operators can be used when constructing a query search.
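The query rules above (the = and != operators, AND and OR, parentheses, quoted values, the trailing wildcard, case sensitivity, subdomain matching on target_domain and the five-operator limit), worked through as an added Python example. This is not Infoblox code: it assumes that AND binds tighter than OR, that the trailing `*` is a prefix match, and that the operator limit counts =, !=, AND and OR, none of which the page specifies.

```python
import re

# Added example (not Infoblox code) re-implementing the search semantics described above. Assumed:
# AND binds tighter than OR; trailing '*' is a prefix match; the five-operator limit counts =, !=, AND, OR.
TOKEN = re.compile(r"\s*(?:(\()|(\))|(AND|OR)\b|(\w+)\s*(!=|=)\s*(\"[^\"]*\"|'[^']*'|[^\s()]+))")

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()  # tokens: '(', ')', 'AND', 'OR', (field, op, value)
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query near {query[pos:]!r}")
        lpar, rpar, logic, field, op, value = m.groups()
        if value and value[0] in "\"'":  # single or double quotes let a value contain spaces
            value = value[1:-1]
        tokens.append((field, op, value) if field else lpar or rpar or logic)
        pos = m.end()
    return tokens

def term_matches(record, field, op, value):
    actual = str(record.get(field, ""))  # all comparisons are case sensitive
    if value.endswith("*"):              # trailing wildcard: partial (prefix) match
        hit = actual.startswith(value[:-1])
    else:                                # target_domain=domain.com also matches subdomains
        hit = actual == value or (field == "target_domain" and actual.endswith("." + value))
    return hit if op == "=" else not hit

def matches(query, record):
    tokens = tokenize(query)  # evaluate one query against one record (dict field -> value)
    if sum(1 for t in tokens if t in ("AND", "OR") or isinstance(t, tuple)) > 5:
        raise ValueError("a query may use at most five operators")
    def parse(i, level=0):  # level 0 = OR chain, 1 = AND chain, 2 = term or (group)
        if level < 2:
            val, i = parse(i, level + 1)
            while i < len(tokens) and tokens[i] == ("OR", "AND")[level]:
                rhs, i = parse(i + 1, level + 1)
                val = (val or rhs) if level == 0 else (val and rhs)
            return val, i
        if i < len(tokens) and tokens[i] == "(":
            val, i = parse(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing closing parenthesis")
            return val, i + 1
        if i >= len(tokens) or not isinstance(tokens[i], tuple):
            raise ValueError("expected a field=value term")
        return term_matches(record, *tokens[i]), i + 1
    val, end = parse(0)
    if end != len(tokens):
        raise ValueError(f"unexpected token {tokens[end]!r}")
    return val
```

Note that with these assumptions `target_domain=domain.com` matches `office.domain.com` (subdomain rule) while `target_domain=domain.*` does not (prefix rule); check the product's actual behaviour before relying on either.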

Filtering the Threat View Tab

To filter Threat Insight events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu:

  • Class: The threat class associated with the target domain.
  • Level: The target domain's threat level rating. This can be High, Medium, Low, or Info.
  • Policy: The security policy against which the malicious hit triggered.
  • Property: The property or nature of the threat. By default, the portal includes all threat properties.
  • Source: The location of the device within the network infrastructure, for example an on-prem appliance or an endpoint device. Select or deselect the available options to choose which records to view.
  • Show: Filter security and activity events by choosing an option from the Show drop-down menu.

    Note

    Depending on the availability of data records, not all filter options may be displayed.

The Threat Insight table displays the following information. To filter by specific criteria, select the applicable objects from the column drop-down menus:

  • REQUESTS: The number of detections associated with the report. Clicking a record's number of detections displays a table of the detections associated with the target domain.
  • DEVICES: The devices that triggered the hits. Clicking the number of devices in the DEVICE column associated with a user allows you to pivot off the record and display all devices associated with the user.
  • PROPERTY: The property or nature of the threat. By default, the portal includes all threat properties.
  • USERS: The users that triggered the event. For remote offices, the portal displays Unknown for these users. If you have configured access authentication, this displays the authenticated user who triggered the event.

    Note

    You can enable and disable custom fields by clicking the icon in the top right-hand corner of the table and selecting or deselecting the custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of report records. The maximum number of exported Threat View report records is 10,000.