Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Home network, Host IP, Host name, Campaign UUID, Priority, Read, Status, Threat, or Threat class.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) button next to its entry. Delete all the selected filters by clicking the cancel/close icon; this also collapses the Filters widget.

Click the Apply (reload) button to apply the selected filters.

Home network

Restrict the displayed entries by the Home network setting. Select Home network only or Unidentified networks only from the pull-down menu.

Host IP

Restrict the displayed entries to a specific source IP address, IP address range, or CIDR block.

Host name

Restrict the displayed entries to a specific source Host name. The full host name or label needs to be provided.

Campaign UUID

Restrict the displayed entries by the Campaign UUID. This is a 32-character hexadecimal string, for example, 7dabc0fc9b3f478a850e1089a923df3a.

Alternatively, enter the string null to select records that do not belong to any campaign.
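The following is an added example, not code from the product or this documentation. It reproduces the matching rules described for the Host IP filter (single address, address range, or CIDR block) and the Campaign UUID filter (32-character hexadecimal string, or the literal string null) over a small set of constructed event records, combining the selected filters with AND as the Filters widget does. The record field names (host_ip, campaign_uuid, threat_class) and the sample events are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample events; field names and values are assumptions for this example,
# not the product's record format.
EVENTS = [
    {"host_ip": "10.1.2.3", "campaign_uuid": "7dabc0fc9b3f478a850e1089a923df3a", "threat_class": "command & control"},
    {"host_ip": "10.1.2.200", "campaign_uuid": None, "threat_class": "adware"},
    {"host_ip": "192.168.5.7", "campaign_uuid": "7dabc0fc9b3f478a850e1089a923df3a", "threat_class": "sinkhole"},
    {"host_ip": "172.16.0.9", "campaign_uuid": None, "threat_class": "suspicious DNS"},
    {"host_ip": "2001:db8::1", "campaign_uuid": None, "threat_class": "unknown"},
]

# Campaign UUID as documented: 32 hexadecimal characters, no dashes.
CAMPAIGN_UUID_RE = re.compile(r"[0-9a-f]{32}")


def parse_host_ip_filter(expr):
    """Return a predicate for a Host IP filter value.

    Accepts a single IP address, an 'a-b' address range, or a CIDR block.
    Raises ValueError on malformed input so a typo does not silently match nothing.
    """
    expr = expr.strip()
    if "/" in expr:
        net = ipaddress.ip_network(expr, strict=False)
        # Membership test returns False for an address of the other IP version.
        return lambda ip: ipaddress.ip_address(ip) in net
    if "-" in expr:
        lo_s, hi_s = (s.strip() for s in expr.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {expr!r}")

        def in_range(ip):
            addr = ipaddress.ip_address(ip)
            # Comparing v4 and v6 addresses raises TypeError, so exclude explicitly.
            return addr.version == lo.version and lo <= addr <= hi

        return in_range
    single = ipaddress.ip_address(expr)
    return lambda ip: ipaddress.ip_address(ip) == single


def parse_campaign_filter(expr):
    """Return a predicate for the Campaign UUID filter.

    'null' selects records that belong to no campaign; otherwise the value must be
    a 32-character hexadecimal string and matches case-insensitively.
    """
    expr = expr.strip().lower()
    if expr == "null":
        return lambda uuid: uuid is None
    if not CAMPAIGN_UUID_RE.fullmatch(expr):
        raise ValueError(f"campaign UUID must be 32 hex characters, got {expr!r}")
    return lambda uuid: uuid is not None and uuid.lower() == expr


def apply_filters(events, host_ip=None, campaign_uuid=None, threat_class=None):
    """AND-combine the selected filters; a filter left as None is not applied."""
    preds = []
    if host_ip is not None:
        p = parse_host_ip_filter(host_ip)
        preds.append(lambda e, p=p: p(e["host_ip"]))
    if campaign_uuid is not None:
        p = parse_campaign_filter(campaign_uuid)
        preds.append(lambda e, p=p: p(e["campaign_uuid"]))
    if threat_class is not None:
        preds.append(lambda e: e["threat_class"] == threat_class)
    return [e for e in events if all(p(e) for p in preds)]


if __name__ == "__main__":
    for e in apply_filters(EVENTS, host_ip="10.1.2.0/24"):
        print(e["host_ip"], e["threat_class"])
    for e in apply_filters(EVENTS, campaign_uuid="null"):
        print(e["host_ip"], "no campaign")
```

Validation is deliberately strict: a Campaign UUID that is not 32 hex characters or an IP range whose ends are in the wrong order raises rather than producing an empty result, which is the failure mode that is easy to misread as "no events matched" in a console.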

Priority

Restrict the displayed entries by the Priority status. Select Infection, Watchlist, or Nuisances from the pull-down menu.

See the infections list for details.

Read

Restrict the displayed entries by their Read status. Select Read or Unread from the pull-down menu.

Status

Restrict the displayed entries by their status. Select Closed or Open from the pull-down menu.

Threat

Restrict the displayed entries by a specific Threat. Select a threat from the pull-down menu. The menu is prepopulated with a list of cataloged threats.

Use the search function at the top of the menu to quickly find a threat name.

Threat class

Restrict the displayed entries to a specific class of events. Select the threat class from the pull-down menu. The menu is prepopulated with a catalog of classes, such as:

  • adware: Malware that displays or downloads advertisements to an infected computer.

  • click-fraud: Click-fraud targets pay per click online advertising.

  • command & control: An infected machine belongs to a botnet and the machine can be remotely controlled by an attacker.

  • drive-by: An attacker attempted to exploit a vulnerability on the machine in order to install additional malware on the target system.

  • exploit toolkit: Detection of an exploit toolkit that attempted a drive-by download attack.

  • fake-av: Fake antivirus software or other kinds of rogue security software designed to trick or mislead your users.

  • inactive C&C: The command & control server for this specific botnet is inactive.

  • VMware blocking test: The domain block.lastline.com is used to test blocking of network connections, and the selected events belong to this class.

  • VMware test: The domain test.lastline.com is used to test the functionality of the setup, and the selected events belong to this class.

  • malicious file download, malware distribution, and malware download: The IP address or domain hosts malicious executables.

  • sinkhole: A sinkhole is operated by a legitimate organization, so it does not pose a threat. However, hosts that try to contact such a host may be infected.

  • spyware: Malware that attempts to steal sensitive information.

  • suspicious DNS: Suspicious DNS domains are domains that are contacted by malware running on infected machines. Our proprietary techniques were able to proactively identify these domains as malicious.

  • unknown: An unknown security risk was detected.

Use the search function at the top of the menu to quickly find a class name.