Filters

Restrict the displayed entries by the application family used by the host, for example, "Chrome" or "Firefox".

Restrict the displayed entries by the application used by the host, for example, "Google Chrome 80.0.3987.100" or "Firefox 73.0 (64-bit)".

Restrict the displayed entries by the type of host, for example, "mobile device", "server", or "endpoint".

Restrict the displayed entries by the Home network setting. Select Home network only or Unidentified networks only from the pull-down menu.

Restrict the displayed entries to a specific source IP address, IP address range, or CIDR block.

Restrict the displayed entries by the Hosts tags. Select the tags from the pull-down menu.

Restrict the displayed entries by the Hosts with threats status. Select Only hosts with threats or All hosts from the pull-down menu.

Restrict the displayed entries by the Campaign UUID. This is a 32-character hexadecimal string, for example, 7dabc0fc9b3f478a850e1089a923df3a.

Alternatively, enter the string null to select records that do not belong to any campaign.

Restrict the displayed entries by the operating system family on the host, for example, "Linux" or "Windows".

Restrict the displayed entries by the operating systems on the host, for example, "Ubuntu 18.04" or "Windows NT 10.0".

Restrict the displayed entries by the Priority status. Select Infection, Watchlist, or Nuisances from the pull-down menu.

See the infections list for details.

Restrict the displayed entries by their Read status. Select Read or Unread from the pull-down menu.

Restrict the displayed entries by their status. Select Closed, or Open from the pull-down menu.

Restrict the displayed entries by a specific Threat. Select a threat from the pull-down menu. The menu is prepopulated with a list of cataloged threats.

Use the search function at the top of the menu to quickly find a threat name.

Restrict the displayed entries to a specific class of events. Select the threat class from the pull-down menu. The menu is prepopulated with a catalog of classes, such as:

• adware — Malware that displays or downloads advertisements to an infected computer.

• click-fraud — Click-fraud targets pay per click online advertising.

• command & control — An infected machine belongs to a botnet and the machine can be remotely controlled by an attacker.

• drive-by — An attacker attempted to exploit a vulnerability on the machine in order to install additional malware on the target system.

• exploit toolkit — Detection of an exploit toolkit that attempted a drive-by download attack

• fake-av — Fake antivirus software or other kinds of rogue security software designed to trick or mislead your users.

• inactive C&C — The command & control server for this specific botnet is inactive.

• VMware blocking test — The domain block.lastline.com is used to test blocking of network connections and the selected events belong to this class.

• VMware test — The domain test.lastline.com is used to test the functionality of the setup and the selected events belong to this class.

• malicious file download, malware distribution, and malware download — The IP address or domain hosts malicious executables.

• sinkhole — A sinkhole is operated by a legitimate organization, so it does not pose a threat. However, hosts that try to contact such a host may be infected.

• spyware — Malware that attempts to steal sensitive information.

• suspicious DNS — Suspicious DNS domains are domains that are contacted by malware running on infected machines. Our proprietary techniques were able to proactively identify these domains as malicious.

• unknown — An unknown security risk was detected.

Use the search function at the top of the menu to quickly find a class name.