Detected threats

The Detected threats widget provides a graphical overview of the different kinds of threats detected in the network. This information is displayed in a layered circle. The divisions of the circles represent the number of hosts affected by the displayed incident types. Moving toward the outer circles provides a finer granularity and more specific information.

  • The innermost ring displays the three different types of incidents:

    • Infections are incidents that have been determined to be critical. These incidents have been given an impact score of 70 or above and are displayed in red.

    • Watchlist are incidents that have been determined to be of medium risk. Such incidents, while indicating a potential risk, may not need immediate attention; they are kept under close watch in case new evidence appears that modifies their status. These incidents have been given an impact score of between 30 and 69 and are displayed in orange.

    • Nuisances are incidents that are considered low or no risk. This typically corresponds to potentially unwanted/risky activity that does not necessarily indicate a compromise or infection on the monitored network. These incidents have been given an impact score of lower than 30 and are displayed in blue.

  • The middle ring displays the threat class together with the number of relevant incidents for each type of infection. Threat classes include command&control servers, malicious file downloads, crypto-miners, etc.

  • The outer ring represents the individual threat families that have been detected in the network. Threat families include ransomware, malicious binary files, etc.

The widget displays the threat name and a count of hosts where this threat has been observed when you hover your mouse over the graph.

When you click on an item in the graph, it zooms in and displays more details about the selected information type. Clicking again will zoom back out.

If you click an incident type in the inner ring, the graph zooms to display the matching incidents in the middle and outer ring. If you click a threat class in the middle ring, the graph zooms to display the matching threat families. If you click the outer ring, the graph zooms to display details about the selected threat.

The legend on the right side of the widget provides a count of the occurrences of the most frequent threats. When you hover your mouse over an item in the legend, a pop-up gives further information about the threat class, the number of incidents, and the number of affected hosts. Clicking on the item zooms the graph for the selected threat type and provides more contextual information.