Monitor and manage your endpoints in Nebula on the go with the ThreatDown Admin companion app. This app contains a limited feature set that allows Nebula administrators to view their console and take action on threats while away from their desks. The app is not available for OneView users.
Requirements
The following operating systems are supported for the ThreatDown Admin app.
- iOS: 26, 18, 17, 16, 15
- iPadOS: 26, 18, 17, 16, 15
- Android: 16, 15, 14, 13, 12, 11, 10, 9, 8, 7
Installation
Open the Apple App Store or Google Play Store and search for ThreatDown Admin, or click on the corresponding link from your mobile device.
iOS and iPadOS: ThreatDown Admin on the Apple App Store
Android: ThreatDown Admin - Apps on Google Play
Login
Once the app is installed, log in to the app with your Nebula credentials.
If you don't remember your Nebula password, tap Forgot Password and enter your email address to receive a password reset email.
- When two-factor authentication (2FA) is enabled for your account, a two-factor authentication code is required to log into the app.
- If you use Single Sign-On (SSO) to secure your Nebula environment, tap Sign in with SSO to log in through your SSO provider. Service Provider Initiated SSO must be enabled in Nebula. For more information, see Single sign-on in Nebula overview.
Navigation
When you log in to the app, you'll land on the Dashboard page. Click the hamburger button in the top-left to switch to the other pages. The sections below describe what you can do on each page.
Dashboard
The dashboard displays widgets that provide an overview of your endpoints, filterable by device type. For more information on widgets, see Dashboard page in Nebula. The following widgets are available on the Dashboard:
- Endpoint status: Displays the number of endpoints in each status. Tap on a status to navigate to the Endpoints page with the selected status as a filter. For information on what to do for each status, see Manage endpoints in Nebula.
- Detections by category: Displays the categories of detections found across your endpoints in the last 7 days. Use this to determine the attack vectors the endpoint agent is blocking within your environment.
- Endpoints by activity: Compares your total endpoint count to the number actively communicating with Nebula over the last 7 days. Use this metric to identify endpoints that may have lost connectivity.
- License usage: Displays the number of licenses used out of the number of licenses available. Use this to determine if you need to contact sales to add licenses.
Endpoints
The Endpoints page displays information for each endpoint managed in Nebula and allows you to perform actions on them from your mobile device. Only endpoints in Nebula groups that you manage are visible. Super Admins have access to all Nebula groups.
Filter endpoints
Tap the filter button to select filters and then tap Show Results to apply the filter. Choose between the following filters:
- Status
- Operating System
- Operating System version
- Operating System type
- Group
- Policy
- Endpoint Name
Tap Clear all to remove all applied filters.
Perform actions
Swipe left on an endpoint to perform an action on it. Choose between the following actions:
- Scan + Report
- Remediate
- Isolate Endpoint
- Scan + Quarantine
- Check for Protection Updates
- Remove Isolation
- Check for Agent Updates
- Update Agent
- Restart Endpoint
To perform actions on multiple endpoints at once, tap the Actions button and select the desired endpoints. Then choose between the actions at the bottom or tap More for additional options.
For detailed information on the available actions, see Perform actions on endpoints in Nebula.
Endpoint view
Tap on an endpoint to display the Endpoint View page. This screen has the following options:
- More details: View additional information such as policy name, agent version, Last User, MAC Address, and Location. We use a 3rd party IP lookup service to determine the device location, which is anonymized to a 25-mile radius for privacy reasons. The accuracy is expected within 99% on a country level, and around 60% on a city level for the United States. For more information, see Endpoint location data accuracy and privacy.
- Detections: View information about detected threats on this endpoint.
- Actions: Perform an action on the endpoint.
For more information on endpoint details, see Manage endpoints in Nebula.
Detections
The detections page displays threat activity in your Nebula environment from the last 90 days. Use this detailed information to learn more about each malicious activity and take action on those endpoints.
Filter and sort detections
Tap the filter button to select filters and then tap Show Results to apply the filter. Choose between the following filters:
- Endpoint Name
- Threat name
- Action taken
- Category
- Type
- Date
Tap Clear all to remove all applied filters.
To change how data is ordered, tap the sort button and select between Newest first or Oldest first.
Detection details
Tap on a detection to view more details. The following information is available:
- Threat name
- Action taken
- Detection category
- Detection type
- Detection location
- MD5 Hash
- SHA256 Hash
- Endpoint name
- Last user
- Scanned at
- Quarantined at
- Reported at
For a definition of each of these detection details, see Detection Log page in Nebula.
Tap Endpoint actions to perform an action on the endpoint with the detected threat.
Email Security
The Email Security page allows admins to review and categorize Email Security incidents from the Needs Attention page on the fly. These incidents include emails that users have requested for release, reported as phishing, or that Email Security was unable to confidently classify.
As admins and end-users categorize, report, and request the release of emails, the adaptive AI learns from these behaviors to improve the detection engine. This minimizes the work needed by admins and users over time.
Filter incidents
Tap the filter button to select filters and then tap Show Results to apply the filter. Choose between the following filters:
- Status
- Incident ID
- Created at
- Recipient Email
- Sender Email
Tap Clear all to remove all applied filters.
Categorize incidents
Swipe left on an incident or tap the incident and press Actions to categorize it. Choose between the following actions:
- Categorize as Phishing: The email remains quarantined and is logged as Phishing.
- Categorize as Spam: The email remains quarantined and is logged as Spam.
- Categorize as Safe: Marks the incident as safe and releases the email to the mailbox.
Email Incident Details
Tap on an incident to view more details. The following information is available:
- Incident Details: Key information including the subject, categorization, reporter, and who reported the incident.
- Escalated Email: The content of the flagged email, including recipient, sender, body, links, and attachments.
- Sender Relationship Assessment: An analysis of the history between the sender and recipient, such as whether this is the first email exchange between them.
- Sender Fingerprints: Identifying sender information, including the sender and reply-to email addresses and the mail server IP.
-
Categorization Confidence: The confidence score associated with the incident's assigned categorization.
Associated Emails: Other similar emails identified as part of the same threat campaign.
For more information on the Needs Attention page of Email Security, see Email Security Needs Attention page in Nebula.
Settings
The settings page lets you manage your settings and other Nebula users, and view the app version.
Account
From the Account page, you can toggle logging in with FaceID or biometrics if it is supported on your device.
Once you're done with the app, tap Sign out to log out of the ThreatDown Admin app. Otherwise, you will be automatically logged out based on your account session timeout settings. This setting must be configured from the Nebula console. For more information, see User profile settings in Nebula.
Users
From the Users page, you can add and delete other users.
- Tap Add user to add another Nebula user. Enter the email address, select a role, and select which groups the new administrator can access. For more information on user roles and the process of adding a user, see Manage Users in Nebula.
- Once a user is added, an invitation email is sent to the new administrator. The user has 14 days to accept the invitation. If the invitation expires, select their name and tap Resend Invite Email.
- If a user needs to be deleted from Nebula, select the user and tap Delete User.
Notifications
Enable push notifications to receive real-time alerts about threats and user activities in your environment. To receive notifications for the ThreatDown Admin app, you must first allow them and then configure them to be sent to the app.
From the Notifications page, click or toggle on Allow notifications. If you need to disable a specific notification, you can also use this page to toggle it off.
Once notifications have been allowed in the app, configure your Nebula notifications in the console to include the ThreatDown Admin app as a delivery method. For more information, see Set up notifications in Nebula.