The Monitor > Detection Center > Active Detections page in OneView displays information on threats found across all sites that haven't been quarantined yet. The Active Detections table helps admins more efficiently manage all threats that aren't quarantined. This table is a snapshot of the current threats on your endpoints.
Manage active detections
If there are active threats in your environment, we recommend reviewing and taking action on them from this page. Click the ellipsis icon in the top-right to view the available actions on this page:
- Quarantine: Neutralizes the threat and places it in a safe and secure location on the endpoint. This is so it can be restored at a later point in time if needed. The entry is moved from the Active Detections page to the Quarantined Detections page.
- Ignore & create exclusion: Removes the selected entry from the list and creates an exclusion to prevent the item from being detected again. All user roles are able to create exclusions with the exception of viewers. For more information on exclusions, see Overview of exclusions in OneView.
- Download .csv: Export a report in .csv format containing the selected rows of data.
- Download .xlsx: Export a report in .xlsx format containing the selected rows of data.
- If the data size is too large to download, an email will be sent instead with a link to download the export.
View and sort data
The following data is available in the Active Detections table:
- Category: The protection triggered by the detection.
- Date: The date and time the detection was found.
- Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
- Location: The location of the detection on the endpoint.
- Site: The OneView site the endpoint is assigned to.
- Threat name: Click the name to open a glossary explanation of the detection.
- Type: The type of detection, such as a file or outbound connection.
Filter and sort the data using the following features on the Active Detections table.
- Filter results: Next to a column header, click the filter icon to narrow the results. When you click the filter icon, the filter list at the top of the screen shows which filters are applied. Click a filtered item to remove it, or click Reset filters to return to the default filter settings.
- Customize table columns: In the top-right of the table, click Add / Remove Columns to customize the table columns.
- Column pinning and auto-sizing: Next to a column header, click the hamburger menu button to display a checkbox list of sub-filters you can apply. The same menu lets you pin or auto-size the selected column.
Expand active detection details
Under the Threat Name column, click one of the listed active threat names to view more details. In the Active Detections window, you can view the following information:
- Category: The protection triggered by the detection.
- Type: The type of detection, such as a file or outbound connection.
- Action taken: The current status of the detection, such as Found, Quarantined or Blocked.
- Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
- Last user: The last user logged into the endpoint.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographic hash identifying a file. May show as empty if the file was not present. Use it as a key to search in Flight Recorder or external threat intelligence sites such as www.virustotal.com. MD5 is not collision-resistant, so prefer the SHA256 hash for lookups when one is present.
- SHA256 Hash: Cryptographic hash uniquely identifying a file. May show as empty if the file was not present. Use it as a key to search in Flight Recorder or external threat intelligence sites such as www.virustotal.com.
- IP Address: If the detection is a Malicious Website, this field shows the website's IP address.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Scanned At: The date and time the detection was scanned.
- Quarantined At: The date and time the detection was quarantined.
- Reported At: The time and date OneView reported the detection.
- Scan ID: The unique identifier of the scan for the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Group Name: Click the name of the group to view the endpoints that belong to the same group.
- Policy Name: Click the name of the policy to view the endpoints using the same policy.
- Detection history: Shows the history of the threat on the specific endpoint.
The available information in the window varies between types and how they are detected.
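As an added example that is not part of this OneView article, the following Python script triages a .csv export of the Active Detections table: it counts detections per site, collects the distinct SHA256 hashes for lookup in Flight Recorder or an external intelligence source, flags file detections exported with an empty hash, and pulls the domain/IP/port out of Malicious Website detections. The column names follow this page, but the exact header names and date format of a real export are an assumption, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of an Active Detections .csv export (not a real export).
# Column names follow the table on this page; the exact header names and the
# date format in a real export are an assumption. The hash values are the
# well-known digests of the empty string, used here purely as placeholders.
SAMPLE_CSV = """\
Category,Date,Endpoint,Location,Site,Threat name,Type,MD5 Hash,SHA256 Hash,Domain,IP Address,Port
Malware,2024-05-01 10:12,WS-001,C:\\Users\\a\\Downloads\\x.exe,HQ,Trojan.Agent,File,d41d8cd98f00b204e9800998ecf8427e,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,,
Malware,2024-05-01 11:02,WS-002,C:\\Temp\\x.exe,HQ,Trojan.Agent,File,d41d8cd98f00b204e9800998ecf8427e,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,,
Malware,2024-05-01 13:40,WS-004,C:\\gone.exe,Branch,Trojan.Dropper,File,,,,,
Website,2024-05-02 09:30,WS-003,,Branch,Malicious Website,Outbound connection,,,bad.example,203.0.113.7,443
PUP,2024-05-02 12:00,WS-001,HKLM\\Software\\Foo,HQ,PUP.Optional.Foo,Registry key,,,,,
"""


def load_detections(text):
    """Parse an export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Group active detections so each bucket can be actioned in one pass."""
    per_site = Counter(r["Site"] for r in rows)
    # One entry per distinct file, so repeated hits on the same sample are
    # looked up only once in Flight Recorder or an external intel source.
    unique_sha256 = sorted({r["SHA256 Hash"] for r in rows if r["SHA256 Hash"]})
    # File detections exported with an empty hash (file no longer present)
    # cannot be looked up by hash and need a manual look at the endpoint.
    unhashed_files = [(r["Endpoint"], r["Location"])
                      for r in rows if r["Type"] == "File" and not r["SHA256 Hash"]]
    # Malicious Website detections carry domain/IP/port instead of a file hash.
    website_detections = [(r["Endpoint"], r["Domain"], r["IP Address"], r["Port"])
                          for r in rows if r["Threat name"] == "Malicious Website"]
    return {
        "per_site": per_site,
        "unique_sha256": unique_sha256,
        "unhashed_files": unhashed_files,
        "website_detections": website_detections,
    }


if __name__ == "__main__":
    for key, value in summarize(load_detections(SAMPLE_CSV)).items():
        print(key, value)
```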