Skip to main content

Detection Log page in Nebula

Updated: 

The Detection Log page in Nebula displays information on all threats found on your endpoints with the action taken for each item. Clicking on each detection provides further information.

Detections are an audit trail, so items cannot be deleted on this page, and instead of updating the original detection, a new record is created when a new event occurs. Multiple detections can occur with the same threat name on an endpoint for the following reasons:

  • A scan is reporting an item is found and a repeated scan is reporting an item as quarantined.
  • The file is restored from the quarantined.
  • The same file is found or blocked multiple times across different scans.

Detection and threat types

Nebula protects your environment by detecting, blocking, or quarantining threats. Each detection includes a clickable link that provides details of the threat and similar common threats. For a detailed list of threat information, see Lab Detections.

For information on Potentially Unwanted Programs or PUP's, see What is a PUP? - How to avoid potentially unwanted programs.

View detections

You can see the list of all detections up to 365 days prior. On the left navigation menu, go to Monitor > Detection Center > Detection Log to view this section in Nebula.

Expand detection details

Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:

  • Category: The protection triggered by the detection. Filter by malware, PUP, PUM, exploit, ransomware, remote intrusion, website, or vulnerable driver detections.
  • Type: The type of detection, such as a file or outbound connection. Filter by application, browser, exploit, extension, file, folder, inbound connection, module, outbound connection, process, registry key, or registry value.
  • Action taken: The current status of the detection, such as Found, Quarantined or Blocked.
  • Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
  • Last user: The last user logged into the endpoint.
  • Location: The location of the detection on the endpoint. Contents change with the type of detection. 
  • MD5 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
  • SHA256 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
  • IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
  • Port: If the detection is a Malicious Website, this field shows the port the connection used.
  • Process Name: The file path of the process.
  • Scanned At: The date and time the detection was scanned.
  • Quarantined At: The date and time the detection was quarantined.
  • Reported At: The time and date Nebula reported the detection.
  • Scan ID: The unique identifier of the scan for the detection.
  • Detection Name: Click the name to open a glossary explanation of the detection.
  • Domain: If the detection is a Malicious Website, this field shows the web URL.
  • Group Name: Click the name of the group to view the endpoints that belong to the same group.
  • Policy Name: Click the name of the policy to view the endpoints using the same policy.
  • Detection history; Shows the history of the threat on the specific endpoint.

The available information in the window varies between types and how they are detected.

Actions taken

The Actions taken column on the Detection Log page shows what action occurred for each detected item. Refer to the table below for an explanation of each action:

Action taken Description
Blocked

Nebula blocked the action and stopped the threat. 

Categories of detections blocked:

  • Exploit
  • Website
  • Remote Intrusion: FTP, IMAP, POP3, RDP, MSSQL, SSH, SMTP
  • PUM
  • Vulnerable driver: Vulnerable high-level software components that can be abused by attackers. If needed, the application is needed, add an exclusino.
Found

Nebula reported the detection, though no action was taken.

Categories of detections found:

  • Malware, PUM, PUP, Ransomware
    • Can occur from real-time protection, on-demand or scheduled scans
  • Remote Intrusion: FTP, IMAP, POP3, RDP, MSSQL, SSH, SMTP
    • Occurs Brute Force Protection (BFP) is set to monitor and detect.

The Remediation Required status displays for endpoints when a Malware, PUM, PUP, or Ransomware threat is detected by a Scan + Report, or a scheduled Scan where Quarantine threats automatically is unchecked. For more information, see Manage endpoints in Nebula.

To clear the status:

  • Add exclusions if required.
  • Rescan the endpoint with one of the following options:
    • Click Remediate from the Endpoints page.
    • Click Actions > Scan + Quarantine from the Endpoints page. 
    • Click Quarantine from the Active Detections page.
    • Click Ignore & Create exclusion from the Active Detections page.
    • Edit schedules and check the Quarantine threats automatically checkbox, then wait for the scan to run again.

A Remote Intrusion detection found is displayed when the configured threshold of failed password attempts is exceeded within the timeframe. For more information, see Brute Force Protection policy settings in Nebula.

To prevent this:

  • Enable block mode.
  • Review infrastructure protecting endpoint or terminal server.
Deleted

Quarantined item was deleted from the endpoint, as a result of a delete task from the console, selecting an item in the quarantine list/index.
Quarantined

Nebula detected an item, made an encrypted copy of the item to local quarantine on the endpoint, and deleted the original. The quarantine list in the console is an index to items on the endpoint.

Categories of quarantined detections:

  • Malware
  • PUM
  • PUP
  • Ransomware

See Manage quarantine in Nebula for further details about managing the Quarantine function
Restored

Quarantined item was restored on the endpoint to its original location.

Actions menu

In the top-left, click the Actions button on the Detection Log page:

  • Download .csv: Export a report in .csv format containing the selected rows of data.
  • Download .xlsx: Export a report in .xlsx format containing the selected rows of data.
    • If the data size is too large to download, an email will be sent instead with a link to download the export.
  • Create exclusion: Create exclusions on the selected detections. Only Super Adminis can create exclusions. For more information on exclusions, see Overview of exclusions in Nebula
  • Create false positive request: Send a request to our research team to review if a blocked website is a false positive. If research deems the website safe, the website will be unblocked in the next few hours.

Create exclusions

A Super Admin can create an exclusion from the Detection Log page to prevent the item from being detected again. For more information on exclusions, see Overview of exclusions in Nebula. To create an exclusion from the Detection Log page: 

  1. Check the checkboxes for the detected items to be excluded.
  2. Click Actions > Create Exclusions.
  3. To enable the exclusion once it's created, toggle on Enable/disable.
  4. Confirm the selected entries and add a comment if desired.
  5. Select whether or not to apply the exclusion to all policies.
  6. Click Validate.
  7. Review the exclusions and click Save

Filter and sort detections

The main area of the Detection Log page shows the list of all detected threat data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.

You can customize data in the results list in the following ways:

  • Click Add / Remove Columns above the results list to choose which columns to display.
  • Drag and drop certain column headers to the results bar to group data by those parameters.
  • Hover your cursor over a column header to reveal a hamburger icon 2020-08-06_13-31-16__1_.png with options to pin and auto-size this column or all columns.

Click on a column filter icon 2020-04-16_9-24-12__3_.png to narrow the results. When clicking on the filter icon, the filter list at the top of the screen shows which filters are applied. Click on a filtered item to remove it, or Clear Filters to remove them all.

You can filter columns for the following values:

  • Action Taken: The action that Nebula took on the detection. Filter by blocked, found, quarantined, deleted, or restored
  • Agent version: Version of the Endpoint agent.
  • Category: The protection that was triggered by the detection. Refer to the table below to see the available categories. 
  • Date: The date and time of the detection. Filter to sort by today, yesterday, last 7 days, last 30 days, or a custom date range.
  • Device: USB device the threat was detected on.
  • Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
  • Group: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
  • IP Address/CIDR: If the detection is a Malicious Website, this field shows the website's IP Address.
  • Location: The location of the detection on the endpoint. Contents change with the type of detection. 
  • MD5 Hash: Cryptographically generated unique number identifying a file. It may show as empty if a file is not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
  • OS platform: Detected endpoints operating system.
  • OS release name: Detected endpoints operating system release name. 
  • OS type: Workstation or Server.
  • OS version: Detected endpoints operating system version number or build number.
  • SHA256 Hash: Cryptographically generated unique number identifying a file. It may show as empty if a file is not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
  • Threat name: Click the name to open a glossary explanation of the detection.
  • Type: The type of detection. Refer to the table below to see the available types. 
  • User: Logged in user during this detected activity.

Detection categories and types

Category Protection layer Type

Malware

PUP

PUM

Vulnerable Driver

 Malware protection

Application

File

Folder

Module

Process

Registry Key

Registry Value

Exploit

 Exploit Protection

Exploit

Website

 Web Protection

Inbound Connection

Outbound Connection

Website

 Browser Phishing Protection

Browser

Ransomware

 Behavior Ransomware Protection

Application

File

Folder

Module

Process

Registry Key

Registry Value

Remote intrusion

 Brute Force Protection

Inbound Connection

Outbound Connection

Group detection details

To refine and collate results, one or more column headers may be dragged onto the group results bar.  Columns which may be grouped are:

  • Action taken
  • Category
  • Endpoint
  • Group
  • OS platform
  • OS type
  • Type

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more