The Detection Log page in Nebula displays information on all threats found on your endpoints with the action taken for each item. Clicking on each detection provides further information.
Detections are an audit trail, so items cannot be deleted on this page, and instead of updating the original detection, a new record is created when a new event occurs. Multiple detections can occur with the same threat name on an endpoint for the following reasons:
- A scan reports an item as found and a repeated scan reports the same item as quarantined.
- The file is restored from quarantine.
- The same file is found or blocked multiple times across different scans.
Detection and threat types
Nebula protects your environment by detecting, blocking, or quarantining threats. Each detection includes a clickable link that provides details of the threat and similar common threats. For a detailed list of threat information, see Lab Detections.
For information on Potentially Unwanted Programs or PUP's, see What is a PUP? - How to avoid potentially unwanted programs.
View detections
You can see the list of all detections up to 365 days prior. On the left navigation menu, go to Monitor > Detection Center > Detection Log to view this section in Nebula.
Expand detection details
Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:
- Category: The protection triggered by the detection. Filter by malware, PUP, PUM, exploit, ransomware, remote intrusion, website, or vulnerable driver detections.
- Type: The type of detection, such as a file or outbound connection. Filter by application, browser, exploit, extension, file, folder, inbound connection, module, outbound connection, process, registry key, or registry value.
- Action taken: The current status of the detection, such as Found, Quarantined or Blocked.
- Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
- Last user: The last user logged into the endpoint.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- SHA256 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Scanned At: The date and time the detection was scanned.
- Quarantined At: The date and time the detection was quarantined.
- Reported At: The time and date Nebula reported the detection.
- Scan ID: The unique identifier of the scan for the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Group Name: Click the name of the group to view the endpoints that belong to the same group.
- Policy Name: Click the name of the policy to view the endpoints using the same policy.
- Detection history: Shows the history of the threat on the specific endpoint.
The available information in the window varies between types and how they are detected.
Actions taken
The Actions taken column on the Detection Log page shows what action occurred for each detected item. Refer to the table below for an explanation of each action:
| Action taken | Description |
| --- | --- |
| Blocked | Nebula blocked the action and stopped the threat. Categories of detections blocked: |
| Found | Nebula reported the detection, though no action was taken. Categories of detections found: The Remediation Required status displays for endpoints when a Malware, PUM, PUP, or Ransomware threat is detected by a Scan + Report, or by a scheduled Scan where Quarantine threats automatically is unchecked. For more information, see Manage endpoints in Nebula. To clear the status: A Remote Intrusion detection is displayed as found when the configured threshold of failed password attempts is exceeded within the timeframe. For more information, see Brute Force Protection policy settings in Nebula. To prevent this: |
| Deleted | The quarantined item was deleted from the endpoint as a result of a delete task issued from the console by selecting the item in the quarantine list (index). |
| Quarantined | Nebula detected an item, made an encrypted copy of the item in the local quarantine on the endpoint, and deleted the original. The quarantine list in the console is an index of items on the endpoint. Categories of quarantined detections: See Manage quarantine in Nebula for further details about managing the Quarantine function. |
| Restored | The quarantined item was restored on the endpoint to its original location. |
Actions menu
In the top-left, click the Actions button on the Detection Log page:
- Download .csv: Export a report in .csv format containing the selected rows of data.
- Download .xlsx: Export a report in .xlsx format containing the selected rows of data.
- If the data size is too large to download, an email will be sent instead with a link to download the export.
- Create exclusion: Create exclusions on the selected detections. Only Super Admins can create exclusions. For more information on exclusions, see Overview of exclusions in Nebula.
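Because the Detection Log is an append-only audit trail (a new record per event rather than an updated one), a .csv export can be replayed to reconstruct each threat's history per endpoint, find items that are still present (latest record Found or Restored), and collect the unique SHA256 values for a Flight Recorder or threat intelligence lookup. The following is an added example and not Nebula's own code; the column headers and the sample rows are constructed assumptions modelled on the columns described on this page, and a real export may name them differently.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Header names are assumed; hash values are not real.
SAMPLE_CSV = """Date,Endpoint,Threat name,Category,Type,Action Taken,SHA256 Hash
2024-03-01 09:12:00,WS-014,Trojan.Agent,Malware,File,Found,aa11
2024-03-01 09:30:00,WS-014,Trojan.Agent,Malware,File,Quarantined,aa11
2024-03-02 11:05:00,WS-014,Trojan.Agent,Malware,File,Restored,aa11
2024-03-02 14:00:00,SRV-02,PUP.Optional.Bundler,PUP,File,Found,bb22
2024-03-03 08:45:00,WS-021,Malware.Exploit.Agent,Exploit,Exploit,Blocked,
"""

# Actions after which the item is still on the endpoint (see the Actions taken table).
PRESENT_ACTIONS = {"Found", "Restored"}


def load_detections(text):
    """Parse the export and turn the Date column into datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Date"] = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
    return rows


def detection_histories(rows):
    """Group audit-trail records per (endpoint, threat name), ordered by time.

    Mirrors the Detection history field: one list of actions per threat per endpoint.
    """
    histories = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["Date"]):
        histories[(row["Endpoint"], row["Threat name"])].append(row["Action Taken"])
    return dict(histories)


def still_present(histories):
    """(endpoint, threat) pairs whose most recent record leaves the item on disk."""
    return sorted(key for key, actions in histories.items()
                  if actions[-1] in PRESENT_ACTIONS)


def hashes_for_lookup(rows):
    """Unique, non-empty SHA256 values; empty cells mean no file was present."""
    return sorted({row["SHA256 Hash"] for row in rows if row["SHA256 Hash"]})


if __name__ == "__main__":
    detections = load_detections(SAMPLE_CSV)
    for key, actions in detection_histories(detections).items():
        print(key, " -> ".join(actions))
    print("still present:", still_present(detection_histories(detections)))
    print("hashes:", hashes_for_lookup(detections))
```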
Create exclusions
A Super Admin can create an exclusion from the Detection Log page to prevent the item from being detected again. For more information on exclusions, see Overview of exclusions in Nebula. To create an exclusion from the Detection Log page:
- Check the checkboxes for the detected items to be excluded.
- Click Actions > Create Exclusions.
- To enable the exclusion once it's created, toggle on Enable/disable.
- Confirm the selected entries and add a comment if desired.
- Select whether or not to apply the exclusion to all policies.
- Click Validate.
- Review the exclusions and click Save.
Filter and sort detections
The main area of the Detection Log page shows the list of all detected threat data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.
You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size this column or all columns.
Click on a column filter icon to narrow the results. When clicking on the filter icon, the filter list at the top of the screen shows which filters are applied. Click on a filtered item to remove it, or Clear Filters to remove them all.
You can filter columns for the following values:
- Action Taken: The action that Nebula took on the detection. Filter by blocked, found, quarantined, deleted, or restored.
- Agent version: Version of the Endpoint agent.
- Category: The protection that was triggered by the detection. Refer to the table below to see the available categories.
- Date: The date and time of the detection. Filter to sort by today, yesterday, last 7 days, last 30 days, or a custom date range.
- Device: USB device the threat was detected on.
- Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
- Group: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
- IP Address/CIDR: If the detection is a Malicious Website, this field shows the website's IP Address.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographically generated unique number identifying a file. It may show as empty if a file is not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- OS platform: The detected endpoint's operating system.
- OS release name: The detected endpoint's operating system release name.
- OS type: Workstation or Server.
- OS version: The detected endpoint's operating system version number or build number.
- SHA256 Hash: Cryptographically generated unique number identifying a file. It may show as empty if a file is not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- Threat name: Click the name to open a glossary explanation of the detection.
- Type: The type of detection. Refer to the table below to see the available types.
- User: Logged in user during this detected activity.
Detection categories and types
| Category | Protection layer | Type |
| --- | --- | --- |
| Malware, PUP, PUM, Vulnerable Driver | Malware protection | Application, File, Folder, Module, Process, Registry Key, Registry Value |
| Exploit | Exploit Protection | Exploit |
| Website | Web Protection | Inbound Connection, Outbound Connection |
| Website | Browser Phishing Protection | Browser |
| Ransomware | Behavior Ransomware Protection | Application, File, Folder, Module, Process, Registry Key, Registry Value |
| Remote intrusion | Brute Force Protection | Inbound Connection, Outbound Connection |
Group detection details
To refine and collate results, one or more column headers may be dragged onto the group results bar. Columns which may be grouped are:
- Action taken
- Category
- Endpoint
- Group
- OS platform
- OS type
- Type