The Detections page in Nebula displays information on all threats, and potential threats, with the action taken for each item found on endpoints in your environment. Clicking on each detection provides further information.
Detections are an audit trail: items cannot be deleted on this page, and when a new event occurs a new record is created instead of updating the original detection. As a result, multiple detections with the same threat name can appear for one endpoint, for example:
- A scan reports an item as found, and a repeated scan reports the same item as quarantined.
- A threat name appears multiple times on the Detections page with the same timestamp.
Detection and threat types
Nebula protects your environment by detecting, blocking, or quarantining threats. Each detection includes a clickable link that provides details of the threat and similar common threats. For a detailed list of threat information, see Lab Detections.
For information on Potentially Unwanted Programs (PUPs), see What is a PUP? - How to avoid potentially unwanted programs.
View detections
You can see the list of all detections up to 90 days prior. On the left navigation menu, go to Monitor > Detections to view this section in the Nebula console.
Expand detection details
Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:
- Action Taken: The action that Nebula took on the detection.
- Category: The protection that was triggered by the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
- Group Name: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
- IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Reported At: The time and date Nebula reported the detection.
- SHA256 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- Scanned At: The date and time the detection was scanned.
- Type: The type of detection, such as a file or outbound connection.
Actions taken
The Actions taken column on the Detections page shows what action occurred for each detected item. Refer to the table below for an explanation of each action:
Action taken | Description
Blocked | Nebula blocked the action and stopped the threat. Types of detections blocked:
Found | Nebula reported the detection, though no action was taken. Types of detections found:
  The Remediation Required status displays for endpoints when a Malware, PUM, PUP, or Ransomware threat is detected by a Scan + Report, or by a scheduled Scan where Quarantine threats automatically is unchecked. For more information, see Manage endpoints in Nebula. To clear the status:
  A Remote Intrusion detection is displayed as found when the configured threshold of failed password attempts is exceeded within the timeframe. For more information, see Configure Brute Force Protection in Nebula. To prevent this:
Deleted | A quarantined item was deleted from the endpoint as a result of a delete task issued from the console by selecting the item in the quarantine list (index).
Quarantined | Nebula detected an item, made an encrypted copy of the item in the local quarantine on the endpoint, and deleted the original. The quarantine list in the console is an index of items on the endpoint. Types of quarantined detections:
  See Quarantine page in Nebula for further details about managing the Quarantine function.
Restored | A quarantined item was restored on the endpoint to its original location.
Create exclusions
A Super Admin can create an exclusion from the Detections page to prevent the item from being detected again. For more information on exclusions, see Overview of exclusions in Nebula. To create an exclusion from the Detections page:
- Check the checkboxes for the detected items to be excluded.
- Click Create Exclusions.
- To enable the exclusion once it's created, toggle on Enable/disable.
- Confirm the selected entries and add a comment if desired.
- Select whether or not to apply the exclusion to all policies.
- Click Validate.
- Review the exclusions and click Save.
Filter and sort detections
The main area of the Detections screen shows the list of all detected threat data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.
You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size this column or all columns.
Click on a column filter icon to narrow the results. When clicking on the filter icon, the filter list at the top of the screen shows which filters are applied. Click on a filtered item to remove it, or Clear Filters to remove them all.
You can filter columns for the following values:
- Action Taken: The action that Nebula took on the detection. Filter by blocked, found, quarantined, deleted, or restored.
- Agent version: Version of the Endpoint agent.
- Category: The protection that was triggered by the detection. Filter by malware, PUP, PUM, exploit, ransomware, remote intrusion, or website detections.
- Date: The date and time of the detection. Filter by today, yesterday, last 7 days, last 30 days, or a custom date range.
- Device: USB device the threat was detected on.
- Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
- Group: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
- IP Address/CIDR: If the detection is a Malicious Website, this field shows the website's IP Address.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographically generated unique number identifying a file. It may show as empty if a file is not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- OS platform: The detected endpoint's operating system.
- OS release name: The detected endpoint's operating system release name.
- OS type: Workstation or Server.
- OS version: The detected endpoint's operating system version number or build number.
- SHA256 Hash: Cryptographically generated unique number identifying a file. It may show as empty if a file is not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as www.virustotal.com.
- Threat name: Click the name to open a glossary explanation of the detection.
- Type: The type of detection. Filter by exploit, extension, file, folder, inbound connection, module, outbound connection, process, registry key, or registry value.
- User: The user logged in during the detected activity.
Group detection details
To refine and collate results, drag one or more column headers onto the group results bar. The columns that can be grouped are:
- Action taken
- Category
- Device type
- Endpoint
- Group
- OS platform
- Type