Nebula offers detailed endpoint management through the Endpoints screen. Select one or more endpoints from the page to perform actions across endpoints in your environment. For more information, see Perform actions on endpoints in Nebula.
On the left navigation pane, go to Manage > Endpoints to access your endpoints.
WebSocket communication status
View the endpoint's real-time WebSocket communication status indicator to the left of each endpoint name. The indicator shows the following status colors and options:
- Active: The green status indicator displays when the WebSocket connection on the endpoint is active. Real-time communication occurs between the endpoint and Nebula to receive and process tasks or changes. This also affects the Last Connected date in the console, which is the last time the endpoint connected to the ThreatDown servers.
- Inactive: The gray status indicator displays during any of the following:

Note: Endpoints check in with a 5-minute polling interval for tasks and changes. If the status indicator is gray, filter endpoints by Today in the Last Sync column to verify active communication. If endpoints are using the 5-minute polling interval to check for tasks and changes, the Last Sync date should continue to update, even when the green dot doesn't display or the Last Connected date isn't updating.
The Status column uses icons to show endpoints needing attention. The list below describes the different endpoint statuses. On the Endpoints screen, you can click an icon to view additional details or to act on the endpoint.
- Needs attention indicator: Displays if the endpoint is not configured correctly or has a problem. To view status indicators, see Status indicator error messages in Nebula.
- Active Detections: Displays the number of endpoints with active infections that require remediation. This is prompted by unremediated endpoints that have Found detections. Recommendation:
- Remediation pending: Displays when a remediation of threats is pending on the endpoint. A Quarantine Threats Task is queued for the endpoint to execute; it expires after 3 days. Recommendation:
- Remediation in progress: Displays when the endpoint is being remediated.
- Restart required: Displays the number of endpoints that need a system reboot. Endpoints must reboot to complete remediation or make changes to software. Recommendation:
- Reboot pending: A reboot command is still pending. A Reboot Task is queued for the endpoint to execute; it expires after 3 days. Recommendation:
- Scan needed: Displays the number of endpoints not scanned within the last 7 days, including endpoints that have never had a first scan. Regular scans are important to keep endpoints free of threats. Endpoints scan autonomously while offline but need to connect to return scan results. Recommendation:
- Scan pending: Displays when a scan is pending on the endpoint. A Scan Task is queued for the endpoint to pick up and execute; it expires after 3 days. Recommendation:
- Scan in progress: Displays when a scan is currently running on the endpoint.
- Suspicious activity: Displays the number of endpoints with suspicious activities found. Investigate suspicious activity to keep your endpoints protected. For Endpoint Detection and Response. Recommendation: After investigating, click the Remediate or Close Incident options.
- Endpoints isolated: Displays the number of endpoints that have their communication or access restricted to prevent threats from spreading between endpoints. For Endpoint Detection and Response. Recommendation: After resolving the endpoint issue, click the Remove Isolation option.
- Agent update available: Displays the number of endpoints that need a software update. Recommendation:
Filter endpoints
Nebula uses filters to simplify management tasks across many endpoints. The main area of the Endpoints screen shows the list of all endpoint data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.
You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Use the filters in the column headers to view specific data or Clear Filters to remove them all.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
The Endpoints filter allows a search by endpoint name. Click the Endpoints filter icon and enter an endpoint host name or alias to narrow the endpoints displayed.
The Last Sync filter lists endpoints based on when they last checked in. Times shown are based on your browser's time zone.
Add or remove table columns
Click Add / Remove Columns above the results table to choose the column headers displayed on your results table. This will narrow or widen the endpoint information displayed on the results table, allowing you to customize your Endpoints page. Click and drag a column header left or right to rearrange the column order. Or, click and drag the edge of a column header to narrow or widen the column.
For endpoint review, we recommend displaying the following columns on the Endpoints page:
- Endpoint: Filter by the endpoint hostname.
- Group: Filter by the endpoint's group.
- Policy: Filter by the endpoint's policy.
- Status: Filter by status icon for each endpoint.
- Last Sync: Filter to determine if endpoints are checking in with Nebula regularly.
- Last Scan date: Filter to investigate the last scan time.
- Protection Service Version: Filter to check the endpoint protection service version.
- OS release name: Filter for operating systems on each endpoint.
- Protection Status: Filter to find endpoints that are unprotected or having issues with the software. For more information, see Endpoint protection statuses in Nebula.
Pin and auto-size columns
Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns. These options allow you to customize your Endpoints results table further. Click the hamburger icon to reveal the following options in the drop-down menu:
- Pin left: Pins selected column to the left side of your results table. Column remains static while scrolling left or right on the results table.
- Pin right: Pins selected column to the right side of your results table. Column remains static while scrolling left or right on the results table.
- Unpin: This option is only visible for left or right pinned columns. This un-pins the column and returns it to its original place in the results table.
- Auto-size this column: Automatically adjusts the selected column's width to fit the text in the cells.
- Auto-size all columns: Automatically adjusts the column width for all your columns to fit the text in the cells.
Export endpoint data
Data in the Endpoints results table can be copied and pasted into another file or downloaded as a spreadsheet. Click and drag your cursor to select data in the Endpoints results table, then right-click the highlighted data to display a context menu with the following options:
- Download .csv: Exports the selected data as a .csv file to your local machine.
- Download .xlsx: Exports the selected data as a .xlsx file to your local machine.
- If the data size is too large to download, an email will be sent instead with a link to download the export.
- Copy: Copies the selected data to your clipboard.
- Copy with Headers: Copies the selected data and the column headers of the selected rows to your clipboard.
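One way to review an exported .csv offline against the thresholds this page gives (the 7-day scan window, the 3-day task expiry, and a Last Sync of Today). This is an added example, not ThreatDown code; the column headers, the timestamp format and the sample rows are assumptions constructed for illustration, so match them to your actual export.

```python
import csv
import io
from datetime import datetime, timedelta

# Thresholds from this page: "Scan needed" means no scan in the last 7 days;
# queued scan, reboot and quarantine tasks expire after 3 days.
SCAN_MAX_AGE = timedelta(days=7)
TASK_EXPIRY = timedelta(days=3)
TIME_FORMAT = "%Y-%m-%d %H:%M"  # assumed export timestamp format

# Constructed sample export. Header names are assumed to mirror the
# recommended columns; times are assumed to share one time zone with `now`.
SAMPLE_CSV = """Endpoint,Group,Last Sync,Last Scan date,Protection Status
ws-001,Sales,2024-05-14 09:02,2024-05-13 22:10,Protected
ws-002,Sales,2024-05-14 08:57,2024-05-01 03:00,Protected
srv-db1,Servers,2024-05-09 17:30,2024-05-09 02:00,Protected
lt-044,Remote,2024-05-14 07:45,,Protected
"""

def parse_time(value):
    """Return a datetime, or None for an empty cell (never synced or scanned)."""
    value = value.strip()
    return datetime.strptime(value, TIME_FORMAT) if value else None

def triage(csv_text, now):
    """Map endpoint name -> findings derived from Last Sync and Last Scan date."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        last_sync = parse_time(row["Last Sync"])
        last_scan = parse_time(row["Last Scan date"])
        if last_scan is None:
            issues.append("never scanned")
        elif now - last_scan > SCAN_MAX_AGE:
            issues.append("scan older than 7 days")
        if last_sync is None or last_sync.date() != now.date():
            issues.append("no sync today")
        if last_sync is None or now - last_sync > TASK_EXPIRY:
            issues.append("last sync older than 3-day task expiry")
        if issues:
            findings[row["Endpoint"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in triage(SAMPLE_CSV, datetime(2024, 5, 14, 9, 5)).items():
        print(f"{name}: {', '.join(issues)}")
```

An endpoint whose last sync is older than the task expiry will not pick up a scan or reboot task queued when it went quiet, so re-queue the task once the endpoint checks in again.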
Endpoint details
In the table, click an endpoint name to open a slide-out panel with the endpoint's details. All dates and times shown are relative to your browser settings.
- Overview: Displays the endpoint name, version information, host and agent information, Operating System, Network Interfaces, Memory information, and Storage device information.
- Active Detections: Displays detections found that need remediation. These detections are found either by the Scan + Report action or by a scan with the automatic quarantine option disabled.
- Quarantined Detections: Displays files quarantined by the Scan + Quarantine action or scheduled scans with the automatic quarantine option enabled. Quarantined files are isolated from the endpoint operating system to prevent potential infection. Displays quarantined files up to 30 days old.
- Detection Log: Displays all detections. Selectable by type and actions taken.
- Suspicious Activity: Displays Suspicious Activity events found. Requires an Endpoint Detection and Response subscription.
- Events: Displays logged activities on the endpoint and their severity.
- Tasks: Displays the status of requested or completed operations on the endpoint.
- Scan History: Displays scan records up to 30 days old, their Total Detections, Type, and Origin.
- Software: Displays the software installed on the endpoint.
- Updates: Displays the latest software updates on the endpoint.
- Startup Programs: Displays startup programs on the endpoints.
Refresh assets using Actions > Refresh Assets or schedule an Asset Inventory Scan to force a refresh at a specified time. Scheduled asset refreshes can be helpful if you need frequent Endpoint Properties updates.
When you refresh assets on your endpoint, the following tabs/sections update:
- Overview
  - Memory Objects: Physical and virtual memory of the endpoints.
  - Storage Devices: Connected storage, USB storage, and other devices.
- Software: Software installed on the endpoint.
- Updates: Software updates that occurred on the endpoint.
- Startup Programs: Registry entries for installed startup programs on the endpoint.