Detections page in Nebula

The Detections section in Nebula displays information on all threats, and potential threats, with the action taken for each item found on endpoints in your environment. Clicking into each detection provides further information.

Detections are an audit trail, so items cannot be deleted on this page. Multiple detections can occur with the same threat name on an endpoint for the following reasons:

• A scan is reporting an item is found and a repeated scan is reporting an item as quarantined.
• A threat name shows up multiple times in the detections page with the same timestamp.

Detection and threat types

Malwarebytes protects your environment by detecting, blocking, or quarantining threats. Each detection includes a clickable link that provides details of the threat and similar common threats. For a detailed list of Malwarebytes threat information, see Malwarebytes Labs Detections.

For information on Potentially Unwanted Programs or PUP's, see What is a PUP? - How to avoid potentially unwanted programs.

Actions taken

View detections

You can see the list of all detections in descending order up to a 90 days prior. On the left navigation menu, go to Detections to view this section in the Nebula console.

Filter and sort detections

The main area of the Detections screen shows the list of all detected threat data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.

You can customize data in the results list in the following ways:

• Click Add / Remove Columns above the results list to choose which columns to display.
• Drag and drop certain column headers to the results bar to group data by those parameters.
• Use the filters  in the column headers to view specific data, on all columns.
• Hover your cursor over a column header to reveal a hamburger icon  with options to pin and auto-size this column or all columns.

You can filter columns for the following values:

• Action Taken: The action that Malwarebytes took on the detection. Filter by blocked, found, quarantined, deleted, or restored
• Agent version: Version of the Malwarebytes Endpoint agent.
• Category: The protection that was triggered by the detection. Filter by malware, PUP, PUM, exploit, ransomware, remote intrusion, or website detections.
• Date: The date and time of the detection. Filter to sort by today, yesterday, last 7 days, last 30 days, or a custom date range.
• Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
• Group: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
• IP Address/CIDR: If the detection is a Malicious Website, this field shows the website's IP Address.
• Location: The location of the detection on the endpoint. Contents change with the type of detection. 
• MD5 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
• OS platform: Detected endpoints operating system.
• OS release name: Detected endpoints operating system release name. 
• OS type: Workstation or Server.
• OS version: Detected endpoints operating system version number or build number.
• SHA256 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
• Threat name: Click the name to open a glossary explanation of the detection.
• Type: The type of detection. Filter by by exploit, extension, file, folder, inbound connection, module, outbound connection, process, registry key, or registry value.
• User: Logged in user during this detected activity.

When clicking on filters, the filter list in the middle of the screen shows which filters are applied. Click on a filtered item to remove it, or Clear Filters to remove them all.

Group detection details

One or more column headers may be dragged onto the group results bar, to refine and collate results.  Columns which may be grouped are:

• Action taken
• Category
• Device type
• Endpoint
• Group
• OS platform
• Type

Expand detection details

Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:

• Action Taken: The action that Malwarebytes took on the detection.
• Affected Applications: Detected application name.
• Category: The protection that was triggered by the detection.
• Detection Name: Click the name to open a glossary explanation of the detection.
• Domain: If the detection is a Malicious Website, this field shows the web url.
• Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
• Group Name: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
• IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
• Location: The location of the detection on the endpoint. Contents change with the type of detection. 
• MD5 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
  
• Port: If the detection is a Malicious Website, this field shows the port the connection used.
• Process Name: The file path of the process.
• Reported At: The time and date Malwarebytes reported the detection.
• SHA256 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
• Scanned At: The date and time the detection was scanned.
• Type: The type of detection, such as a file or outbound connection.

Return to the Malwarebytes Nebula Administrator Guide.