Platform Navigation

Dashboards

The Security Detections dashboard is the main triage hub, consolidating alerts from all data sources. Analysts use it to review, prioritize, and manage detections across the environment.

Other dashboards provide forensic visibility into specific data sources. These are useful not only for detecting breaches but also for validating security controls, proving systems are uncompromised, and supporting incident response.

Dashboards Menu

  • Customer Portal – High-level reporting and summaries.

  • My SOC – Preconfigured views for common SOC needs, such as tracking emerging threats and SOC statistics.

  • Endpoint – Data from DFIR endpoint agents (Windows/Mac/Linux), including system event logs, network connections, logons, and benchmarks (e.g., CIS checks).

  • Cloud – Audit and assessment events from cloud environments like O365, AWS, and GCP.

  • Network – Data from ThreatDefence NDR sensors, including flow visibility and network intrusion detections.


Dashboards include filters and search controls to refine alerts and focus investigations.

Dashboard Filters and Views

  • Time Range – Defaults to Last 24 hours. Adjust via Show dates for custom ranges (e.g., last 30 days).

  • Menu Filters – Predefined options for narrowing down alerts, including:

    • Alert Status (Open, Closed, In Progress)

    • Tenant (e.g., threatdefence, tdsoc, acme)

    • Data Source (e.g., Keycloak, O365, NDR, Dark Web, Mailgun, google_workspace.drive)

    • Technique (e.g., Indicator, Exploit Public-Facing, Valid Accounts)

    • AI Outcome, MSP, Severity, Tags

  • Manual Filters – Click on visualizations to filter interactively. For complex queries or automation, use text-based Lucene queries.


Key Sections

  • Security Detections Table – Lists alerts by name and severity. Analysts can sort, filter, and drill into specific alerts.

  • Charts & Aggregations – Visual breakdowns including:

    • Anomalies (e.g., open high-risk alerts)

    • Detection Types (spikes, informational, indicators)

    • Techniques (e.g., LOGIN_ERROR, persistence)

    • Impacted Sites/Tenants

    • Indicators (IPs, domains, geo locations)

    • Detection Sources by Severity

    • Top 5 Entities – Most frequent hosts or users

  • Detections Feed – A paginated log of all alerts, expandable for full context, interactions, and investigation options.


This structured navigation lets analysts move quickly from high-level monitoring to detailed investigations, reducing response times and improving situational awareness.
