Security module lists

The security lists show the information collected by Advanced EDR in connection with computer protection activities. They are more detailed than the widgets because they contain the raw data from which the widgets are generated.

There are two ways to access the security lists:

  • From the top menu, select Status. From the side panel, select Security. Click any of the available widgets to access its associated list. Depending on the item you click on the widget, you access different lists with predefined filters.

    Or

  • From the top menu, select Status. From the My lists side panel, click Add. A dialog box opens that shows all lists available in Advanced EDR.

  • Select any of the lists in the Security section. The list opens with no filters applied.

Select any of the entries on the list to open a new page with more details about that particular item.

Computer protection status

This list shows all computers on the network, with filters that enable you to search for computers and mobile devices that are unprotected for some specific reason.

To ensure correct operation of the security software, the computers on the network must communicate with the Cytomic cloud. For the list of URLs that must be accessible from your computers, see section Access to service URLs.

Field Description Values

Computer

Computer name.

Character string

Computer status

Agent reinstallation:

  • Reinstalling the agent.

  • Agent reinstallation error.

Protection reinstallation:

  • Reinstalling the protection.

  • Protection reinstallation error.

  • Pending restart.

Computer isolation status:

  • Computer in the process of being isolated.

  • Isolated computer.

  • Computer in the process of stopping being isolated.

“RDP attack containment” mode:

  • Computer in “RDP attack containment” mode.

  • Ending “RDP attack containment” mode.

Verbose mode:

  • Computer in Verbose mode.

Icon

Group

Folder in the Advanced EDR folder tree that the computer belongs to.

Character string

  • 'All' group

  • Native group

  • Active Directory group

Advanced protection

Advanced protection status.

  • Installing

  • Error: If it is a known error, the cause of the error appears. If it is an unknown error, the error code appears instead.

  • Enabled

  • Disabled

  • No license

Updated protection

Indicates whether or not the installed protection module is updated to the latest version released.

Point the mouse to the field to see the version of the installed protection.

  • Updated

  • Not updated (7 days without updating since last release)

  • Pending restart

Knowledge

Indicates whether or not the signature file found on the computer is updated to the latest version.

Point the mouse to the field to see the date that the file was last updated.

  • Updated

  • Not updated (3 days without updating since last release)

Connection to knowledge

Indicates whether the computer can communicate with the Cytomic cloud to send monitored events and download security intelligence.

  • Connection OK

  • One or more services are not accessible

  • Information not available

Last connection

Date when the Advanced EDR status was last sent to the Cytomic cloud.

Date

Fields in the Computer Protection Status list

Fields displayed in the exported file
Field Description Values

Client

Customer account the service belongs to.

Character string

Computer type

Type of device.

  • Workstation

  • Laptop

  • Server

Computer

Computer name.

Character string

IP address

The computer primary IP address.

Character string

Domain

Windows domain the computer belongs to.

Character string

Description

Description assigned to the computer.

Character string

Group

Folder in the Advanced EDR folder tree that the computer belongs to.

Character string

Agent version

Internal version of the Cytomic agent module.

Character string

Installation date

Date when the Advanced EDR software was successfully installed on the computer.

Date

Last update on

Date the agent was last updated.

Date

Platform

Operating system installed on the computer.

  • Windows

  • Linux

  • macOS

Operating system

Operating system installed on the computer, internal version, and patch status.

Character string

Updated protection

Indicates whether or not the installed protection module is updated to the latest version released.

Binary value

Protection version

Internal version of the protection module.

Character string

Updated knowledge

Indicates whether or not the signature file found on the computer is the latest version.

Binary value

Last update on

Date the signature file was last updated.

Date

Advanced protection

File antivirus

Program blocking

Status of the associated protection.

  • Not installed

  • Error: If it is a known error, the cause of the error appears. If it is an unknown error, the error code appears instead.

  • Enabled

  • Disabled

  • No license

Advanced protection mode (Windows)

Current configuration of the advanced protection module. Operating mode.

  • Audit

  • Hardening

  • Lock

Advanced protection mode (Linux)

Current configuration of the advanced protection module. Malicious activity detection.

  • Audit

  • Do not detect

  • Block

Isolation status

Indicates whether or not the computer is isolated from the rest of the network.

  • Isolated

  • Not isolated

Error date

If an error occurred installing Advanced EDR, date and time of the error.

Date

Installation error

If an error occurred installing Advanced EDR, error description.

Character string

Installation error code

Shows codes that identify the installation error occurred.

Codes are separated by “;”:

  • Error code

  • Extended error code

  • Extended error subcode

Other security products

Name of any third-party antivirus product found on the computer at the time of installing Advanced EDR.

Character string

Connection for collective intelligence

Shows the status of the connection between the computer and the servers that store signature files and security intelligence.

  • OK

  • With problems

Connection for sending events

Shows the status of the connection between the computer and the servers that receive the events monitored on protected computers.

  • OK

  • With problems

“RDP attack containment” mode

Status of the “RDP attack containment” mode.

  • All

  • No

  • Yes

Fields in the Computer Protection Status exported file
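
The exported file lends itself to offline triage of the whole fleet. The script below is an example added here; it is not part of the product or of this documentation. It assumes the Excel export has been saved as CSV with the column labels listed above, reads it, flags computers whose advanced protection is not Enabled or is running in Audit mode, whose protection module or signature file is out of date, or which cannot reach the knowledge or event servers, and splits the "Installation error code" field on “;” into the three parts described above. The rows are constructed sample data; the literal Yes/No in the "Binary value" columns is an assumption.

```python
import csv
import io

# Constructed sample in the shape of the Computer Protection Status export.
# The console exports an Excel file; this assumes the sheet was saved as
# CSV with the column labels listed on this page. Yes/No for the
# "Binary value" columns and the error code values are assumptions.
SAMPLE_EXPORT = """\
Computer,Computer type,Platform,Advanced protection,Advanced protection mode (Windows),Updated protection,Updated knowledge,Connection for collective intelligence,Connection for sending events,Isolation status,Installation error code
WS-001,Workstation,Windows,Enabled,Lock,Yes,Yes,OK,OK,Not isolated,
WS-002,Workstation,Windows,Enabled,Audit,No,No,With problems,OK,Not isolated,
SRV-DB1,Server,Windows,Disabled,Lock,Yes,Yes,OK,OK,Not isolated,
LT-017,Laptop,Windows,Error,Lock,Yes,Yes,OK,With problems,Isolated,12;4;1
"""

TRUE_VALUES = {"yes", "true", "1"}


def is_true(value):
    """Interpret a 'Binary value' cell; tolerant of Yes/No, true/false, 1/0."""
    return value.strip().lower() in TRUE_VALUES


def parse_error_code(cell):
    """Split 'Installation error code' (error;extended;subcode) into a dict.
    Returns None when the cell is empty, i.e. no installation error."""
    cell = cell.strip()
    if not cell:
        return None
    parts = cell.split(";")
    keys = ("error_code", "extended_error_code", "extended_error_subcode")
    # Fewer than three parts: missing keys become None instead of raising.
    return {k: (parts[i] if i < len(parts) else None) for i, k in enumerate(keys)}


def triage(csv_text):
    """Return {computer: [reasons]} for computers that need attention.
    An isolated computer is not flagged: isolation is a deliberate
    containment action, not a protection gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        status = row["Advanced protection"]
        if status != "Enabled":
            reasons.append(f"advanced protection {status}")
        if row["Platform"] == "Windows" and row["Advanced protection mode (Windows)"] == "Audit":
            reasons.append("advanced protection in Audit mode (detects, does not block)")
        if not is_true(row["Updated protection"]):
            reasons.append("protection module not updated")
        if not is_true(row["Updated knowledge"]):
            reasons.append("signature file not updated")
        if row["Connection for collective intelligence"] != "OK":
            reasons.append("cannot reach knowledge servers")
        if row["Connection for sending events"] != "OK":
            reasons.append("cannot send monitored events")
        err = parse_error_code(row["Installation error code"])
        if err:
            reasons.append("installation error " + err["error_code"])
        if reasons:
            findings[row["Computer"]] = reasons
    return findings


if __name__ == "__main__":
    for computer, reasons in triage(SAMPLE_EXPORT).items():
        print(computer)
        for reason in reasons:
            print("  -", reason)
```

A computer with no findings is omitted from the result, so an empty dictionary means the exported fleet is fully protected, connected, and up to date.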

Filter tool
Field Description Values

Computer type

Type of device.

  • Workstation

  • Laptop

  • Server

Search computer

Computer name.

Character string

Last connection

Date when the Advanced EDR status was last sent to the Cytomic cloud.

  • All

  • Less than 24 hours ago

  • Less than 3 days ago

  • Less than 7 days ago

  • Less than 30 days ago

  • More than 3 days ago

  • More than 7 days ago

  • More than 30 days ago

Updated protection

Indicates whether or not the installed protection is updated to the latest version released.

  • All

  • Yes

  • No

  • Pending restart

Platform

Operating system installed on the computer.

  • All

  • Windows

  • Linux

  • macOS

  • Android

Updated knowledge

Indicates whether or not the signature file found on the computer is the latest version.

Binary value

Connection to knowledge servers

Indicates whether the computer can communicate with the Cytomic cloud to send monitored events and download security intelligence.

  • All

  • OK

  • With problems: One or more services are not accessible

Protection status

Status of the protection module installed on the computer.

  • Installing...

  • Properly protected

  • Protection with errors

  • Disabled protection

  • No license

  • Install error

Isolation status

Computer isolation status.

  • Not isolated

  • Isolated

  • Isolating

  • Stopping isolation

“RDP attack containment” mode

Status of the “RDP attack containment” mode.

  • All

  • No

  • Yes

Filters available in the Computer Protection Status list

Computer Details page

Click a row in the list to open the computer details page. For more information, see Computer details.

Malware/PUP activity

This list shows the threats detected on the computers protected by Advanced EDR. It provides you with the necessary information to find the source of a problem, assess the severity of an incident and, if required, take the necessary remediation measures and update the organization security policies.

Field Comment Values

Computer

Name of the computer where the threat was detected.

Character string

Threat

Name of the detected threat.

Character string

Path

Full path to the infected file.

Character string

Run sometime

The threat ran and the computer might be compromised.

Binary value

Accessed data

The threat accessed data on the user computer.

Binary value

Made external connections

The threat communicated with remote computers to send or receive data.

Binary value

Action

Action taken on the malware.

  • Quarantined

  • Blocked

  • Disinfected

  • Deleted

  • Detected

  • Allowed (audit mode)

Date

Date when the threat was detected on the computer.

Date

Fields in the Malware/PUP Activity list

Fields displayed in the exported file
Field Comment Values

Computer

Name of the computer where the threat was detected.

Character string

Threat

Name of the detected threat.

Character string

Path

Full path to the infected file.

Character string

Action

Action taken on the malware.

  • Quarantined

  • Blocked

  • Disinfected

  • Deleted

  • Allowed

  • Allowed (audit mode)

Run

The threat ran and the computer might be compromised.

Binary value

Accessed data

The threat accessed data on the user computer.

Binary value

External connections

The threat communicated with remote computers to send or receive data.

Binary value

Excluded

The threat was excluded by you to allow it to run.

Binary value

Date

Date when the threat was detected on the computer.

Date

Dwell time

Time that the threat was on the customer network without classification.

Character string

User

User account under which the threat was run.

Character string

MD5

MD5 hash of the detected file.

Character string

SHA-256

SHA-256 hash of the detected file.

Character string

Infection source computer

Name of the computer, if the infection attempt originated from another computer on the customer network.

Character string

Infection source IP address

IP address of the computer, if the infection attempt originated from another computer on the customer network.

Character string

Infection source user

The user that was logged in to the computer the infection attempt originated from, if applicable.

Character string

Fields in the Malware/PUP Activity exported file
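
Because the exported file carries the Run, Accessed data and External connections flags together with the hash and the infection source fields, it can be used to rank detections and to reconstruct how a file spread. The script below is an example added here, not product code or part of this documentation. It assumes the Excel export was saved as CSV with the column labels listed above; the severity rubric is the author's own heuristic, not a product definition; the rows, threat names, paths, hashes and user names are constructed, and Yes/No for the "Binary value" columns is an assumption. It follows "Infection source computer" back to the first computer in the chain and groups rows by SHA-256 to show on which computers the same file was seen.

```python
import csv
import io

# Constructed sample in the shape of the Malware/PUP Activity export (Excel
# export assumed saved as CSV with the column labels listed on this page).
# Threat names, paths, hashes and users are made up; Yes/No is an assumption.
SAMPLE_EXPORT = r"""Computer,Threat,Path,Action,Run,Accessed data,External connections,Excluded,Date,User,SHA-256,Infection source computer,Infection source IP address,Infection source user
WS-010,Trj/Sample.A,C:\Users\alice\Downloads\invoice.exe,Allowed (audit mode),Yes,Yes,Yes,No,2024-05-01 08:02,alice,HASH-A,,,
WS-011,Trj/Sample.A,C:\Users\bob\Downloads\invoice.exe,Quarantined,No,No,No,No,2024-05-01 08:20,bob,HASH-A,WS-010,10.0.1.10,alice
SRV-FS1,Trj/Sample.A,D:\Shares\Public\invoice.exe,Blocked,No,No,No,No,2024-05-01 08:25,bob,HASH-A,WS-011,10.0.1.11,bob
WS-012,PUP/Sample.Toolbar,C:\Program Files\Tool\tool.exe,Deleted,Yes,No,No,No,2024-05-01 10:00,carol,HASH-B,,,
"""

# Actions that neutralized the file; any other action left it on the computer.
NEUTRALIZING_ACTIONS = {"Quarantined", "Blocked", "Disinfected", "Deleted"}


def yes(value):
    """Interpret a 'Binary value' cell."""
    return value.strip().lower() in {"yes", "true", "1"}


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def severity(row):
    """Heuristic triage score (author's assumption, not a product definition):
    a threat that was never neutralized, ran, talked to remote hosts or
    touched data outranks one that was blocked on sight."""
    score = 0
    if row["Action"] not in NEUTRALIZING_ACTIONS:
        score += 4
    if yes(row["Run"]):
        score += 3
    if yes(row["External connections"]):
        score += 2
    if yes(row["Accessed data"]):
        score += 2
    return score


def rank_detections(rows):
    """(computer, threat, score) tuples, most severe first."""
    ranked = [(r["Computer"], r["Threat"], severity(r)) for r in rows]
    return sorted(ranked, key=lambda t: t[2], reverse=True)


def propagation_chain(rows, computer):
    """Follow 'Infection source computer' back to the first computer in the
    chain and return [root, ..., computer]. Stops if the data loops."""
    source_of = {r["Computer"]: r["Infection source computer"].strip() for r in rows}
    chain = [computer]
    seen = {computer}
    while source_of.get(chain[0]):
        parent = source_of[chain[0]]
        if parent in seen:
            break
        chain.insert(0, parent)
        seen.add(parent)
    return chain


def spread_by_hash(rows):
    """SHA-256 -> sorted list of computers on which that exact file was seen."""
    by_hash = {}
    for r in rows:
        by_hash.setdefault(r["SHA-256"], set()).add(r["Computer"])
    return {h: sorted(c) for h, c in by_hash.items()}


if __name__ == "__main__":
    rows = load(SAMPLE_EXPORT)
    for computer, threat, score in rank_detections(rows):
        print(f"{score:2d}  {computer:8s} {threat}")
    print("chain to SRV-FS1:", " -> ".join(propagation_chain(rows, "SRV-FS1")))
    print("spread:", spread_by_hash(rows))
```

In the sample, the audit-mode computer WS-010 ranks first because the file ran, accessed data and made external connections without being neutralized; the chain for SRV-FS1 shows the file reached it through WS-011 from WS-010, which is where remediation should start.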

Filter tool
Field Comment Values

Search

  • Computer: Device on which the threat was detected.

  • Threat: Name of the threat.

  • Hash: String that identifies the file.

  • Infection source: Search by the user, IP address, or name of the computer the infected file came from.

Character string

Type

Type of threat.

  • Malware

  • PUP

Dates

Set a time period, from the current moment back.

  • Last 24 hours

  • Last 7 days

  • Last month

  • Last year

Run

The threat ran and the computer might be compromised.

Binary value

Action

Action taken on the threat.

  • Quarantined

  • Blocked

  • Disinfected

  • Deleted

  • Allowed

  • Detected

Accessed data

The threat accessed data on the user computer.

Binary value

External connections

The threat communicated with remote computers to send or receive data.

Binary value

Filters available in the Malware/PUP Activity list

Details page

This page shows detailed information about the program classified as malware/PUP. See Malware and PUP detection.

Exploit activity

This list shows all computers with programs compromised by vulnerability exploit attempts. It provides you with the necessary information to find the source of a problem, assess the severity of an incident and, if required, take the necessary remediation measures and update the organization security policies.

Field Comment Values

Computer

Name of the computer where the threat was detected.

Character string

Compromised program or driver

Program affected by the exploit attack, or vulnerable driver loaded.

Character string

Exploit technique

Identifier of the technique used to exploit the program or driver vulnerability.

Character string

Exploit run

Indicates whether the exploit managed to run or was blocked before it could affect the vulnerable program.

Binary value

Action

  • Allowed (audit mode): The user is informed that the exploit has carried out its programmed actions. Because audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

  • Allowed: The anti-exploit protection is configured in Audit mode. The exploit ran. Not applicable if the exploit technique is Vulnerable driver.

  • Blocked: The exploit was blocked before it could run.

  • Allowed by the user: The computer user was asked for permission to end the compromised process, but decided to let the exploit run.

  • Process ended: The exploit was deleted, but managed to partially run. Not applicable if the exploit technique is Vulnerable driver.

  • Pending restart: The user was informed of the need to restart the computer to completely remove the exploit. In the meantime, the exploit continues to run. Not applicable if the exploit technique is Vulnerable driver.

Enumeration

Date

Date when the exploit attempt was detected on the computer.

Date

Fields in the Exploit Activity list

Fields displayed in the exported file

The context menu of the Exploit Activity list shows two options: Export and Export List and Details. This section describes the content of the file generated when you select Export. For more information about the Export List and Details option, see Exported Excel files.

Field Comment Values

Computer

Name of the computer where the threat was detected.

Character string

Compromised program or driver

Program affected by the exploit attack, or vulnerable driver loaded.

Character string

Exploit technique

Identifier of the technique used to exploit the program vulnerability.

Enumeration

User

User account under which the program that received the exploit attack was run.

Character string

Action

  • Allowed: The anti-exploit protection is configured in Audit mode. The exploit ran. Not applicable if the exploit technique is Vulnerable driver.

  • Blocked: The exploit was blocked before it could run.

  • Allowed by the user: The computer user was asked for permission to end the compromised process, but decided to let the exploit run.

  • Process ended: The exploit was deleted, but managed to partially run. Not applicable if the exploit technique is Vulnerable driver.

  • Pending restart: The user was informed of the need to restart the computer to completely remove the exploit. In the meantime, the exploit continues to run. Not applicable if the exploit technique is Vulnerable driver.

  • Allowed (Audit mode): The user is informed that the exploit carried out its programmed actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Enumeration

Exploit run

Indicates whether the exploit managed to run or was blocked before it could affect the vulnerable program.

Binary value

Date

Date when the exploit attempt was detected on the computer.

Date

Fields in the Exploit Activity exported file

Filter tool
Field Comment Values

Search

  • Computer: Device on which the threat was detected.

  • Hash: String that identifies the compromised program.

  • Compromised program: Name or path of the compromised file.

Character string

Dates

Set a time period, from the current moment back.

  • Last 24 hours

  • Last 7 days

  • Last month

Exploit run

Indicates whether the exploit managed to run or was blocked before it could affect the vulnerable program.

Binary value

Action

  • Allowed (Audit mode): The user is informed that the exploit carried out its programmed actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

  • Allowed: The anti-exploit protection is configured in Audit mode. The exploit ran. Not applicable if the exploit technique is Vulnerable driver.

  • Blocked: The exploit was blocked before it could run.

  • Allowed by the user: The computer user was asked for permission to end the compromised process, but decided to let the exploit run.

  • Process ended: The exploit was deleted, but managed to partially run. Not applicable if the exploit technique is Vulnerable driver.

  • Pending restart: The user was informed of the need to restart the computer to completely remove the exploit. In the meantime, the exploit continues to run. Not applicable if the exploit technique is Vulnerable driver.

Enumeration

Filters available in the Exploit Activity list

Details page

This page shows detailed information about the program classified as an exploit. See Exploit detection.

If the exploit technique is Vulnerable driver, see Driver details.

Blocks by advanced security policies

This list shows all programs blocked by advanced security policies. These policies prevent the execution of scripts and unknown programs that use advanced infection techniques.

Field Comment Values

Computer

Name of the computer where the threat was detected.

Character string

User

User account under which the threat tried to run.

Character string

Path

Full path to the blocked file.

Character string

Action

Action taken on the file.

  • Detected

  • Blocked

  • Allowed (audit mode)

Policy

For more information, see Advanced security policies.

  • PowerShell with suspicious parameters

  • PowerShell run by the user

  • Unknown script

  • Locally compiled program

  • Document with macros

  • Registry modification to run when Windows starts

  • Program blocking by MD5 value

  • Program blocking by name

Date

Date when the threat was detected on the computer.

Date

Fields in the Blocks by Advanced Security Policies list

Fields displayed in the exported file
Field Comment Values

Computer

Name of the computer where the threat was detected.

Character string

Policy

For more information, see Advanced security policies.

  • PowerShell with suspicious parameters

  • PowerShell run by the user

  • Unknown script

  • Locally compiled program

  • Document with macros

  • Registry modification to run when Windows starts

  • Program blocking by MD5 value

  • Program blocking by name

Path

Full path to the file.

Character string

Action

Action taken on the file.

  • Detected

  • Blocked

  • Allowed (audit mode)

Date

Date when the threat was detected on the computer.

Date

User

User account under which the threat tried to run.

Character string

MD5

MD5 hash of the blocked program.

Character string

SHA-256

SHA-256 hash of the blocked program.

Character string

Fields in the Blocks by Advanced Security Policies exported file

Filter tool
Field Comment Values

Search

  • Computer: Name of the device where the detection was made.

  • Compromised program: Name of the program blocked by the security policy.

  • User: Searches by the name of the user that was logged in to the computer at the time the detection was made.

Character string

Dates

Set a time period, from the current moment back.

  • Last 24 hours

  • Last 7 days

  • Last month

  • Last year

Action

Action taken on the threat.

  • Blocked

  • Detected

Policy applied

For more information, see Advanced security policies.

  • PowerShell with suspicious parameters

  • PowerShell run by the user

  • Unknown script

  • Locally compiled program

  • Document with macros

  • Registry modification to run when Windows starts

  • Program blocking by MD5 value

  • Program blocking by name

Filters available in the Blocks by Advanced Security Policies list

Details page

This page shows detailed information about the program blocked by the advanced security policies. See Block by advanced security policy.

Network attack activity

This list shows all network attacks detected and blocked by the Network Attack Protection module.

Field Description Values

Computer

Computer name.

Character string

Network attack

Name of the network attack. For more information, see https://www.pandasecurity.com/en/support/card?id=700145

Character string

Local IP address

The computer local IP address.

IP address

Action

Action taken.

  • Detected

  • Blocked

Remote IP address

IP address from which the attack originated.

IP address

Date

Date the attack was detected or blocked.

Date

Fields in the Network Attack Activity list

Fields displayed in the exported file
Field Description Values

Computer

Computer name.

Character string

Network attack

Type of network attack.

Character string

Action

Action taken on the attack.

  • Detected

  • Blocked

Local IP address

The computer local IP address.

IP address

Remote IP address

Remote IP address of the attack.

IP address

Local port

Local port on which the attack was detected or blocked.

Character string

Remote port

Remote port from which the attack was detected or blocked.

Character string

Date

Date the attack was detected.

Date

Number of occurrences

Number of detections of the same type of attack with the same source IP address in the space of an hour.

Character string

Fields in the Network Attack Activity exported file
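
The export is per computer, so a single attacker hitting several computers appears as several rows. The script below is an example added here, not product code or part of this documentation. It assumes the Excel export was saved as CSV with the column labels listed above, pivots the rows on "Remote IP address", sums "Number of occurrences" (which the export already aggregates per attack type, source address and hour), counts rows that were only Detected rather than Blocked, and marks whether the source lies in the organization's own address ranges, which is passed in as a parameter. The rows, attack names and addresses are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the Network Attack Activity export.
# Assumes the Excel export was saved as CSV with the column labels listed
# on this page; attack names, addresses, ports and counts are made up.
SAMPLE_EXPORT = """\
Computer,Network attack,Action,Local IP address,Remote IP address,Local port,Remote port,Date,Number of occurrences
WS-001,Port scan,Blocked,10.0.1.11,10.0.9.200,445,51234,2024-05-01 09:10,12
WS-002,Port scan,Blocked,10.0.1.12,10.0.9.200,445,51240,2024-05-01 09:11,9
SRV-FS1,Port scan,Detected,10.0.2.5,10.0.9.200,445,51255,2024-05-01 09:12,30
SRV-FS1,SMB brute force,Detected,10.0.2.5,203.0.113.7,445,40001,2024-05-01 11:00,4
LT-017,Port scan,Blocked,10.0.1.40,10.0.9.201,3389,52000,2024-05-01 12:30,2
"""


def summarize_sources(csv_text, internal_nets=("10.0.0.0/8",)):
    """Pivot the export on 'Remote IP address'.

    Returns {remote_ip: summary} where summary holds the distinct targeted
    computers, the attack names, the total 'Number of occurrences', how many
    rows were only Detected (not Blocked) and whether the source address is
    inside one of the organization's own networks (internal_nets is an
    assumed parameter, not something the export provides).
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    summary = defaultdict(lambda: {"computers": set(), "attacks": set(),
                                   "occurrences": 0, "unblocked_rows": 0,
                                   "internal": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["Remote IP address"].strip()
        entry = summary[src]
        entry["computers"].add(row["Computer"])
        entry["attacks"].add(row["Network attack"])
        entry["occurrences"] += int(row["Number of occurrences"])
        if row["Action"] != "Blocked":
            entry["unblocked_rows"] += 1
        entry["internal"] = any(ipaddress.ip_address(src) in n for n in nets)
    return dict(summary)


def rank_sources(csv_text, internal_nets=("10.0.0.0/8",)):
    """Order sources for triage: most distinct targets first, then most
    occurrences. One internal source reaching several computers is the
    internal-scan / lateral-movement pattern worth looking at first."""
    summary = summarize_sources(csv_text, internal_nets)
    return sorted(summary.items(),
                  key=lambda kv: (len(kv[1]["computers"]), kv[1]["occurrences"]),
                  reverse=True)


if __name__ == "__main__":
    for ip, s in rank_sources(SAMPLE_EXPORT):
        where = "internal" if s["internal"] else "external"
        print(f"{ip:15s} {where:8s} targets={len(s['computers'])} "
              f"occurrences={s['occurrences']} unblocked_rows={s['unblocked_rows']} "
              f"attacks={sorted(s['attacks'])}")
```

In the sample, 10.0.9.200 is an internal address that scanned three computers and was only Detected on the file server, so it is the first source to investigate; the external brute-force source is lower in the ranking despite the more alarming attack name.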

Filter tool
Field Description Values

Computer

Computer name.

Character string

Network attack

Type of network attack.

Character string

Dates

Date range.

  • Last 24 hours

  • Last 7 days

  • Last month

Action

Action taken on the threat.

  • Detected

  • Blocked

Filters available in the Network Attack Activity list

Details page
Field Description Values

Network attack

Type of network attack.

For more details, click the icon.

Character string

Action

Action taken on the detection.

For more information about how to manage detected and blocked threats, see Stopping detecting suspicious network traffic.

  • Detected

  • Blocked

Computer

Name of the computer where the threat was detected, IP address, and folder it belongs to in the group tree.

  • Name: Name of the computer.

  • IP address: IP address of the computer where the attack was detected.

  • Group: Folder within the Advanced EDR group tree that the computer belongs to.

Local IP address

The computer local IP address.

IP address

Remote IP address

Remote IP address of the network attack.

IP address

Local port

Local port on which the attack was detected or blocked.

Character string

Remote port

Remote port from which the attack was detected or blocked.

Character string

Detection date

Date the network attack was detected.

Date

Number of occurrences

Number of detections of the same type of attack with the same source IP address in the space of an hour.

Character string

Fields on the Network Attack Detection page