The Nuix Adaptive Security application interface

After you log into the application, a Dashboard with the latest alerts appears.

The buttons found in the main navigation bar provide easy access to configurations and monitoring.

These buttons also allow for interaction with the data being collected, as described in the following table.

Dashboard: Provides a visual summary of alerts and activity in the environment.

Alerts: Displays all alerts from the endpoint agents.

Collections: Manage, configure, and schedule collections. Run targeted collections to obtain specific files from endpoints across the network.

Search: Allows you to find specific information within the Adaptive Security application.

Investigate: Provides easy access to the information collected from the endpoint agents.

Configuration: Access and manage endpoint agent configuration, including logic rules, namespaces, and hash lists.

Endpoints: View, configure, and manage endpoints. View by groups, all hosts, or server hosts.

Tasks: Shows the list of tasks created on all the endpoints.

System: Provides the system settings, servers, and preferences.

User Profile: Provides information about the currently logged-in user, including the user name, server address, server status, and the application version.

The following sections provide an overview of each tab in the application.

Dashboard

The Dashboard tab, shown in the following image, provides quick access to the most relevant alerts, endpoints, and activity in your deployed environment.

The top of the application has arrows for use in moving back and forth between previously viewed tabs. Clicking the magnifying glass displays the Search dialog box.

Nuix Adaptive Security application dashboard.

The information and functions that are available on this tab are described in the following table.

1. Active Alerts: Provides a visual representation of the alerts generated, using the following categories:
Total Active: Lists the total number of alerts on endpoints with a status of Active.
Unassigned: Lists the total number of unassigned alerts.
Prevented: Lists the total number of alerts that resulted in a process being blocked.

2. Active Alerts History Chart: Provides a chart that displays the alerts in the following categories: Critical, Medium, Low, and Unknown. The number in the chart represents the number of alerts for the category. Clicking a box opens the Investigate page, with the insight displayed depending on the category selected.
The alerts can be displayed by Daily or Weekly, depending on the button selected. The alerts list can also be set to show All Alerts or Assigned to Me, depending on the alerts list option selected.
Use the arrows on the time bar at the bottom to move the time period forward or backward from the date displayed.

3. Endpoints Status: Displays the number of endpoints in the following categories: Total, Active, or Inactive. To the right of this list is a chart that displays how long each endpoint has been inactive. The longer an endpoint is inactive, the darker its color in the chart becomes.

4. Alerted Endpoints: Displays a visual representation of the endpoints in the following categories:
With active alerts: Lists the number of endpoints with active alerts. Clicking the Critical or Medium buttons displays these alerts on the Investigate tab.
Isolated: Lists the number of isolated endpoints. If there are any isolated endpoints, the arrow is red.
High Value: Lists the number of endpoints in the High Value group.

5. Worst Offenders - Last 7 Days: Displays a list of the number of alerts generated by each endpoint, with the endpoint generating the most alerts at the top of the list. The chart to the right of the list displays the Critical and Medium alerts over the last seven days.

6. Latest Alerts: Provides a list of the recent alerts Nuix Adaptive Security has captured. Columns can be reorganized using the menu that appears when you right-click an alert. Data can be reloaded using the Refresh button; automatic refresh is set to Disabled by default.

7. Filter Editor (Optional): Allows you to create a query that modifies the data shown in the Latest Alerts section. The query in use is shown on the left side. Click the X to stop using a specific query.

Alerts

The Alerts tab, shown in the following image, lists alerts generated by Nuix Adaptive Security. The alerts are generated by the logic rules in the agent that are executed on the endpoint. Alerts are notifications that specific events occurred on the endpoint.

Using the Alerts module.

The information and functions that are available on this tab are described in the following table.

1. Filters: Use the filters to refine the data by Quick Filter, Date Range, Assigned, Status, Endpoint, and Keywords.
Click Hide/Show Advanced to show or hide the advanced filter options.
Click the pin at the top to make the panel auto-hide; click the pin again to turn auto-hide off.

2. Results: Use one of the Sort by filters. Click Show in Groups in combination with any filter to group the results. The results can be shown in ascending or descending order.

3. Alert: One of the individual alerts in the list.

4. Detail: Shows the detailed information for the alert selected in the alert list. The information is presented in the following categories: Summary, Rule, and Related Events.
Summary shows the metadata for an alert, if any is available.
You can also investigate or print the alert.

5. Categories: Shows alerts by the categories listed.

6. Toolbar Options: The toolbar on the right side of the tab provides the following options:
Change Alert Status
Assignment options

7. Reload: Updates the data in Nuix Adaptive Security. Data can be reloaded using the Reload button; automatic reload is set to Disabled by default.

Collections

The Collections tab, as shown in the following image, is where you can manage, configure, and schedule collections in the Nuix Adaptive Security application. Run targeted collections to obtain specific files from endpoints across the network. Types of targeted file collections include:

Incident Response Collection

Browser History Files

User Documents

Email Stores and Archives

All Image and Media Files

Configuring and running collections on endpoints.

The information and functions that are available on this tab are described in the following table.

1. Collections Explorer: In the Collections Explorer, you can do the following:
+ New Collection: Create and run a new collection.
Adaptive Server Storage: View the available server storage.
In Progress: View the number of collections in progress.
Search: Search for saved collections.

2. Collections List: In the Collections List, you can do the following:
View collection status: The status options include Finished, Active, Canceled, Failed, and Timeout.
Search: Search for collections using the host name.
Sort by: Sort collections by the selected criteria.

3. Configuration Wizard: Create configurations using the Collection Configuration Wizard. A configuration acts as a template for the collection: it defines what you are searching for and how you want to search during a collection.

4. Collections Toolbar: On the Collections Toolbar, you can delete, download, cancel, and rerun the selected collections.

5. Configuration Details: In the Configuration Details, you can view the selected host's Collection Configuration details.

Search

The Search tab, shown in the following image, lets you find specific information by searching for files, endpoints, or processes.

Using the Search module.

The information and functions that are available on this tab are described in the following table.

1. Search dialog box: Use this box to create searches of the following types: File Search, Endpoint By Host, Endpoint by IP, Find File, and Find Process. Search names are limited to 50 characters.

2. Recent Searches list: The list of previous searches.

3. Search Results: Clicking a search in the Recent Searches list on the left side shows the search criteria on the right side of the tab. To see the results, click the search tab.

4. Tabs list: Use this menu to select which of the tabs appears. The tab being viewed is marked with a check mark.

Investigate

The Investigate tab, shown in the following image, is used to examine data and data sources in more detail.

The tab also has an area that gathers your investigations in one place.

Using the Investigate module.

The information and functions that are available on this tab are described in the following table.

1. Insights tab: Click an Insight data source to examine that source further on the tab on the right.
Click the pin at the top to make the panel auto-hide; click the pin again to turn auto-hide off.

2. Investigations tab: Collects all your Investigations in one place. Click an Investigation to display it on the tab on the right.
Click the pin at the top to make the panel auto-hide; click the pin again to turn auto-hide off.

3. Search bar: Search for an insight name.

4. Insights: These are divided into three categories:
Overview
Behaviors
Artifacts
These data sources are categories built into Nuix Adaptive Security to allow for better organization of data.

5. Investigations and Workspace options: Open Insights can be saved or printed:
Save Insights to New or Existing Investigation: Saves the selected tabs in the Workspace to a new or existing investigation.
Print workspace: Prints the open tabs from the workspace.

6. Tab control: Use this menu to select which of the open tabs is viewed on the right. The tab being viewed is marked with a check mark. Close all tabs by clicking the X.

7. Tabs: Use the tabs to switch between open Insights.

8. Menu options: The menu on the right-hand tab provides the following options for each Insight or Investigation:
Microsoft Defender status
Investigate
Alerts (available when using the Alerts insight)
Endpoint actions
Expand row height
Refresh data
Print
Grid settings
View delete

9. Filters: Adjust the Timespan by clicking a Start Date or End Date.
Use the clock button to select a quick timespan.
Use the default of All endpoints, or use Select to select an Endpoint from the list.
Enter a term in the search bar to find it within the data on the tab; the results adjust automatically as you type.
Click Sync to synchronize the data across all the open tabs. Reset returns the data to its starting state. Filter is another way to initiate a search that does not use the automatic update feature.

10. Grid data: Information or data for the selected Insight or Investigation, shown in greater detail.

Configuration

The Configuration tab, shown in the following image, defines the agent settings, logic rule set, namespaces, and hash lists.

Configurations are applied to connected agents through the Endpoints tab. The configuration can also be embedded into an agent installer through this tab by selecting Download Agent.

Using the Configuration module.

The information and functions that are available on this tab are described in the following table.

1. New Logic Rules: Use this option to create a new logic rule set.

2. Configuration list: Shows the list of agent configurations.

3. Logic Rules: Logic rules perform actions based on events generated by the endpoint.

4. Namespaces: Add the namespace filters. Order is important when setting up a namespace filter.

5. Hash Lists: Examine the available hash lists, or add or import hash lists.

6. Creating or changing logic rules: Rule Sources includes the following options when working with rule sets:
+Add
Import
Export
Copy
You can also rename or delete rule sets.

7. Logic Rule Actions: The following options are available when working with rules:
Compile
Save All
Save As
Publish
Delete configuration record


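The Namespaces item above states that order matters when setting up a namespace filter but does not show why. The following Python is an added illustration, not Nuix code: it assumes a hypothetical first-match list of (glob pattern, action) rules evaluated over queried DNS names, which is the usual semantics of an ordered filter list; Nuix's actual namespace filter syntax and matching behaviour are not described on this page. It shows a specific rule being shadowed by a broader rule placed above it, and a small check that flags rules which can never fire.

```python
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Hypothetical rule shape for this illustration: (glob over the queried name, action).
# Nuix's own namespace filter syntax and semantics are not described on this page.
Rule = Tuple[str, str]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare a canonical form."""
    return name.strip().lower().rstrip(".")


def evaluate(rules: List[Rule], name: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation: rules are tried top to bottom and the first hit decides."""
    name = normalize(name)
    for pattern, action in rules:
        if fnmatchcase(name, pattern.lower()):
            return action, pattern
    return "no-match", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already covers
    every name they could match. The test is: does the later pattern, read as a
    literal string, match the earlier pattern? That is sound when both patterns use
    only '*' as a wildcard, so pairs involving '?' or '[' are skipped, not guessed."""
    out = []
    for i, (later, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if any(c in earlier or c in later for c in "?["):
                continue
            if fnmatchcase(later.lower(), earlier.lower()):
                out.append(i)
                break
    return out


# Constructed rule sets (not a real configuration). Both contain the same two rules.
BROAD_FIRST: List[Rule] = [
    ("*.example.com", "allow"),       # broad rule on top ...
    ("files.example.com", "alert"),   # ... so this specific rule is unreachable
]
SPECIFIC_FIRST: List[Rule] = list(reversed(BROAD_FIRST))

# Constructed DNS queries to evaluate against each ordering.
QUERIES = ["files.example.com", "FILES.EXAMPLE.COM.", "mail.example.com", "example.net"]


def decisions(rules: List[Rule]) -> List[Tuple[str, str, Optional[str]]]:
    """(query, action, matching pattern) for every constructed query."""
    return [(q, *evaluate(rules, q)) for q in QUERIES]


if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(f"{label}: shadowed rule indexes = {shadowed(rules)}")
        for query, action, pattern in decisions(rules):
            print(f"  {query:22} -> {action:8} via {pattern}")
```

With the broad rule first, the alert rule for files.example.com is dead: every query it could match is already allowed by the wildcard above it, and shadowed() reports index 1. Reversing the order restores the intended behaviour. When you add a namespace filter, put exact names and narrow patterns above the broad patterns that would otherwise swallow them.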

Endpoints

The Endpoints tab, shown in the following image, lists all Nuix Adaptive Security endpoints with an agent configured and installed. All endpoints are listed whether or not the agent is online with the Nuix Adaptive Security Endpoint Server.

You can view endpoints by group, all hosts, or hosts connected to the selected server.

Using the Endpoint module.

The information and functions that are available on this tab are described in the following table.

1. Add Group: Add a new endpoint group to categorize endpoints.

2. Search: Use the search to find a specific endpoint.

3. Endpoint group list: View the list of endpoint groups. Select a group to view the list of endpoints in that group.

4. Groups: View the endpoint group details. You can choose to view the groups in ascending or descending order.

5. All Hosts: View all hosts connected in your environment. Use filters to search for specific hosts.

6. Server Hosts: View the hosts associated with a specific server, that is, the endpoints in your Nuix Adaptive Security network that are connected to that server.

7. Group details: Use the filters to refine the data by the following categories: Group By, Agent Versions, Platform, Settings, Servers, Rule Set, Namespaces, Hash List, and Keywords.
Use Clear to clear the filters. Click Apply to update the list of results based on the Filters or the Keywords box.
Click Advanced to use Boolean operators.

Endpoint details

View the endpoint details, as shown in the following image, for more information about the endpoint.

Viewing endpoint details.

The information and functions that are available on this tab are described in the following table.

1. Overview: Provides general information for each endpoint. The information on this tab is divided into the following categories:
Summary: Summarizes information relating to the endpoint and its use of the Nuix Adaptive Security Endpoint Agent.
Status: Displays the status of Streaming, Network Isolation, and Microsoft Defender for the selected endpoint.
System: Provides information about the endpoint's hardware and operating system.

2. Latest Alerts: Lists the latest alerts triggered by the endpoint. The alerts can be organized using one of the Sort by filters. Click Show in Groups along with any of these filters to group the results. The results can be shown in ascending or descending order.

3. Latest Tasks: Displays a list of completed tasks for the endpoint, with the most recent tasks at the top of the list.

4. Comms Session: Shows network data exchanged between the Nuix Adaptive Security Endpoint Server and the individual endpoint.

5. Surveys: Gives detailed information about an endpoint's hardware and software configuration at a specific point in time. This contains the following tabs:
Survey
System
Processors
Firmware
Logical Drives
Adapters

6. File System: Displays the directory and file listing of the endpoint. Files can be downloaded, queried, or deleted by selecting the option from the context menu. Right-clicking a column allows you to sort and change how the data appears.

7. Collections: Displays the active and completed collections for the selected endpoint.

8. Microsoft Defender: Displays whether Microsoft Defender is enabled or disabled on the endpoint.

Tasks

The Tasks tab, shown in the following image, lists all jobs that have been created for the endpoints on the network.

Using the Tasks module.

The information and functions that are available on this tab are described in the following table.

1. Filters: Use one of the following filters in the Tasks list: Quick Filter, Task Type, Date Range (From Date and To Date), Endpoints, and Keywords.
Click Reset to return the data to its original presentation.
Click Filter to filter tasks according to the selected filter criteria.
Click Hide/Show Advanced to show or hide the advanced filter options.

2. Task notification: A number appears when a new Task is added. This notification appears when any tab other than Tasks is open.

3. Results: Use one of the Sort by filters to change the sort order of the tasks.
Click Show in Groups in combination with any of these filters to group the results. The results can also be shown in ascending or descending order.

4. Task Summary: Lists all the tasks meeting the criteria of the advanced filters.

5. Categories: Shows tasks by the categories listed at the top of the window: Total, Active, Active 24 Hours, Finished Last Hour, Failed Last Hour, Total Expired.

6. Task details tab: The detail for the task selected on the left side appears on the right side of the tab. Multiple tabs can be open at the same time.

7. Reload: Data can be reloaded using the Reload button; automatic reload is set to Disabled by default.

8. Tabs control: Use this menu to select which of the open tabs is viewed on the right. The tab being viewed is marked with a check mark. Close all tabs by clicking the X.

9. Reload: Click to reload the task information.

Event statistics

The Event Statistics, as shown in the following image, is where you can view daily event details about the endpoints in your environment.

Use the Event Statistics module to find daily event details about the endpoints in your environment.

The information and functions that are available in this module are described in the following table.

1. Process Statistics: The Process Statistics header displays the overall process event counts for the connected endpoints during the previous day.

2. Most Frequent Processes: Displays four reports describing the frequency of process event paths. By default, the reports display the 100 most frequent and the 100 least frequent paths.

3. Process Anomalies: Displays five reports describing the frequency of process event command lines. By default, the reports display the 100 most frequent and the 100 least frequent command lines.

4. Namespace Statistics: Displays four reports describing the frequency of DNS namespace queries.

5. Report Details: The report details vary depending on the selected event category.

Most Frequent Processes reports:
Path - Occurrences of paths from all connected endpoints.
Host - Occurrences of paths for each endpoint.
Hash - Occurrences of paths grouped by the MD5 hash value of the executable.
Host/Hash - Occurrences of paths grouped by both the endpoint and the MD5 hash value.

Process Anomalies reports:
Command Line - Occurrences of command lines from all connected endpoints.
Hash - Occurrences of command lines grouped by the MD5 hash value of the executable.
Parent Path - Occurrences of command lines grouped by both the MD5 hash value of the executable and the full path of the parent executable.
Host/Command Line - Occurrences of command lines for each endpoint.
Host/Hash/Command Line - Occurrences of command lines grouped by both the endpoint and the MD5 hash value of the executable.

Namespace Statistics reports:
Query - Occurrences of DNS queries from all connected endpoints.
Host - Occurrences of DNS queries grouped by endpoint.
Process - Occurrences of DNS queries grouped by process full path.
Process/Host - Occurrences of DNS queries grouped by both endpoint and process full path.

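The reports listed above are frequency counts (stack counting) over process and DNS events, and the least-frequent end of each report is where hunting usually starts. The following Python is an added example, not Nuix code and not Nuix's export format: it builds a constructed set of sample events and computes the same groupings the page lists (Path, Host, Hash, Host/Hash, Command Line, Parent Path, Query, Process, and so on) as most-frequent and least-frequent lists, plus a long-tail set of combinations seen only once. The field names host, path, md5, cmdline, parent, process, and query are assumptions for the example.

```python
from collections import Counter


# Constructed sample telemetry for this example (not real data and not Nuix's export
# format). Field names are assumptions: host, path, md5, cmdline, parent, process, query.
def _events(n, **fields):
    return [dict(fields) for _ in range(n)]


SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

PROCESS_EVENTS = (
    _events(6, host="ws01", path=SVCHOST, md5="md5-svchost",
            cmdline="svchost.exe -k netsvcs", parent=SERVICES)
    + _events(3, host="ws02", path=SVCHOST, md5="md5-svchost",
              cmdline="svchost.exe -k netsvcs", parent=SERVICES)
    + _events(2, host="ws02", path=WINWORD, md5="md5-winword",
              cmdline='"WINWORD.EXE" /n', parent=EXPLORER)
    # Rare: PowerShell with an encoded command, spawned by Word.
    + _events(1, host="ws02", path=POWERSHELL, md5="md5-powershell",
              cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA", parent=WINWORD)
    # Rare: something named svchost.exe in a user-writable path with an unknown hash,
    # but with a command line identical to the legitimate service host.
    + _events(1, host="ws03", path=r"C:\Users\Public\svchost.exe", md5="md5-unknown",
              cmdline="svchost.exe -k netsvcs", parent=EXPLORER)
)

DNS_EVENTS = (
    _events(6, host="ws01", process=OUTLOOK, query="outlook.office365.com")
    + _events(4, host="ws02", process=OUTLOOK, query="outlook.office365.com")
    + _events(3, host="ws01", process=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              query="www.example.com")
    + _events(1, host="ws02", process=POWERSHELL, query="x7k2.updates.example")
)

# Grouping keys for each report, following the report descriptions on the page.
PROCESS_REPORTS = {
    "Path": ("path",),
    "Host": ("host", "path"),
    "Hash": ("md5", "path"),
    "Host/Hash": ("host", "md5", "path"),
}
ANOMALY_REPORTS = {
    "Command Line": ("cmdline",),
    "Hash": ("md5", "cmdline"),
    "Parent Path": ("md5", "parent", "cmdline"),
    "Host/Command Line": ("host", "cmdline"),
    "Host/Hash/Command Line": ("host", "md5", "cmdline"),
}
NAMESPACE_REPORTS = {
    "Query": ("query",),
    "Host": ("host", "query"),
    "Process": ("process", "query"),
    "Process/Host": ("host", "process", "query"),
}


def stack(events, fields):
    """Stack counting: how often each combination of the given fields occurs."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def most_frequent(events, fields, limit=100):
    return stack(events, fields).most_common(limit)


def least_frequent(events, fields, limit=100):
    # Ascending by count, then by key, so the order is deterministic.
    return sorted(stack(events, fields).items(), key=lambda kv: (kv[1], kv[0]))[:limit]


def long_tail(events, fields, max_count=1):
    """Combinations seen at most max_count times: the candidates a rare-occurrence report surfaces."""
    return {key for key, n in stack(events, fields).items() if n <= max_count}


def run_reports(events, reports, limit=100):
    return {name: {"most": most_frequent(events, fields, limit),
                   "least": least_frequent(events, fields, limit)}
            for name, fields in reports.items()}


if __name__ == "__main__":
    for title, events, reports in (("Most Frequent Processes", PROCESS_EVENTS, PROCESS_REPORTS),
                                   ("Process Anomalies", PROCESS_EVENTS, ANOMALY_REPORTS),
                                   ("Namespace Statistics", DNS_EVENTS, NAMESPACE_REPORTS)):
        print(f"== {title} ==")
        for name, result in run_reports(events, reports, limit=2).items():
            print(f"  {name:24} rarest: {result['least'][0]}")
```

Two things the constructed data is meant to show. The rogue svchost.exe is invisible in the Command Line report (its command line is identical to the nine legitimate service-host events) but sits alone at the bottom of the Path and Hash reports, which is why the page keys reports on hash and path as well as on command line. The hash-keyed reports would also group a renamed copy of the same binary with its original. MD5 is used here, as on the page, only as a grouping key; it is not collision resistant, so a matching MD5 should not be read as proof that two files are identical.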

System

The System tab, shown in the following image, contains information about settings, servers, and preferences.

The Settings tab provides the static configuration settings for the agent. These are typically set up during the installation process.

The Servers tab is where you can view all of the Nuix Adaptive Security endpoint servers in your environment. You can also add, edit, or delete servers on this tab. This is where you add a server for redundancy, for a DMZ, or for backup. It is not where you add servers for a multiple-server environment; that is done during the installation process.

The Preferences tab contains information about local storage and your version of Nuix Adaptive Security.

Viewing system settings, servers, and preferences.

The information and functions that are available on this tab are described in the following table.

1. Agent Settings list: In the agent settings list, you can do the following:
Create + New Settings with the name and target version.
View the published and draft settings versions with the platform and version.
Select a setting to view its details.

2. Settings: The Settings tab provides the static configuration settings for the agent. These are typically set up during the installation process.

3. Servers: The Servers tab is where you can view all of the Nuix Adaptive Security endpoint servers in your environment. You can also add, edit, or delete servers on this tab. This is where you add a server for redundancy or backup. It is not where you add servers for a multiple-server environment.

4. Preferences: Click Clear Local Storage to remove any values stored locally, including those listed in the infotip, which are:
Workspace insight tabs
Items on the login screen
Layout customizations
Recent searches
View the About information, which includes the application version, hardware key, and license status.
Set screen user preferences.

User profile

The following information is available by clicking the user information icon, as shown in the following image.

The user profile information.

User Name: The name of the user who is logged in to Nuix Adaptive Security.

Logged In Since: The timestamp of when the user first logged in.

Server: Lists the IP address of the Nuix Adaptive Security Endpoint Server.

Server Version: Displays the software version for the Nuix Adaptive Security Endpoint Server.

Application Version: Displays the software version of Nuix Adaptive Security application.

Selected Time Zone: Displays the time zone.