Forensic Drawer

An LLM-generated natural language summary explaining what happened, why it matters, and recommended next steps. Generated asynchronously during Layer 3 enrichment. Includes confidence level and key observations.

Visual decomposition of the composite risk score (0-100). Shows every individual signal that contributed to the final score: base event score, threat feed matches, behavioral detections, OSINT findings. Each signal shows its point value and source.

Embedded Google Maps view showing the geographic location of the source IP. Displays country, region, city, coordinates, ISP, ASN and organization. For impossible travel events, shows both locations with a connecting line and the calculated speed.

IP reputation data including: Tor exit node status, VPN detection, proxy detection, datacenter/hosting detection, and ASN classification. Shows whether the IP belongs to a residential ISP, cloud provider, or known anonymization network.

Threat feed match results across all 15 integrated feeds: Spamhaus DROP/EDROP, Feodo Tracker, Emerging Threats, CINS Army, blocklist.de, GreenSnow, URLhaus, SC Malaysia Investor Alerts, and more. Each match shows the feed name, listing reason, and when the IP was last reported.

RIOT classification (known good service), noise detection (background scanner), and malicious scanner badge. Helps distinguish targeted attacks from internet-wide scanning noise.

Open ports list, CVE count, hostnames, and CPE identifiers for the source IP. Provides infrastructure fingerprinting without requiring a Shodan API key.

Risk score (none/low/medium/high/critical), threat associations, and feed sources. Community-driven threat intelligence with indicator linking.

Abuse confidence percentage (0-100%), total reports count, last reported date, and abuse categories. High-confidence IPs (>90%) are flagged prominently. Fetched asynchronously.

Maps detected threats to MITRE ATT&CK techniques and tactics. Shows technique ID (e.g. T1110.001), technique name, tactic phase, and a brief description. Helps security teams understand the attack in the context of known adversary behavior.

For request-layer attacks (SQLi, XSS, path traversal, SSRF), maps findings to OWASP Top 10 categories. Shows the matched payload pattern and the specific OWASP category (e.g. A03:2021 Injection).

HTTP request details captured by the SDK middleware: method, path, query parameters, status code, request ID, and response time. Shows the full URL and any suspicious patterns detected in the request.

Browser-side context relayed via the browser SDK: timezone, language, languages list, touch capability, platform, screen resolution, viewport size, color depth, cookie status, Do Not Track, connection type, downlink speed, page URL (sensitive query params redacted), page referrer, and page title.

Server-side metadata auto-collected by the SDK: hostname, runtime version, process ID, and SDK name/version. Helps identify which server instance processed the request.

Shows which SDK sent the event, its version, the source type (sdk, agent, or api), and the ingestor processing timestamp. Useful for debugging SDK configuration issues.

Parsed user-agent string showing browser name and version, OS name and version, device type (desktop, mobile, tablet, bot), and the raw user-agent string for reference.

Recent event history for the same actor (user). Shows the last 20 events with timestamps, event types, risk scores, and IP addresses. Helps identify patterns like repeated failures followed by a success (account compromise indicator).

Click-through from events table

Click any event row to open the drawer. The selected row is highlighted. Use keyboard arrow keys to navigate between events while the drawer is open.

URL state preservation

Opening the drawer updates the URL with the event ID (e.g. /events?id=evt_abc123). This means you can share a direct link to a specific event investigation.

Filter by actor or IP

Click the actor ID or IP address in the drawer to filter the events table by that value. This quickly shows all events from the same user or IP.

Keyboard shortcuts

Press Escape to close the drawer. Press J/K to move to the next/previous event. Press B to block the IP, W to add to watchlist, I to create an incident.