Threat Monitoring workflow and threats
- Threat workflow
- How to read a threat
- Filter threats
- Move a threat to a different queue
- Comment on a threat
- Dismiss a threat
- Bulk edit threats
- Export threats
Threat workflow
UpGuard’s Threat Monitoring workflow has four queues: Open, Investigating, Remediating, and Closed. Threats detected by Threat Monitoring are put into one of two queues: Open or Closed.
Queue | Description | How threats land here |
Open | Threats that require attention. Threats automatically land here if the AI Threat Analyst has identified the threat and has determined that it warrants your review. | Automatic scans |
Investigating | Open threats that are currently being investigated. Move threats to Investigating when the nature of the event is unclear or when its threat level needs to be verified. | Manually (e.g. moved from Open to Investigating) |
Remediating | Open threats that are currently being remediated. Move threats to Remediating if remediation is complex, time-consuming or requires action from another person. | Manually (e.g. moved from Investigating to Remediating) |
Closed | Identified threats that were either: automatically closed by the AI Threat Analyst, manually moved to Closed after going through the remediation workflow, or manually closed for another reason. Threats in Closed are assigned a status: remediated, dismissed, or waived. | Automatically (closed by AI); manually (e.g. from Remediating to Closed) |
How to read a threat
- Click the Breach Risk icon from UpGuard’s left-hand navigation.
- Click Threat Monitoring from the left navigation.
- Select a threat.

- Threat summary: what the threat is, why it’s been identified as a threat, and what the recommended remediation strategy is.
- Details & Metadata: threat details (associated Transform, severity, date detected, threat type, source, etc.).
- Preview: lists particular snapshots of where the threat signal was detected. Mentions of the detected keyword are highlighted by default, but you can search for other values as needed. Preview is not available for Stealer logs; in this case the information is in the metadata.
- Timeline: A timeline with actions related to the threat (when the threat was detected, when it was changed into a workflow queue, etc).
Filter threats
Use filters to home in on the threats you want to work with.
- Click the Breach Risk icon from UpGuard’s left-hand navigation.
- Click Threat Monitoring from the left navigation.
- Use the Filters panel to apply the desired filters.
You can filter by:
- Dates (pre-set date ranges)
- Transforms
- Severity
- Threat type
- Source
- Text (contains or does not contain)
Move a threat to a different queue
For threats in Open, Investigating, or Closed:
- Click the Breach Risk icon from UpGuard’s left-hand navigation.
- Click Threat Monitoring from the left navigation.
- Select a threat.
- Move the threat to the appropriate queue using the buttons in the threat’s upper-right corner. The options available depend on which queue the threat is currently in.
Threat's current queue | Move the threat to |
Open |
|
Investigating |
|
Closed |
|
For threats in Remediating:
Mark the remediation request as completed via the remediation workflow in Breach Risk. When the remediation request is marked as Remediated or Waived, the threat is automatically moved to Closed in Threat Monitoring.
Comment on a threat
Add comments to threats in Open, Investigating, or Closed to communicate with internal stakeholders or leave reference notes. Commenting on an Open threat automatically moves it to Investigating.
- Click the Breach Risk icon from UpGuard’s left-hand navigation.
- Click Threat Monitoring from the left navigation.
- Select a threat.
- Click the comment button.
- Type your comment.
- Click Add comment.
Your comment is now added to the threat and visible to anyone with access to view the threat.
Dismiss a threat
Dismiss a threat when:
- it’s a false positive: this threat is not actually related to your Transform.
- the ‘threat’ is related to the Transform, but it is not something that needs to be investigated.
How to dismiss a threat
- Click the Breach Risk icon from UpGuard’s left-hand navigation.
- Click Threat Monitoring from the left navigation.
- Select the threat you want to dismiss.
- Click Dismiss in the threat’s top-right.
Your threat is moved to Closed and assigned the status Dismissed.
Bulk edit threats
Bulk select threats to:
- move all selected threats to Investigating
- mark all selected threats as remediated (threats are moved to Closed)
- dismiss all selected threats (threats are moved to Closed)
Bulk select threats in Open or Investigating
- Click the checkbox next to each threat you want to select.
- Click the checkbox above the threat list to mass select all visible threats.
Apply filters and then mass select all visible threats. By default, only visible threats will be selected. If there are multiple pages of threats, you’ll see an option to Select all ‘#’ threats.
Export threats
Export threats in Open, Investigating, Remediating, or Closed. Threats are exported as .xlsx files.
- Click the Breach Risk icon from UpGuard’s left-hand navigation.
- Click Threat Monitoring from the left navigation.
- Select the queue corresponding with the threats you want to export: Open, Investigating, Remediating, or Closed. Each queue must be exported individually; you cannot export threats from multiple tabs at a time.
- Modify export settings:
  - Filters: export the tab’s full list or a filtered list.
  - Frequency: one-time or recurring (weekly, monthly, quarterly, yearly).
  - Delivery: reports or email and reports.
- Click Export.
Your report begins exporting immediately and will be delivered to you in Reports > Generated reports (and via email depending on your selections).