The XDR Dashboard: The Central Hub for Global Threat Visibility
Modern cybersecurity operations demand complete visibility into every endpoint within an organization. As threats continue to evolve beyond the scope of traditional antivirus and endpoint detection tools, security teams require a unified system that can continuously analyze endpoint activity, detect anomalies, and initiate an appropriate response. An Extended Detection and Response (XDR) solution serves precisely this purpose, offering centralized visibility and intelligent correlation across all monitored endpoints.
Glossary of Key Terms
| Term | Definition |
|---|---|
| Endpoint | A device on which the XDR agent is deployed, allowing it to collect telemetry data, monitor system behavior, and report potential security events back to the console. |
| Threat | Any activity, process, or entity with the potential to harm an endpoint or compromise data (e.g., malware, unauthorized actions, vulnerability exploitation). It corresponds to a detected pattern of suspicious behavior indicating a potential breach. |
| Anomaly | Any endpoint activity that deviates from usual patterns. It serves as an early indicator for investigation, even if it does not immediately indicate a confirmed threat. |
| Adversary | Any individual, group, or automated entity attempting to compromise endpoints, data, or networks. |
| Panel | An individual dashboard section displaying specific data or metrics derived from endpoint telemetry and threat analysis to help administrators interpret activity. |
| Severity | The assessed impact or potential risk of a threat or incident, indicating how harmful it could be if unaddressed, aiding in response prioritization. |
| XDR Agent | Software installed on an endpoint enabling communication with the Hexnode XDR console. It continuously monitors system activity, processes, network connections, and file events. |
| Environment | The complete collection of an organization’s endpoints, users, networks, configurations, and security posture where the XDR agent is deployed and threats are managed. |
| Administrators | Technicians using the Hexnode XDR console to review detections, investigate incidents, assess impact, and coordinate remediation actions. |
First Steps: Get Started with Hexnode XDR
Administrators begin with the Hexnode XDR Get Started process, an initial onboarding flow that aligns the console with operational needs.
The Get Started section presents two choices:
- Quick Overview: Explore documentation, watch learning modules, or interact with Hexnode Genie for on-demand explanations.
- Start Onboarding: Guides administrators through integrating XDR, deploying it via a chosen management system, or performing manual installation (command-line or package deployment).
Once onboarding is complete and the agent begins reporting to the console, administrators gain access to the Hexnode XDR Dashboard, the central hub for all active detections and endpoint telemetry.
Overview of the XDR Dashboard
The XDR Dashboard presents an organized overview of all security-related activities across deployed endpoints. It helps administrators assess threat posture, identify incidents, and prioritize responses.
- Real-time Insights: Every metric and visualization reflects real-time telemetry.
- Time Filtering: Data can be filtered by specific date ranges up to a maximum of 90 days.
- Trend Comparison: All time-based panels automatically compare current metrics with the previous equivalent time range (e.g., this week vs. last week).
Dashboard Components
The dashboard translates complex telemetry into actionable intelligence through the following analytical panels:
- Incident Landscape
- Threats
- Critical Events
- Activity Feed
- Threat Activity
- Recent Incidents
- MITRE ATT&CK & Events
- Endpoint Remediation
- Incident Allocation
XDR Dashboard Panels Breakdown
1. Incident Landscape
Provides a summarized view of key threat metrics to help administrators understand the organization’s current threat exposure.
| Metric | Description |
|---|---|
| Total Incidents | Cumulative number of identified incidents (Threats + Alerts). Threats are harmful activities; Alerts are notifications triggered by predefined Alert Profiles. |
| Open Incidents | Count of incidents (threats or alerts) remaining unassigned to any technician, indicating pending workload. |
| Threats | Total number of threats detected across all monitored endpoints in the selected period. |
| Alerts | Total number of alerts generated based on configured Alert Profiles. |
| Vulnerable Devices | Number of endpoints affected by threats within the chosen time range. |
2. Threats
A pie chart showing the percentage of detected threats at each severity level.
| Severity Level | Color Representation |
|---|---|
| Low | Blue |
| Medium | Green |
| High | Yellow |
3. Critical Events Panel
Lists the most severe threats and alerts chronologically. Allows administrators to quickly review high-priority detections as they occur.
- Data Displayed: Incident name, category, and time since identified.
- Color Coding: Green (Low), Blue (Medium), Yellow (High), Red (Critical).
4. Activity Feed Panel
A continuous, consolidated timeline of operational and administrative actions within the console to maintain awareness and support traceability.
- Activities Tracked: Technician updates, policy changes, remediation actions, incident assignments, and audit events.
- Data Displayed: Endpoint involved, user performing the action, activity type, and time elapsed.
5. Threat Activity
A line graph presenting threat detections over time across all endpoints, to help spot spikes, recurring patterns, and changes in volume.
- Y-axis: Count (number of threats) detected.
- X-axis: Time aligned with the selected range (days, weeks, or months).
6. Recent Incidents
A table view listing the 10 most recent incidents in reverse chronological order (newest first). Clicking an incident opens its detailed view.
| Column | Description |
|---|---|
| Incident Name | Identifies the incident based on threat or alert type. |
| Host Name | Specifies the affected endpoint for quick identification. |
| Severity | Indicates the risk level to help prioritize entries. |
| Timestamp | The exact time the incident was detected by the XDR agent. |
7. MITRE ATT&CK & Events
Maps threat activity against the globally recognized MITRE ATT&CK framework to help administrators understand attacker intent, methods, and potential impact. Displayed as a bar graph (Y-axis: number of events/threats; X-axis: 14 MITRE tactics).
MITRE ATT&CK Tactics Mapped:
| Tactic | Description |
|---|---|
| Initial Access | Attempts to gain entry via phishing, vulnerable services, or malicious files. |
| Execution | Running malicious code, scripts, or commands on the endpoint. |
| Persistence | Maintaining long-term access, surviving reboots or credential changes. |
| Reconnaissance | Collecting information about endpoints, users, or the environment prior to an attack. |
| Resource Development | Preparing tools, infrastructure, or malicious files for later use. |
| Privilege Escalation | Attempting to gain higher-level permissions for deeper control. |
| Defense Evasion | Avoiding detection by hiding processes or disabling security tools. |
| Credential Access | Stealing passwords, tokens, or authentication data. |
| Discovery | Searching the system to learn about files, networks, or nearby endpoints. |
| Lateral Movement | Moving from one compromised endpoint to another within the network. |
| Collection | Gathering sensitive data (documents, keystrokes, screenshots). |
| Command and Control (C2) | Establishing communication with an external server for commands or data transfer. |
| Exfiltration | Sending collected data out to an attacker-controlled location. |
| Impact | Directly affecting system integrity via file corruption, encryption, or disruption. |
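The bar graph in this panel is a count of events per tactic. The following is an added example, not Hexnode's code and not a description of how the console performs the mapping; the event shape, the sample events and the technique-to-tactic table (a small hand-picked subset of Enterprise ATT&CK, which a real deployment would load from the full ATT&CK data) are assumptions made for illustration. It shows the two things that make the mapping non-trivial: sub-technique IDs such as `T1059.001` must be resolved to their parent technique, and some techniques (Valid Accounts, `T1078`) belong to several tactics, so an event without an explicit tactic tag contributes one bar each to all of them. Unknown technique IDs are reported separately rather than silently dropped:

```python
from collections import Counter

# The 14 Enterprise ATT&CK tactics, in the order the framework lists them;
# the x-axis always shows all 14, zero-filled where nothing was seen.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Subset of ATT&CK technique -> tactic(s). Assumption for the example only;
# the full mapping comes from the ATT&CK STIX data, not from this table.
TECHNIQUE_TACTICS = {
    "T1566": ["Initial Access"],                                   # Phishing
    "T1059": ["Execution"],                                        # Command and Scripting Interpreter
    "T1078": ["Defense Evasion", "Persistence",
              "Privilege Escalation", "Initial Access"],           # Valid Accounts (multi-tactic)
    "T1003": ["Credential Access"],                                # OS Credential Dumping
    "T1021": ["Lateral Movement"],                                 # Remote Services
    "T1071": ["Command and Control"],                              # Application Layer Protocol
    "T1486": ["Impact"],                                           # Data Encrypted for Impact
    "T1562": ["Defense Evasion"],                                  # Impair Defenses
}


def parent_technique(technique_id: str) -> str:
    """Strip a sub-technique suffix: 'T1059.001' -> 'T1059'; normalises case."""
    return technique_id.strip().upper().split(".", 1)[0]


def tactic_histogram(events):
    """Return ([(tactic, count), ...] in TACTICS order, [unmapped technique ids]).

    An event carrying an explicit "tactic" (set by the detection rule) counts
    only there; otherwise it counts under every tactic its technique belongs to.
    """
    counts = Counter({t: 0 for t in TACTICS})
    unmapped = []
    for ev in events:
        explicit = ev.get("tactic")
        if explicit:
            tactics = [explicit] if explicit in counts else []
        else:
            tactics = TECHNIQUE_TACTICS.get(parent_technique(ev["technique"]), [])
        if not tactics:
            unmapped.append(ev["technique"])
            continue
        for t in tactics:
            counts[t] += 1
    return [(t, counts[t]) for t in TACTICS], unmapped


# Constructed sample events, as a detection pipeline might emit them.
SAMPLE_EVENTS = [
    {"id": 1, "host": "host-a", "technique": "T1566.001"},                        # spearphishing attachment
    {"id": 2, "host": "host-a", "technique": "T1059.001"},                        # PowerShell
    {"id": 3, "host": "host-b", "technique": "T1078", "tactic": "Persistence"},   # rule pinned the tactic
    {"id": 4, "host": "host-c", "technique": "T1078"},                            # no tactic: counts in all four
    {"id": 5, "host": "host-b", "technique": "T1003.001"},                        # LSASS memory
    {"id": 6, "host": "host-b", "technique": "T1562.001"},                        # disable or modify tools
    {"id": 7, "host": "host-c", "technique": "T1486"},                            # ransomware encryption
    {"id": 8, "host": "host-d", "technique": "T9999"},                            # unknown id, reported not dropped
]


def demo():
    """Histogram as a dict plus the list of unmapped technique ids."""
    bars, unmapped = tactic_histogram(SAMPLE_EVENTS)
    return dict(bars), unmapped


if __name__ == "__main__":
    bars, unmapped = demo()
    for tactic, n in bars.items():
        print(f"{tactic:22s} {'#' * n} {n}")
    print("unmapped:", unmapped)
```

Because a multi-tactic technique is counted once per tactic, the bars can sum to more than the number of events (ten bar units for seven mapped events above). That is the right behaviour for an intent-oriented view, but it means the Y-axis of this panel should not be read as an incident count; the Incident Landscape panel is where that number lives.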
8. Endpoint Remediation
A pie chart overview of the actions taken to respond to threats, showing the percentage of each remediation method used.
| Remediation Action | Description | Color Code |
|---|---|---|
| Kill | Terminates a malicious or suspicious process to prevent further harm. | Green |
| Isolate | Places the endpoint in a restricted sandbox network, preventing communication with other endpoints. | Blue |
| Quarantine | Moves a suspicious file to a secure, isolated location so it cannot be executed. | Yellow |
| Delete | Permanently removes a malicious or high-risk file to eliminate the threat. | Red |
9. Incident Allocation
A pie chart showing how incidents are distributed between technicians to manage workload and identify pending items.
| Allocation Status | Description | Color Code |
|---|---|---|
| Assigned | Incidents allocated to a technician for tracking and remediation. | Green |
| Unassigned | Pending incidents requiring administrative attention for assignment and resolution. | Red |