Topology Map - Overview

The Threat Topology map shows the connections between hosts and any detected threats, providing an intuitive overview of your network's security status.

Views

A View is a filter with a predefined query that is applied to the data before it is displayed on the topology map. When a view is selected, the corresponding filter is applied, restricting the scope of data that will be displayed and can be searched on the map.

Internal IP Settings:

Internal IP settings contain a list of predefined IP address ranges, in CIDR format, that are considered internal. Admins can add their own internal IP address ranges to this list. These ranges are added to the Internal traffic predefined view, allowing a focused view of internal network traffic on the map. They also determine the Host type displayed on the map. For more information, see Internal IP Settings.

Excluded Views:

Administrators can create Excluded Views to hide specific information on the topology map. You can either create a query to exclude certain data or define a range of IP addresses to be excluded on the topology map. For example, to avoid monitoring test devices on the topology map, you can create an excluded view for their IP address range.

Any data that matches an excluded view will not be shown on the map regardless of any View or Search definitions.

For more information, see Excluded Views.
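To make the precedence between Internal IP Settings, Views and Excluded Views concrete, here is an added Python model of the filtering described above (illustrative code, not the product's own implementation). The CIDR ranges, the "internal_traffic" view name and the sample connections are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed internal ranges, as an admin would enter them in Internal IP Settings.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed excluded view: a range of test devices that should never appear on the map.
EXCLUDED_RANGES = [ipaddress.ip_network("10.99.0.0/24")]


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    threat: Optional[str]  # None for a plain event record with no Alert


def host_type(ip: str) -> str:
    """Classify a host as internal or external against the admin-defined CIDR list."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_RANGES) else "external"


def is_excluded(ip: str) -> bool:
    """True if the address falls in any excluded view range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_RANGES)


# Predefined views are filters applied to the data before display (hypothetical names).
VIEWS = {
    "all": lambda c: True,
    "internal_traffic": lambda c: host_type(c.src) == "internal" and host_type(c.dst) == "internal",
}


def map_edges(events, view="all", option="threats"):
    """Return (src, src_type, dst, dst_type, threat) edges the map would draw.

    Excluded views are checked first and hide a connection regardless of the
    selected view; then the view's query; then the Threats/All option."""
    edges = []
    for c in events:
        if is_excluded(c.src) or is_excluded(c.dst):
            continue
        if not VIEWS[view](c):
            continue
        if option == "threats" and c.threat is None:
            continue
        edges.append((c.src, host_type(c.src), c.dst, host_type(c.dst), c.threat))
    return edges


# Constructed sample connections.
EVENTS = [
    Connection("10.1.1.5", "10.1.2.7", "Bot"),            # internal -> internal, with Alert
    Connection("10.1.1.5", "203.0.113.9", None),          # internal -> external, plain event
    Connection("10.99.0.4", "10.1.2.7", "Bot"),           # test device: excluded
    Connection("192.168.4.2", "198.51.100.3", "Malware"), # internal -> external, with Alert
]
```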

Visualizing Connections

Lines show the connections between the hosts. You can hover over a line to see the number of distinct connections made between the two hosts. Hosts are represented differently according to their Host type, depending on whether the host is internal or external.

There are two options that control the set of events represented on the topology map:

  • Threats (Default) - Only threat-related information, that is, events reported as Alerts

  • All - All event records

Color Coding

Hosts are color-coded according to the Threat type, as shown in the legends on the right side. If a host has multiple threat types, the system displays the highest priority threat first and lists the other threat types in descending order of priority.

Filtering and Searching

You can configure the map's event data time frame, with optional search criteria for more specific data retrieval. For more information on the search query syntax, see Searching the Threat Topology Map.

If the data volume exceeds the display limit, the system shows a warning message and only partial results are displayed. In such cases, it is recommended to refine your search criteria or reduce the time frame to retrieve a more specific data set.

Hosts Grouping

Hosts can be grouped by Threat type, Host type, Country, Origin, and Subnet to reduce the number of data points on the map and to improve readability. By default, hosts are grouped by Threat type and Host type.

Hosts Tags and Details

You can configure tags for hosts and have them displayed on the map when you select the Show tags option.

You can also view the related details for any selected host. The details include:

  • Alerts - Alerts detected that include the host.

  • Applications - Logs related to Application control.

  • Matched Indicators - Indicators that matched the host.

By leveraging these features, the Threat Topology map helps you effectively monitor and manage network security, ensuring a clear understanding of connections and potential threats.