Event Explorer
Use Event Explorer as your command center to investigate user activity. Get a complete view of events so you can:
- Investigate suspicious behavior in real time.
- Hunt threats proactively before they escalate.
- Drill into details across accounts, devices, IPs, and more.
To access Event Explorer, navigate to the ITDR platform.
Search & Filtering
Find relevant events quickly to speed up investigations and stay focused.
- Build advanced searches using OR and Group filters.
- Search across standard filters — Identifiers, Lists, Risks, and Signals — to focus on what matters most. Search for event data within the last 180 days.
- Use Quick Filters for one-click access to common investigations (e.g., Account Takeover, Credential Stuffing, etc.).
Event Explorer List searches are historical, showing items that were on the List when the event happened. Expired items may appear in results even if they’re no longer on the List.
Dynamic Views of Aggregated Events
Pivot across perspectives to spot trends and anomalies quickly.
- Toggle between the Events, Accounts, IPs, Sessions, Prints, Emails, or Phones tabs to view results from different angles.
  NOTE: Each tab (except Events) shows resulting events grouped by that attribute. For example, the Accounts tab organizes events by your selected filters, grouped by Account.
- Refine filters to update graphs and tables instantly.
- Select any row to view detailed information about that attribute.
Collaboration & Sharing
Share insights and investigations with your team to collaborate effectively.
- Bookmark any search, including selected filters, and share it with your team by copy/pasting the URL.
- Export up to 10,000 rows from any table to review and share internally.
Seamless Investigation Across the Platform
Start in Explorer and follow the investigation wherever it leads to uncover patterns and hunt threats efficiently.
- Start investigating in Event Explorer, then continue to Account Intelligence, SignalPrint, or Lists.
- Use detail panels to view rich metadata for any attribute and add it directly to a List.
- Use tables to add multiple attributes to a List to move from overview to deep investigation in seconds. Note: Do not add Events to a List.
Attach custom data to the events you send to ITDR for processing. Add this information to the API request in the workspaceCustomData field, in JSON format. Use custom data across ITDR (Event Explorer, Lists, Monitors, Rule Sets, etc.). Limit custom data to 8 KB in size.
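A client-side check for the workspaceCustomData limit described above, as an added example that is not part of the product documentation or the ITDR API. It assumes "8 KB" means 8 × 1024 bytes of compact UTF-8 JSON; every event field name other than workspaceCustomData is hypothetical and the sample values are constructed.

```python
import json

# Assumption: "8 KB" is read here as 8 * 1024 bytes of UTF-8 encoded JSON.
MAX_CUSTOM_DATA_BYTES = 8 * 1024


def encoded_size(custom_data):
    """Size in bytes of custom_data as compact UTF-8 JSON (rejects NaN/Infinity)."""
    text = json.dumps(custom_data, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False)
    return len(text.encode("utf-8"))


def attach_custom_data(event, custom_data):
    """Return a copy of event carrying workspaceCustomData, or raise ValueError."""
    if not isinstance(custom_data, dict):
        raise ValueError("custom data must be a JSON object of key-value pairs")
    if not all(isinstance(key, str) for key in custom_data):
        raise ValueError("custom data keys must be strings")
    try:
        size = encoded_size(custom_data)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"custom data is not valid JSON: {exc}") from exc
    if size > MAX_CUSTOM_DATA_BYTES:
        raise ValueError(
            f"custom data is {size} bytes; limit is {MAX_CUSTOM_DATA_BYTES}")
    enriched = dict(event)  # leave the caller's event untouched
    enriched["workspaceCustomData"] = custom_data
    return enriched


# Constructed sample event; every field name except workspaceCustomData is hypothetical.
SAMPLE_EVENT = {"eventType": "login", "accountId": "acct-0001"}
SAMPLE_CUSTOM = {"tenant": "emea-retail", "loyaltyTier": "gold", "mfaEnrolled": True}

if __name__ == "__main__":
    print(json.dumps(attach_custom_data(SAMPLE_EVENT, SAMPLE_CUSTOM), indent=2))
    # 3,000 characters, but each is 3 bytes in UTF-8, so the payload exceeds 8 KB.
    try:
        attach_custom_data(SAMPLE_EVENT, {"note": "\u65e5" * 3000})
    except ValueError as err:
        print("rejected:", err)
```

Measuring encoded bytes rather than characters matters when custom data carries non-ASCII text such as display names or free-form notes.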
Send events with older timestamps to show the state of the signals at the time ITDR processed the events.
View Event Details
Use the Event Details panel to review a snapshot of a specific event and understand what happened, who was involved, and why the activity may be significant. The panel includes three sections: Key Event Details, Scores & Signals, and Event Metadata.
Key Event Details
Review the core attributes of the event:
- Event Type — identify the category of activity that occurred.
- Occurred — identify the exact time the system recorded the event.
- Account Information — identify the user associated with the activity, including the email address, account ID, and identity provider or integration source (for example, Auth0, Okta).
- Session ID — identify the session token associated with the event.
Use this section to understand the event in context.
Scores & Signals
Review the system’s assessment of the event’s risk profile and the indicators used to evaluate severity:
- Composite Score — review a combined value (0–100) derived from the event’s risk and anomaly scores. A score of 100 indicates a highly risky event.
- Risk Score — review a value between 0 (safe) and 100 (risky), informed by OSINT data and internal detection algorithms.
- Anomaly Score — review how unusual the activity is compared to the user’s historical behavior. Scores range from 0 (normal) to 100 (highly unusual).
- Impossible Travel — identify instances where a user appears to move between two geographic locations within a timeframe that would be physically impossible.
- Risk Signals — review the underlying factors that explain why the event received its score.
Use these indicators to understand both the severity of an event and the factors contributing to its risk.
Event Metadata
Review contextual details associated with the event in the following subsections:
- IP
- Session
- Device
- Email
- Phone
- Payment
Use each subsection to correlate activity, detect patterns, and determine whether a bad actor has left a trail across multiple events or systems.
If your organization provides custom workspace data (key-value pairs defined within your organization), review this information at the end of the Event Metadata section to support investigation and validation of user activity.