These are the AppIDs of the hosts receiving the malware. The severity is derived from what class of malware was detected. The True Positive Rate (
tpr) is calculated with respect to the global count of the same AppID associated with any other rule, whether or not it caused a compromise.
The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected it. The other columns should be self-explanatory. Hovering over a bubble or set of overlapping bubbles shows the raw data represented by the bubble(s) selected. This selection is sticky so that you can go to the table and inspect the data or click on the links within the table. To see all rows in the table, click outside any bubble.
|Content AppID||Description||Global True Positives (
||Global Hits (
||Avg Priority (
||Global Priority (
||Global True Positive Rate (