With the All Events page of the Administration Interface, Threat View enables you to investigate your threat exposure based on events. In the list widget, all events are listed, including non-threat events such as Network Information. In the world map, only threat events are visualized.
With the available filters you can quickly zoom into a small and specific set of events and gain insights into the activity of a specific user. To enhance clarity, the world map visualization is limited to time periods of the previous day or the last 7 days.
The time period and threat event filters apply to both widgets; the filters for the user ID, session ID, and device ID are only available for the list widget.
To access All Events, open the Threat View Dashboard and navigate to Latest Events > View More.
Investigation parameters
The data source is the same as that for the Latest Events list on the Dashboard, but on the All Events page, filters for the time period and threat event are available as parameters for event-based investigations. Select the threat event and time period you wish to analyze from the dropdown menus at the top of the All Events page.
Available time periods:
Today (default value): this covers all the events of “today” since the last time the data was processed.
Previous day
Previous 7 days
Available threat events:
All
You can select any threat event Threat View provides for analysis. For more information, see also Types of monitored threats.
The Network information parameter is part of the All Events list but, because it is not a threat, it is not included in the Threat type:... dropdown menu.
Visualizations
Based on the selected parameters, the All Events page visualizes the data for the selected threat event that matches the selected time period in the list and world map widgets.
World map
The world map shows circles in the countries where the devices on which events occurred during the selected time window were located at that time. The circle radius increases with the number of detected events. If you hover the mouse pointer over a highlighted country, Threat View displays a tooltip with the country name and the absolute number of events.
Because the world map widget operates on processed event information, real-time data cannot be reliably visualized when the time period filter is set to Today. In that case, the page displays a static world map and a message that no aggregated data is available.
To facilitate locating countries, and especially smaller countries, the countries in the map are displayed in different colors. Threat View also provides buttons to zoom into and out of the map, and a Reset button to quickly resize the map to its default display size.
List
The All Events list includes any event matching the selected time period and threat event, and provides the following information for the matched events in a table:
Event type
Threat event
Time (as timestamp in UTC)
User ID
Session ID
Device ID
Operating system
Location (as country code)
The list includes all events, both threat events and non-threat events. It is paginated for convenient navigation, so that you do not need to retrieve and verify all of these events.
Event details
For Network Information and Malware, i.e., the parameters Threat View obtains from the OneSpan Threat Protection SDKs, the Threat View Administration Interface also provides a separate Event Details page. To open this page and view the details, click the three dots at the end of the row for any Network Information or Malware entry of the All Events list, then click View Event Details.
The page displays the following default sections, regardless of the page’s root parameter:
ID Information
Device Information
Geolocation
App Data
The page displays specific sections, based on the selected event:
Malware: to provide more information about the detected malware.
Network information: to provide general network information, Wi-Fi information, and proxy settings.
If any type of information is not available, the affected sections are grayed out on the page.
Available filters
To allow more detailed analyses, the All Events list can be filtered by the following parameters/table columns:
User ID
Session ID
Device ID
To filter the All Events list
In the All Events list, hover your mouse pointer over the value you want to analyze more closely. This will display two icons, the filter and the clipboard icons.
The values in these columns are displayed abridged but are processed, copied, and pasted as full values.
To filter on that value, you have two options:
Click the filter icon to directly view the results filtered by the selected value.
Click the clipboard icon to copy the value and use it with the filter button above the table:
Click the filter button above the list.
From the Columns menu, select the column on which you want to focus.
In the Value field, paste the copied value.
Threat View validates the input in this field and displays an error message in the filter menu in the following cases:
If you select Device ID or Session ID and do not enter a value.
If you select Device ID and the entered value is not hexadecimal.
Click Apply.
To return to the entire list, click the X in the filter field.