Understanding ThreatScope Mobile XDR

Last updated September 3, 2023 by Appdome

Intro

ThreatScope Mobile XDR provides visibility into the actual attacks and threats that an Appdome-protected app faces once released in production. The dashboard data updates every 24 hours, so security teams can track in real time how attacks evolve and react quickly to emerging trends. No prerequisites are needed for the attacks and threats a protected app faces to appear in the dashboard: operations teams need no API integrations, and mobile development teams need no code changes.

Setting up Access to ThreatScope Dashboard

Access to protected apps' threat data on the ThreatScope Dashboard is gated to viewer accounts that meet the following conditions:

  • The viewer account is licensed to access the ThreatScope Dashboard
    Request Appdome support to activate the license for the accounts that should have access to threat data.
  • The threat data originated from teams of which the viewer is a member
    The viewer account must be configured by the team leader of each production team. For details, see section Configuring the Viewer Account.
  • The viewer has the View ThreatScope entitlement in the team
    For details, see section Adding the View ThreatScope Entitlement to the Viewer's Account below.

Configuring the Viewer Account

To configure the viewer account, the team leader needs to:

  1. Open the User Menu.
  2. Click on Team Management.
  3. Expand each production team by clicking the Expand Action Icon button.
  4. Review the team member list.
    If the requested viewer's account does not appear, invite the viewer by clicking the Invite Others button.
  5. Type the viewer account's name and press Enter. When done, click Invite.
  6. After the viewer accepts the invitation, proceed to the next step of adding the required entitlements to the team.

Adding the View ThreatScope Entitlement to the Viewer's Account

To add the View ThreatScope entitlement to the account of a production team member, the team leader should follow these steps:

  1. Click on Team Management in the user menu and click the Add Entitlement button to add entitlements.
    A list of the entitlements available for the account is displayed.
  2. Click the View ThreatScope entitlement.

Troubleshooting Access to ThreatScope Dashboard

This section provides troubleshooting information for resolving the following issues:

  • Lack of the View ThreatScope entitlement
    Viewer is a member of a team but does not have the View ThreatScope entitlement
  • Viewer is not a member of any team
  • Viewer or View ThreatScope entitlement was removed
    Viewer was a member of a team or had the view entitlements, then the viewer was removed from the team or the view entitlement was removed.

Lack of the View ThreatScope entitlement


Cause:

The viewer attempted to access the ThreatScope dashboard; although the viewer's account is a member of at least one team, that team does not have the View ThreatScope entitlement.

Remediation:

Add the View ThreatScope entitlement to each team to give the viewer access to threat data. For additional information, see the section on Setting up access to ThreatScope Dashboard.

Viewer is not a member of any team


Cause:

The viewer tried to access the ThreatScope dashboard by using the All My Teams workspace, while the viewer’s account is not a member of any team.

Remediation:

Request the production team leader to invite the viewer's account to join the team and to add the View ThreatScope entitlement in each team whose threat data the viewer should access. For further information, see section Setting up Access to ThreatScope Dashboard.

Viewer or View ThreatScope entitlement was removed


If the viewer was a member of a team or had the view entitlement, and the viewer was then removed from the team or the view entitlement was removed, the following notification is displayed when trying to access the dashboard.

Cause:

The viewer tried to access a team in the ThreatScope dashboard, but the viewer's account was removed from that team or the View ThreatScope entitlement was removed from the viewer's account in that team.

Remediation:

Request the production team leader to invite the viewer's account to join the team and to add the View ThreatScope entitlement in each team whose threat data the viewer should access. For further information, see section Setting up Access to ThreatScope Dashboard.

Reviewing the Dashboard Structure

The dashboard allows you to perform the following tasks:

  • Select the viewing scope
  • Select the date range
  • Review the geographical source of threats
  • View all threats and attacks
  • Use the Threat Stream widget
  • Display top defenses breakdown
  • View protection level
  • Filter threat intelligence
  • Review threat streams

Selecting the Viewing Scope

The dashboard viewer allows defining the scope of data items (threats) to be displayed, from the following options:

  • A specific team
    Shows only threats associated with apps built by the selected team.
  • All my teams
    Shows threats associated with apps built by all teams that the ThreatScope viewer is entitled to access.
  • Personal workspace

Selecting the Date Range

The Set Date Range section allows defining the date range of data items (threats) to be displayed. By default, the date range is the last 30 days, but it can be extended in accordance with the ThreatScope dashboard license.

Reviewing the geographical source of threats

The GeoSource section displays a map that shows the countries from which threats and attacks originate.
Countries are colored based on the volume of threats detected in the region. For clarification, see the legend on the right.

Hover over a country to see a breakdown of the information by the following items:

  • Country name
  • Date range
    Only threats from the listed date range are aggregated.
  • Threat stream breakdown
    The sum of threats categorized by Threat Stream and the percentage of each threat stream out of the total.
  • Total threats and attacks
    The sum of all threats and attacks that originated from the country under the mouse pointer.

To select one or more countries:

  • To select a single country, click the country on the map or select its check box. To clear the selection, click the check box of a selected country again.
  • To select multiple countries, select the check boxes of each requested country if they have not already been selected.

Types of Geography-based data input

The following types of geography-based data input exist:

  • Non-specific
    This is the default data input. In this case, the data input used for mapping the threat to its location is the public IP as recorded in Appdome's analytics server.
    Because attackers can mask their real public IP by using network components such as VPNs and proxies, this data is considered non-specific, that is, it cannot be used to accurately identify the source of the attack.
  • Specific
    The data input used in this case is the device location data (GPS). Because access to location data requires declaring a specific permission in the app and obtaining user consent, this type of threat geo-source is not the default option and requires opting in when building the app on Appdome.
Note:
It is the responsibility of the app's developer to add the required location permission and request user consent to access the device's location. Appdome will not add location permissions to the protected app, nor trigger any access to location data without checking whether the user has granted access to it.

What can be inferred from the data

  • Ability to create a focus list of countries that generate the most attacks
    Customers that have a web application firewall (WAF) in place can use this data stream to apply different security policies based on the threat landscape of the app and the app’s user base.
  • Visibility on how the threat types are distributed within a given country
    This can enable tracking which vectors are used by different local and global actors.
  • You can use the Snapshots feature to download the current view of the selected GeoSource.

Reviewing Unique Devices Data

Currently, after applying the selected filters, the displayed sum of Threat Events and Attacks represents the accumulation of all events that occurred, across a large number of devices.

Each device may experience multiple events, and the distribution of events between devices can lead to different insights. For example, if there are 1000 events but 990 of them occurred on one device, the situation is different from 1000 devices being involved.

To gain more insight into the distribution of events, Appdome lets users generate a report that describes how many devices were involved in each of the chosen event types.

  1. Apply the selected ThreatScope filters.
    Note: You must choose at least one specific Event Type or Reason Code in order to produce the report.
  2. Click the download drop-down button at the top right.
  3. Select Download Unique Device ID report.
  4. The report is downloaded, listing the number of unique devices per event according to the selected filters.


The report is returned in JSON format; each object includes the name of the attack and the number of involved devices:

{
  "<FAC Event Name #1>": {
    "eventType": "<Event externalID>",
    "impactedDevices": "<# of unique device IDs for externalID in selected filters>"
  },
  "<FAC Event Name #2>": {
    "eventType": "<Event externalID>",
    "impactedDevices": "<# of unique device IDs for externalID in selected filters>"
  }
}
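The following Python example is added here and is not part of Appdome's product or this article: it parses a constructed report in the format above and pairs it with per-event totals (as the All Data view would count them) to flag event types whose events are concentrated on few devices, the 990-of-1000 case discussed above. The event names, external IDs and counts are invented for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Unique Device ID report above.
# Event names, external IDs and counts are invented for this example.
SAMPLE_REPORT = """{
  "Event A": {"eventType": "EXT-0001", "impactedDevices": "12"},
  "Event B": {"eventType": "EXT-0002", "impactedDevices": "1"},
  "Event C": {"eventType": "EXT-0003", "impactedDevices": "250"}
}"""

# Constructed per-event totals as the All Data view counts them
# (every occurrence counted, including repeats on the same device).
SAMPLE_ALL_DATA = {"Event A": 40, "Event B": 1000, "Event C": 300}


def parse_unique_device_report(text: str) -> Dict[str, Tuple[str, int]]:
    """Parse the report JSON into {event name: (externalID, unique devices)}.

    impactedDevices is rendered as a string in the report template, so it is
    converted to int here; malformed entries raise ValueError.
    """
    raw = json.loads(text)
    if not isinstance(raw, dict):
        raise ValueError("report root must be a JSON object")
    parsed: Dict[str, Tuple[str, int]] = {}
    for name, entry in raw.items():
        if (not isinstance(entry, dict) or "eventType" not in entry
                or "impactedDevices" not in entry):
            raise ValueError(f"malformed entry for {name!r}")
        devices = int(str(entry["impactedDevices"]).strip())
        if devices < 0:
            raise ValueError(f"negative device count for {name!r}")
        parsed[name] = (str(entry["eventType"]), devices)
    return parsed


def events_per_device(report: Dict[str, Tuple[str, int]],
                      all_data: Dict[str, int]) -> Dict[str, float]:
    """Average events per impacted device for each event type.

    A value near 1 means events are spread across devices; a large value
    means a few devices generate most of the events.
    """
    ratios: Dict[str, float] = {}
    for name, (_, devices) in report.items():
        total = all_data.get(name, 0)
        ratios[name] = total / devices if devices else 0.0
    return ratios


def concentrated_events(report: Dict[str, Tuple[str, int]],
                        all_data: Dict[str, int],
                        threshold: float = 10.0) -> List[str]:
    """Event types whose average events per device exceed the threshold,
    most concentrated first."""
    ratios = events_per_device(report, all_data)
    hits = [name for name, ratio in ratios.items() if ratio > threshold]
    return sorted(hits, key=lambda name: ratios[name], reverse=True)


if __name__ == "__main__":
    rep = parse_unique_device_report(SAMPLE_REPORT)
    for name, ratio in events_per_device(rep, SAMPLE_ALL_DATA).items():
        print(f"{name}: {ratio:.1f} events per device")
    print("concentrated:", concentrated_events(rep, SAMPLE_ALL_DATA))
```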

Viewing All Threats and Attacks

The Viewing Trend: All Threats and Attacks section displays all threats and attacks per threat stream, where each line represents a time interval based on the selected time period (date range): days, weeks, or months.

This section contains the following components:

  • Date range selector
    Use the date range buttons (Days/Weeks/Months) at the top center to control the time period represented by each dot on the trend.
    Note: The MONTHS view selector is only available when the ThreatScope dashboard date range is three months or longer.
  • Daily Average Widget
    Calculated by dividing the total number of attacks and threats by the number of days in the ThreatScope dashboard date range.
  • Threat Stream Graph Legends
    Enables filtering out Threat Streams by clicking the matching legend in the Viewing Trend: All Threats and Attacks tile.
    Changes made here affect only the Viewing Trend: All Threats and Attacks tile. For example, the screenshot below demonstrates how the Intelligence Missed threat stream can be filtered out.

Hover over a dot on the trend line to see the following data items:

  • Date
    Displays the date range represented by the dot on the trend line: day, week, or month.
  • Total Detected/Protected
    The number of attacks and threats associated with the threat stream being hovered, in the date range listed in the Date field.
    This field is named Total Protected when the trend line relates to threat streams in which Appdome blocked the attack; otherwise it is named Total Detected.
  • Total Per Day/Week/Month
    The total number of attacks and threats from all threat streams for the date range listed in the Date field.
  • Defense Mode
    The enforcement mode for the given threat stream, labeled with one of the following values:

    • Intel
      Indicates that intelligence was collected without any enforcement (ThreatScope Only configuration).
    • Appdome
      Indicates that Appdome is responsible for enforcing against attacks.
    • App
      Indicates that the app is responsible for enforcing against attacks.

Using the Threat Stream widget

The Threat Stream Widget displays the distribution of threats and attacks of the selected date range between the various threat streams.


What can be inferred from the data?

  • Evaluate the risk level of released apps
    By tracking blocked and app-enforced threats.
  • Compare intelligence gathered by released apps
    With real volume of attacks and threats.

Filtering the display

Click on any Threat Stream tile to apply the selected threat stream as a filter. You can also filter by multiple threat streams by clicking on more than one tile to add them to the filter.

Displaying Top Defenses Breakdown

The Top Defenses section displays a breakdown of the top defenses by App, OS, and manufacturer.

What can be inferred from the data?

The data displayed in this section allows generating a list of the characteristics of the apps and devices that are most targeted by the attacks.

Hover over a graph line in any of the Top Defenses Breakdown tiles to display the following breakdown:

  • App/OS/Device
    Lists the identifier of the attacked app, OS, or device.
  • Total Detected/Protected
    The number of attacks and threats associated with the threat stream being hovered, in the date range listed in the Date field.
    This field is named Total Protected when the trend line relates to threat streams in which Appdome blocked the attack; otherwise it is named Total Detected.
  • Defense Mode
    See the description in section Viewing All Threats and Attacks.
  • Threat Event
    See the description in section Viewing All Threats and Attacks.

The Average widget


The Average widget displays the following information:

  • Avg. Attacks per App
    The total number of attacks and threats in the Top Defenses By App tile divided by the number of listed apps.
  • Avg. Attacks per OS
    The total number of attacks and threats in the Top Defenses By OS tile divided by the number of listed OS versions.
  • Avg. Attacks per Device
    The total number of attacks and threats in the Top Defenses By Device tile divided by the number of listed manufacturers.

Viewing Protection Level for All Attacks

The section Viewing Protection Level: All Attacks displays a summary of the number of detections associated with protections classified as attacks, that is, vectors that directly target the protected app.

  • Click a graph bar to navigate to the Knowledge Base article for a given protection.
  • Hover over a graph bar to show the tooltip, with the following breakdown:
    • Total Detected/Protected
      The number of attacks and threats associated with the threat stream being hovered.
      This field is named Total Protected when the trend line relates to threat streams in which Appdome blocked the attack; otherwise it is named Total Detected.
    • Total Attacks
      Sums all attacks across all threat streams for the given attack.
    • Defense Mode
      See the description in section Viewing All Threats and Attacks.
    • Threat Event
      See the description in section Viewing All Threats and Attacks.
    • Description
      Short description of the attack.

What can be inferred from the data?

The data displayed in this section allows:

  • Determining the most prominent attacks to which the app is exposed.
  • Assessing the risk level of apps that are not built with Appdome enforcement.

Viewing Protection Level for All Threats

The section Viewing Protection Level: All Threats displays a summary of the number of detections associated with protections classified as threats. Threats are defined as system-wide vectors, meaning they can affect all apps running on the device.

  • Click a graph bar to navigate to the Knowledge Base article for a given protection.
  • Hover over a graph bar to show the tooltip, with the following breakdown:
    • Total Detected/Protected
      The number of attacks and threats associated with the threat stream being hovered.
      This field is named Total Protected when the trend line relates to threat streams in which Appdome blocked the attack; otherwise it is named Total Detected.
    • Total Attacks
      Sums all attacks across all threat streams for the given threat.
    • Defense Mode
      See the description in section Viewing All Threats and Attacks.
    • Threat Event
      See the description in section Viewing All Threats and Attacks.
    • Description
      Short description of the threat.

Filtering Threat Intelligence

Threat-Inspect™

The Threat-Inspect™ menu on the left side panel lets you easily filter the ThreatScope data and create custom views of it.

1. Select the data displayed from one of the following categories

All Data – Displays all accumulated data by the number of individual events. If a specific device experiences several events of the same type, all events are counted.

Impacted Devices – Summarizes the number of unique devices on which any event occurred. If one specific device experiences a certain event a number of times, it is still counted as one device.

Build to Test Events – Summarizes the Threat Events data only for apps that were built with the Build-to-Test feature. These apps are built specifically for testing via third-party vendors. Learn more about Appdome's Build-to-Test.

2. Filter the data

You can filter the data using any of the following filters, and you can combine filters to create unique views and gain further insight into the events your Appdome-built apps are facing.

The filters that can be used for controlling the displayed data are:

  • Threat Stream – The type of defense implemented in Threat Events.
  • Event Type – The protection's name on FAC.
  • Task ID – The unique ID of a protected app on FAC.
  • Bundle ID – The app's identifier as listed in the AndroidManifest.xml or Info.plist file.
  • Fusion Set Name – The name of the fusion set to which the protected app is subscribed.
  • Fusion Set ID – The ID of the fusion set to which the protected app is subscribed.
  • Manufacturer – The device manufacturer associated with the detected attack.
  • OS – The platform associated with the detected attack.
  • OS Version – The OS version associated with the detected attack.
  • Country – For further information, see section Reviewing the geographical source of threats.
  • ReasonCode – The threat/attack user-facing code from the mobile device. The Reason Code is used in the "ThreatScope™ User Remediation Center" to understand the specific events or metadata that triggered the threat. Customer support organizations can use this information to instruct the mobile user on how to remediate the threat and get back to using the mobile app.

3. Create View

When the data is filtered, you can save it by creating a view.

You can access your custom views via the main drop-down menu.

Learn more about Threat Inspect.

Filtering by Specific Builds


The section View Specific Builds with Threats Only allows:

  • Applying a filter to ThreatScope by using specific builds of protected apps.
    Using the search bar, the viewer can find a specific build by looking for any of the attributes shown below. The tile filter is synchronized with the filter pane. For further information, see section Filter Pane.
  • Scrolling through the list of protected apps associated with the attacks and threats shown in the dashboard. The Build ID of the threat can be copied by clicking the copy icon.

Avg. Attack Widgets

In some cases you may want to get a sense of the baseline of attacks and threats to which the app is exposed. This helps to determine when the protected app is being actively attacked as part of a focused campaign: compare the current volume of threats to the average line to identify anomalies.

Reviewing Threat Streams

Attacks displayed in the dashboard are categorized by Threat Streams, which allows the security team investigating attack trends to prioritize the effort and set clear steps to mitigate each threat by its associated stream. A Threat Stream is defined by the enforcement and intelligence policy set for a protection within a fusion set.

The Threat Streams are configured as follows:

  • New Threats
    • Enforcement Policy – No enforcement.
    • Intelligence Policy – No intelligence is sent to the app. The threat event is not active.
    • Summary – The app does not receive the threat event on attacks. Because the app is not aware of attacks and Appdome does not block them, the app is not protected.
  • Appdome Protected
    • Enforcement Policy – Appdome blocks the attacks.
    • Intelligence Policy – No intelligence is sent to the app. The threat event is not active.
    • Summary – The app is protected because Appdome blocks the attack, but the app does not receive the threat event following the attack. The intelligence is sent to and visible on the ThreatScope dashboard.
  • Defense & Intel
    • Enforcement Policy – Appdome blocks the attacks.
    • Intelligence Policy – The threat event is configured as In-App Defense.
    • Summary – The app is protected. Appdome blocks the attack and the app receives the threat event, which means that analytics can be captured.
  • Intel Missed
    • Enforcement Policy – Appdome blocks the attacks.
    • Intelligence Policy – The threat event is configured as In-App Defense, but the Receiver | Observer is not properly implemented for consuming the threat event.
    • Summary – The app is protected since Appdome blocks the attack, but the app does not receive the threat event following the attack, which means that analytics are not captured.
  • Attacks Detected
    • Enforcement Policy – The app is responsible for enforcing against the attack.
    • Intelligence Policy – The threat event is configured as In-App Detection.
    • Summary – The app receives the threat event on attacks; however, because the app is responsible for enforcing, the protection level depends on the app's implementation.

The following threat streams are visualized in various areas in the dashboard:

  1. Filter Pane
    Action
    Selecting or clearing a Threat Stream respectively filters it in or out of the dashboard. Changes to the Threat Stream filter affect the entire dashboard.
  2. Viewing Trend: All Threats and Attacks legend
    Action
    Selecting a Threat Stream legend in the Viewing Trend: All Threats and Attacks tile filters out that stream. Changes affect only the Viewing Trend: All Threats and Attacks tile.
  3. Threat Stream Widgets
    Action
    Selecting any of the following widgets: Attack Missed, Threat Intel Missed, Attacks Stopped, and Attacks Captured applies a filter of the threat streams associated with the widget. Selecting a widget affects the entire dashboard.
    For further information, see section Using the Threat Stream widget.
  4. Top Defense Breakdown
    Action
    Hovering over each threat stream (differentiated by color) within a graph bar displays a tooltip that summarizes the stream.
  5. Viewing Protection Level – All Attacks and All Threats
    Action
    Hovering over each threat stream (differentiated by color) within a graph bar displays a tooltip that summarizes the stream.

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
