Asset context panel
The asset context panel is the central investigation surface in Sekoia. It gives analysts immediate access to an asset's identity, recent activity, and related security events without leaving the investigation workflow.
The panel is available to all clients from any alert, event, case, or the asset listing table. It eliminates the need to pivot between a CMDB, EDR console, or identity provider to answer basic questions about an asset.
Reveal add-on module
The Reveal add-on module extends this panel with vulnerability data, endpoint hygiene, security controls, points of interest, and attack path visualization. See Asset context panel — Reveal capabilities.
Access the asset context panel
You can open the panel from several entry points depending on where you are working.
- From an alert: click the affected host, user, or IP. Use this to verify whether the asset is critical or recently involved in other detections during triage.
- From an event: click any field linked to an asset such as a hostname, username, or IP. Use this to identify who or what generated the event.
- From a case: click any listed affected asset. Use this to correlate incidents affecting the same asset.
- From the asset listing: navigate to Configure > Assets, then click the asset context panel icon on the right side of the asset row. Use this to review all known context for an asset outside of an active investigation.
Overview tab
The Overview tab summarizes the asset's identity and recent security activity. Use it to assess how critical the asset is and whether it has been involved in recent detections before taking action.
Header card
The header card displays the asset's name, type, and organizational context.
| Field | Description |
|---|---|
| Name and type | Host, account, or network |
| Criticality | Configured criticality score (0–100) |
| Verified by | User who verified the asset |
| Status | Reviewed or unreviewed |
| Communities | Communities the asset belongs to |
| First seen | When the asset was first observed by a discovery source |
| Last seen | When the asset was last observed by a discovery source |
Field availability
Displayed fields differ by asset type and discovery source.
Ransomware triage scenario
A ransomware alert targets FIN-SRV01. The header card shows it is a finance system tagged as critical and owned by the CFO's department. This routes containment to the right team immediately, reducing dwell time.
Details card
The details card lists the technical identifiers used to recognize and correlate the asset across data sources.
| Asset type | Displayed fields |
|---|---|
| All types | Description, tags, identified by |
| Hosts | Hostname, IP addresses, Sekoia agent, operating system, domain/FQDN |
| Users | Username, full name, role, email, department, account state, last password change, key privileges |
| Networks (coming soon) | IP/CIDR ranges, VLAN/segment |
Select View more details to open the full list of known fields for the asset. You can mark any field as a favorite from this view. Select Your favorite details to open all fields you have marked as favorites. Favorites are personal and persist on a per-asset-type basis.
Lateral movement identification
A host appears in a lateral movement alert with IP 10.10.2.45. The details card shows the same IP belongs to HR-LAPTOP07, last seen by CrowdStrike and identified as Windows 11. Identity and scope are confirmed in seconds.
Seen in (last 30 days) card
The Seen in card shows how frequently the asset has appeared in recent security activity across alerts, cases, points of interest, and events over the last 30 days.
Each counter links to its respective filtered view for direct drill-down.
Last 5 severe alerts and cases card
This card lists the five most severe alerts and cases involving the asset over the last 30 days, ordered by severity then recency.
| Field | Description |
|---|---|
| Name | Alert or case title |
| Severity | Configured severity level |
| Age | Time since the item was created |
Lateral movement correlation
ADMIN-LAPTOP01 triggered a suspicious PsExec alert and a credential dumping case. Linking both identifies lateral movement tied to a stolen admin account.
Timeline tab
The Timeline tab provides a unified chronological record of significant activity for the asset. It brings together alerts, case associations, and raw events into a single stream.
Each entry is timestamped and categorized by type (alert, case, event) and color-coded by severity. Clicking an entry opens the corresponding detail view.
Reveal enrichment
With the Reveal add-on module, the timeline also includes points of interest, vulnerability changes, and hygiene state changes. See Asset context panel — Reveal capabilities.
Related events tab
The Related events tab provides direct access to all events associated with the asset. Use it to visualize activity volume and examine underlying telemetry without leaving the asset context.
Top of the view
- Event histogram: shows event distribution over time to help identify unusual activity windows.
- Filter bar: adjust the time range, connector, or field filters.
- Totals: displays event count and the number of events linked to alerts.
Event list
Each row includes the timestamp, event type and action, a short description, linked assets, and quick actions to expand the raw event or assign it to a case.
What Reveal adds to this panel
The Reveal add-on module extends the asset context panel with capabilities that go beyond identity and activity:
- Endpoint Hygiene — firewall and disk encryption status for host assets.
- Vulnerabilities — known CVE exposures from connected vulnerability scanners, with unified risk scoring.
- Security controls — a view of which detection and protection technologies cover the asset, and where gaps exist.
- Points of Interest — behavioral anomalies surfaced on the asset timeline, such as unusual authentication patterns or rare login locations.
- Attack Path Visualization — a graph of connected hosts and users that may form a lateral movement path from the asset.
To learn more, see Asset context panel — Reveal capabilities.
Related links
- Asset context panel — Reveal capabilities: Vulnerability data, endpoint hygiene, security controls, points of interest, and attack path visualization.
- Getting started with Reveal: How to enable Reveal and configure the required data sources.
- Collect — Assets: How assets are configured, discovered, and managed in Sekoia.
- Points of Interest: How Reveal surfaces behavioral anomalies on assets during triage and investigation.