# Threats

The Threats view shows all threat events across every Highflame product in a single unified table. Use it to investigate detections, triage alerts, and understand the scope of an incident.

Navigate to **Highflame Studio** → **Observatory** → **Threats**.

***

## Event table

The event table lists threat events in reverse chronological order. Each row represents a single detection:

| Column        | Description                                                                       |
| ------------- | --------------------------------------------------------------------------------- |
| **Timestamp** | When the event was recorded                                                       |
| **Source**    | Which product recorded the event (Gateway, Shield, Browser Security, Code Agents) |
| **Entity**    | The user, agent, or device involved                                               |
| **Category**  | Threat category (prompt injection, data exfiltration, token theft, etc.)          |
| **Severity**  | Risk level: Critical, High, Medium, Low                                           |
| **Action**    | Whether the operation was blocked, monitored, or flagged                          |
| **Session**   | Link to the session context, if available                                         |

***

## Faceted search

Filter the event table using any combination of:

* **Time range** — last 15 minutes to 90 days, or a custom range
* **Source** (product) — Agent Gateway, Shield SDK, Browser Security, Code Agents, Red Teaming
* **Severity** — Critical, High, Medium, Low
* **Decision** — blocked, monitored, alerted, allowed
* **Threat category** — prompt injection, data exfiltration, token theft, etc.
* **Policy category** — secrets, pii, security, agentic\_security, trust\_safety, agent\_identity
* **Policy severity** — severity level of the matching Cedar policy annotation
* **Mode** — enforce, monitor, alert (the enforcement mode that was active)
* **Event type** — prompt, tool\_call, file\_read, file\_write, connect\_server, response
* **User** — filter to a specific user or user group
* **Agent** — filter to an agent identity
* **Tool** — filter to events involving a specific tool name
* **Application** — filter to a specific application ID
* **Source IDE** — Cursor, Claude Code, GitHub Copilot, VS Code (for Code Agent events)

Facets are computed live and show the count of matching events for each value. Filters are additive — each one narrows the result set. The result count updates as you apply filters.
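To make the filtering semantics concrete, here is an added example (not code from Highflame) that models the additive facet filters, the time-range cut-off and the live per-value counts over a small set of constructed events; field names and values are assumed from the facet list above, and `NOW` is pinned so the result is deterministic.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the relative time-range filter is reproducible (assumption, not a product value).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

def last(days=0, minutes=0):
    """Start of a relative time range such as 'last 15 minutes' or 'last 90 days'."""
    return NOW - timedelta(days=days, minutes=minutes)

# Constructed sample events mirroring the table columns and facet values on this page.
EVENTS = [
    {"ts": last(minutes=5), "source": "Gateway", "severity": "Critical", "decision": "blocked",
     "category": "prompt injection", "mode": "enforce", "user": "alice"},
    {"ts": last(minutes=120), "source": "Gateway", "severity": "High", "decision": "monitored",
     "category": "data exfiltration", "mode": "monitor", "user": "alice"},
    {"ts": last(days=3), "source": "Browser Security", "severity": "Medium", "decision": "alerted",
     "category": "token theft", "mode": "alert", "user": "bob"},
    {"ts": last(days=20), "source": "Code Agents", "severity": "High", "decision": "blocked",
     "category": "prompt injection", "mode": "enforce", "user": "carol"},
    {"ts": last(days=120), "source": "Gateway", "severity": "Low", "decision": "allowed",
     "category": "data exfiltration", "mode": "monitor", "user": "bob"},
]

FACETS = ("source", "severity", "decision", "category", "mode", "user")

def apply_filters(events, filters, since=None):
    """Additive filtering: an event survives only if it is inside the time range (when given)
    and, for every selected facet, its value is one of the selected values."""
    out = []
    for e in events:
        if since is not None and e["ts"] < since:
            continue
        if all(e.get(facet) in allowed for facet, allowed in filters.items()):
            out.append(e)
    # Reverse chronological, as the event table is ordered.
    return sorted(out, key=lambda e: e["ts"], reverse=True)

def facet_counts(events, filters, since=None):
    """Live facet counts: how many events in the current result set carry each facet value."""
    matched = apply_filters(events, filters, since)
    return {facet: dict(Counter(e[facet] for e in matched)) for facet in FACETS}
```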

***

## Event detail panel

Click any row to open the event detail panel on the right. The panel shows:

### Summary

* Timestamp, source product, entity, category, severity, action taken
* The specific threat flags matched (e.g., `prompt_injection:jailbreak`, `pii:credit_card`)
* The platform or endpoint involved

### Evidence

Raw content that triggered the detection, redacted according to your data handling policy:

* For prompt injection: the prompt text with matched patterns highlighted
* For data exfiltration: the request URL, headers (sanitized), and matched data patterns
* For token theft: the destination domain and token type
* For browser violations: the browser API intercepted and matched content

### Context

* **Session** — link to the full session timeline if this event is part of a tracked session
* **Trace** — link to the distributed trace if the event occurred within an instrumented agent workflow
* **Entity history** — recent events for the same user, agent, or device
* **Related events** — other events correlated with this one (same session, same time window, same entity)

***

## Policy gap detection

When a threat event is recorded in Monitor mode (the operation was allowed but logged), Observatory checks whether a Block-mode policy exists that would have stopped it. If no blocking policy covers this threat category for this entity, the event is annotated with a **Policy Gap** badge.

The policy gap indicator links directly to the policy configuration for the relevant product, making it easy to harden your posture after reviewing Monitor-mode detections.
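The check described above, written out as an added example (not Highflame's own implementation): Monitor-mode events are compared against the Block-mode policies that apply to their threat category and entity, events with no such policy get the badge, and the distinct gaps are collected as a hardening list. The `Policy` and `ThreatEvent` shapes, the `"*"` wildcard entity and the sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    category: str        # threat category the policy covers, e.g. "data exfiltration"
    mode: str            # "block", "monitor" or "alert"
    entity: str = "*"    # a specific entity such as "user:alice", or "*" for every entity (assumption)

@dataclass(frozen=True)
class ThreatEvent:
    category: str
    entity: str
    mode: str            # enforcement mode that was active when the event was recorded
    decision: str

def blocking_policy_for(event, policies):
    """Return the first Block-mode policy that would have stopped this event, or None."""
    for p in policies:
        if p.mode == "block" and p.category == event.category and p.entity in ("*", event.entity):
            return p
    return None

def annotate(events, policies):
    """Pair each event with its badges; Monitor-mode events no blocking policy covers get 'Policy Gap'.
    Events recorded in enforce or alert mode are not evaluated, since they were not silently allowed."""
    out = []
    for e in events:
        badges = []
        if e.mode == "monitor" and blocking_policy_for(e, policies) is None:
            badges.append("Policy Gap")
        out.append((e, badges))
    return out

def policy_gaps(events, policies):
    """Distinct (category, entity) pairs that still need a blocking policy."""
    return sorted({(e.category, e.entity) for e, badges in annotate(events, policies) if badges})

# Constructed sample data; not taken from the product.
POLICIES = [
    Policy("prompt injection", "block"),                        # blocks everyone
    Policy("data exfiltration", "block", "agent:billing-bot"),  # blocks one agent only
    Policy("data exfiltration", "monitor"),                     # monitor-only: does not close a gap
]
EVENTS = [
    ThreatEvent("data exfiltration", "user:alice", "monitor", "monitored"),
    ThreatEvent("data exfiltration", "user:alice", "monitor", "monitored"),
    ThreatEvent("data exfiltration", "agent:billing-bot", "monitor", "monitored"),
    ThreatEvent("prompt injection", "user:bob", "monitor", "monitored"),
    ThreatEvent("prompt injection", "user:bob", "enforce", "blocked"),
]
```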

***

## Alert signal indicators

Events associated with a fired alert rule are shown with an alert badge. Clicking the badge opens the alert configuration and shows the delivery status (Slack, webhook, Splunk).

To configure alert rules, see [Alerts](/integrations/alerts.md).

***

## Exporting

Export filtered events as CSV from the **Export** button in the Threats view. For streaming ingestion into your SIEM, configure a webhook or Splunk HEC destination in [Alerts](/integrations/alerts.md).
