Threats
The Threats view shows all threat events across every Highflame product in a single unified table. Use it to investigate detections, triage alerts, and understand the scope of an incident.
Navigate to Highflame Studio → Observatory → Threats.
Event table
The event table lists threat events in reverse chronological order. Each row represents a single detection:
Timestamp: when the event was recorded
Source: which product recorded the event (Gateway, Shield, Browser Security, Code Agents)
Entity: the user, agent, or device involved
Category: threat category (prompt injection, data exfiltration, token theft, etc.)
Severity: risk level (Critical, High, Medium, Low)
Action: whether the operation was blocked, monitored, or flagged
Session: link to the session context, if available
Faceted search
Filter the event table using any combination of:
Time range — last 15 minutes to 90 days, or a custom range
Source (product) — Agent Gateway, Shield SDK, Browser Security, Code Agents, Red Teaming
Severity — Critical, High, Medium, Low
Decision — blocked, monitored, alerted, allowed
Threat category — prompt injection, data exfiltration, token theft, etc.
Policy category — secrets, pii, security, agentic_security, trust_safety, agent_identity
Policy severity — severity level of the matching Cedar policy annotation
Mode — enforce, monitor, alert (the enforcement mode that was active)
Event type — prompt, tool_call, file_read, file_write, connect_server, response
User — filter to a specific user or user group
Agent — filter to an agent identity
Tool — filter to events involving a specific tool name
Application — filter to a specific application ID
Source IDE — Cursor, Claude Code, GitHub Copilot, VS Code (for Code Agent events)
Facets are computed live and show the count of matching events for each value. Filters are additive — each one narrows the result set. The result count updates as you apply filters.
Event detail panel
Click any row to open the event detail panel on the right. The panel shows:
Summary
Timestamp, source product, entity, category, severity, action taken
The specific threat flags matched (e.g., prompt_injection:jailbreak, pii:credit_card)
The platform or endpoint involved
Evidence
Raw content that triggered the detection, redacted according to your data handling policy:
For prompt injection: the prompt text with matched patterns highlighted
For data exfiltration: the request URL, headers (sanitized), and matched data patterns
For token theft: the destination domain and token type
For browser violations: the browser API intercepted and matched content
Context
Session — link to the full session timeline if this event is part of a tracked session
Trace — link to the distributed trace if the event occurred within an instrumented agent workflow
Entity history — recent events for the same user, agent, or device
Related events — other events correlated with this one (same session, same time window, same entity)
Policy gap detection
When a threat event is recorded in Monitor mode (the operation was allowed but logged), Observatory checks whether a Block-mode policy exists that would have stopped it. If no blocking policy covers this threat category for this entity, the event is annotated with a Policy Gap badge.
The policy gap indicator links directly to the policy configuration for the relevant product, making it easy to harden your posture after reviewing Monitor-mode detections.
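The check described above, as an added example (not Highflame's own implementation): a Python sketch that flags Monitor-mode events for which no Block-mode policy covers the event's threat category for that entity. The Policy and ThreatEvent structures, the use of the "enforce" mode to stand for Block mode, and the per-entity scope field are assumptions; the sample policies and events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    category: str                        # threat category the policy covers, e.g. "prompt_injection"
    mode: str                            # "enforce" (assumed to be Block mode), "monitor" or "alert"
    entities: frozenset = frozenset()    # assumed scope field; empty = applies to every entity

    def blocks(self, category: str, entity: str) -> bool:
        """True when this is a Block-mode policy covering this category for this entity."""
        return (self.mode == "enforce" and self.category == category
                and (not self.entities or entity in self.entities))

@dataclass(frozen=True)
class ThreatEvent:
    timestamp: str
    entity: str
    mode: str        # enforcement mode active when the event was recorded
    action: str      # blocked, monitored, alerted, allowed
    flags: tuple     # matched threat flags in "category:subtype" form, as in the detail panel

def flag_categories(event: ThreatEvent) -> set:
    """prompt_injection:jailbreak -> prompt_injection (the category the gap check is keyed on)."""
    return {flag.split(":", 1)[0] for flag in event.flags}

def find_policy_gaps(events, policies):
    """Return (entity, category) pairs for Monitor-mode events with no Block-mode policy covering them."""
    gaps = []
    for ev in events:
        if ev.mode != "monitor":         # only allowed-but-logged events can reveal a gap
            continue
        for cat in sorted(flag_categories(ev)):
            if not any(p.blocks(cat, ev.entity) for p in policies):
                gaps.append((ev.entity, cat))
    return gaps

# Constructed sample data, not taken from a real tenant.
SAMPLE_POLICIES = [
    Policy("prompt_injection", "enforce"),                                   # blocks for everyone
    Policy("data_exfiltration", "enforce", frozenset({"agent:billing-bot"})),  # blocks for one agent only
    Policy("token_theft", "monitor"),                                        # monitor-only, never blocks
]
SAMPLE_EVENTS = [
    ThreatEvent("2024-01-01T10:00:00Z", "user:alice", "monitor", "monitored", ("prompt_injection:jailbreak",)),
    ThreatEvent("2024-01-01T10:05:00Z", "user:alice", "monitor", "monitored", ("data_exfiltration:pii",)),
    ThreatEvent("2024-01-01T10:06:00Z", "agent:billing-bot", "monitor", "monitored", ("data_exfiltration:pii",)),
    ThreatEvent("2024-01-01T10:07:00Z", "user:bob", "monitor", "monitored", ("token_theft:oauth",)),
    ThreatEvent("2024-01-01T10:08:00Z", "user:bob", "enforce", "blocked", ("prompt_injection:jailbreak",)),
]

if __name__ == "__main__":
    for entity, category in find_policy_gaps(SAMPLE_EVENTS, SAMPLE_POLICIES):
        print(f"Policy Gap: {entity} has no Block-mode policy for {category}")
```

Only the second and fourth sample events are reported: alice has no blocking data-exfiltration policy (it is scoped to the billing agent), and bob's token-theft policy only monitors.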
Alert signal indicators
Events associated with a fired alert rule are shown with an alert badge. Clicking the badge opens the alert configuration and shows the delivery status (Slack, webhook, Splunk).
To configure alert rules, see Alerts.
Exporting
Export filtered events as CSV from the Export button in the Threats view. For streaming ingestion into your SIEM, configure a webhook or Splunk HEC destination in Alerts.