Affected Users

The Affected Users tab on the Security Threat screen allows you to view the users that a specific threat targeted across your network.

You can access the Affected Users tab from the User or Endpoint information screens by clicking a Security Threat name in the table.

  • Unique Affected Users Over Time: Provides a graphical representation of which users the threat affected and the time of the detection

    • Click Analyze Impact to start a historical investigation to analyze whether the threat has affected other endpoints on your network and generate a root cause analysis.


      Performing an impact analysis from the Threat Information screen requires a valid Apex One Endpoint Sensor license and enabling the Enable Sensor feature for the appropriate Apex One Security Agent or Apex One (Mac) policies.

      For more information, see Analyzing Impact on Affected Users.

    • Click Start Retro Scan to scan historical web access logs for callback attempts to C&C servers and other related activities on your network.


      Performing a Retro Scan from the Threat Information screen requires adding at least one Deep Discovery Inspector server on the Server Registration screen on Apex Central and enabling Retro Scan on the registered Deep Discovery Inspector server.

      For more information, see Performing a Retro Scan on Affected Users.

    • Hover over a user icon to view all users affected by this specific threat and its detection history in your environment

      • Recently detected: The threat detection occurred during scanning

      • Previously undetected: The threat detection occurred during an impact analysis of log data

    • Change the displayed time interval by changing the Zoom value.

    • Change the end date by scrolling through the dates displayed under the graph.

  • Details: Provides more detailed information about the threats displayed on the Unique Affected Users Over Time graph