We recommend using Google Chrome to access the user interface.

GUI overview

The user interface of cognitix Threat Defender consists of two main areas: the menu bar on the left side of the screen and the content area.

At the top of the menu bar, you can see the APPLY/APPLY CHANGES button. If you change the Threat Defender configuration, the changes have to be applied before they take effect:

  •  - This button indicates pending changes. When it is clicked, the button disappears to indicate that the configuration is being applied.
  •  - This button is displayed when the configuration does not contain pending changes.

The menu bar also grants access to the available menus on the first navigation level (see the sections below for further information on the individual menus).

The content area takes up the main part of the screen. The information displayed here depends on the selected menu item.
At the top of the content area, you see the second and third navigation levels of the selected menu item, if applicable.

For further information on the user interface of cognitix Threat Defender, refer to the User Interface chapter in the documentation.

Overview of the Menu Structure


After successfully logging in, you arrive at the Analytics dashboards. Here, you can find out what's going on in your network and start to dive into the depth of the network traffic.

We provide three dashboards for network analysis and one for general system information:

  • Threat Intelligence (information on threat intelligence incidents, policy rules and actions, IPS events, etc.)
  • Network Intelligence (information on interfaces, protocols and applications, flow direction, etc.)
  • User Intelligence (information on source and destination assets, users, URLs, etc.)
  • System dashboard (information on the system hardware)

For more detailed information, see Analytics / Reporting.


Here, you can find all the required information and settings to create rules and policies to manage your network traffic.

Note: Double-clicking on a rule leads you to the detailed rule settings - either independent rule settings for global rules or rule settings within an Advanced Correlation scenario.


Here, you can manage your network assets and users and access the assets and users logs:

  • Assets
  • Asset MAC Addresses
  • Asset IP Addresses
  • Asset Logs
  • Asset Setting
  • Users
  • User API Logs
  • User API Setting
  • Backup/Restore (of the assets and users databases)


Here, you can check the status (up/down, link speed, group, and number of errors) of all interfaces used by Threat Defender for analysis (Processing Interfaces) and for the configuration (Management Interface).

The processing interfaces can be used as:

  • Bridge (default)
  • VirtualWire
  • SPAN (to receive mirrored traffic - this port only receives packets from a device mirroring that traffic (switch))
  • Port Extender (to connect a switch as port extender)


Under Logging, you have access to the local logs and audit logs including a search function. You can also set up logging channels:

  • Local Logs
  • Audit Logs
  • Audit Log Channels (via e-mail, webhook, desktop notification) 
  • Report Channels (via sylog, JSONL, IPFIX)


The Settings chapter is very important for configuring cognitix Threat Defender:

  • General (configure the hostname, GDPR settings, time settings)
  • Proxy
  • System Users
  • Updates (see what software version is currently running and install any available updates)
  • Update Schedules (schedule automatic updates)
  • License
  • Configurations (create and install backup files of the system configuration)
  • System Actions (reboot or shut down Threat Defender, reset the reporting data and databases)


This section assists you with troubleshooting Threat Defender:

  • Troubleshooting (manually create downloadable troubleshoot reports)
  • Flow Table Reporting
  • System Health

By the way...

If you require additional information, see the Threat Defender user documentation.