The implemented user interface is quite easy to understand and self-explanatory. See the following sections for some general information.

The cognitix Threat Defender user interface requires

  • Google Chrome,
  • Mozilla Firefox or
  • Safari.

GUI overview

The user interface consists of two main areas: the menu bar on the left side of the screen and the content area.

The Menu Bar

The menu bar contains the following elements from top to bottom:

  • The APPLY button. If you change the Threat Defender configuration, the changes have to be applied before they take effect. Hover the mouse over the button to see a tooltip that indicates if there are pending changes. An arrow in the APPLY button icon also indicates that there are changes that have to be applied:
    •  - Pending changes. Click the APPLY button to activate the new configuration.
    •  - No pending changes.
  • The menu bar grants access to the available menus on the first navigation level. See the following chapters for further information on the individual menus.
  • Click  Documentation to open the Threat Defender documentation in a new browser tab.
  • Click  Support to send an email to our support team or to search the cognitix knowledge base.
  • Under  cognitix GmbH, you find details about your hardware and software.
  • Click  Sign out to log off from Threat Defender.
  • In expanded view, the menu bar shows the icons and the titles of the corresponding menus and elements. To increase the space of the content area, click  Collapse Menu to only display the icons. Click  to expand the menu bar.

The Content Area

The content area takes up the main part of the screen. The information displayed here depends on the selected menu item.
At the top of the content area, you see the second navigation level of the selected menu item.

For further information, see the description of the individual menu items in the following sections.

Structure Overview


After successfully logging in, you reach the Analytics dashboard. Here, you can find out what's going on in your network and start to dive into the depth of the network traffic.

We divided this dashboard in four chapters for the network analysis and one for general system information:

  • Network Intelligence (information on interfaces, protocols, flow direction)
  • User Intelligence (information on source IPs, destination IPs, destination countries)
  • Security Intelligence (information on policy rules, IPS rules, URL categories)

For more detailed information, see Analytics / Reporting.


Here, you can find all the required information and settings for the rules and regulations for your network traffic.

Note: Double-clicking on a rule leads you to the detailed rule settings - either independent rule settings for global rules or rule settings within an Advanced Correlation scenario.


Here, you can configure special security backends of the Threat Defender:


Here, you can check the status (up/down), link speed, group, and number of errors of all interfaces used by the Threat Defender for analysis (Processing Interfaces) and for the configuration (Management Interface).

The processing interfaces can be used as:

  • Bridge (default)
  • VirtualWire
  • SPAN (to receive mirrored traffic - this port only receives packets from a device mirroring that traffic (switch))


Under Logging, you have access to the local logs including a search function.

You can configure the logging system to export the entries to your own IPFIX (via TCP only!) or Syslog server.


The Settings chapter is very important for using the Threat Defender. Here, you can configure the hostname, time settings, system users, backup/restore the Threat Defender configuration or perform a reboot. Furthermore, you can install updates, manage the license and reset the reporting data.

Under Updates, you see the software version the Threat Defender is running at the moment. In addition, you can see when the Threat Defender last checked for software updates and if any updates are available. If a software update is available, you can install it from here. If the update requires a reboot, this is displayed so that you can schedule the installation as required.

In the License tab, you can view, enable/disable, add, and delete your license. Only one licence can be active at a time.


In this section you can create a troubleshoot report manually, e.g. if the support needs to have a closer look into the system.

You can download the current flow table entries here as well. By default, this is an anonymised report where the IP addresses are encrypted.

The Countries tab shows the used country names and its codes used in our reporting.

General Handling

General Symbols








  • All changes have to be transferred to the system by clicking the  APPLY button.

Chart Elements

  • A single click leads brings you one level down (into the depth).

Table Entries

  • - jump into the Advanced Correlation scenario.
  • Double-click - edit the specific entry.
  • If a rule is a part of an Advanced Correlation scenario, the rules are grouped together with the (linked) name of the Advanced Correlation scenario as header.
  • If you want to reorder the entries, you first have to enable reordering. Disable reordering when the rules are in the desired sequence.
    Important: This really reorders your rules and affects how the Thread Defender handles the analysed data.

Nice To Know

  • Under Policy > Rules, the Hits column shows a small real time chart of the rule hits. Double-click it to access the rule settings showing a bigger statistics chart.
  • Under Policy > Event Tracking Tables, click on the real time counter in the Counts column of an event tracking table to show its content.