Skip to main content
Skip table of contents


Related logs and observations that share a common metadata value are referred to as clusters. Clustering logs and observations makes it faster to view potentially related activity and address security events. Search results which are a peer in at least one cluster display the following icon in the far-left column:

Clicking any cell in a cluster row opens the Inspector panel on the right. The following fields are unique to the Observation Cluster Inspector:

Cluster (1 of x)If more than one cluster has been created for the selected row, click the arrow to cycle through additional clusters.
Common Field

Displays the name of the metadata field in common across the cluster.

Clustered Logs

Displays the number of logs that share a common event with the selected observation.

Clicking on the x Items link opens the Clustered Logs panel, which shows the clustered logs in more detail.

Clicking Open in Search in the Clustered Logs panel shows the entire cluster in a separate search.

FirstThe date and time the first peer was triggered.
LastThe date and time the most recent peer was triggered.

Cluster Formation

Both collected logs and observations generated by Axon Analytics can be part of a cluster. Logs and observations can be a part of multiple clusters. In order to be eligible to join a cluster, the log or observation must have at least one of the following Common Events:

  • Improbable Travel

  • Threat Detected

  • Scheduled Task Created

  • Process Started

  • Access Denied

  • Role Modified

  • Role Assigned

In order to form a cluster, logs and observations must share a metadata value in one of the following fields:

  • Target Host IP
  • Origin Host Name
  • Target Account Name

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.