Experience
The Experience module is SenseOn's observation and event browser. It gives you direct access to the stream of security observations generated by your endpoints and network sensors, with flexible filtering and export options for deeper ad-hoc analysis.
What You Can Do with Experience
- Browse every security observation across your estate in near-real time
- Filter by score, state, status, host name, IP address, user, analytic type, and more
- Export observation sets for use in reports or external tooling
- Pivot directly from an observation into a case in the Investigate module
Navigating the Observation List
When you open Experience, observations are displayed in a paginated table, sorted by score descending by default. Each row shows:
- Observation score — a numeric confidence/severity score
- Detection name — the analytic that triggered the observation
- Affected host and user (where available)
- Timestamp of first and last activity
- Case linkage — whether the observation has been associated with a case
Click any row to expand the full observation detail, including raw telemetry fields, MITRE ATT&CK mapping, and associated case information.
Filtering Observations
Use the filter bar at the top of the page to narrow the observation list. Filters can be combined.
Score filter
Set a minimum score to hide low-confidence observations. The score range is 0–100.
State and status filters
| Filter | Options |
|---|---|
| State | Trusted, Untrusted |
| Status | Open, In Progress, In Review, Closed |
| Flagged | Yes / No |
Field query
For advanced filtering, enter a field query expression. This allows you to filter on any telemetry field using the format:
```
field_name:value
```
Examples:
```
host_name:DC01
user:jsmith
analytic_uid:lateral-movement-001
```
Multiple expressions can be combined with AND:
```
host_name:DC01 AND user:jsmith
```
Sorting
Click any column header to sort the observation list. Supported sort options include:
- Score (default: descending)
- Timestamp (ascending or descending)
- Host name (alphabetical)
Exporting Observations
To export the current filtered observation set:
- Apply any filters you need.
- Click the Export button in the top-right corner.
- Choose your format (CSV).
- The export will include all columns visible in the table plus additional telemetry fields.
Export limits: Exports are capped at 10,000 rows per request. For larger datasets, use Hunt Lab to write a direct query.
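An added example (not SenseOn code) for working with an exported CSV offline: it applies a `field_name:value` expression combined with `AND` to the exported rows and flags an export that reached the 10,000-row cap, which means the filtered set may be incomplete. The CSV column headers, the exact-match semantics and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

EXPORT_ROW_CAP = 10_000  # per-request export cap stated on this page

# Constructed sample export; the real CSV column headers are an assumption.
SAMPLE_CSV = """score,detection_name,host_name,user,analytic_uid
91,Lateral movement,DC01,jsmith,lateral-movement-001
40,Lateral movement,DC01,adavis,lateral-movement-001
77,Lateral movement,WS-114,jsmith,lateral-movement-001
"""


def parse_field_query(expr):
    """Parse 'field:value AND field:value' into a list of (field, value) pairs."""
    terms = []
    for part in expr.split(" AND "):
        # Split on the first colon only, so values such as IPv6 addresses survive.
        field, sep, value = part.strip().partition(":")
        if not sep or not field or not value:
            raise ValueError(f"malformed term: {part!r}")
        terms.append((field, value))
    return terms


def load_export(text):
    """Return (rows, possibly_truncated) for an exported CSV document."""
    rows = list(csv.DictReader(io.StringIO(text)))
    # Reaching the cap suggests the filter matched more rows than were exported.
    return rows, len(rows) >= EXPORT_ROW_CAP


def filter_rows(rows, expr, min_score=0):
    """Keep rows matching every term (exact match, an assumption) with score >= min_score."""
    terms = parse_field_query(expr)
    kept = []
    for row in rows:
        if float(row.get("score") or 0) < min_score:
            continue
        if all(row.get(field) == value for field, value in terms):
            kept.append(row)
    return kept


if __name__ == "__main__":
    rows, truncated = load_export(SAMPLE_CSV)
    if truncated:
        print("warning: export reached the row cap; narrow the filter or use Hunt Lab")
    for row in filter_rows(rows, "host_name:DC01 AND user:jsmith", min_score=50):
        print(row["score"], row["detection_name"], row["host_name"], row["user"])
```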
Pivoting to Investigate
If an observation is already linked to a case, click the case badge to open the case in the Investigate module. If it is not yet linked, you can create a new case from the observation detail panel.
Relationship to Other Modules
| Module | How Experience relates |
|---|---|
| Overview | The Overview "New observations" card links here |
| Investigate | Cases are built from one or more observations |
| Hunt Lab | Use for queries across raw telemetry beyond what Experience filters support |
| Dashboards | Dashboard widgets aggregate observation data over time |