Cytracom ControlOne: Reporting

Topic

This article discusses reporting in ControlOne.

Environment

  • Cytracom ControlOne

Description

All ControlOne traffic is monitored and logged. This lets network administrators filter the logged traffic by specific endpoints and ports, and by allow or block events.

Note: Users must have, at minimum, the "View" permission for reporting to view sessions and config changes.

Navigating to the reporting page

In the ControlOne Portal, click Reporting in the Navigation menu. 

The default reporting screen will open, showing unfiltered live traffic. 

Reporting screen overview

The reporting screen's live grid shows all unfiltered live traffic.

  1. Sessions: This tab lets you view current and past connections.
  2. Events: This tab shows network events for connections to ControlOne.
  3. Time range selector: This drop-down menu lets you narrow the time range for entries in the main grid. 
  4. Pause: This button lets you pause real-time reporting. 
  5. Show filters: Clicking this option will open the filters menu, letting you filter your traffic by multiple parameters. See the Using filters section below. 
  6. Reset grid: Clicking this button will reset the live grid view.
  7. The live grid: This is the list of sessions or events (depending on your tab selection), either live or based on your filtering criteria. 

Viewing sessions

Sessions in the live grid

The live grid displays multiple types of session information, such as timestamp, source zone, destination zone and gateway. A green circle in the leftmost column indicates a current live session. 

Customizing information categories

You can customize your information categories by clicking the kebab (three dots) menu icon, then selecting Show columns from the drop-down menu. 

A new menu will open, allowing you to select the categories which will display as columns in the live grid. 

Filtering sessions

You can use filters to show sessions based on specific criteria. 

1. On the Reporting page, click the Show Filters button near the top left-hand corner of the screen. 

2. The Filters menu will expand on the left-hand side of the screen.

You can filter by the following criteria:

  • Gateway
  • Zone
  • User
  • Device
  • Verdict (Allowed/Blocked/In process)
  • Source IP Address
  • Source Port
  • Destination IP Address
  • Destination Port
  • Protocol (TCP/UDP/ICMP/Any)

Expanded session information

Click a session in the live grid. A sidebar will appear with expanded information about that session. 

  1. Permission status: Allowed or Not Allowed
  2. Username: This section will also show the authentication method
  3. Source information: IP address, source port, machine type, and OS
  4. Geolocation: Shows the originating machine on Google Maps
  5. Destination: The IP address the sender is trying to reach
  6. Tags: Click any displayed tag to filter based on that criterion
  7. Session timeline: This is a graphical representation of universal threat management (UTM) operations over the course of the session. Red items indicate connections blocked by the UTM sensor. 
  8. Raw JSON: Click this option to display detailed key/value pairs describing the session. 

Viewing events

Events are state changes to the connection or machine. They can include timeouts, new network component creation, configuration changes, etc.

Events in the live grid

The live grid displays the following event information:

  • Timestamp: The most recent time the event was reported in the live grid.
  • Gateway: The ControlOne Gateway from which the connection originates.
  • Zone: The ControlOne Zone in which the event occurred.
  • User: The registered ControlOne user account linked to the event.
  • Event type: There are two event types: Audit and Agent.
  • Event Subtype: Filter for the event action. Actions include Connect, Disconnect, Timeout, Device Posture Failure, and Teleport. 
  • Summary: A synopsis of the reported event.

Click the kebab (three dots) menu to sort column information in ascending or descending order, or to change which columns are displayed.

Filtering events

You can use filters to show events based on specific criteria. Use the drop-down menus under the Filters column to select your filtering criteria.

Expanded event information

Click an event in the live grid. A sidebar will appear with expanded information about that event. 

  1. Permission status: Allowed or Not Allowed
  2. Summary: This section shows the username, device name, and connection status.
  3. Source: This section displays authentication type, source IP, machine type, and the originating machine on Google Maps.
  4. Tags: Click any displayed tag to filter based on that criterion

Additional Resources

Still have questions? Click here to learn how to contact Cytracom Technical Support or open a ticket.