Overview
Sensei provides rich, customizable views and reports for analyzing both the big picture and detailed per-connection events. Reports can be customized, filtered, generated, and scheduled to be sent to your email. Sensei also provides smart explorers with a comprehensive view of network activity, current threat levels and security policy enforcement. You can generate ad-hoc graphical views of summary traffic and threat activity, view sessions in real time or historically, and search within views. With these reporting capabilities, you can quickly identify and react to network security threats across the network (responsive reporting capability).
To view the Sensei reports, navigate to -->
.
Figure 1: Viewing Sensei Reports
Report Views
There are six types of predefined Sensei Report Views. Each one is displayed in a different tab on the Sensei Reports page:
- Connections: The Connections tab shows the applications in your network that are making connections, both internally and externally. These connections may use any protocol, not just HTTP/HTTPS. This tab shows:
  - the applications and application categories,
  - the protocols used for the connections,
  - the duration of the connection, and many other details.

  There are more than twenty different types of charts in the Connections tab.

  Figure 2: Charts Displayed in Connections Report View
- Threats: The Threats tab shows any threat that has been recognized based on the Essential Security and Advanced Security capabilities of the engine. If your engine detects a security risk such as malware activity, a phishing server connection or a spam site connection, etc., you can view the statistics of these security violations here.

  Figure 3: Charts Displayed in Threats Report View
- Blocks: The Blocks tab shows everything that has been blocked based on your web/app controls. If the engine blocks any connection based on your defined policy rules, you can find all statistics about this blocked connection here.

  Figure 4: Charts Displayed in Blocks Report View
- Web: The Web tab shows reports on web-based traffic (generated by browsing websites or API calls). This tab provides detailed information about the website category, the method used (GET, POST, etc.), the hostname, and other information.

  Figure 5: Charts Displayed in Web Report View
- DNS: The DNS tab provides information about the most frequent DNS requests and other DNS-related information.

  Figure 6: Charts Displayed in DNS Report View
- TLS: The TLS tab shows TLS session information such as the hosts/IPs with which most TLS sessions are created, the ports used, the general categories of the sessions, and other metrics.

  Figure 7: Charts Displayed in TLS Report View
Creating a Custom Report View
IMPORTANT NOTE: Custom Report Feature is not available for Free Edition. To benefit from the custom report feature, you must have one of the paid Sensei subscriptions. For more information about plans & pricing.
To create a new report view,
- Click tab on the Sensei Reports page.
- Click . This will open the Configure View window.

  Figure 8: Creating A New Report View
- Enter a name (for example, Top 10) for your new Report View.

  Figure 9: Configure View Window to Set a Name and Select Charts
- Select the charts that you want to view in your new Report View. There are more than 40 types of charts that you can use for a new report view.
- Scroll down to the bottom of the charts list in the window and then click . This will create a new report view tab (here it’s Top 10) consisting of your selected charts.

  Figure 10: Customized Report View
You can examine your Customized Report View on the Sensei Reports page to analyze your network traffic.
Configuring the Report View
You can easily add new charts to your report view, and view or delete any chart in it. To configure your customized report view,
- Click the tab you want to configure (here it’s Top 10) on the Sensei Reports page.
- Click icon on the right side of the panel. This will open the Configure View window.

  Figure 11: Add/Remove Chart(s) to/from Report View
- Select the charts that you want to add to the report view.
- Unselect the charts that you want to remove from the report view.
- Scroll down to the bottom of the charts list and then click . This will update your report view tab.
Deleting the Custom Report View
To delete your customized report view,
- Click on the tab you want to delete (here it’s Top 10) on the Sensei Reports page.
- Click on . This will pop up a confirmation message box.
- Click on the “Yes” button to confirm the deletion of the report view.
Figure 12: Confirmation Message To Delete A View
Adding Filter in a Report View
You can apply filters to the report view to drill down to the data you want to see. You can have up to 30 predefined filter data elements. You can use the “equals” and “not equals” operators.
To apply a filter on a report view:
- You can either click
or
- Drill down to the field you want to view
Add Filter Button
- Click button at the top of the Sensei Reports page. This will pop up a window to select the data metric, operator, and value that you wish to filter on.

  Figure 13: Setting A Filter Type/Metric
- Select the reporting metric (such as Destination IP) in the first dropdown menu in the Add Filter window.

  Figure 14: Setting A Filter Operator
- Select the operator (Equals or NotEquals) in the second dropdown menu in the Add Filter window.
- Set the value that you want the report to be filtered on.
- Click

The filter is automatically applied to the charts.
Drill Down On a Chart
- Select one of the charts on the Sensei Reports page. This specifies the reporting metric as a filter parameter.
- Click the pie slice on the chart that you want to filter on. This specifies the data value as a filter parameter and opens a hoverable dropdown menu.
- Click on the “Drill Down” menu item. A filter is automatically applied to the charts.
Figure 15: Drill Down on A Chart For a Filtered Report
You can view the filters beside the Add Filter button at the top of the page.
Figure 16: Applied Filters For a Report
Removing A Filter in a Report View
To remove an applied filter for a report, click on the red circle with an x icon.
Figure 17: Removing An Applied Filter For a Report
Refreshing the Report View
By default, the charts are automatically refreshed every minute, but you can increase the interval. The interval options are 1 minute, 5 minutes, and 15 minutes.
To change the refresh time interval,
- Click Report Settings. This will open the Report Settings window.
- Click on the Refresh Interval dropdown list and select one of the options (1 Minute, 5 Minutes, 15 Minutes).
- Click “Refresh Reports” to apply the new settings.
- Click the “x” icon to close the Report Settings window.

Figure 18: Setting Refresh Interval For Reports
To refresh the report view, click “Refresh”. During the refresh operation of the report view, an hourglass icon is displayed on the header bar of the charts.
Adding/Sorting Charts in Report View
You can add new charts to the predefined Report Views and sort/change the order of the charts in the Report Views.
To add or sort charts in a Report View,
- Click the “Add & Sort Charts” icon at the top right corner of the Sensei Reports page. This will open a window in which all available charts are listed.
- To add a chart, click on the check box to select the chart you want.
- To move a chart up or down, drag and drop the chart that you want to move.

  Figure 19: Sorting Charts in A Report View
- Click button at the bottom of the “Add & Sort Charts” window. This will pop up a notification window indicating that the dashboard has been changed.
- Click the “Refresh” button on the window to close it and return to the Sensei Reports page.

  Figure 20: A Message Indicating that Dashboard Changed
Exporting PDF
IMPORTANT NOTE: Export PDF Feature is not available for Free Edition. To benefit from the custom report feature, you must have one of the paid Sensei subscriptions. For more information about plans & pricing.
You can export your reports to PDF files by clicking on the “Export to PDF” button on the top right corner of the Sensei Reports page.
Adding Charts For a Scheduled Report
You can add a chart for scheduled reports easily by clicking the envelope icon on the header bar of the chart.
Resizing the Chart Window
You can maximize or restore the chart windows easily by clicking the arrow icon on the header bar of the chart.
In a maximized Chart Window there is a dropdown menu that has “Top 10” by default. This menu lets you select how many items show up in the charts/graphs. Options in the menu are Top 5, Top 10, Top 25, Top 50, Top 100.
Figure 21: Maximized Chart Window
Live Sessions Explorer Feature
The “Sensei Reports” page provides a separate “Live Sessions Explorer” for each predefined Report View. These explorers allow you to see the most recent connections, blocks, web sessions, DNS requests, and TLS sessions, depending on which report you are currently viewing. The Explorer screen renders detailed connection logs in a searchable, sortable fashion. You can change the refresh interval so that it refreshes more or less frequently. This view is useful for getting insight into the current activity taking place on your network.
Connections:
Connections Report View has two types of explorers:
- Activity Explorer
- Live Sessions Explorer

You can find detailed information about these Explorers in the following subsection:
- Activity Explorer: Click the button at the top right corner of the Connections Report View to view the Connection Activity Details.
In the Connection Activity Details window, you can view Applications and Web-based connections for the last 24 hours in two different tabs separately.
You can view the time range of the report at the top left corner of the Connection Activity Details window.
Figure 22: Time range of the Connection Activity Explorer
In Applications Tab, you can view the connection details for each hour in a table with 3 columns:
- Datetime: Time of the connection such as 04/24/2021 10:00.
- Source: Source IP/hostname of the connection.
- Activity: Application Category Name, Number of Sessions, Destination IP, Upload/Download Size.
You can scroll down to view the rest of the connection activity details list.
Figure 23: Application-Based Connection Activity Details
In Web Tab, you can view the connection details for each hour in a table with 3 columns:
- Datetime: Time of the connection such as 04/24/2021 10:00.
- Source: Source IP/hostname of the connection.
- Activity: Destination IP/hostname, Number of Visits, Web Categories, Upload/Download Size.
You can scroll down to view the rest of the connection activity details list.
Figure 24: Web-Based Connection Activity Details
- Live Sessions Explorer: Click the button at the top right corner of the Connections Report View to view the Sessions Details. Live Sessions Explorer is a very useful tool that helps you with:
  - troubleshooting a block event,
  - defining a policy rule to allow/block a connection,
  - finding the policy that the connection matches,
  - examining the application name and the application category of the session,
  - determining the destination hostname/location (country), destination IP address and destination port.
Figure 25: Live Sessions Explorer
Threats:
The Threats view tab lets you easily view the details of the security events detected in your network, such as phishing/hacking site visits.
To view Live Security Sessions Details, click the button at the top right corner of the Threats Report View.
Figure 26: Live Security Events Monitor
Blocks:
The Blocks view tab lets you view the details of the connections blocked in your network according to your policy rules.
To view Live Blocked Sessions Details, click the button at the top right corner of the Blocks Report View.
Figure 27: Live Blocked Sessions Explorer
Web:
The Web view tab lets you view the details of the web connections in your network.
To view Live Web Sessions Details, click the button at the top right corner of the Web Report View.
Figure 28: Live Web Sessions Details
DNS:
The DNS view tab lets you view the details of the DNS queries in your network.
To view Live DNS Sessions Details, click the button at the top right corner of the DNS Report View.
Figure 29: Live DNS Sessions Details
TLS:
The TLS view tab lets you view the details of the TLS queries in your network.
To view Live TLS Sessions Details, click the button at the top right corner of the TLS Report View.
Figure 30: Live TLS Sessions Details
Configuring Live Sessions Explorer
You can configure the Session Details report by using the configuration pane at the top of the Live Sessions Explorer page.
Figure 31: Live Sessions Explorer Configuration Pane
Records
You can view the details of the last 100 sessions by default. Also, you can view the total number of session records at the top of the window.
Figure 32: Number of loaded/total session records
Important Note: Maximum number of loaded records in a report is limited to 100.
Add/Remove Field(Column)
To add/remove a field (column) to/from the Session Details report,
- Click the “Show Columns” button at the top of the page. This will open a scrollable check box list.
- Select/unselect the data type (column) that you wish to add/remove to/from the list.
Figure 33: Add/Remove Fields/Columns
You can view the following fields(columns) on the session details page.
Field Name | Description |
---|---|
Block | Whether the session is blocked or not. Grey triangle icon means pass. Red circle with slash icon means block |
Start | Start time of the session |
End | End time of the session |
Protocol | TCP or UDP |
Src IP | Source IP address of the session |
Src Hostname | Source hostname of the session; if not resolved, the source IP address is listed |
Src Port | Source Port number of the session |
Src Username | Source Username of the session |
Dst IP | Destination IP address of the session |
Dst Hostname | Destination hostname of the session; if not resolved, the destination IP address is listed |
Dst Port | Destination Port number of the session |
Dst Username | Destination Username of the session |
App Category | Application Category of the session |
Security Category | Security Category of the session |
Application | Application Name of the session |
Packets In | Number of received packets during the session |
Packets Out | Number of transmitted packets during the session |
Bytes In | Number of received bytes during the session |
Bytes Out | Number of transmitted bytes during the session |
Iface | Name of the network interface the session passes through |
Vlan | VLAN ID the session passes through |
Block Message | Subcategory information of the blocked session |
Block Category | Which DB is the reason for the block: Web or Application |
Block Signature | The application or web categories of the blocked session |
Method | HTTP request method (GET, POST, PUT, etc.) |
Status | HTTP response status code (100-599) |
Version | HTTP version (1.1, 2.0 etc.) |
AA | Authoritative Answer, in a response, indicates if the DNS server is authoritative for the queried hostname |
RA | Recursion Available, in a response, indicates if the replying DNS server supports recursion |
RD | Recursion Desired, indicates if the client requests a recursive query |
TC | TrunCation, indicates that this message was truncated due to excessive length |
Request | DNS Request |
Response | DNS Query Response |
Query Class | Class code |
Query Type | Type of RR in numeric form |
Query | DNS Query in the session |
Answer | Answer for the DNS Query |
Response Code | Response Code for the DNS Query |
TTLS | Count of seconds that the RR stays valid |
Total Answer | Number of answers for the DNS Query |
Encryption | The type of encryption, SSL or TLS. |
Policy | Name & Details of Sensei Policy the session pass through |
Actions | Info - Red circle with (i) icon: Provides session details. Action - Red circle with slash (/) icon: Helps you to block the session. Action - Green circle with checkmark icon: Helps you to allow the session. Query - Blue circle with a question mark (?) icon: To query whois record for the destination |
Table 1: Field Names For Details of A Session
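The DNS columns AA, TC, RD, RA and Response Code in Table 1 correspond to bits in the 12-byte DNS message header defined in RFC 1035. The block below is an added example, not part of the Sensei documentation or product code: it decodes those bits from a raw header so that values shown in the DNS session explorer can be cross-checked against a packet capture. The sample headers are constructed, `triage_notes` is a hypothetical helper, and mapping ANCOUNT to the “Total Answer” column is an assumption.

```python
import struct

# RCODE values 0-5 as defined in RFC 1035, section 4.1.1.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def decode_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into Table 1 style flag columns."""
    if len(packet) < 12:
        raise ValueError(f"DNS header needs 12 bytes, got {len(packet)}")
    # Six big-endian 16-bit words: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    rcode = flags & 0x000F
    return {
        "is_response": bool(flags & 0x8000),  # QR bit: 0 = query, 1 = response
        "AA": bool(flags & 0x0400),
        "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100),
        "RA": bool(flags & 0x0080),
        "Response Code": RCODES.get(rcode, f"RCODE{rcode}"),
        # Assumption: the "Total Answer" column reflects ANCOUNT.
        "Total Answer": ancount,
    }


def triage_notes(h: dict) -> list:
    """Hypothetical helper: points an analyst would check for one header."""
    notes = []
    if h["is_response"] and h["TC"]:
        notes.append("truncated response: expect a retry over TCP")
    if h["is_response"] and h["RD"] and not h["RA"]:
        notes.append("recursion requested but not offered by this server")
    if h["Response Code"] == "NXDOMAIN":
        notes.append("name does not exist")
    return notes


# Constructed sample headers (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT).
SAMPLE_QUERY = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)     # RD
SAMPLE_ANSWER = struct.pack("!6H", 0x1A2B, 0x8180, 1, 2, 0, 0)    # QR, RD, RA
SAMPLE_NXDOMAIN = struct.pack("!6H", 0x1A2C, 0x8503, 1, 0, 1, 0)  # QR, AA, RD, rcode 3
SAMPLE_TRUNCATED = struct.pack("!6H", 0x1A2D, 0x8380, 1, 0, 0, 0) # QR, TC, RD, RA

if __name__ == "__main__":
    for name, raw in [("query", SAMPLE_QUERY), ("answer", SAMPLE_ANSWER),
                      ("nxdomain", SAMPLE_NXDOMAIN),
                      ("truncated", SAMPLE_TRUNCATED)]:
        header = decode_dns_header(raw)
        print(name, header, triage_notes(header))
```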
Sorting
You can sort the Session Details report by any field you want. The report is sorted by Start Time by default. To change the sort field of the Session Details report,
- Click the first dropdown menu at the top left corner of the page.
- Select the field that you wish to sort by. This will automatically refresh the report.

Figure 34: Sorting Session Details Report
You can also select the sort order as Ascending or Descending for the Session Details Report. It is sorted in descending order by default.
To change the sort order,
- Click the second dropdown menu at the top left corner of the page.
- Select one of the options (Ascending/Descending). This will automatically refresh the report.

Figure 35: Changing the Sort Order of the Session Details Report
Changing the Time Range
By default, the report is displayed for the current date. You can create a report for a specified time range. To view the session details report for a specific time period,
- Click the field with the label Start Time. This will open a calendar.
- Select the date you want.

  Figure 36: Setting Start Time of the Report
- Click on the red clock icon at the bottom of the window to select a time.

  Figure 37: Setting Start Hour/Minute of the Report
- Click the buttons with up/down arrow icons to set the hour and minute of the report.
- Click the field with the label “End Time”. This will open a calendar; select the date you want to set.
- Set the end time of the report as explained in steps 2-4.
- Click anywhere outside of the calendar on the page.
- Wait for the refresh interval.

WARNING: Since the default refresh interval of the Session Details Report is None, you must set the refresh interval to at least 1 minute to view the report created for a specific time period.
Changing the Refresh Interval
By default, the session details report is not refreshed, but you can enable the refresh feature for the report. The refresh interval can be 1 minute, 5 minutes, or 15 minutes.
To change the refresh time interval,
- Click the Refresh Interval dropdown menu at the top of the page.
- Select one of the options.
Figure 38: Setting the Refresh Interval of the Session Details Report
Search
You can search for a string value in the following fields in the Session Details Report: Source IP, Source Username, Destination IP, Destination Hostname, Destination Username, Protocol, Application Category, Application, Policy, VLAN, Interface.
To search in the Session Details Report,
- Click the Filter by dropdown menu next to the Refresh Interval dropdown menu.
- Select the field you want to search in.
- Enter a value in the search bar.
- Click the Search button.
Figure 39: Selecting Field to Search In
Figure 40: Search bar
Exporting PDF
You can export the Live Session Details Report to a PDF file easily by clicking the .
Allow/Block a Connection
While viewing the live sessions, you may notice that network traffic that should be blocked is allowed, or that a network connection that should be allowed is blocked. You don’t need to go to the policy configuration page from the report view. You can easily allow or block a connection on the Live Sessions Explorer page.
To allow/block a connection in Live Sessions Explorer,
- Find the session in the session details report.
- Click the red circle with a slash icon in the Action column to block the connection.
- Or click the green circle with a checkmark icon in the Action column to allow the connection.
- Select whether you want to block the Category, Application or Hostname.