Sensor Dashboard

The Sensor dashboard is accessible by selecting Sensor and then selecting Dashboard.

This dashboard provides a quick, high‑level overview of the system so that users can easily understand and monitor assets, connections, and alerts.

It is designed for:

  • Users who need a simple, visual status view of assets and traffic.
  • Operators and security analysts who need to quickly assess where risks and alerts are concentrated.

Important: The Sensor dashboard currently has a fixed layout with exactly six charts. Users cannot add, remove, resize, or rearrange widgets on this dashboard.

The six charts are:

  1. Asset Types
  2. Connection Alert Matrix (Today)
  3. Asset Alert Matrix (Today)
  4. Protocols (Today)
  5. Total Internal Connections
  6. Total Connections with External

Dashboard behavior and limitations

On the Sensor dashboard:

  • Fixed set of widgets

    • The dashboard always shows the same six charts listed above.
    • There is no configuration to add new widgets or hide existing ones.
  • No widget add/remove

    • There is no Add widgets action.
    • There is no close (X) button or equivalent to remove a widget.
  • No widget resize or drag‑and‑drop

    • Widget sizes are fixed by the system.
    • The layout and relative positions of the six charts cannot be changed by the user.
  • Time range

    • Some charts explicitly show data for Today (for example, Connection Alert Matrix (Today), Asset Alert Matrix (Today), Protocols (Today)).
    • Time ranges for these widgets are defined by the product design and are not configurable from the dashboard.

Asset Types

The Asset Types chart displays a summary of assets grouped by their type.

Typical asset types include (examples, depending on your environment):

  • Computer / Desktop / Laptop
  • Industrial Device – PLC
  • Industrial Device – HMI
  • Industrial Device – Controller
  • Servers
  • Network devices
  • Others / Generic

For each asset type, the chart shows:

  • The asset type name.
  • The number of assets of that type.
  • Additional classification or status‑based counts (if applicable), such as assets in different states or risk categories.

At the bottom of the widget, the Total Assets value shows the overall number of assets currently known to the system.

Use this chart to:

  • Understand how many assets you have by category.
  • Confirm that asset discovery and classification are working as expected.
  • Identify which asset types dominate your environment (for example, a high number of PLCs or HMIs in an ICS network).

Connection Alert Matrix (Today)

The Connection Alert Matrix (Today) chart provides a matrix view of connection‑related alerts that occurred during Today.

The matrix is structured as follows:

  • Rows – Asset Level: Each row represents the asset’s criticality level, for example:

    • Critical
    • High
    • Medium
    • Low
  • Columns – Alert’s Level: Each column represents the alert severity/criticality, for example:

    • Critical
    • High
    • Medium
    • Low
  • Cells – Number of connection alerts: Each cell shows the count of connection alerts for the corresponding combination of:

    • Asset criticality (row), and
    • Alert severity (column)

This chart focuses on alerts generated for connections (for example, suspicious or policy‑violating network flows).

How to interpret

  • A high number of alerts in the Critical asset / Critical alert cell indicates serious problems on your most important assets.
  • A concentration of alerts in the Medium or Low asset levels might suggest that non‑critical assets are misconfigured or under attack, but the risk impact is lower.
  • If certain rows or columns are consistently zero, either:
    • No alerts of that type are triggered, or
    • Policies are not configured to generate such alerts.

Configuration references

  • Asset criticality

    • Can be defined at asset type level in Device Type Settings (applies to all assets of that type).
    • Can be overridden per individual asset in the Asset/Device detail view.
  • Alert criticality

    • Is configured on the Policy page when creating or editing a detection or rule.
    • Changes to policy criticality will be reflected in how alerts appear in this matrix going forward.

Asset Alert Matrix (Today)

The Asset Alert Matrix (Today) chart is similar in layout to the Connection Alert Matrix but focuses on asset‑level alerts instead of connection‑level alerts.

Examples of asset‑level alerts might include:

  • Configuration issues on a device.
  • Detected vulnerabilities or posture deviations.
  • Policy violations directly tied to the asset rather than a specific connection.

The matrix structure:

  • Rows – Asset Level

    • Critical
    • High
    • Medium
    • Low
  • Columns – Alert’s Level

    • Critical
    • High
    • Medium
    • Low
  • Cells – Number of asset alerts

    • Each cell shows how many asset‑level alerts occurred Today for assets with the given criticality and alert level.

How to interpret

  • Large values in the Critical asset row indicate your most critical assets are frequently generating alerts and may require immediate attention.
  • If you see alerts concentrated in Medium or Low asset levels, you can prioritize based on your risk appetite.
  • The pattern across all cells helps you understand whether issues are localized to a small number of highly critical assets or spread more broadly across the environment.

Configuration references

  • Configuration of Asset criticality and Alert criticality is the same as in the Connection Alert Matrix:
    • Asset criticality: Device Type Settings or individual Asset/Device detail.
    • Alert criticality: Policy configuration.
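
The following added example (not product code) shows how the Connection Alert Matrix and the Asset Alert Matrix described above can be reproduced offline for triage: asset criticality is resolved from the device-type default unless a per-asset override exists, alert level comes from the policy, and all-zero rows and columns are reported. The record fields (`scope`, `asset`, `policy_level`, `override`) and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

LEVELS = ["Critical", "High", "Medium", "Low"]

# Constructed sample data; every field name here is an assumption for
# illustration, not the product's schema or export format.
DEVICE_TYPE_LEVEL = {"PLC": "Critical", "HMI": "High", "Desktop": "Low"}
ASSETS = {
    "plc-01": {"type": "PLC"},
    "hmi-07": {"type": "HMI", "override": "Critical"},  # per-asset override
    "ws-112": {"type": "Desktop"},
}
ALERTS = [
    {"scope": "connection", "asset": "plc-01", "policy_level": "Critical"},
    {"scope": "connection", "asset": "plc-01", "policy_level": "Medium"},
    {"scope": "connection", "asset": "hmi-07", "policy_level": "Critical"},
    {"scope": "connection", "asset": "ws-112", "policy_level": "Low"},
    {"scope": "asset", "asset": "hmi-07", "policy_level": "High"},
    {"scope": "asset", "asset": "ws-112", "policy_level": "Low"},
]


def asset_level(asset_id):
    """Per-asset override wins; otherwise the device-type default applies."""
    asset = ASSETS[asset_id]
    return asset.get("override") or DEVICE_TYPE_LEVEL[asset["type"]]


def build_matrix(alerts, scope):
    """Return {asset_level: {alert_level: count}} for one alert scope."""
    counts = Counter(
        (asset_level(a["asset"]), a["policy_level"])
        for a in alerts if a["scope"] == scope
    )
    return {row: {col: counts[(row, col)] for col in LEVELS} for row in LEVELS}


def all_zero(matrix):
    """Rows and columns with no alerts at all (no events, or no policy)."""
    rows = [r for r in LEVELS if not any(matrix[r].values())]
    cols = [c for c in LEVELS if not any(matrix[r][c] for r in LEVELS)]
    return rows, cols


if __name__ == "__main__":
    for scope in ("connection", "asset"):
        m = build_matrix(ALERTS, scope)
        print(scope, "alerts; all-zero rows/columns:", all_zero(m))
        for row in LEVELS:
            print(f"  {row:<9}" + "".join(f"{m[row][c]:>4}" for c in LEVELS))
```

In the sample, the HMI's alerts land in the Critical asset row because its per-asset override takes precedence over the High default of its device type.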

Protocols (Today)

The Protocols (Today) chart is a time‑series line chart showing the number of connections per protocol over the course of Today.

Each protocol is represented by a distinct line, for example:

  • HTTP
  • DNS
  • TCP
  • UDP
  • ICS/OT protocols such as S7COMM, Modbus‑TCP, EtherNet/IP, PROFINET‑DCP
  • ARP
  • Others (grouping of less common protocols)

For the selected time frame (Today), the chart displays:

  • The timeline on the x‑axis (time of day).
  • The connection count on the y‑axis.
  • One line per protocol type, showing how connection volume changes over time.

How to use

  • Identify peaks or anomalies: Sudden spikes for a specific protocol may indicate unusual activity or an incident.
  • Compare protocols: See which protocols generate the most traffic and when.
  • Correlate with alerts: If you see spikes in alerts at certain times, check whether those align with spikes in specific protocol lines.

Depending on product configuration, colors assigned to each protocol may be defined in a protocol or visualization settings area.

Total Internal Connections

The Total Internal Connections chart is a donut chart that summarizes connections between internal assets.

This chart provides:

  • The total number of internal connections recorded (for the underlying data period used by the widget).
  • A percentage breakdown by protocol, each represented as a segment of the donut.

Protocols typically shown include (examples):

  • HTTP
  • DNS
  • UDP
  • ARP
  • PROFINET‑DCP
  • Other internal protocols grouped into Others

How to interpret

  • The center value or bottom label shows the total number of internal connections.
  • Each donut segment shows:
    • The protocol name (in the legend).
    • The percentage of internal connections that use that protocol.

This chart answers questions such as:

  • Which protocols dominate internal traffic?
  • Is there an unexpected percentage of a particular protocol inside the network (for example, an ICS protocol where none is expected, or a non‑standard protocol dominating traffic)?

Total Connections with External

The Total Connections with External chart is another donut chart, but it focuses specifically on connections between internal assets and external or remote hosts.

It shows:

  • The total number of external connections (for the underlying data period used by the widget).
  • The percentage distribution by protocol for those external connections.

Common protocols in this chart might include:

  • DNS
  • TCP
  • UDP
  • HTTP / HTTPS
  • EtherNet/IP
  • Modbus‑TCP
  • Others (aggregated)

How to interpret

  • The total value indicates the overall volume of external communication observed.
  • The protocol slices indicate which protocols are being used to communicate outside the environment.
  • Abnormally high usage of certain protocols to external destinations might warrant investigation, especially for protocols that are typically internal/ICS only.

Use this chart to quickly:

  • Monitor external exposure of your environment over the network.
  • Validate that only expected protocols are commonly used for external communications.
  • Support investigations into suspicious outbound activity.
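
As an added example (not product code), the sketch below computes the per-protocol percentage breakdown behind both donut charts, Total Internal Connections and Total Connections with External, and lists ICS/OT protocols that appear in external traffic. The internal address ranges, the record fields (`src`, `dst`, `protocol`) and the sample connections are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions: the internal ranges and record fields are constructed for this
# example; they are not the product's data model.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ICS_PROTOCOLS = {"S7COMM", "Modbus-TCP", "EtherNet/IP", "PROFINET-DCP"}

CONNECTIONS = [  # constructed sample records
    {"src": "10.1.1.10", "dst": "10.1.1.20", "protocol": "Modbus-TCP"},
    {"src": "10.1.1.10", "dst": "10.1.1.53", "protocol": "DNS"},
    {"src": "10.1.1.30", "dst": "10.1.1.53", "protocol": "DNS"},
    {"src": "10.1.1.30", "dst": "10.1.1.40", "protocol": "HTTP"},
    {"src": "10.1.1.30", "dst": "198.51.100.7", "protocol": "HTTP"},
    {"src": "10.1.1.30", "dst": "198.51.100.53", "protocol": "DNS"},
    {"src": "10.1.1.30", "dst": "198.51.100.53", "protocol": "DNS"},
    {"src": "10.1.1.10", "dst": "203.0.113.9", "protocol": "Modbus-TCP"},
]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def breakdown(connections):
    """Return (internal, external), each {'total': n, 'percent': {proto: pct}}."""
    counts = {"internal": Counter(), "external": Counter()}
    for c in connections:
        inside = is_internal(c["src"]) and is_internal(c["dst"])
        counts["internal" if inside else "external"][c["protocol"]] += 1
    out = []
    for side in ("internal", "external"):
        total = sum(counts[side].values())
        pct = {p: round(100 * n / total, 1) for p, n in counts[side].items()}
        out.append({"total": total, "percent": pct})
    return tuple(out)


def ics_seen_externally(external):
    """ICS/OT protocols present in the external breakdown; these merit review."""
    return sorted(p for p in external["percent"] if p in ICS_PROTOCOLS)


if __name__ == "__main__":
    internal, external = breakdown(CONNECTIONS)
    print("internal:", internal, "\nexternal:", external)
    print("ICS protocols seen externally:", ics_seen_externally(external))
```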

Summary

The Sensor dashboard is a read‑only, fixed‑layout overview consisting of these six charts:

  1. Asset Types
  2. Connection Alert Matrix (Today)
  3. Asset Alert Matrix (Today)
  4. Protocols (Today)
  5. Total Internal Connections
  6. Total Connections with External

Users cannot:

  • Add new widgets.
  • Remove existing widgets.
  • Resize widgets.
  • Rearrange widget positions.

Instead, the dashboard is optimized to present a consistent, at‑a‑glance view of:

  • Asset distribution.
  • Connection‑level and asset‑level alerts.
  • Protocol usage over time.
  • Internal versus external connection patterns.