Cloud Control Center Traffic Analytics

The Elisity Microsegmentation platform provides rich policy and traffic telemetry while also offering effective search and filtering functionality for day two operations.

With Elisity, an administrator can monitor log-on/log-off events, visualize user/device/application traffic vectors, troubleshoot policy consumption and violations, and quickly analyze system events and logs.

If you are looking for details on the Traffic View within the Policy Matrix, see this article.

Traffic Analytics

When it is time to dive deeper into the telemetry collected by Cloud Control Center, an administrator can navigate to the Traffic Analytics page to discover an abundance of data presented in an easily digestible format. The Traffic Analytics page provides comprehensive visibility into network traffic patterns, communication relationships, and policy enforcement behavior across your Elisity deployment.

Traffic Analytics Dashboard Overview

The Traffic Analytics dashboard provides a comprehensive view of network traffic with multiple visualization and filtering options. The interface organizes traffic data by selectable groupings, displays key metrics, and provides granular filtering capabilities to help administrators analyze network behavior patterns.

View Controls and Grouping Options

View Toggle: Located in the top-left corner, this control switches between visualization modes:

  • Traffic Vectors (Sankey diagram icon) displays traffic flows as a visual diagram showing communication paths
  • Traffic Records (List icon) presents traffic data in a detailed tabular format

Grouped By: Located immediately to the right of the View Toggle, the Grouped By dropdown determines how traffic data is organized and displayed throughout the dashboard.

Grouping Option | Description
Policy Group | Organizes traffic by Policy Groups, showing communication patterns between defined groups of devices or users
Device | Displays traffic organized by individual devices, useful for investigating specific device behavior or troubleshooting
Distribution Zone | Organizes traffic by Distribution Zone, showing communication patterns between network zones

Traffic Metrics

Three metric cards display aggregated traffic statistics based on the current grouping and filter selections:

Metric | Description
Total Unique Traffic Vectors | Count of distinct communication paths between the selected source and destination within the time range - only applies to one-to-one mappings between Devices and Policy Groups.
Total Bytes | Aggregate data volume transferred, with directional indicators showing upload and download traffic distribution
Total Packets | Total packet count across all traffic vectors, with directional indicators showing transmission patterns

Time Range and Aggregation Controls

Time controls allow administrators to define the analysis period and aggregation granularity:

Time aggregation and top talkers controls

Time Aggregation: Select MONTHLY, DAILY, or WEEKLY to control how traffic data is grouped over time. This affects both the visualization granularity and the metric calculations.

Top Talkers Limit: The Top 20 Talkers dropdown (or Top 10, Top 30) limits the number of traffic vectors displayed, showing only the highest-volume communications based on the selected metric.

Date Range Selector: Located at the bottom of the page, the date range picker allows administrators to define the start and end times for traffic analysis. The interface displays the currently selected range and allows custom range selection.

Visualization Controls

Internet Traffic Toggle: Located in the bottom toolbar, this control filters traffic to show or hide communications with internet destinations.

Fullscreen Mode: The fullscreen icon in the bottom toolbar expands the Traffic Analytics view to occupy the entire browser window, maximizing visualization space for detailed analysis.

Legend: Help icons throughout the interface provide contextual information about specific features and filtering options.

Filtering Traffic Data

Traffic Analytics provides a powerful filtering system to refine the displayed data. Filters are accessed via the FILTERS button in the top-right corner of the dashboard. When filters are active, a badge displays the count of applied filters.

Filter Panel help dialog

Quick Filters (Left Panel)

The left filter panel provides granular control over which traffic is displayed. Filters are organized into collapsible sections, allowing administrators to refine traffic views based on multiple criteria simultaneously:

Filter Category | Description
Policy Action | Filter by policy enforcement action (Allow, Deny)
Policy Status | Filters based on traffic with the following Policy Status: All, No Policy, Simulated Policy, or Active Policy
Side A | Filter traffic by source entities (Policy Groups, Devices, or Distribution Zones depending on grouping selection)
Side B | Filter traffic by destination entities (Policy Groups, Devices, or Distribution Zones depending on grouping selection)
Ports | Filter by specific network ports or port ranges
Protocols | Filter by network protocol (TCP, UDP, ICMP, etc.)
Service Names | Filter by detected application or service names. Service Names include standard protocols such as HTTP, HTTPS, and SSH, as well as custom applications defined under Settings > System > Application. See Manage Custom Application Definitions for configuration details.

Advanced Filtering

Elisity offers several methods for filtering traffic such as click-through analytics for assets and Policy Group intersections, and manually-created filters. Filters can be saved, exported, and imported for reuse and sharing between team members in Cloud Control Center.

Click the FILTERS button in the top-right corner to open the advanced filter modal. This modal provides granular filtering capabilities organized into four tabs:

RBAC Site Label Filtering Dependency: For roles with limited Site Permissions (restricted to specific sites rather than all sites), the Site Label filter option requires the View Site Labels permission. Without this permission, users cannot use Site Label as a filter criterion in Traffic Analytics.

To enable Site Label filtering, ensure View Site Labels is enabled under the Site Labels and Distribution Zones privilege section in the role configuration. See the RBAC Privilege Reference for details.

SOURCE Tab - Create filters for traffic source (originating) entities. Available filter attributes depend on the current Grouped By selection.

In Policy Group View, you can filter by Policy Group, Policy Set, IP/Subnet, Site Label, or Site Tag.

In Device View, you can filter by Policy Group, Policy Set, Site Label, Site Tag, IP Address/Subnet, Device Type, Device Category, Device Genre, Device ID, Hostname, and User Account Name.

DESTINATION Tab - Provides the same filtering capabilities as the SOURCE tab, but applies filters to traffic destination (receiving) entities. This allows you to create asymmetric filters where source and destination criteria differ.

ADDITIONAL FILTERS Tab - Contains specialized filters and the ability to create custom filter combinations.

Traffic Exclusion Filter: A toggle control that enables or disables traffic exclusion rules. When enabled, this filter excludes specific traffic patterns from the visualization based on predefined exclusion criteria configured in your environment. This is useful for removing noise from analytics views, such as excluding known management traffic, monitoring systems, or other traffic that is not relevant to your current analysis.

Below the Traffic Exclusion Filter toggle, you can create custom filters using three-field combinations:

  • Search Type: Select the attribute to filter on (Service Names, Ports, etc.)
  • Condition: Choose the matching logic (Is Any Of or Is None Of)
  • Value: Enter or select the specific values to match against

Multiple custom filters can be added using the ADD NEW FILTER link. All filters in this tab are applied using AND logic (traffic must match all specified conditions).
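The three-field filters and their AND combination, re-applied offline to exported traffic records, as an added example that is not Elisity code. The CSV column names, the sample rows and the case-insensitive matching are assumptions; only the condition names and the AND logic come from this page.

```python
import csv
import io

# Constructed sample standing in for an exported Traffic Records CSV.
# Column names are assumptions; match them to the header of a real export.
SAMPLE_CSV = """src_policy_group,dst_policy_group,protocol,port,service_name,policy_action,bytes
Workstations,Servers,TCP,443,HTTPS,Allow,120000
Workstations,Servers,TCP,22,SSH,Deny,800
IoT-Cameras,Unknown,UDP,53,DNS,Allow,4200
IoT-Cameras,Servers,TCP,23,TELNET,Deny,300
Printers,Workstations,TCP,445,SMB,Deny,96000
"""

# The two conditions offered in the filter builder.
CONDITIONS = {
    "Is Any Of": lambda value, wanted: value in wanted,
    "Is None Of": lambda value, wanted: value not in wanted,
}


def normalize(value):
    # Assumption: values are compared case-insensitively, ignoring padding.
    return str(value).strip().lower()


def matches(record, filters):
    """Return True only if the record satisfies every filter (AND logic)."""
    for column, condition, values in filters:
        if condition not in CONDITIONS:
            raise ValueError(f"unsupported condition: {condition!r}")
        if column not in record:
            raise KeyError(f"column not in export: {column!r}")
        wanted = {normalize(v) for v in values}
        if not CONDITIONS[condition](normalize(record[column]), wanted):
            return False
    return True


def apply_filters(csv_text, filters):
    """Parse CSV text and keep the rows that pass all filters."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row for row in rows if matches(row, filters)]


# (Search Type, Condition, Value): denied traffic on any service except SMB.
FILTERS = [
    ("policy_action", "Is Any Of", ["Deny"]),
    ("service_name", "Is None Of", ["SMB"]),
]
```

Calling `apply_filters(SAMPLE_CSV, FILTERS)` keeps the denied SSH and TELNET rows and drops the denied SMB row, because a record has to pass both filters.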

SAVED FILTERS Tab - Provides access to previously saved filter configurations. Click any saved filter to instantly apply its configuration to the current view.

Creating, Saving, and Sharing Custom Filters

Once you've configured your filter criteria across any combination of tabs, use the buttons at the bottom of the filter modal:

  • SAVE FILTER: Saves the current filter configuration with a custom name for future reuse
  • IMPORT FILTER: Imports a previously exported filter configuration file
  • CLEAR FILTERS: Removes all active filters and returns to the unfiltered view

Saved filters can be exported, shared with other administrators, and imported into different Cloud Control Center environments.

In Additional Filters, you can also enable and modify the Traffic Exclusion filter to determine what traffic should be excluded from the analytics view and to set a minimum traffic threshold. Traffic volumes under the minimum threshold are excluded from the analytics view, so administrators can filter out smaller ephemeral flows while still visualizing higher traffic volumes on excluded services. This enables effective filtering of network "noise." If the minimum threshold is set to '0', only unidirectional flows are filtered.

Filter Persistence: Filters remain active as you navigate between Traffic Vectors and Traffic Records views, or switch between Policy Group, Device, and Distribution Zone groupings. This allows you to examine the same filtered dataset from multiple perspectives without reconfiguring filters.

Traffic Vectors View

The Traffic Vectors visualization provides an interactive way to understand traffic movement within your network. The interface uses a Sankey diagram to represent source and destination traffic, along with the protocols and ports involved. Use the View Toggle in the top-left corner to switch between Traffic Vectors and Traffic Records. Use the Grouped By dropdown to organize traffic by Policy Group, Device, or Distribution Zone.

Interacting with Traffic Vectors

The following interactions apply across all Grouped By options. When grouped by Policy Group, Side A and Side B display Policy Group names. When grouped by Device, they display device names or IP addresses. When grouped by Distribution Zone, they display zone names.

  • Hovering over a name: Displays a tooltip with contextual details. For Policy Groups, the tooltip shows the full name and asset count. For devices, it shows Policy Group, Device Category, Site Label, Asset Type, and IP Address.
  • Clicking a name: Opens the details page for that entity in a new window. For Policy Groups, this opens Policy Group Details. For devices, this opens Device Details.
  • Clicking the colored bar adjacent to a name: Automatically creates a filter for the traffic Source or Destination based on the side of the chart clicked. This refines the view to show a detailed breakdown of the ports and protocols associated with that entity.
  • Clicking a flow segment: Generates filters for both the source and destination entities, revealing the ports and protocols involved in the traffic between them.
  • Clicking a port or service name: Automatically applies a filter for the selected port or service.

Device View Tooltip Details

When grouped by Device, hovering over a device name or IP address displays additional details in the tooltip:

  • Policy Group — The Policy Group assigned to the asset. Selecting the Policy Group name opens Policy Group Details. Selecting the filter icon opens the Devices view pre-filtered to that group.
  • Device Category — The classification of the asset (endpoint, server, infrastructure device, etc.).
  • Site Label — The site label associated with the asset. Selecting it opens the Devices view pre-filtered to that site.
  • Asset Type — The type of device (physical asset, virtual machine, etc.).
  • IP Address — The management or observed IP address of the asset.

Traffic Records View

Traffic Records presents traffic analytics in a categorical, real-time table aimed at providing critical details about traffic. All of the same filtering capabilities available in Traffic Vectors view are available in Records view using the Grouped By (Policy Group, Device, Distribution Zone), Policy Action (Allow/Deny), Policy Status, and Advanced Filtering functions.

Exporting Traffic Records

Admins in Cloud Control Center can export traffic records from the Traffic Records pane by clicking the Export data button at the top right of the table. Options are available for exporting all traffic records or exporting records using the currently applied filter. A maximum of 50,000 records can be exported per CSV file.

Export is available for all three Grouped By options with the following granularity:

  • Policy Group — Daily and Hourly export
  • Device — Daily and Hourly export
  • Distribution Zone — Daily export only

Traffic Analytics from Device Details

Navigate to Devices in the CCC sidebar and click a device to open Device Details. Select the ANALYTICS tab to access per-device traffic analysis. Three view icons in the top-left corner toggle between different analytics views.

Traffic Vectors (Sankey View)

The default view displays a Sankey chart showing which assets the device has communicated with on the network, including traffic direction, protocols, and volume. Summary cards at the top display Total Unique Traffic Vectors, Total Bytes (with directional breakdown), and Total Packets (with directional breakdown).

Click TRAFFIC ANALYTICS in the top-right corner to open the full Traffic Analytics dashboard with the device filter pre-applied.

Filtering Traffic Flows

Two quick filters are available above the Sankey chart to narrow traffic results:

  • Policy Action — Filter by Allow or Deny to view only traffic that was permitted or blocked by policy.
  • Policy Status — Filter by All, Active, No Policy, or Simulated to view traffic based on the enforcement state of the governing policy.

For more granular filtering, click FILTERS in the top-right to open the Additional Filters panel. This panel provides a filter builder with Search Type, Condition, and Values fields, and includes a Traffic Exclusion Filter toggle to exclude specific traffic patterns from the analysis.

Usage Hours

Click the grid icon in the top-left corner of the Analytics tab to switch to the Usage Hours view. This view tracks device traffic activity and Policy Group association over a rolling 30-day period.

The view displays a row for each day (labeled by day of week and date) with hourly columns from 12AM to 11PM. Each cell represents a one-hour interval and indicates whether traffic was observed and which Policy Group the device was associated with during that period:

  • Green cells — Traffic was observed during this hour. Hovering over a cell reveals the Policy Group the device was classified into during that interval.
  • Red / striped cells — A Policy Group association change occurred during this hour, indicating the device was reclassified.
  • Empty cells — No traffic was observed during this hour.

Use the Policy Status filter to narrow results to specific policy states. Navigate the date range using the controls at the bottom of the view. This view enables administrators to identify when a device is active on the network, detect Policy Group reclassification events, and correlate traffic patterns with policy changes over time.

From the Policy Matrix

When viewing traffic from the Policy Matrix, click a policy intersection to view traffic details for that specific Policy Group-to-Policy Group relationship. Click TRAFFIC ANALYTICS in the top-right to view the same data in the full Traffic Analytics dashboard.

NOTE: When accessing Traffic Analytics from the Policy Matrix traffic view, the Traffic Exclusion Filter toggle is available to exclude specific traffic patterns from the analysis. See the Traffic View in the Policy Matrix article for more details.

Behavior for "Unknown" and "Unassigned" Policy Groups in Analytics

Traffic in Analytics is categorized based on the following behavior:

Unassigned Policy Group:

  • Includes only devices discovered within the Elisity framework that cannot be matched to any Policy Group.
  • Appears in both the Policy Matrix and Analytics views.

Unknown:

  • Represents traffic destined to or originating from devices outside the Elisity framework that do not fall into any static (network-based) Policy Group.
  • Only visible in the Analytics view under the Unknown filter.
  • Does not appear in the Policy Matrix as Unknown is not a Policy Group in the system, but rather a logical grouping for analytics purposes.

This differentiation ensures better visibility into traffic patterns and simplifies the identification of unmanaged or external assets within the Traffic Vectors view.
