Overview
The Insights engine in Cloud Control Center provides a data-driven view into asset classification and segmentation posture across your network. Insights analyzes devices, traffic patterns, and network behavior to provide intelligent recommendations for Policy Groups, device classifications, and policy rules. By surfacing identity gaps and policy opportunities, Insights accelerates the process of building meaningful segmentation policies and improving coverage over time.
Insights provides recommendations in four key areas: Dynamic Policy Group suggestions for unclassified devices, Static Policy Group suggestions for subnet-based segmentation, AI-powered device category classification, and policy suggestions for improving enforcement coverage.
Enabling and Accessing Insights
Enabling Insights
Before using the Insights engine in Cloud Control Center, it must be explicitly enabled. Navigate to Settings in the left navigation menu and scroll to the Insights section. Toggle Enable Insights to activate the feature.
Once enabled, Cloud Control Center begins analyzing assets and observed flows for classification and policy suggestions.
Accessing Insights
To access the Insights dashboard, navigate to Insights in the left navigation menu. The Insights page displays a Network Summary with two key metrics panels and a comprehensive table of all available insights.
The dashboard provides:
| Dashboard Element | Description |
|---|---|
| Total Insights | Aggregate count of all insights across categories including Devices (category classification suggestions), Dynamic Policy Groups, Static Policy Groups, Policies, and Traffic Review |
| Open Insights | Count of insights that have not yet been accepted or rejected, representing actionable recommendations awaiting review |
| Time Range Filter | Dropdown filter in the top-right corner allowing selection of Full Time Range, Last 24 hours, Last week, or Last month to focus on recent insights |
| Insights Table | Comprehensive list of all insights with Priority, Name, Category, Suggestion For, Description, Last Updated timestamp, and Status (Accept/Reject buttons) |
Time Range Filtering
The Insights dashboard includes a time range filter that allows you to focus on recently generated insights. Select from Full Time Range (default), Last 24 hours, Last week, or Last month using the dropdown in the top-right corner of the page.
Time range filtering updates both the Total Insights and Open Insights counters, as well as the insights table below, to display only recommendations within the selected timeframe.
Accepting and Rejecting Insights
Insights can be accepted or rejected directly from the main Insights table without entering dedicated workflows. Each insight row displays a checkmark icon to accept, an X icon to reject, and a Review button to open the insight details before taking action. Device category insights also display a confidence score indicating the strength of the underlying recommendation.
Accepting Insights
Clicking the checkmark icon on an insight opens a confirmation dialog displaying the number of recommendations being accepted. For example, accepting a Dynamic Policy Group insight may create multiple Policy Groups at once.
After confirming, Cloud Control Center immediately applies the recommendation. For device category insights, the device category is updated. For Policy Group insights, the Policy Groups are created or devices are assigned. For policy insights, the suggested policies are added to the Policy Matrix in Simulation Mode.
Rejecting Insights
Clicking the X icon dismisses the insight without applying the recommendation. Rejected insights are removed from the Open Insights count and no longer appear in the insights table. This allows you to focus on relevant recommendations while ignoring suggestions that do not align with your network architecture or security requirements.
AI-Powered Device Category Classification
Cloud Control Center uses machine learning to analyze device behavior and propose device category classifications. The AI classification engine operates within a private, tenant-isolated environment and examines two distinct data sources to generate recommendations: MAC address adjacency analysis and traffic pattern analysis. Each recommendation includes a confidence score indicating the strength of the supporting evidence. These recommendations help reduce manual categorization effort and improve device visibility in the IdentityGraph.
Classification Methods
Insights provides device category recommendations using two AI-powered analysis methods:
| Classification Method | Description |
|---|---|
| MAC Adjacency Analysis | Analyzes MAC address patterns to identify devices with adjacent or similar MAC addresses that belong to the same category. Devices manufactured by the same vendor often receive sequential MAC addresses, allowing the system to infer category based on proximity to known classified devices. |
| Traffic Pattern Analysis | Examines observed traffic patterns including port/protocol combinations and communication behaviors. Devices with similar traffic profiles to known classified devices are recommended for the same category. |
Reviewing Insight Details
Device category insights appear in the main Insights table with the Category set to Devices. The Name column identifies which classification method was used: Category - MAC Adjacency or Category - Traffic Pattern. Clicking an insight name opens the Insight Details dialog.
Both classification methods share the same Insight Details layout. The dialog header displays a Confidence Score badge (0–100) indicating how strongly the evidence supports the recommendation. Higher scores indicate stronger evidence; lower scores warrant closer review before accepting. The dialog footer provides Accept, Reject, and Close buttons, along with a Create Automation link for creating an automation rule directly from the recommendation.
The top section of the dialog displays device identification fields and the proposed category transition:
| Field | Description |
|---|---|
| MAC Address | The MAC address of the device receiving the category recommendation |
| IP Address | The IP address of the device |
| Vendor | The device manufacturer |
| Type | The device type classification |
| Site Label | The Site Label associated with the device |
| Policy Set | The Policy Set the device belongs to |
| Current Category | The current category assignment (Unclassified) |
| Suggested Category | The recommended category based on the classification analysis |
| Current Policy Group | The current Policy Group assignment |
| New Policy Group | The Policy Group the device will be assigned to after accepting the category change, based on Policy Group match criteria |
Below the device and category fields, the dialog displays the method-specific evidence that supports the recommendation.
MAC Adjacency Evidence
MAC Adjacency insights identify devices with adjacent MAC addresses that share a common category. The evidence section displays:
| Field | Description |
|---|---|
| Number of Similar Devices | Count of devices with adjacent MAC addresses that share the suggested category |
| MAC Prefix | The shared MAC address prefix (OUI and partial device identifier) common to similar devices |
| Average MAC Distance | Numerical distance between MAC addresses, indicating how closely related the devices are in the manufacturer's address space |
Traffic Pattern Evidence
Traffic Pattern insights compare a device's observed traffic against known classified devices. The evidence section displays:
| Field | Description |
|---|---|
| Number of Port/Protocol Matches | Count of matching port and protocol combinations between the device and known devices in the suggested category |
| Port/Protocol Table | Detailed breakdown of observed traffic patterns showing Port/Protocol (e.g., ICMP, TCP port 22), traffic Volume (Low, Medium, High), and Number of Devices exhibiting the same pattern |
Automating Insights Actions
Cloud Control Center supports automation rules that automatically approve or reject device category recommendations based on configurable criteria. Automation rules reduce manual review overhead in large-scale deployments by applying consistent logic to high-volume, predictable recommendations while preserving administrator control over more complex or sensitive classifications.
To access the Automations dashboard, navigate to Insights and select the Automations tab.
The dashboard displays two summary metrics at the top — HOURS SAVED (LAST 6 MONTHS) and INPUTS AUTOMATED (LAST 6 MONTHS) — representing the cumulative impact of automation rules. Below the metrics, the automations table lists all configured rules.
| Column | Description |
|---|---|
| Name | The name assigned to the automation rule |
| Description | Summary of the rule's purpose and behavior |
| Action | Whether the rule accepts or rejects matching recommendations |
| Status | Current state of the rule (Active or Paused) |
| Insight Category | The category of insight the rule applies to (Devices) |
| Date Modified | Timestamp of the last modification to the rule |
| Actions | Three-dot menu with Edit, Duplicate, Pause, and Delete options |
Managing Automation Rules
Each automation rule in the table has an Actions menu (three-dot icon) that provides the following options:
- Edit — modify the rule's name, description, criteria, or confidence threshold
- Duplicate — create a copy of the rule for creating variations with different thresholds or categories
- Pause — temporarily suspend the rule without deleting it; paused rules are not evaluated during the hourly cycle
- Delete — permanently remove the rule
Creating Automation Rules
Click + Create Automation in the top-right corner of the Automations tab to open the creation form. Each rule defines the criteria that trigger an automatic accept or reject action on matching device category recommendations.
| Field | Description |
|---|---|
| Name | A descriptive name for the automation rule |
| Description | Free-text description of the rule's purpose (255 character limit) |
| Insight Category | The type of insight the rule applies to (Devices) |
| Action | Whether matching recommendations are automatically accepted or rejected |
| Source Category | The current device category that recommendations must originate from. Device category insights only evaluate Unclassified devices, so this field is fixed to Unclassified and is not modifiable |
| Target Category | The suggested device category that the recommendation proposes. Select from the dropdown to restrict the rule to recommendations targeting a specific category |
| Classification Method | Restricts the rule to a specific classification method (MAC Adjacency or Traffic) or applies to both |
| Random MAC Filter | Include or exclude devices with randomized MAC addresses from rule evaluation |
| Confidence Threshold | Adjustable slider (0–100) that defines which confidence scores the rule acts on. Insights with a score inside the selected range are automatically processed; those outside remain in the queue for manual review |
Rule Evaluation Behavior
Automation rules are evaluated as part of the hourly Insights evaluation cycle. When the evaluation runs, reject rules are processed before approve rules to ensure that potentially risky recommendations are filtered out before approval logic executes. A recommendation that matches a reject rule is dismissed immediately and is not evaluated against approve rules.
All automated actions are recorded in Monitoring > Audit Logs. Each log entry includes the Category (Insight), Action (Resolved), and a Details field containing the adjudication source (AUTOMATION), adjudication status (ACCEPTED or REJECTED), and the classification method that triggered the action. To review automated insight activity, navigate to the Audit Logs page and search for "insight" to filter relevant entries.
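The evaluation order and rule criteria described in this section can be modelled offline to see how a draft rule set would adjudicate a recommendation before the rules are activated. The Python below is an added example, not Elisity code: the field names, rule names, the "Printers" category and the sample insights are constructed, the confidence range is assumed to be inclusive, and randomized MACs are assumed to be identified by the locally administered bit.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Insight:                      # constructed stand-in for a device category insight
    mac: str
    target_category: str
    method: str                     # "MAC Adjacency" or "Traffic"
    confidence: int                 # 0-100


@dataclass
class Rule:                         # mirrors the creation-form fields; names are assumptions
    name: str
    action: str                     # "accept" or "reject"
    conf_min: int
    conf_max: int
    target_category: Optional[str] = None   # None = any target category
    method: Optional[str] = None            # None = both classification methods
    include_random_mac: bool = False
    active: bool = True             # False models a paused rule


def is_random_mac(mac: str) -> bool:
    """Assumption: a randomized MAC is a unicast address with the locally
    administered bit (0x02 of the first octet) set."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01


def matches(rule: Rule, insight: Insight) -> bool:
    if not rule.active:
        return False                # paused rules are not evaluated
    if rule.target_category and rule.target_category != insight.target_category:
        return False
    if rule.method and rule.method != insight.method:
        return False
    if is_random_mac(insight.mac) and not rule.include_random_mac:
        return False
    return rule.conf_min <= insight.confidence <= rule.conf_max   # inclusive (assumed)


def adjudicate(rules, insight):
    """Reject rules run first and a reject match ends evaluation. No match at
    all leaves the insight in the queue for manual review."""
    for action, status in (("reject", "REJECTED"), ("accept", "ACCEPTED")):
        for rule in rules:
            if rule.action == action and matches(rule, insight):
                return status, rule.name
    return "MANUAL_REVIEW", None


# Constructed rules; accept rules are listed first to show list order does not matter.
RULES = [
    Rule("accept-physical-security", "accept", 90, 100,
         target_category="Physical Security Systems", method="MAC Adjacency"),
    Rule("accept-printers", "accept", 80, 100, target_category="Printers"),
    Rule("accept-everything-paused", "accept", 0, 100,
         include_random_mac=True, active=False),
    Rule("reject-weak-traffic", "reject", 0, 85,
         method="Traffic", include_random_mac=True),
]

# Constructed insights: IANA documentation-range MACs plus one randomized MAC.
INSIGHTS = [
    Insight("00:00:5e:00:53:01", "Physical Security Systems", "MAC Adjacency", 95),
    Insight("da:a1:19:00:53:02", "Physical Security Systems", "MAC Adjacency", 97),
    Insight("00:00:5e:00:53:03", "Printers", "Traffic", 82),
    Insight("00:00:5e:00:53:04", "Printers", "MAC Adjacency", 60),
]


def run_demo():
    return [adjudicate(RULES, insight) for insight in INSIGHTS]


if __name__ == "__main__":
    for insight, outcome in zip(INSIGHTS, run_demo()):
        print(insight.mac, insight.confidence, outcome)
```

The third insight matches both an accept rule and a reject rule and is rejected, which is the overlap to look for when a broad reject range and a narrower accept range cover the same scores.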
Dynamic Policy Group Suggestions
The Dynamic Policy Group Recommendations tool in Insights simplifies device classification by suggesting appropriate Policy Groups for unclassified assets. This feature analyzes devices in the Unassigned Policy Group using predefined match criteria—primarily based on category metadata—and proposes new groups with default security levels.
Policy Group Suggestions are customized based on customer vertical. Healthcare/Clinics, Manufacturing/Industrial, Corporate/Enterprise, and Education verticals all have unique Policy Group Suggestions. This setting is configured by your Elisity Engineer.
Dynamic Policy Group insights appear in the main Insights table with the Name set to Dynamic Policy Group and Category set to Policies. Click the checkmark icon to immediately create the suggested Policy Groups, or click the insight name to review the recommendations in the dedicated Dynamic Policy Group workflow.
Reviewing and Modifying Recommendations
The Policy Group Review screen presents a list of proposed Policy Groups for creation. Each suggestion can be customized before acceptance.
Policy Group Preference
Before reviewing suggestions, you can choose which Policy Groups to display using the Policy Group Preference toggle:
- Policy Groups with Assets (default): Displays only Policy Groups that currently have detected assets. This is the recommended option for initial adoption as it reduces the risk of unexpected asset reclassification.
- All Policy Groups: Displays all Policy Groups in the system regardless of whether assets have been detected. Use this option when you want to proactively create Policy Groups for infrastructure that may not yet be visible or for future network segments.
| Column | Description | How to Modify |
|---|---|---|
| Genre | Network domain classification (IT, IoT, OT, IoMT) | Click dropdown to select |
| Policy Group Name | Suggested name with category icon. Names are configurable by your Elisity Engineer | Double-click to edit |
| Impact | Classification priority (High, Medium, Low) - directly linked to Security Level | Modify via Security Level |
| Description | Brief system-created summary of the device classification | Double-click to edit |
| Assets | Number of unclassified devices that meet the match criteria | Click to preview device list |
| Security Level | Default Security Level assigned by Elisity (1-4) | Click dropdown to select |
To understand why a Policy Group is being recommended, click the Policy Group name to view the match criteria, such as "Category = Physical Security Systems."
To inspect which devices match these criteria, click the device count in the Assets column to see a preview list of affected devices including MAC address, IP, and hostname (if available). Clicking VIEW DETAILS will take you to the device details page for the selected device.
Genre Selection
Administrators can categorize Policy Groups by network domain using the Genre column. This organizational feature helps distinguish between different types of network environments and device classifications.
| Genre | Description |
|---|---|
| IT | Information Technology devices (workstations, servers, corporate infrastructure) |
| IoT | Internet of Things devices (sensors, smart devices, connected equipment) |
| OT | Operational Technology devices (industrial control systems, manufacturing equipment) |
| IoMT | Internet of Medical Things (medical devices, healthcare equipment) |
Genre selections are displayed in the Order Preview and help administrators understand the network domain purpose of each Policy Group at a glance.
Policy Group Order Preview
Before creating suggested Policy Groups, administrators can preview how new groups will be integrated into the existing Policy Group order of precedence. Policy Group creation impacts device classification depending on where new groups are placed in the priority order, and will often result in devices being reclassified.
To access the Order Preview, click the ORDER PREVIEW button in the top-right corner of the Policy Group Review table.
The Policy Group Order modal displays a complete view of Policy Group precedence, showing both existing and newly suggested groups in priority order.
| Column | Description |
|---|---|
| Order | Numerical ranking (lower numbers = higher priority) |
| Policy Group Name | Name with category icon |
| Genre | IT, IoT, OT, IoMT categorization (if assigned) |
| Security Level | Security Level 1-4 with color coding |
| Description | Brief summary of the Policy Group |
Suggested Badge: Newly proposed Policy Groups are marked with a blue "Suggested" badge, allowing you to distinguish which groups will be added versus which already exist.
Understanding Impact: The Order Preview helps assess the reclassification impact of creating new Policy Groups. Devices are classified into the first matching Policy Group based on priority order, so new groups inserted higher in the order may reclassify devices from lower-priority groups.
Learn more about Policy Group order of precedence.
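To gauge the reclassification impact that the Order Preview describes, the first-match rule can be replayed against a device inventory for every position the suggested group could take. This Python model is an added example, not part of Cloud Control Center: the group names, vendor names, device records and the equality-based match on attributes are constructed assumptions.

```python
def classify(device, ordered_groups):
    """First matching group in priority order wins; no match means Unassigned."""
    for group in ordered_groups:
        if all(device.get(attr) == value for attr, value in group["match"].items()):
            return group["name"]
    return "Unassigned"


def reclassified(devices, current, proposed):
    """List (mac, before, after) for every device whose group changes."""
    moves = []
    for dev in devices:
        before, after = classify(dev, current), classify(dev, proposed)
        if before != after:
            moves.append((dev["mac"], before, after))
    return moves


def impact_by_position(devices, current, suggested):
    """Map each insertion index (0 = highest priority) to the moves it causes."""
    return {
        pos: reclassified(devices, current,
                          current[:pos] + [suggested] + current[pos:])
        for pos in range(len(current) + 1)
    }


# Constructed existing order of precedence (index 0 = highest priority).
CURRENT = [
    {"name": "ExampleCam Devices", "match": {"Vendor": "ExampleCam"}},
    {"name": "Workstations", "match": {"Type": "Workstation"}},
]

# Suggested group, using the match criteria quoted on this page.
SUGGESTED = {"name": "Physical Security Systems",
             "match": {"Category": "Physical Security Systems"}}

# Constructed inventory (MACs from the IANA documentation range).
DEVICES = [
    {"mac": "00:00:5e:00:53:01", "Vendor": "ExampleCam", "Type": "IP Camera",
     "Category": "Physical Security Systems"},
    {"mac": "00:00:5e:00:53:02", "Vendor": "OtherCo", "Type": "Badge Reader",
     "Category": "Physical Security Systems"},
    {"mac": "00:00:5e:00:53:03", "Vendor": "PCMaker", "Type": "Workstation",
     "Category": "Workstations"},
]

if __name__ == "__main__":
    for pos, moves in impact_by_position(DEVICES, CURRENT, SUGGESTED).items():
        print(f"insert at position {pos}: {len(moves)} device(s) move")
        for mac, before, after in moves:
            print(f"  {mac}: {before} -> {after}")
```

Placed at the top, the suggested group also pulls the camera out of its existing vendor group; placed lower, only the previously Unassigned badge reader moves.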
Creating Policy Groups
Once reviewed, select one or more recommended Policy Groups using the checkboxes and click REVIEW POLICY GROUPS to proceed to the summary screen.
The Summary screen categorizes selected groups by Impact Level and provides a final review of the Genre, Policy Group name, description, matched device count, and Security Level. This is your opportunity to validate what is being created before finalizing the action.
Policy Group names can be clicked to view match criteria details. Device counts can be clicked to see the list of affected devices.
Click CREATE POLICY GROUPS to complete the creation process. The new Policy Groups will appear immediately in the Policy Groups dashboard and are available for policy authoring and assignment.
Security Levels
Each recommended Policy Group includes a default Security Level that represents the potential impact of devices in that group:
| Security Level | Impact Classification |
|---|---|
| Security Level 1 | Low Impact |
| Security Level 2 | Medium Impact |
| Security Level 3 | High Impact |
| Security Level 4 | Critical (system-reserved) |
Security Levels can be modified during the review process or after creation to reflect organizational standards and enforcement requirements.
Evaluation Behavior
| Behavior | Description |
|---|---|
| Evaluated Devices | Only unclassified devices (in the Unassigned Policy Group) are evaluated |
| Matching Logic | Match criteria are derived from a predefined global library using static attributes like Category or Type |
| Execution Timing | Evaluations run automatically every hour and are also executed on-demand when opening the Insights view |
Static Policy Group Suggestions
The Static Policy Group Suggestions tool in Insights provides a guided workflow for creating common Static Policy Groups using CIDR-based match criteria. These suggestions are based on deployment patterns used across existing Elisity environments and reflect how administrators are commonly segmenting infrastructure and services during initial rollout.
This feature allows you to quickly build Policy Groups for known subnets such as guest wireless, remote access, or DHCP/DNS infrastructure. These Policy Groups function identically to manually created Static Policy Groups, and can be prioritized over dynamic groups to influence classification behavior.
To learn more about Static Policy Groups and how they interact with Dynamic Groups, see Policy Groups.
Static Policy Group insights appear in the main Insights table with the Name set to Static Policy Group and Category set to Policies. Click REVIEW INSIGHT to launch the workflow (the ACCEPT button is not available for Static Policy Groups because subnet assignment is required).
Launching the Static Policy Group Suggestions Workflow
Click REVIEW INSIGHT on a Static Policy Group insight to begin the workflow.
Step 1: Reviewing Suggested Policy Groups
The first step presents a predefined list of suggested Policy Groups with default Security Levels. Group names and Security Levels can be modified if needed.
Select which Policy Groups you would like to create and click Review Policy Groups to proceed to defining IP ranges.
Step 2: Assigning Subnets
For each selected Policy Group, you must assign one or more subnets in CIDR format. Cloud Control Center provides two methods for adding IP/Subnet information:
Method 1: Manual Entry
To manually add individual IP addresses or subnets:
- Click the Add IP/Subnet dropdown for the desired Policy Group
- Select Add IP/Subnets Manually
- In the dialog that appears, enter the subnet in CIDR format (e.g., 10.100.102.0/24)
- Optionally add a description to identify the subnet's purpose
- Click Add Another IP/Subnet to add additional entries, or click Add to save
- Repeat for each Policy Group as needed
The Add IP/Subnet dropdown offers two options: Add IP/Subnets Manually for individual entries, or Bulk Upload IP/Subnets for template-based uploads.
When selecting manual entry, a dialog opens where you can enter the subnet in CIDR notation along with an optional description. The interface displays a character count and allows you to add multiple subnets in a single session using the Add Another IP/Subnet link.
Method 2: Bulk Upload via Excel Template
For Policy Groups requiring multiple subnets, the bulk upload method streamlines the process using an Excel template:
- Click the Add IP/Subnet dropdown for the desired Policy Group
- Select Bulk Upload IP/Subnets
- Click Download Template to retrieve the Excel template file
- Open the template in Excel and add your subnet information:
  - Column A (Subnet): Enter each subnet in CIDR notation (e.g., 10.100.102.0/24)
  - Column B (Description): Add optional descriptions for each subnet
- Save the file as .xlsx format
- Return to Cloud Control Center and select Click to upload, or drag and drop the file
- Review the uploaded entries for accuracy
- Click Add to import the subnets
The bulk upload dialog provides a two-step process. First, download the Excel template by clicking Download Template. Then, after filling in the template with your subnet information, upload it using the file picker or drag-and-drop interface. The dialog accepts .xlsx files up to 3MB in size.
The downloadable template is a simple Excel spreadsheet with two columns. Column A is labeled Subnet (required) where you enter CIDR notation, and Column B is labeled Description (optional) for documenting each subnet's purpose.
After uploading the file, Cloud Control Center validates and displays the imported subnets in a verification screen. This allows you to review all entries before adding them to the Policy Group. The validation process checks that each subnet is in valid CIDR format and ensures that the subnets are not already assigned to other Static Policy Groups in the system.
Input Validation
Both manual entry and bulk upload methods perform validation to ensure data integrity:
- CIDR Format Validation: The system verifies that each subnet is entered in valid CIDR notation (e.g., 192.168.1.0/24 or 10.0.0.5/32 for single IP addresses)
- Duplicate Prevention: Cloud Control Center checks that the subnets you are attempting to add are not already assigned to other Static Policy Groups in the system
- Conflict Detection: The validation process identifies overlapping subnet ranges that could cause classification conflicts
If validation errors are detected, the system displays specific error messages indicating which entries need to be corrected before proceeding.
Template Format Requirements:
- The template uses two columns: Subnet (required) and Description (optional)
- Subnets must be in valid CIDR notation (e.g., 192.168.1.0/24 or 10.0.0.5/32 for single IPs)
- Descriptions are optional but recommended for documentation and troubleshooting purposes
- Maximum file size: 3MB (.xlsx format only)
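A sheet can be checked for the same classes of problem (format, duplicates, overlapping ranges) before it is uploaded. The Python below is an added example, not the product's validator: the rows and the `ASSIGNED_ELSEWHERE` mapping are constructed, and flagging address bits set below the prefix (for example 172.16.10.7/24) is an extra check assumed here, not one this page describes.

```python
import ipaddress


def first_clash(net, candidates):
    """Return (kind, detail) for the first candidate net duplicates or overlaps."""
    for other, where in candidates:
        if net.version == other.version and net.overlaps(other):
            kind = "duplicate" if net == other else "conflict"
            return kind, f"{net} vs {other} ({where})"
    return None


def check_subnets(rows, assigned_elsewhere=None):
    """rows: (subnet, description) pairs as entered in columns A and B.
    Returns (sheet_row, kind, detail) findings; an empty list means clean."""
    known = [(ipaddress.ip_network(cidr), f"Static Policy Group {group!r}")
             for cidr, group in (assigned_elsewhere or {}).items()]
    findings = []
    for row_no, (raw, _description) in enumerate(rows, start=2):  # row 1 = header
        text = str(raw or "").strip()
        try:
            if "/" not in text:
                raise ValueError("no /prefix length, not CIDR notation")
            net = ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            findings.append((row_no, "format", f"{text!r}: {exc}"))
            continue
        # Extra check (assumption): bits set below the prefix usually mean a typo.
        if ipaddress.ip_interface(text).ip != net.network_address:
            findings.append((row_no, "host_bits", f"{text} normalizes to {net}"))
        clash = first_clash(net, known)
        if clash:
            findings.append((row_no, *clash))
        known.append((net, f"row {row_no}"))
    return findings


# Constructed: subnets already assigned to other Static Policy Groups.
ASSIGNED_ELSEWHERE = {"172.20.0.0/16": "Remote Access"}

# Constructed sheet contents (column A, column B), starting at sheet row 2.
ROWS = [
    ("10.100.102.0/24", "Guest wireless"),
    ("10.100.102.128/25", "Guest wireless annex"),   # overlaps row 2
    ("10.0.0.5/32", "DNS primary"),
    ("10.0.0.5", "DNS secondary"),                    # missing prefix length
    ("192.168.1.0/33", "Lab"),                        # invalid prefix length
    ("172.16.10.7/24", "VPN pool"),                   # host bits set
    ("172.20.0.0/16", "Remote access"),               # assigned to another group
    ("10.100.102.0/24", "Guest wireless (again)"),    # repeats row 2
]

if __name__ == "__main__":
    for row_no, kind, detail in check_subnets(ROWS, ASSIGNED_ELSEWHERE):
        print(f"row {row_no}: {kind}: {detail}")
```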
Step 3: Review Assignments
After assigning subnets using either method, review your selections. Each Policy Group displays the number of assigned subnets. You can add additional subnets or remove entries as needed before proceeding.
Click Next or Review Policy Groups to continue to the summary.
Step 4: Summary and Creation
The Summary screen displays all selected Policy Groups with their Security Levels and assigned subnet counts. Review the configuration to ensure accuracy.
Click Create Policy Groups to finalize the creation.
The groups will appear immediately in the Policy Groups dashboard and are available for policy authoring and classification.
Completion
Once finished, a confirmation screen provides quick access to the Policy Groups view and the Policy Matrix, or lets you return to Insights.
Policy Suggestions
Policy Suggestions presents administrators with recommended policies based purely on the relationships between classified Policy Groups. Intended for low to medium impact Policy Groups, this feature quickly implements policies that make sense even before traffic is observed, such as denying traffic from Unverified PCs to Physical Security Systems. The engine evaluates existing Policy Group definitions (with Security Levels 1 and 2 only) and highlights potential communication paths between groups that lack explicit policy coverage. These suggestions help accelerate segmentation, particularly in environments where policy constructs exist but enforcement is still maturing.
Each suggestion specifies a source and destination Policy Group, a proposed action (Allow or Deny), and a calculated impact level. These recommendations are placed in Simulation Mode by default, allowing safe evaluation in the Policy Matrix without live enforcement.
Policy Suggestions insights appear in the main Insights table with the Name set to Policy Suggestions and Category set to Policies. The Suggestion for column displays the number of policies recommended (e.g., "4 Policies" or "196 Policies"). Click the checkmark icon to immediately apply all suggested policies for that policy set, or click the insight name to review suggestions in the dedicated Policy Suggestions workflow.
Policy Suggestions Workflow
The Policy Suggestions feature in the Insights section of Cloud Control Center helps administrators build foundational segmentation policy based on existing identity constructs. This workflow is designed to improve enforcement coverage within the Default Policy Set, which is the only supported policy set for this feature at this time.
NOTE: Policy Suggestions currently operate only on the Default Policy Set. Custom or site-specific policy sets are not included in the evaluation.
Step 1: Before
This initial view displays the current state of the Default Policy Set Policy Matrix. The matrix shows all existing policies between classified Policy Groups, and provides a baseline Deployment Score that reflects current coverage.
Click How Can I Improve? to continue.
Step 2: After
The After screen overlays the Policy Matrix with recommended policies between Policy Groups that do not currently have defined relationships. These suggestions are based on identity and security posture—not on observed traffic—and are generated by comparing group classifications against a predefined security policy framework.
- Solid green or red cells represent suggested policies (Allow or Deny).
- Partially transparent cells indicate already existing policies or policies which are not applicable for the current filter (low or medium impact filter).
- The projected Estimated Deployment Score reflects the policy coverage improvement if all suggestions were accepted. Note that this will be a small improvement, as simulated policies are only worth 10% of enforced policies towards the deployment score.
Use the filters to narrow suggestions by impact level. Policies that are not relevant to the selected filter appear transparent, and applicable policies are highlighted.
Step 3: Summary
This final screen displays a list of all recommended policies categorized by impact level. For each entry, you see:
- Source and Destination Policy Groups
- Proposed action (Allow or Deny)
- Projected impact on the Deployment Score
Select the policies you wish to apply and click Create Policies. All policies created through this workflow are placed in Simulation Mode by default.
Policy Suggestions: Traffic Review
After suggested policies have been in simulation for a defined period (configurable by your Elisity Engineer, see below), they are automatically evaluated using observed traffic data. The Traffic Review feature uses this telemetry to provide guidance on whether a simulated policy should be promoted to enforcement or remain in simulation.
The traffic review timer can be configured by your Elisity Engineer to control how long the platform observes device traffic before recommending policies. This behavior is driven by the Security Level of the associated Policy Group along with a timing profile.
| Timing Profile | Security Level 1 | Security Level 2 |
|---|---|---|
| Aggressive | 30 minutes | 1 hour |
| Standard | 2 days | 4 days |
| Conservative | 7 days | 15 days |
| Extended | 15 days | 30 days |
Shorter timers lead to faster recommendations but may reflect more short-term behavior. Longer timers provide a more conservative approach, allowing broader observation before action is suggested.
- If no traffic has been observed and the policy is Deny All, the system will recommend promotion to enforcement.
- If traffic has been observed, the policy will remain in simulation for further evaluation.
- Permit All policies and custom profiles are handled similarly, with traffic being observed
Important: Only traffic observed while the policy is in simulation is considered. Traffic history prior to simulation is not used in these evaluations.
This feedback loop allows administrators to safely iterate and validate segmentation policies before enforcement, reducing the risk of disruption.