Endpoint Analytics UI#

The Endpoint Analytics web interface offers a streamlined and intuitive platform for managing and monitoring all connected devices within a network. It is accessed by pointing any supported browser at the DNS name or IP address of the appliance's management interface. The embedded web server is served over HTTPS and supports installing a TLS (SSL) certificate so that browsers can verify the appliance's identity; plain HTTP requests can also be redirected to HTTPS automatically.

This section introduces the different pages and views of the web interface and provides detailed instructions for leveraging their associated functions.

Dashboard#

The Dashboard tab/page is the web interface’s landing page upon login and consists of an at-a-glance summary of the state of the entire Endpoint Analytics system.

This page allows individual users to configure their layout to display the endpoint, profile, and system data visualizations best suited to their workflows and gives them convenient access to critical statistics and data.

Clicking the Edit button will put the dashboard into edit mode, where the user can add, remove, and resize the following widgets to tailor the layout to their specific usage scenario:

  • 24-hour Event Stats

  • Connection Types

  • Custom Data Names

  • DHCP Client FQDNs

  • DNS Zones

  • Endpoint Directory

  • Endpoint Stats

  • Endpoints by Profile

  • Endpoint Risk Levels

  • MAC Vendors

  • Endpoints by Risk

  • RADIUS Authentication Status

  • Healthcare Endpoints

  • Healthcare Endpoints - Make/Model

Clicking a widget or one of its elements drills down into the endpoint or profile data displayed and brings up more detailed information. Additional details can also be viewed by mousing over widget elements.

Hint

Dashboard layouts and settings are saved per user and will be loaded upon login.

The Endpoint Analytics web interface also includes the following helpful features:

System status overview

The help/question mark button in the web interface’s banner opens an overview of the status of the Endpoint Analytics system, its individual software components, and any connections to Active Directory, DNS servers, or other third-party services.

Streamlined access to help and support

The Request Support/System Status page also offers quick access to a full range of troubleshooting options and allows the user to easily contact Plixer Technical Support or access their support portal.

Endpoints#

The Endpoints tab/page in the web interface functions as a single pane-of-glass endpoint monitoring and administration tool that streamlines how users inspect, track, and manage endpoints on their networks. It allows the user to switch between different endpoint data views and includes options to download data for offline analysis.

Endpoint profiles#

Endpoint Analytics' endpoint profiling engine actively analyzes all discovered devices and monitors network activity to assign each endpoint a profile based on the collected data. These profiles (and profile groups) are used by the web interface to provide quick access to essential endpoint data and to simplify device management.

How profiles are assigned

The system relies on several collector modules that use various means to collect endpoint and traffic data, which they forward to a central server module. The endpoint profiling engine then aggregates and processes the collected data and uses it to assign profiles to all discovered endpoints.

Endpoint Analytics uses MAC addresses as the primary identifier for endpoints, but in certain scenarios, the IP address is the sole identifier available. In such cases, only “IP-learned” attributes can be captured for use by the endpoint profiling engine.

Note

When assigning profiles and monitoring the network edge for changes, Endpoint Analytics prioritizes “MAC-learned” over IP-learned attributes and will always rely on the former, when available, to make decisions and resolve conflicts.

Profiles that are assigned to similar endpoints are further grouped into factory-defined profile groups for more efficient sorting and management within the web interface.

Endpoint identity attributes

The following table lists all identity attributes used by Endpoint Analytics’ endpoint profiling engine to compare against profile rules for endpoint classification:

Note

In the web interface, an endpoint’s profile match score indicates the relative degree of certainty that the endpoint has been assigned the correct profile. The profile match score is also used by Endpoint Analytics to determine if and when an endpoint should be moved out of and/or into a new profile assignment.

Attribute                        IP-learned only?  Description
Active Directory                 No                Endpoint data maintained in Active Directory (domain membership, AD computer name, OS, OS version, service pack, AD domain name)
Custom data                      No                User-defined attributes
DHCP client FQDN                 No                Fully qualified domain name included in the DHCP request
DHCP client vendor               No                Vendor class identifier (Option 60) included in the DHCP request
DHCP hostname                    No                Hostname included in the DHCP request
DHCP requested options           No                Additional options requested in the DHCP request (Option 55/81)
DHCP options                     No                Full list of DHCP options supported by the client, as included in the DHCP request
DNS name                         Yes               DNS name the IP address resolves to via reverse lookup
Discovery protocol               No                Data in the LLDP/CDP message that identifies the device to upstream neighbors
IP address                       No                Full host (or subnet) address being used by the endpoint
MAC address/vendor               No                Full MAC address of the endpoint or OUI of the device manufacturer
RADIUS accounting data           No                RADIUS username of the endpoint (successful RADIUS authentication required)
Server banner                    Yes               Contents of the web/SMTP server banner returned by the endpoint to connecting clients
SNMP system description          No                Contents of the SNMP system description collected from polled devices
Stack information                Yes               TCP stack parameters observed when the endpoint opens a TCP connection with another endpoint (TTL, window size, TCP options list)
Open TCP ports                   Yes               TCP ports observed to be accepting connections, based on traffic analysis
Network traffic                  Yes               Characteristics observed in communications with other hosts on a specific UDP/TCP port
Web URL                          Yes               URL visited via HTTP
Web user agent                   Yes               HTTP User-Agent string observed in the endpoint's web requests
DICOM association (healthcare)   No                Medical imaging-specific attributes
Device identifier (healthcare)   No                Attributes linked to medical device hardware details
Make and model (healthcare)      No                Attributes linked to medical device identifier details
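To make the MAC-learned versus IP-learned distinction and the profile match score concrete, here is an added illustrative model of how a profiling engine can rank profile rules against observed attributes. It is not Plixer's engine and not code from this manual: the rule format, the profile names, the 2:1 weighting of MAC-learned over IP-learned attributes, and the sample endpoints are all assumptions made for this example.

```python
# Added illustrative model of how a profiling engine can rank profiles against
# observed identity attributes. This is NOT Plixer's engine: the rule format,
# the 2:1 weighting of MAC-learned over IP-learned attributes, and the profile
# names are assumptions made for this example.
from dataclasses import dataclass, field

# Attributes the table above marks as "IP-learned only?" = Yes.
IP_LEARNED_ONLY = {
    "dns_name", "server_banner", "stack_info", "open_tcp_ports",
    "network_traffic", "web_url", "web_user_agent",
}


@dataclass
class ProfileRule:
    name: str
    group: str
    # attribute -> substring that must occur in the observed value
    matches: dict = field(default_factory=dict)


# Constructed profile rules (hypothetical; real rule sets are far larger).
PROFILES = [
    ProfileRule("Windows Workstation", "Computers", {
        "dhcp_client_vendor": "MSFT 5.0",
        "dhcp_options": "1,3,6,15,31,33,43,44,46,47",
        "web_user_agent": "Windows NT",
    }),
    ProfileRule("Linux Server", "Servers", {
        "stack_info": "ttl=64",
        "server_banner": "Apache",
        "open_tcp_ports": "22",
    }),
    ProfileRule("Printer", "Printers", {
        "mac_vendor": "Hewlett Packard",
        "snmp_sysdescr": "JetDirect",
    }),
]


def score_profile(rule, attrs):
    """Match score (0-100) of one rule against an endpoint's observed attributes.

    MAC-learned attributes weigh 2, IP-learned ones weigh 1, so when the two
    disagree the MAC-learned evidence decides (the priority the text describes;
    the exact weights are this example's assumption). Attributes the endpoint
    has not exposed simply score nothing; they are not treated as mismatches.
    """
    total = matched = 0
    for attr, pattern in rule.matches.items():
        weight = 1 if attr in IP_LEARNED_ONLY else 2
        total += weight
        value = attrs.get(attr)
        if value is not None and pattern in value:
            matched += weight
    return round(100 * matched / total) if total else 0


def assign_profile(attrs, rules=PROFILES):
    """Rank every rule; return (assigned profile, its score, other candidates).

    The "other candidates" list is what a "Show Other Profiles" view would show:
    profiles considered but not used because they scored lower.
    """
    ranked = sorted(((score_profile(r, attrs), r.name) for r in rules), reverse=True)
    best_score, best_name = ranked[0]
    if best_score == 0:
        return "Not Profiled", 0, []
    return best_name, best_score, ranked[1:]


# Constructed endpoints. The first has MAC-learned data pointing at a printer
# but a stale IP-learned browser user agent (e.g. from a reused IP address);
# the second is IP-only, so only IP-learned attributes are available.
PRINTER = {
    "mac_vendor": "Hewlett Packard",
    "snmp_sysdescr": "HP ETHERNET MULTI-ENVIRONMENT, JetDirect",
    "web_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}
IP_ONLY_HOST = {
    "stack_info": "ttl=64 win=29200",
    "server_banner": "Apache/2.4.57 (Debian)",
    "open_tcp_ports": "22,80",
}

if __name__ == "__main__":
    for name, attrs in (("printer", PRINTER), ("ip-only host", IP_ONLY_HOST)):
        profile, score, others = assign_profile(attrs)
        print(f"{name}: {profile} ({score}%), other profiles: {others}")
```

The substring matching is deliberately crude (a port rule of "22" would also match "122"); the point of the example is the weighting, which is why the stale Windows user agent on the printer only earns the Windows Workstation profile a low score instead of displacing the MAC-learned evidence.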

Endpoints menu#

The Endpoints menu group of the Endpoint Analytics web interface allows the user to toggle between a wide range of sorting and viewing options in order to quickly look up profiles, profile groups, and other vital endpoint data.

Clicking on a link in any of the views will either drill down into the category or, in the case of MAC and IP addresses, open the Endpoint Summary page for that endpoint.

Note

In the main page of each view, groupings (profiles, profile groups, MAC vendors, etc.) that do not contain any discovered endpoints will not be displayed.

Directory

The Directory view lists all currently enabled profiles that have at least one endpoint, along with their profile groups and the number of endpoints that have been assigned that profile. The table also includes a Not Profiled category for endpoints that have been discovered but have not yet been assigned a profile.

To view the endpoints under a profile as well as additional details about them, click on the profile name on the main Endpoints Directory page.

By Network Device

The By Network Device view lists all network infrastructure device (NID) groups and the number of endpoints associated with each one. Clicking on a group name will bring up a table of all network devices in that group as well as their IP addresses.

From there, click on the IP address of an NID to view a list of all endpoints connected to the device, sorted by port number.

The Query Now button on this page will trigger an immediate SNMP poll and update the Endpoint Analytics database with the latest device data.

By Profile Group

The By Profile Group view lists all profile groups and the number of endpoints that have been assigned profiles within each group.

To view a table of all profiles and endpoints under a group, click on the profile group name.

By MAC Vendor

The By MAC Vendor view lists all MAC Vendor names and the number of endpoints registered with each MAC Vendor ID (OUI).

To view all endpoints with the same OUI, click on the MAC Vendor name in the list.

By Computer OS

The By Computer OS view lists all operating systems (OSs) currently used by discovered devices and the number of endpoints using each OS.

To view all endpoints using a specific OS, click on the OS name in the list.

By Computer Domain Names

The By Computer Domain Name view lists all domain names used by discovered endpoints and the number of endpoints that belong to each domain.

To view all endpoints belonging to a specific domain, click on the domain name in the list.

By Custom Data

The By Custom Data view lists all custom data objects that have been attached to endpoints and the number of endpoints associated with each one.

To view all endpoints with the same custom data object attached, click on the custom data string in the list.

By RADIUS Usernames

The By RADIUS Username view lists all RADIUS usernames used for authentication with discovered endpoints.

To view all endpoints tied to a specific RADIUS username, click on the name in the list.

Risk

The Risk view lists all endpoints, along with their assigned profiles and a breakdown of individual risk scores by assessment tool/service.

Note

A dash (-) in one of the risk columns for an endpoint indicates that no risk data is available from that source.

By VLAN

The By VLAN view lists all NID groups and the number of VLANs under each group. Clicking on an NID group name will bring up a table of the VLANs belonging to the group and the number of profiles associated with each one.

To view a list of profiles associated with a specific VLAN, click on the VLAN name in the list.

Network Topology

The Network Topology view displays a graphical representation of the network as discovered by Endpoint Analytics. The main page displays all NID groups containing devices with connected endpoints as well as an Ungrouped category for devices that have not been assigned to any NID groups. From there, the different elements of the visualization can be used to drill down and view the NIDs in each group and the endpoints connected to each one.

Hint

NIDs that have been polled recently will be displayed in green, while those that have been unreachable since they were added will be displayed in red.

IP-Only Endpoints

The IP-Only view lists all profiles assigned to endpoints that have not yet been mapped to their corresponding MAC addresses. The main table can be filtered by subnet group (requires the subnet groups to have been previously added).

From the main table, clicking on a profile name will display a page with all IP-only endpoints under that profile, where clicking on an individual IP address will bring up the Endpoint Summary Page.

Retired

The Retired Endpoints view lists all profiles assigned to endpoints that have been inactive for longer than the configured endpoint timeout and have therefore been flagged as retired.

Hint

For additional information about retired endpoints and the endpoint timeout setting, see the data processing section of the Endpoint Analytics configuration guides.

From the main table, clicking on a profile name will display all retired endpoints under that profile, along with their last known IP, profile match score, last location, and the date they were retired.

Unconnected Ports View

The Unconnected Ports View option displays a list of all device ports reported as down during the most recent SNMP poll, grouped by the NID they belong to.

Clicking on either the name or IP address of an NID will open the Edit Network Device page.

View Endpoint Events

The View Endpoint Events option displays a history of all events triggered by endpoints discovered by Endpoint Analytics. An event’s details and management options will be accessible from this page until it is manually cleared from the system or automatically removed due to the event history setting.

To manually clear events from the system, tick the corresponding checkboxes in the first column of the table, and then click the Delete Selected button. Individual endpoints can also be cleared from their Endpoint Summary page.

Endpoint Summary page#

The Endpoint Summary page contains all current and historical information about each endpoint discovered by Endpoint Analytics and can be accessed from any view or page in the web interface that contains links to an endpoint’s MAC or IP address.

This page also allows the user to manually clear or delete the endpoint from the Endpoint Analytics database or add custom data objects using the buttons near the bottom of the page.

The Endpoint Summary page is divided into the following tabs:

Endpoint Summary

The main tab contains a high-level overview of all endpoint details, including:

  • Profile match score for the currently assigned profile

  • Risk level

  • VLAN information extracted from RADIUS accounting data

  • Any custom data objects associated with the endpoint

The Show Other Profiles link will display all other profiles that were considered by the Endpoint Profiling Engine but not used due to lower profile match scores.

Hint

If Microsoft Defender integration has been configured, the main Endpoint Summary tab will also include a link to the Microsoft Defender overview for the endpoint as well as additional buttons to scan, isolate, or unisolate the device.

Note

Endpoints connected via a Cisco hybrid wireless access point will be labeled as such under their Current Location details. When inspecting device ports, this will be displayed in the Wireless Endpoint View tab.

Risk

The Risk tab contains a summary of all risk information for the endpoint, with subtabs for individual risk assessment tool reports.

Profile Data

The Profile Data tab contains additional profile-related details for the endpoint and is further divided into seven subtabs for the following information:

  • DHCP - DHCP lease requests and response data observed by the system

  • Active Directory - Microsoft AD data items (only available if the system has been configured to collect data from AD servers on the network and AD information has been linked to the endpoint)

  • RADIUS - Any RADIUS accounting information forwarded from RADIUS clients on the network (if configured)

  • Software - Information collected if open port, user agent, web and SMTP server banner, and/or web URL data have been captured

  • Traffic - Endpoint communications that have matched configured traffic profile rules

  • Healthcare - Healthcare-specific device data associated with the endpoint

  • Miscellaneous - Network stack information collected for the endpoint

Endpoint Events

The Endpoint Events tab lists all events triggered by the endpoint, including its moves between profile assignments, along with additional details for each event. For more information on events in Endpoint Analytics, see the subsection on configuring events.

MAC History

The MAC History tab contains all historical data tied to the MAC address of the endpoint, divided into three subtabs:

  • MAC History by Port - Lists the network device ports the endpoint has been connected to

  • MAC History by IP - Lists all IP addresses used by the endpoint

  • MAC History by Profile - Lists all profiles that have been assigned to the endpoint

IP History

The IP History tab contains all historical data tied to the current IP address of the endpoint, divided into two subtabs:

  • IP History by MAC - Lists all MAC addresses that have used the current IP address

  • IP History by Profile - Lists all profiles that have been assigned to endpoints using the current IP address

Note

The period of time covered by the MAC and IP history data for an endpoint can be adjusted by changing the Historical Limit setting. For more information and instructions, see the data processing section of the Endpoint Analytics configuration guides.

Risk assessment#

Endpoint Analytics evaluates endpoint risk by applying multiple assessment methods to the data collected by the system.

Endpoints are assigned an overall risk level based on the following risk assessment methods and solutions:

Risk Assessment Method          Description
Identity-Based Risk: Identity   Based on security vulnerability information associated with the endpoint's assigned profile
Identity-Based Risk: OS         Based on security vulnerability information associated with the endpoint's operating system
Duplicate MAC                   Based on detection of the same MAC address at multiple wired locations (risk expires after 24 hours) or at both a wired and a wireless location (risk persists)
Tenable                         Based on the highest-risk vulnerability discovered for the endpoint by Tenable.io (if enabled). For additional information and configuration instructions, see the subsection on Tenable.io integration.
Microsoft Defender              Based on the highest-risk vulnerability reported for the endpoint by Microsoft Defender (if enabled). For additional details and configuration instructions, see the subsection on Microsoft Defender integration.

The overall risk level and individual risk scores by assessment are listed under the Endpoints > Risk view.
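Because a MAC address is trivially changed by the endpoint itself, the same MAC appearing at two locations is worth investigating as possible MAC spoofing (for example, to bypass MAC-based port security) rather than being dismissed as a data error. The following is an added detection example for the Duplicate MAC rule described in the table; it is not Plixer's implementation, and the sighting format, the fixed "now", and the reading of "expires after 24 hours" (the risk is active only while at least two distinct wired locations were seen inside the last 24 hours) are this example's assumptions.

```python
# Added detection example for the Duplicate MAC risk described above. It is
# not Plixer's implementation; the sighting format, the 24-hour window, and
# the way "expiry" is interpreted (at least two distinct wired locations seen
# within the last 24 hours) are this example's assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

WIRED_DUPLICATE_TTL = timedelta(hours=24)


@dataclass(frozen=True)
class Sighting:
    mac: str
    nid: str      # network infrastructure device that reported the endpoint
    port: str     # switch port, or AP/SSID for wireless
    medium: str   # "wired" or "wireless"
    seen: datetime


def duplicate_mac_risk(sightings, now):
    """Return {mac: "persistent" | "wired-duplicate"} for MACs seen at multiple locations.

    wired + wireless  -> persistent (stays until an operator clears it)
    two or more wired -> wired-duplicate, but only while at least two distinct
                         wired locations fall inside the 24-hour window
    """
    by_mac = {}
    for s in sightings:
        by_mac.setdefault(s.mac.lower(), []).append(s)

    risks = {}
    for mac, seen in by_mac.items():
        wired = {(s.nid, s.port) for s in seen if s.medium == "wired"}
        wireless = any(s.medium == "wireless" for s in seen)
        if wired and wireless:
            risks[mac] = "persistent"
            continue
        recent_wired = {(s.nid, s.port) for s in seen
                        if s.medium == "wired" and now - s.seen <= WIRED_DUPLICATE_TTL}
        if len(recent_wired) > 1:
            risks[mac] = "wired-duplicate"
    return risks


# Constructed sightings relative to a fixed "now" so the example is repeatable.
NOW = datetime(2024, 1, 15, 12, 0)
H = timedelta(hours=1)
SIGHTINGS = [
    # same MAC on two different switches within the window -> wired-duplicate
    Sighting("00:11:22:33:44:55", "sw-floor1", "Gi1/0/1", "wired", NOW - 2 * H),
    Sighting("00:11:22:33:44:55", "sw-floor2", "Gi1/0/7", "wired", NOW - 1 * H),
    # the older of the two wired locations is 30 h old: duplicate expired -> no risk
    Sighting("00:11:22:33:44:66", "sw-floor1", "Gi1/0/2", "wired", NOW - 30 * H),
    Sighting("00:11:22:33:44:66", "sw-floor3", "Gi1/0/3", "wired", NOW - 2 * H),
    # wired and wireless at any time -> persistent
    Sighting("00:11:22:33:44:77", "sw-floor1", "Gi1/0/5", "wired", NOW - 72 * H),
    Sighting("00:11:22:33:44:77", "wlc-1", "corp-wifi", "wireless", NOW - 120 * H),
    # ordinary endpoint seen twice on the same port -> no risk
    Sighting("00:11:22:33:44:88", "sw-floor1", "Gi1/0/9", "wired", NOW - 3 * H),
    Sighting("00:11:22:33:44:88", "sw-floor1", "Gi1/0/9", "wired", NOW - 1 * H),
]

if __name__ == "__main__":
    for mac, risk in duplicate_mac_risk(SIGHTINGS, NOW).items():
        print(f"{mac}: {risk}")
```

When triaging a wired-duplicate hit, the MAC History by Port tab on the Endpoint Summary page shows the sequence of locations, which helps separate a laptop moved between docking stations from two devices claiming the same address at the same time.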

Configuration#

The Configuration tab contains different submenus that allow Endpoint Analytics’ various features and functions to be configured or modified. For more information on the different Configuration submenus, see the Configuration Guides section of this manual.

Utilities#

The Utilities tab contains additional tools for searching for or displaying endpoint data and allows the user to back up the database and view system log data.

Utilities menu#

In addition to the Search submenu, the Utilities menu group contains several other data management and troubleshooting tools for Endpoint Analytics:

Profile Data

Allows the user to search for and/or view identity attributes that have been captured from discovered endpoints and drill down into the profile data to inspect the MAC or IP addresses associated with an attribute

Custom Data

Allows the user to add custom data objects to a MAC address, view (and/or edit) all custom data objects, or import custom data objects in bulk from a CSV file

A template for the batch import CSV file can be downloaded from the Import Custom Data page.

System Summary

Displays top-level system statistics and provides access to the following troubleshooting tools:

  • Display Server Log - Shows the last 500 entries in the server module log file (most recent first)

  • Backup Database - Creates a snapshot of the database, including all configuration and endpoint data, and saves the database backup file to a PC or file share as a GZIP (.gz) file

  • Cleanup Database - Permanently deletes all web user agents, open TCP ports, and traffic data not currently being used

  • Enable/Disable Automated Database Cleanup - Enable or disable automated database cleanups

Licenses

Lists all third-party license acknowledgements for Endpoint Analytics

Update Registered MAC Vendors

Allows the user to update the appliance’s OUI table (used to resolve MAC vendors) with the latest available data published by the IEEE

If the appliance is not able to access the Internet, download the latest IEEE OUI file, extract ieee.txt to the workstation, and select the file using the Update from File option.

Note

A re-model is required to apply the latest changes whenever the table of registered MAC vendors is updated.
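As an added example of what the OUI table update does, the following parses the text layout of the IEEE OUI file and resolves MAC addresses to vendors. It is not Plixer's code and the file excerpt is constructed for the example; it assumes the file the appliance consumes uses the same "(hex)" line layout as the IEEE's public oui.txt. It also shows the caveat a practitioner runs into: a MAC with the locally administered bit set (the randomised "private" addresses modern phones use on Wi-Fi, or a spoofed address) never resolves to a registered vendor, so "unknown vendor" is not by itself evidence of a bad OUI table.

```python
# Added example: parse the IEEE OUI text layout and resolve MAC vendors.
# Not Plixer's code. The excerpt below is constructed for this example and
# assumes the "(hex)" line layout of the public IEEE oui.txt file.
import re

IEEE_OUI_EXCERPT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
\t\t\t\t170 West Tasman Drive
\t\t\t\tSan Jose  CA  95134
\t\t\t\tUS

3C-D9-2B   (hex)\t\tHewlett Packard
3CD92B     (base 16)\t\tHewlett Packard
\t\t\t\t11445 Compaq Center Drive
\t\t\t\tHouston  TX  77070
\t\t\t\tUS
"""

# Only the "(hex)" line of each assignment carries what we need.
OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui_file(text):
    """Parse the IEEE OUI text format into {"00000c": "Cisco Systems, Inc", ...}."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3)).lower()] = m.group(4)
    return table


def normalise_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set: not an IEEE-assigned OUI."""
    return int(normalise_mac(mac)[:2], 16) & 0x02 != 0


def mac_vendor(mac, table):
    """Resolve a MAC to its registered vendor, or say why it cannot be resolved."""
    norm = normalise_mac(mac)
    if is_locally_administered(norm):
        return "locally administered (randomised or spoofed; no vendor)"
    return table.get(norm.replace(":", "")[:6], "unknown OUI")


if __name__ == "__main__":
    oui = parse_oui_file(IEEE_OUI_EXCERPT)
    for sample in ("00:00:0c:12:34:56", "3cd9.2baa.bbcc", "02:00:0c:12:34:56", "00:11:22:33:44:55"):
        print(f"{sample}: {mac_vendor(sample, oui)}")
```

An endpoint whose address flips between a registered vendor and a locally administered one is a useful signal on its own: the same physical device is either rotating a private address or has been re-addressed, and neither should be trusted as a stable identity without corroborating MAC-learned attributes such as RADIUS or LLDP data.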

Reports#

The Reports tab of the web interface is designed to offer quick access to a number of predefined reports, which are generated after aggregating and analyzing endpoint and profile statistics.

All reports include links that allow the user to drill down into the category and/or view the Endpoint Summary page for a MAC or IP address.

Hint

The Reports menu is an alternative means of opening the pages linked to in the web interface’s dashboard widgets and can be used to access the statistics and data even when the corresponding widgets are not being used.

The following reports are available from the submenu:

  • DHCP Client FQDN Statistics: Displays statistics for DHCP client FQDNs grouped by domain name

  • Endpoint Names: Lists all endpoints for which at least one of the following name attributes has been discovered: DNS name, DHCP hostname/domain name/FQDN, or Active Directory DNS name

  • Endpoint Statistics: Summarizes statistics for all discovered endpoints, split into the following tabs: Profile Name, MAC Vendor, DNS Name, OS, Domain Name, and RADIUS User Name

  • Endpoints by Connection Type: Shows the distribution of discovered endpoints by network connection type in a pie chart

  • Endpoints by Profile - Top 10: Shows the top ten profiles based on the number of endpoints using that assignment in a pie chart

  • Healthcare Endpoints: Lists all healthcare-related endpoints discovered on the network, split into two tabs: Device Information and HL7 UDI (Unique Device Identifier)

  • Healthcare Imaging Endpoints: Lists all healthcare imaging endpoints discovered on the network, along with the IP address and AE title information for each imaging device

  • Profile Statistics: Displays a summary of profile statistics with profile groups and distribution percentages in table format

  • RADIUS Authentication: Shows the distribution of endpoints by RADIUS authentication status in a pie chart