Download Unauthorized and Prevented connections logs for Workload groups

Typically, Workload groups are first placed in the Observe mode (with or without applying Policies). All inbound connections that violate the Policies (if Policies are applied) are tracked as Unauthorized attempts detected for a Workload group. If Policies are not applied, all inbound connections are flagged as Unauthorized attempts.

After you observe the efficacy of the Policies, you tweak the Policies to allow only desired traffic to and from Workload groups. To enforce the final list of Policies, you move the Workload groups to the Enforce mode and enable the Zero Trust mode for the Workload Groups. The inbound connections that violate the enforced Policies are blocked and tracked as Prevented attempts for a Workload group.

Download Unauthorized or Prevented attempts connections log

Download the connections log for Unauthorized attempts and/or Prevented attempts for a Workload group from the fly panel of the Workload group. The connections log is downloaded as a CSV file, and this file is downloaded from the Flow Explorer feature on Xshield. This CSV file contains the details of the short-lived and long-lived inbound sessions.

The CSV file you download from the Workload group's fly panel may show more records (rows) than the number of attempts displayed on the fly panel. This is because although the fly panel displays the number of unique Unauthorized or Prevented inbound sessions, for long-lived Unauthorized or Prevented inbound sessions, the actual flow records that are downloaded are split into multiple rows on the CSV file. See Interpret traffic flows downloaded from Flow Explorer for more details.

The count for the Unauthorized attempts and/or Prevented attempts is the total number of unique inbound sessions (session IDs) to the Workload group in the last 7 days.

  1. Go to Assets & Groups > Workload Groups.

  2. Click a Workload group.

  3. In the fly panel of the Workload group, click the Download icon next to Unauthorized attempts detected or Prevented attempts.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.