// 04 The Console

When someone asks why a connection was blocked, can you answer in 30 seconds?

Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.

At a Glance

What it doesBlocks malicious network traffic at the network layer using reputation-based threat intelligence.
Who it's forSecurity teams needing prevention-first network defense.
How it deploysShield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management.
What you getPrevention of known-bad connections with full evidence of what was blocked.

Most consoles are built for analyst triage queues. This one is built for the engineer defending a decision in a Slack thread or a security committee meeting. Open the event log. Click the event. There is your answer.

Built for the architect tuning the policy. Not for the analyst chasing the alert.

Event log. Forensic detail. Export.

The console is three things: a chronological event stream of every block, a one-click forensic record per event, and CSV/Excel export for incident reports and audit. No alert priority scoring. No queue.

// What You See When You Open It

The event log. Last 24 hours.

Representative view. Each row is a blocked connection with full forensic context one click away. Filter by platform, time, source, destination, threat category, or policy.

Command Hub · Event Log · Last 24h · 1,247 blocked events
StatusSource · DestinationCategoryTime
Blocked10.4.21.118185.220.101.42:443C214:23:11.082
Blocked10.4.21.118185.220.101.42:443C214:23:09.741
Blocked10.4.18.92 → DNS query: malicious-domain.exampleDNS14:22:58.215
Blocked192.0.2.14410.4.0.0/16 (port scan)Scan14:22:41.003
Blocked10.4.7.55198.51.100.23:8080Botnet14:22:33.890
Blocked10.4.7.55198.51.100.23:8080Botnet14:21:33.124
// The Investigation Flow

Open the log. Click the event. Done.

Most "investigation workflows" in security tooling are six clicks deep with custom queries. This one is two clicks. The forensic record is already attached to the block.

The QuestionThe Path
"Why was 10.4.21.118 blocked from reaching 185.220.101.42?"Open event log. Filter by source IP. Click the event. Reputation context, threat category, policy attribution, microsecond timestamp.
"What was blocked in the last hour across all platforms?"Set time filter. Default view is all enforcement platforms. Filter by platform if needed.
"This looks like a false positive. How do I unblock?"Click the event. Add destination to allowlist. Per-platform or global. Effective on platform refresh cycle.
"I need to give the audit team last week's blocks for this segment."Filter by segment, set time range, export to CSV or Excel.
"How do I forward these events to my SIEM long-term?"Configure Syslog forwarding once on Shield OnPremise. Events flow to your SIEM as they happen.
// The Three Roles

Observer. User. Administrator.

Role-based access per group. Observer reads. User operates. Administrator governs. Each user gets a role per group; users can hold different roles in different groups.

// Read Only

Observer

  • View event log
  • Drill into forensic detail
  • Export filtered event sets
  • No policy modification
// Operate

User

  • Everything Observer can do
  • Allowlist and suppress
  • Switch enforcement mode
  • Adjust per-direction policy on Stratus
// Govern

Administrator

  • Everything User can do
  • Add and remove users
  • Assign roles per group
  • Configure SIEM forwarding
// What This Console Does Not Do

No alert queue. No urgency scoring. No SSO.

If your evaluation criteria includes an alert prioritization workflow, a public API for programmatic queries, or SSO integration with your IdP, you need to know that up front.

THE BOUNDARY.

Calibrating expectations now prevents wasted POVs later.

No SSO or enterprise IdP integration. Local accounts with role-based access.

No public API. CSV and Excel export only. Syslog forwarding from Shield OnPremise to SIEM.

No native integrations with ticketing, PSA, RMM, or SOAR. Forward via SIEM for downstream automation.

No Shield Sentinel view. Sentinel runs independently. Three platforms enforce. One watches.

No alerts. Shield blocks. The console shows what was blocked, not what needs triage. If your team needs an alert queue, this is not the workflow.

Want to see Command Hub against your traffic?

30 minute walkthrough with a sales engineer. Real event log. Real policy tuning.

Request a POV

RECOMMENDED NEXT STEP

Ready to see what Shield finds in your environment?

Request a POV Book a Meeting Talk to an Engineer