>
    Strata Copilot
    View Data in a Visualization Map
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Administration Guide
    4. Discover IoT Devices and Take Inventory
    5. Network Visualizations
    6. View Data in a Visualization Map
    Download PDF
    Device Security

    View Data in a Visualization Map

    Table of Contents

    View Data in a Visualization Map

    Organize how to visualize the devices on your network using device attributes or Purdue levels.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • OT Device Security subscription
    Options for navigating a visualization map and viewing its data apply to various types of visualization methods, such as device attributes, Purdue levels, and process zones.
    Visualization MapNodes (Groups and Devices)
    The nodes on each level of a map are depicted as circles and the dashed lines between nodes represent network connections. A node can be a group of objects such as subnets, VLAN-IDs, device categories, device profiles, vendors, or risk levels, or a node can be a single device within one of these groups. The number that’s shown within the circle of a group indicates how many devices are in it. Some groups have colored segments around the edge of their circle. These indicate the proportion of devices within it that have a particular risk severity. Critical is red, high is orange, and medium is yellow. A low risk level is the remaining gray that circumscribes the circle. The size of the circle for a group indicates the proportion of devices in it in relation to other groups on the map.
    Highlight
    The highlight tool, located at the top of a visualization map, helps you find devices with certain characteristics. To use it, enter one or more filters using query language and then click Highlight. Device Security highlights all groups and devices that match the filters. The length of the ring denotes the proportion of items in a group matching the highlight definition. You can then drill down to the highlighted devices that match the filters.
    Interactions
    • Hover: Hover your cursor over a group of devices to see a pop-up panel with information about the groups and devices within it. You can hover your cursor over a group that contains other groups to see information about devices within all the groups or you can hover your cursor over one of the inner groups to see information just about that one. Hovering over a device displays a pop-up panel with information about that device.
    • Click once: Clicking a group or device once puts it in focus and displays an information panel about it on the right side of the map. Clicking the External Link icon at the top of a device information panel opens the Device Details page for the device, where you can see relevant information.
    • Click twice: Clicking a group twice (double-clicking or clicking on a focused group or device) drills into it to see its contents and the network connections of its contents to other groups. Clicking a device twice shows its network connections to other devices.
    • Reposition nodes: You can also drag groups and devices to reposition them on the map. This feature only works on the main map display. When you double-click a particular group, the new group in focus always appears centered on the map.
    • Use the table and breadcrumbs: Use links in the table to navigate through map layers by clicking links in table columns to drill down deeper into the map and clicking links in the breadcrumbs above the table to move up to higher layers.
    Map Name and Totals
    A summary of various totals appears below the map name in the upper left of the page.
    For example, the first number might be the number of subnets, the second the number of categories, and the third the number of devices on a map. If the scope contains more than 500 nodes, consider reducing the scope so the map can display them.
    After creating a map and engaging with it, you might make some changes and tweaks and decide you want to save the edited map. To do that, click the Edit Map icon next to the map name. Device Security displays the Update Network Visualization Map panel where you can change the map name, description, the visualization method, and scope and then Confirm your changes. Another option in the Update Network Visualization Map panel is Map Builder. Click Map Builder to view the map and make edits to the visualization method (Device Grouping) and scope. By clicking Update after adding or removing filters to the scope, you can see how your changes affect the contents of the map. When done, click Update Map, which returns you to Update Network Visualization Map. Review your modified settings and, if satisfied, Confirm the changes. If you aren’t yet satisfied, click Map Builder again to return to the map and continue making adjustments as necessary.
    Legend
    On the left of a visualization map are zoom in (+) and zoom out (-) icons and an information icon that opens a legend of what the colors and icons mean. Click to expand it.
    Basic
    • When viewing an individual device, its risk level is indicated by the color at 1:00 on the circle.
    • When viewing a device group, the risk level or levels of the devices within it are indicated by red, orange, and yellow around the edge of the circle. The amount of each color is the proportion of devices at that risk level in relation to the overall number of devices in the group.
    • When using the highlight tool to find devices with a particular attribute, a blue ring—or segment of a ring—appears within the edge of a group, its length indicating the proportion of devices with the highlighted attribute in the group. The longer the blue segment is, the more highlighted devices there are proportionally.
    Risk Level
    • The color for each risk level is identified.
    Icons
    • A green globe indicates that one or more devices in a group have connections to normal internet sites.
    • A red globe indicates that one or more devices have connections to malicious internet sites.
    • A three-pronged yellow icon indicates that there are one or more connections to off-map devices; that is, to devices that are on the local network but aren’t within the scope defined for this visualization map.
    • A laptop icon indicates that one or more devices have connections to IP endpoints on the local network. An IP endpoint is the source or destination of a network connection for which Device Security has learned an IP address but not a MAC address.
    Map Management
    In the Map Management section, you can control what types of devices and connections to display on the map. By selecting and clearing their check boxes, you can toggle the icons on and off on the map.
    • Inner Connection: Select or clear the check box to show or hide inner connections, which are connections within the same device grouping. Because connections between groups are typically of more interest, this is toggled off by default. To see inner connections (connections between devices in the same group), toggle on Inner connections.
    • Device visualization maps sometimes include IP Endpoints, Off-map Devices, and Internet Connections (Normal and Malicious) whenever it’s necessary to show connections between devices defined within the scope of a visualization map and destinations outside that scope. Off-map devices (dark yellow shaded circles) and IP endpoints (gray shaded circles) are located in the local, private network, and internet addresses are sites in the external public network (green shaded circles for normal sites and red shaded for malicious sites). An IP endpoint is a device for which Device Security knows an IP address. An out-of-scope device is one for which Device Security knows both an IP address and a MAC address but is outside the map scope. As with other device groups, you can also drill into groups of out-of-scope devices and endpoints and internet addresses. Click the group once to put it in focus and open an information panel. Click it twice to zoom into it and view its contents.

    Process Zones

    If you manage operational technology (OT) devices, you can group them into process zones from a visualization map. After you assign devices to a process zone, the map displays zone containers around the grouped devices, and a right-side panel lists each zone with its name, device count, and members. When you edit a zone, status icons appear on individual device nodes to indicate selection state. For step-by-step instructions, see Create and Manage Process Zones.
    The visualization map also surfaces conduits, the controlled communication paths between zones defined by the IEC 62443 model. You can apply a protocol filter to limit the map to specific industrial protocols (such as Modbus), and zones display criticality and Target Security Level (SL-T) badges that reflect the values you set when managing the zone. For more information about process zones, see Process Zones.

    © 2026 Palo Alto Networks, Inc. All rights reserved.