Console Overview
The Telovix Console is the operator control plane. It runs as a single application served on the configured port (15483 by default for self-hosted Telovix) and provides the operator web UI, sensor management, policy delivery, alert triage, compliance reporting, and settings for the entire deployment.
The Console is most useful day-to-day. Installation gets you the platform; ongoing value comes from how quickly teams can spot unhealthy sensors, triage alerts, scope policies, investigate incidents, and track compliance posture over time.
Where to start
| If you are... | Start here |
|---|---|
| Installing the Console for the first time | Console Installation then return to complete the setup wizard |
| Enrolling your first sensor | Quick Start for an end-to-end walkthrough |
| Investigating an active alert | Alert Inbox and Triage |
| Tracing a suspicious process or binary | Process Tree and Investigate |
| Scoping a policy or enforcement rule | Fleet Management to target the right sensors, then Security Policies |
| Monitoring compliance posture | Compliance |
| Setting up 5G Core or O-RAN monitoring | Ensure the telecom vertical is active in Settings, then see Telecom and O-RAN Overview |
| Integrating with a SIEM or webhook | SIEM Integration or Webhook Notifications |
| Managing users and roles | RBAC and User Management |
| Configuring the AI assistant | AI Assistant |
Navigation sections
The Console is organized into the following sections. The Telco section is only visible when the Console is configured for the telecom vertical.
Fleet and sensors
| Page | What you do there |
|---|---|
| Sensors | List all enrolled sensors, filter by health state, role, flavor, tags, or cluster. View sensor detail including trust state, heartbeat history, events, enforcement state, and resource metrics. |
| Sensor Groups | Create and manage sensor groups for scoped policy assignment and upgrade targeting. |
| Enrollment Tokens | Generate and manage enrollment tokens for VM/bare-metal and Kubernetes deployments. |
Detection and response
| Page | What you do there |
|---|---|
| Alerts | Alert inbox with triage queue. Filter by severity, event kind, sensor, or time range. Open alerts for full event context, process tree, and AI triage. |
| Investigations | Case management for multi-alert incidents. Link events, add notes and evidence, assign owners, track resolution. |
| Attack Chains | View correlated event sequences that match known attack patterns across one or more sensors. |
| Live Feed | Real-time event stream from all connected sensors. |
| Events | Queryable event history from ClickHouse. Search, filter, and pivot from any event to its context. |
| Events: Analytics | Aggregated event statistics by kind, sensor, role, and time window. |
| Events: Audit | Console operator audit log (logins, policy changes, enforcement actions). |
| Events: Search | Saved search sets and full-text event search. |
Runtime Blocks and policies
| Page | What you do there |
|---|---|
| Policies | Policy pack catalog, current assignments, enforcement state per sensor. |
| Enforcement | Enforcement rules (built-in templates and custom), impact preview, exceptions. |
| Custom Rules | Operator-authored TracingPolicy YAML rules. |
| Suppression | Suppression rules to silence specific event kinds or patterns. |
| Baselines | Behavioral baseline review and approval. |
| Guardian Profiles | Process execution profiles and deviation alerting. |
| Guardian Fingerprints | Per-binary behavioral fingerprints used by Guardian Profiles. |
| Guardian Policies | Policies built on Guardian Profile deviations. |
| Admission | Kubernetes admission webhook rules. |
| Custom Flags | SQL-based alert rules that query ClickHouse event history. |
Visibility and analytics
| Page | What you do there |
|---|---|
| Network | Fleet-wide network view: active connections, listening services, DNS activity. |
| SBOM | Software bill of materials from Trivy container image scans. |
| Processes | Process execution fingerprint view across the fleet. |
| Process Tree | Ancestor chain reconstruction for a specific event or process. |
| Shell Sessions | SSH and shell session records with associated event activity. |
| Kubernetes | Kubernetes cluster and pod security posture, network policy compliance, workload inventory. |
| O-Cloud | O-Cloud infrastructure view (CNF placement, resource utilization). |
| Runtime Inspector | Live process and connection table from a specific sensor. |
| Entity | Behavioral profile for a specific process binary across the fleet. |
| Correlate | Cross-sensor event correlation for a specific event or entity. |
| Anomaly | Behavioral anomaly scores and baseline deviation summaries. |
| Baselines (analytics) | Behavioral baseline data and learning status per sensor/binary. |
| Activity | Fleet-level activity timeline. |
| Agent Health | Sensor health and event pipeline metrics dashboard. |
| Event Metrics | Detailed eBPF event pipeline counters per sensor. |
Compliance
| Page | What you do there |
|---|---|
| Compliance | CIS v8, NIS2, 3GPP TS 33.117, and O-RAN WG11 posture with per-control evidence. |
| Reports | Scheduled compliance report management and export. |
Telecom (telecom vertical only)
| Page | What you do there |
|---|---|
| Telco Overview | 5G/4G NF inventory, risk summary, protocol KPI summary, active alerts. |
| 5G Core | Per-NF detailed view: AMF, SMF, UPF, and other 5G Core function metrics. |
| O-RAN | O-RAN interface status: O1, O2, E2, xApp monitoring, WG11 security checks. |
| RAN | RAN node inventory, F1AP/E1AP/XnAP interface status, cell-level metrics. |
| User Plane | GTP-U tunnel inventory, PFCP session state, user plane anomaly detection. |
| Protocols | SCTP, Diameter, RADIUS, SIP, M3UA protocol metrics and anomaly detection. |
| SLO | NF SLO dashboard: availability vs targets, breach history, MTTR. |
| Topology | NF topology map showing peer relationships and interface coverage. |
| Security | Telecom-specific security findings: TLS posture, privilege escalation, rogue processes. |
| Capture | Protocol capture snapshot viewer (PCAPNG data from the telecom sensor). |
Settings and administration
| Page | What you do there |
|---|---|
| Settings | Console configuration: database, ClickHouse, SMTP, LLM, update settings, vertical. |
| Team | User management: create accounts, manage roles, invite members, revoke sessions. |
| License | License status, validity window, node count usage. |
| Notifications | Health notification rules. |
| Alerting | Alert notification rules and webhook destinations. |
| SIEM Integrations | SIEM forwarding destinations (Sentinel, Splunk, Elastic, generic HTTP). |
| Sources | API key management. |
Roles and permissions
The Console has five roles. Role checks are enforced at the API handler level.
| Role | Tier | Capabilities |
|---|---|---|
| viewer | 1 | Read-only access to fleet view, events, alerts, and compliance pages. Cannot create, modify, or delete anything. |
| analyst | 2 | Everything in viewer, plus: create and manage investigations, add notes, run AI triage. |
| sensor_owner | 3 | Scoped operator access. Can manage sensors explicitly assigned to this user but cannot access unscoped fleet data. Same API permissions as operator within the assigned scope. |
| operator | 3 | Full sensor management, policy assignment, enforcement rule creation, investigation management, alert triage, custom rules. Cannot create users or modify Console infrastructure settings. |
| admin | 4 | All operator capabilities, plus: user management, Console settings, sensor revocation and deletion, billing/license management. |
sensor_owner and operator share the same permission tier (3). The difference is scope: sensor_owner users have their accessible sensors restricted to an explicitly assigned list; operator users can access all sensors (unless cluster-level scope is configured).
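The tier-plus-scope model above, as an added sketch that is not Telovix's handler code: it shows why a tier comparison alone would treat a sensor_owner like an operator. The action names, the `User` type and the `authorize` function are hypothetical; the role names and tiers come from the table.

```python
from dataclasses import dataclass

# Role tiers as listed in the roles table.
TIER = {"viewer": 1, "analyst": 2, "sensor_owner": 3, "operator": 3, "admin": 4}

# Hypothetical action names, each mapped to the lowest tier the table grants it to.
MIN_TIER = {
    "read_alerts": 1,
    "create_investigation": 2,
    "assign_policy": 3,
    "revoke_sensor": 4,
}

@dataclass
class User:
    name: str
    role: str
    assigned_sensors: frozenset = frozenset()  # only consulted for sensor_owner

def authorize(user, action, sensor_id=None):
    """Deny by default: unknown roles and unknown actions are refused."""
    tier = TIER.get(user.role)
    needed = MIN_TIER.get(action)
    if tier is None or needed is None or tier < needed:
        return False
    if user.role == "sensor_owner":
        # Same tier as operator, but the request must name an assigned sensor;
        # unscoped (fleet-wide) requests are refused.
        return sensor_id is not None and sensor_id in user.assigned_sensors
    return True

# Constructed sample users and sensor ids.
OWNER = User("dana", "sensor_owner", frozenset({"sensor-a"}))
OPERATOR = User("lee", "operator")
```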
Authentication
Session TTL: 12 hours by default. Sessions expire after 28 minutes of inactivity with a warning, and auto-logout occurs at 30 minutes.
Remember me: 30-day session when selected at login.
Passwords: Minimum length is 12 characters.
TOTP MFA: Available for all accounts. Uses TOTP standard (SHA1, 6 digits, 30-second period). Enable from user account settings. When MFA is enabled, login requires a TOTP code after the password is accepted.
SSO: SAML 2.0 and OIDC are supported. Configuration is stored in the database and managed from Settings.
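A reference computation for the TOTP parameters listed above (SHA1, 6 digits, 30-second period), added here as an example and not taken from the Console's code; it is useful for checking that an authenticator or provisioning tool is configured with matching parameters. The ±1 step drift window and the `last_step` replay guard are assumptions of this example, not documented Console behavior; the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

DIGITS, PERIOD = 6, 30  # parameters stated in the Console documentation (with SHA1)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // PERIOD)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, code, unix_time, last_step=-1, drift=1):
    """Return the time step the code matched, or None.

    drift (accepted clock skew, in steps) and last_step (the highest step
    already accepted for this account) are assumptions of this example.
    """
    if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
        return None  # reject malformed input before any comparison
    now = unix_time // PERIOD
    for step in range(now - drift, now + drift + 1):
        if step <= last_step:
            continue  # a code from this step or earlier was already used
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret, step * PERIOD), code):
            return step
    return None

# RFC 6238 Appendix B test secret (ASCII), not a real credential.
SECRET = b"12345678901234567890"
```

The caller stores the returned step as the account's new `last_step`, so the same code cannot be accepted twice within its validity window.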
Vertical and platform context
The vertical setting controls which navigation sections and features are active:
standard: All sections except the Telco navigation group are visible. Telecom-specific compliance frameworks, AI tools, and dashboards are hidden.
telecom: All sections including the full Telco navigation group are active. 3GPP TS 33.117, O-RAN WG11, CIS Telecom, and NIS2 Telecom compliance frameworks are selectable.
Set the vertical during the setup wizard. You can change it at any time from Settings, but the service requires a restart for the change to take effect across all active sessions. No database migration is needed.
Attempting to navigate to /app/telco/* routes on a standard vertical Console redirects to the dashboard.
AI assistant
The Console includes an AI assistant accessible from a panel available on most pages. The assistant has 44 tools that query fleet data, events, baselines, and compliance state. It can correlate events, reconstruct process ancestry, query NGAP KPIs, and help write detection rules.
The LLM provider is configurable from Settings: Anthropic, OpenAI, Gemini, a custom OpenAI-compatible endpoint, or a Telovix-managed endpoint for Telovix Cloud deployments. The assistant is disabled by default; enable it by configuring a provider and API key in Settings.
See AI Assistant for the full tool list and configuration.