Monitoring and Auditing OT/ICS Sessions
Active Session Management

Administrators can manage ongoing OT/ICS Session Manager connections in real time.

1. Navigate to Policy > Active Sessions.
2. The list will display active TCP connections, showing the host IP, host name, protocol (TCP), user, client IP, instance name and session start time.
3. Administrators can select an active session and click Kill Selected Sessions. This immediately breaks the TCP stream and closes the connection.

Session Logging

Every OT/ICS connection is logged for compliance and post-incident analysis.

1. Go to Logging > Session Logs.
2. Each entry includes the session start/end time, total duration, and the instance name identifying the specific user.
3. These logs provide a definitive record of who accessed which OT/IT resource and for how long.

Traffic Analysis

Because OT/ICS Session Manager handles raw data, Kron PAM can generate packet capture files for detailed analysis.

1. In Session Logs, click the Actions icon for a specific TCP session.
2. Select Download PCAP File.
3. This file can be opened in tools like Wireshark to inspect the actual data exchanged during the session.
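For audits that cover many sessions, the downloaded capture can also be checked by script against its session log entry. The following is an added example, not Kron PAM code: it assumes the file is in classic libpcap format with Ethernet framing and IPv4, and the function names, IP addresses and port 502 sample traffic are constructed for illustration.

```python
import struct

def summarize_pcap(data: bytes) -> dict:
    """Capture time span and TCP payload bytes per direction (classic pcap)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not classic microsecond pcap (pcapng is not handled)")
    e = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the file
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    flows, stamps, off = {}, [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(e + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        stamps.append(sec * 1_000_000 + usec)
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP, or truncated below minimum headers
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = max(total_len - ihl - (tcp[12] >> 4) * 4, 0)
        key = (".".join(map(str, frame[26:30])), sport,
               ".".join(map(str, frame[30:34])), dport)
        flows[key] = flows.get(key, 0) + payload
    span = (max(stamps) - min(stamps)) / 1e6 if stamps else 0.0
    return {"duration_s": span, "flows": flows}

def consistent_with_log(summary, logged_duration_s, host_ip, tolerance_s=2.0):
    """True if the span fits the logged duration and every flow touches host_ip."""
    span_ok = abs(summary["duration_s"] - logged_duration_s) <= tolerance_s
    return span_ok and all(host_ip in (k[0], k[2]) for k in summary["flows"])

def _frame(src, dst, sport, dport, payload):  # constructed Ethernet/IPv4/TCP frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_sample() -> bytes:  # constructed capture: 3 packets over 12.5 s
    pkts = [(1_000_000, ("10.0.0.5", "10.0.0.20", 40000, 502, b"\x00" * 12)),
            (1_200_000, ("10.0.0.20", "10.0.0.5", 502, 40000, b"\x00" * 11)),
            (13_500_000, ("10.0.0.5", "10.0.0.20", 40000, 502, b"\x00" * 12))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for t_us, args in pkts:
        f = _frame(*args)
        out += struct.pack("<IIII", t_us // 10**6, t_us % 10**6, len(f), len(f)) + f
    return out
```

For a real file, pass the bytes of the downloaded capture to `summarize_pcap` and compare the result with the duration and host IP shown for that session in the log.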