Investigate an IP address


Examine possible communication between your devices and external internet protocol (IP) addresses.

Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as a Command and Control (C2) server, helps determine the potential scope of the breach. You can then quarantine associated files and infected devices.

You can find information from the following sections in the IP address view:

  • IP worldwide

  • Reverse DNS names

  • Alerts related to this IP

  • IP in organization

  • Prevalence

IP Worldwide and Reverse DNS names

The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.

The Alerts related to this IP section provides a list of alerts that are associated with the IP.

IP in organization

The IP in organization section provides details on the prevalence of the IP address in the organization.

Prevalence

The Prevalence section displays how many devices have connected to this IP address and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.

Most recent observed devices with IP

The most recent observed devices with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
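To make the Prevalence and most-recent-devices views concrete, the following added example (not part of the original page and not Microsoft's code) computes the same three figures, number of distinct devices, first seen and last seen, over a constructed set of outbound network events, with the same time-period filter (30 days by default), and lists the devices that contacted the IP most recently. The event rows, device names and IP addresses are constructed sample data; the function names are the example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample network events (not real telemetry): each row is
# (UTC timestamp, device name, remote IP the device connected to).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00Z", "wks-finance-01", "203.0.113.10"),
    ("2024-05-03T12:30:00Z", "wks-finance-01", "203.0.113.10"),
    ("2024-05-10T09:15:00Z", "srv-build-02", "203.0.113.10"),
    ("2024-05-28T17:45:00Z", "lt-sales-07", "203.0.113.10"),
    ("2024-05-29T11:00:00Z", "lt-sales-07", "198.51.100.5"),
    ("2024-03-15T10:00:00Z", "wks-hr-03", "203.0.113.10"),  # older than 30 days
]


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Prevalence:
    device_count: int               # distinct devices that connected to the IP
    first_seen: Optional[datetime]  # None when nothing matched in the window
    last_seen: Optional[datetime]


def _matching(events, ip: str, now: datetime, days: int):
    """Yield (timestamp, device) rows for `ip` inside the [now-days, now] window."""
    target = ip_address(ip)          # normalises the textual form before comparing
    cutoff = now - timedelta(days=days)
    for ts, device, remote in events:
        if ip_address(remote) != target:
            continue
        t = parse_ts(ts)
        if t < cutoff or t > now:    # outside the selected time period
            continue
        yield t, device


def prevalence(events, ip: str, now: datetime, days: int = 30) -> Prevalence:
    """Count distinct devices and the first/last contact with `ip` in the window."""
    devices = set()
    first = last = None
    for t, device in _matching(events, ip, now, days):
        devices.add(device)
        first = t if first is None or t < first else first
        last = t if last is None or t > last else last
    return Prevalence(len(devices), first, last)


def recent_devices(events, ip: str, now: datetime, days: int = 30) -> List[Tuple[str, datetime]]:
    """Devices that contacted `ip`, most recent contact first (one entry per device)."""
    latest = {}
    for t, device in _matching(events, ip, now, days):
        if device not in latest or t > latest[device]:
            latest[device] = t
    return sorted(latest.items(), key=lambda kv: kv[1], reverse=True)


NOW = parse_ts("2024-05-30T00:00:00Z")  # constructed "current time" for the window

if __name__ == "__main__":
    p = prevalence(SAMPLE_EVENTS, "203.0.113.10", NOW)
    print(f"devices={p.device_count} first={p.first_seen} last={p.last_seen}")
    for device, seen in recent_devices(SAMPLE_EVENTS, "203.0.113.10", NOW):
        print(f"{seen.isoformat()}  {device}")
```

Widening the window (for example `days=90`) pulls in the March event and raises the device count from 3 to 4, which is the same effect as changing the time period filter in the Prevalence section; an IP with no matching events returns a count of 0 with `first_seen` and `last_seen` left as `None` rather than a misleading date.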

Investigate an external IP:

  1. Select IP from the Search bar drop-down menu.

  2. Enter the IP address in the Search field.

  3. Select the search icon or press Enter.

Details about the IP address are displayed, including registration details (if available), reverse IPs (for example, domains), prevalence of devices in the organization that communicated with this IP Address (during the selected time period), and the devices in the organization that were observed communicating with this IP address.