Advanced IP Defense in Activity Insights
Use the Activity Insights: Threats dashboard in Strata Cloud Manager to visualize Advanced IP Defense threat trends, categories, and direct-to-IP detections.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Advanced IP Defense license |
| | Log forwarding to Strata Logging Service configured |
The Activity Insights: Threats dashboard in Strata Cloud Manager provides a holistic view of threat activity across your Prisma Access and NGFW environments. Advanced IP Defense is integrated as a core security subscription alongside Advanced Threat Prevention, Advanced DNS Security, Advanced WildFire, and Advanced URL Filtering, giving you a unified view of all threat activity in a single pane.
To view Advanced IP Defense activity, open the Activity Insights: Threats dashboard in Strata Cloud Manager and set the license filter to Advanced IP Defense. This isolates Advanced IP Defense detections from those of the other security subscriptions.
Threat Chart
The threat chart displays a breakdown of Advanced IP Defense detections organized into threat categories and subcategories. Advanced IP Defense maps its IP attribute categories into the following primary threat categories used across all security subscriptions:
- Reconnaissance & Pre-Attack—Scanning, brute-force, and security scraping activities used to discover or probe targets before launching attacks.
- Malware—Malware downloading and memory extraction payloads detected through IP attribution.
- Exploitation and Code-execution—Vulnerable IPs, compromised devices and servers, exposed services, and brute-force attempts exploiting software flaws or insecure configurations.
- Command & Control (C2) & Exfiltration—Malware C2 infrastructure, hardcoded C2 IPs, and IPs communicated with by malware during sandbox analysis.
- Disruption & Extortion—DDoS, botnet, and spamming activities causing operational disruption or resource exhaustion.
- Network Protocol Abuse—Tor exit nodes, proxies, and VPN services used to anonymize or tunnel traffic and evade network controls.
- Adversary Infrastructure—Bulletproof hosting, community IOCs, and domains resolving to malicious or grey IPs.
Each primary category contains granular subcategories that map to specific Advanced IP Defense IP attributes such as malware_c2, tor_exit, scanning_brute_force, and bulletproof. Select a category in the chart to drill down into its subcategories and see the specific attribute detections.
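The following is an added example, not code from the page or from Palo Alto Networks, showing how the attribute-to-category mapping above turns a set of threat-table rows into the category and subcategory counts the threat chart displays, including the license and direct-to-IP filters. The attribute names malware_c2, tor_exit, scanning_brute_force and bulletproof are the ones given on the page; "proxy" and "ddos" are hypothetical attribute names, the detection rows are constructed, and the action names and row layout are assumptions.

```python
from collections import Counter, defaultdict

# Mapping of Advanced IP Defense IP attributes to the primary threat
# categories listed above. malware_c2, tor_exit, scanning_brute_force and
# bulletproof are attribute names given on the page; "proxy" and "ddos" are
# hypothetical attribute names used only to populate two more categories.
ATTRIBUTE_TO_CATEGORY = {
    "scanning_brute_force": "Reconnaissance & Pre-Attack",
    "malware_c2": "Command & Control (C2) & Exfiltration",
    "tor_exit": "Network Protocol Abuse",
    "proxy": "Network Protocol Abuse",            # hypothetical attribute name
    "bulletproof": "Adversary Infrastructure",
    "ddos": "Disruption & Extortion",             # hypothetical attribute name
}

# Constructed sample detections shaped like threat-table rows: subscription,
# matched IP attributes, policy action, severity, source/destination and the
# direct-to-IP flag. Addresses are RFC 5737 documentation ranges.
SAMPLE_DETECTIONS = [
    {"license": "Advanced IP Defense", "attrs": ["malware_c2"],
     "action": "reset-both", "severity": "critical",
     "src": "10.1.1.20", "dst": "203.0.113.7", "direct_to_ip": True},
    {"license": "Advanced IP Defense", "attrs": ["tor_exit", "proxy"],
     "action": "alert", "severity": "medium",
     "src": "10.1.1.31", "dst": "198.51.100.44", "direct_to_ip": False},
    {"license": "Advanced IP Defense", "attrs": ["scanning_brute_force"],
     "action": "drop", "severity": "high",
     "src": "192.0.2.15", "dst": "10.1.1.5", "direct_to_ip": False},
    {"license": "Advanced IP Defense", "attrs": ["bulletproof", "malware_c2"],
     "action": "reset-both", "severity": "critical",
     "src": "10.1.1.20", "dst": "203.0.113.99", "direct_to_ip": True},
    # A detection from another subscription: it carries no IP attributes and
    # disappears once the license filter is set to Advanced IP Defense.
    {"license": "Advanced Threat Prevention", "attrs": [],
     "action": "alert", "severity": "low",
     "src": "10.1.1.40", "dst": "198.51.100.9", "direct_to_ip": False},
]


def categorize(detection):
    """Return the set of (primary category, attribute) pairs a detection maps to.

    A detection carrying several attributes appears under each matching
    subcategory, as it would in the chart drill-down. Attributes the mapping
    does not know land in an "Uncategorized" bucket instead of being dropped,
    so a newly introduced attribute stays visible.
    """
    return {(ATTRIBUTE_TO_CATEGORY.get(attr, "Uncategorized"), attr)
            for attr in detection["attrs"]}


def filter_rows(detections, license_filter=None, direct_to_ip_only=False):
    """Apply the dashboard's license and direct-to-IP filters to table rows."""
    rows = []
    for d in detections:
        if license_filter and d["license"] != license_filter:
            continue
        if direct_to_ip_only and not d["direct_to_ip"]:
            continue
        rows.append(d)
    return rows


def build_chart(detections, license_filter=None, direct_to_ip_only=False):
    """Aggregate filtered detections into {category: {attribute: count}}.

    This is the breakdown the threat chart shows: primary categories at the
    top level, attribute subcategories one drill-down further.
    """
    chart = defaultdict(Counter)
    for d in filter_rows(detections, license_filter, direct_to_ip_only):
        for category, attr in categorize(d):
            chart[category][attr] += 1
    return {category: dict(counts) for category, counts in chart.items()}


if __name__ == "__main__":
    chart = build_chart(SAMPLE_DETECTIONS, license_filter="Advanced IP Defense")
    for category, counts in chart.items():
        print(category)
        for attr, n in sorted(counts.items()):
            print(f"  {attr}: {n}")
```

A detection with two attributes is counted once under each subcategory, so subcategory counts can exceed the number of rows in the table; keep that in mind when comparing chart totals with table row counts.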
Direct-to-IP Filter
Activity Insights includes a dedicated direct-to-IP filter that allows you to isolate threats where the connection was made without a prior DNS resolution. This filter is specific to Advanced IP Defense and helps you identify outbound C2 channels or data exfiltration attempts that bypass DNS-based security controls. When you apply the direct-to-IP filter, the threat chart and threat table update to show only connections flagged as direct-to-IP.
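To make the direct-to-IP criterion concrete, here is an added example, not the product's own logic and not code from the page, that correlates constructed DNS answer records with constructed outbound connections and flags every external connection that the same client did not precede with a matching DNS lookup. The log layout, the internal network list and the fixed five-minute lookback window (standing in for the answer TTL real logs would carry) are assumptions of the example.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Networks treated as internal for this example; traffic to them is never
# scored as direct-to-IP. The list is constructed for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed DNS answer records as the firewall would observe them:
# (timestamp, client, resolved IP). The field layout is an assumption.
DNS_ANSWERS = [
    ("2024-05-01T10:00:00", "10.1.1.31", "198.51.100.44"),
    ("2024-05-01T10:02:00", "10.1.1.20", "203.0.113.7"),
]

# Constructed outbound connections: (timestamp, source, destination).
CONNECTIONS = [
    ("2024-05-01T10:00:05", "10.1.1.31", "198.51.100.44"),  # resolved 5 s earlier
    ("2024-05-01T10:30:00", "10.1.1.20", "203.0.113.7"),    # answer is 28 min old
    ("2024-05-01T10:31:00", "10.1.1.20", "203.0.113.99"),   # never resolved
    ("2024-05-01T10:32:00", "10.1.1.20", "10.1.1.5"),       # internal, ignored
]


def build_dns_index(dns_answers):
    """Index DNS answers as (client, ip) -> sorted list of answer times."""
    index = defaultdict(list)
    for ts, client, ip in dns_answers:
        index[(client, ip)].append(datetime.fromisoformat(ts))
    for times in index.values():
        times.sort()
    return index


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_direct_to_ip(connection, dns_index, window=timedelta(minutes=5)):
    """True when the client received no DNS answer for the destination within
    `window` before the connection. The fixed window is an assumption that
    stands in for the answer's TTL."""
    ts, client, dst = connection
    if is_internal(dst):
        return False
    when = datetime.fromisoformat(ts)
    times = dns_index.get((client, dst), [])
    # Number of answers t with (when - window) <= t <= when.
    lo = bisect_left(times, when - window)
    hi = bisect_right(times, when)
    return hi == lo


def flag_direct_to_ip(connections, dns_answers, window=timedelta(minutes=5)):
    """Return the connections the direct-to-IP filter would show."""
    index = build_dns_index(dns_answers)
    return [c for c in connections if is_direct_to_ip(c, index, window)]


if __name__ == "__main__":
    for ts, src, dst in flag_direct_to_ip(CONNECTIONS, DNS_ANSWERS):
        print(f"{ts} {src} -> {dst} direct-to-IP")
```

The index is keyed by client as well as destination, so a lookup by one host does not clear a connection from another. If clients resolve through an internal recursive resolver that the firewall only sees as the resolver's own queries, key by destination alone instead, or every client connection will look direct-to-IP. Long TTLs, browser and OS caches, and resolvers outside the firewall's view are the usual sources of false positives for this kind of correlation, so treat a direct-to-IP flag as a lead for the threat table, not proof of C2 on its own.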
Threat Table
Below the threat chart, the threat table provides a paginated list of individual Advanced IP Defense detections with detailed information including the matched IP attributes, policy action taken, severity, source and destination IPs, and direct-to-IP flag. You can sort and filter the table to investigate specific threats, and clicking a row opens the full threat log entry with all available fields.