Advanced IP Defense in Threat Search
Use Threat Search in Strata Cloud Manager to search and filter Advanced IP Defense threat logs by IP attributes, categories, direct-to-IP flag, and other Advanced IP Defense-specific fields.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Advanced IP Defense license; log forwarding to Strata Logging Service configured |
Threat Search (under ) in Strata Cloud Manager provides ad hoc search and filtering of threat logs across all security subscriptions. For Advanced IP Defense, Threat Search exposes Advanced IP Defense-specific log fields that let you investigate individual connections, identify patterns across your environment, and correlate Advanced IP Defense detections with other security events.
Advanced IP Defense Log Fields
The following fields are available when searching threat logs generated by Advanced IP Defense:
| Field Name | Field ID | Description |
|---|---|---|
| AIPD Profile Name | aipd_profile | The name of the Advanced IP Defense profile that triggered the event. |
| AIPD Category [Attributes] | aipd_ip_attrs | The category and attributes of the IP address identified by the match field, formatted as Category [Attribute]. For example, Netblock Owner [cdn_provider] or Malware & C2 [malware_c2]. |
| AIPD Match Field | aipd_match_field | Indicates whether Advanced IP Defense inspected the source or the destination IP address of the traffic. |
| AIPD Direct to IP | aipd_dns_seen | Indicates whether the connection was a direct-to-IP request (no prior DNS resolution). Applies to outbound traffic only. |
| AIPD ASN | aipd_asn | The Autonomous System Number (ASN) associated with the IP address inspected by Advanced IP Defense. |
| AIPD Source EDL | aipd_src_of_edl | The External Dynamic List (EDL) that the IP address matched during Advanced IP Defense inspection. |
| AIPD Session State | aipd_session_state | The state of the session at the time the connection was blocked by Advanced IP Defense. |
| AIPD Rule | aipd_rule | The name of the specific rule matched within the Advanced IP Defense profile. |
Filtering by IP Attributes
The AIPD Category [Attributes] field supports auto-suggestion in the query bar. When you select this field and an operator (such as contains or not_contains), the auto-suggestion box lists all available categories. After you select a category, the suggestions offer AND/OR operators or the individual attributes within that category.
You can query at two levels of granularity:
- Category level—For example, AIPD Category [Attributes] = 'Netblock Owner' matches all Netblock Owner attributes.
- Attribute level—For example, AIPD Category [Attributes] = 'Netblock Owner [cdn_provider]' matches only CDN provider IPs.
Clicking a category or attribute value directly in the log results populates the query filter automatically, allowing you to quickly pivot from a specific detection to all related events.
Common Search Patterns
- Investigate direct-to-IP C2—Filter for aipd_dns_seen = true and aipd_ip_attrs contains 'Malware & C2' to find connections that bypassed DNS and connected to known C2 infrastructure.
- Assess anonymizer exposure—Filter for aipd_ip_attrs contains 'Anonymizers & Proxies' to identify all connections through Tor, open proxies, or commercial VPNs.
- Validate allowlist effectiveness—Filter for aipd_ip_attrs contains 'Netblock Owner' to verify that cloud provider traffic is being correctly identified and allowed by your policy rules.
- Review a specific profile's detections—Filter for aipd_profile = 'profile-name' to see all detections generated by a specific Advanced IP Defense profile.
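The following script is an added example for this page, not Strata Cloud Manager or Palo Alto Networks code. It reproduces the two levels of granularity described under "Filtering by IP Attributes" (a category-level query matches every attribute in that category, an attribute-level query matches one attribute), the pivot that clicking a value in the results performs, and the four common search patterns above, all run over constructed log records keyed by the Field ID column of the table. Attribute names other than malware_c2 and cdn_provider, the profile and rule names, and the record layout are assumptions. One caveat: the Field ID aipd_dns_seen reads as "DNS was seen" while the page defines a true value as direct-to-IP (no prior DNS resolution); the example follows the page's definition, so confirm the polarity against a known direct-to-IP event in your own logs before building detections on it.

```python
"""Search constructed Advanced IP Defense (AIPD) threat-log records with the
category/attribute semantics of the Threat Search query bar.

Added example for this page, not Strata Cloud Manager or Palo Alto Networks
code. Records are constructed; keys follow the Field ID column of the table.
Attribute names other than malware_c2 and cdn_provider are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any

# 'Netblock Owner [cdn_provider]' -> category='Netblock Owner', attribute='cdn_provider'
# 'Netblock Owner'                -> category='Netblock Owner', attribute=None
ATTR_RE = re.compile(r"^\s*(?P<category>[^\[\]]+?)\s*(?:\[(?P<attribute>[^\[\]]*)\])?\s*$")


@dataclass(frozen=True)
class IpAttr:
    category: str
    attribute: str | None = None


def parse_ip_attr(value: str) -> IpAttr:
    """Split a 'Category [attribute]' string; a bare category is allowed."""
    m = ATTR_RE.match(value)
    if not m:
        raise ValueError(f"not a 'Category [attribute]' value: {value!r}")
    return IpAttr(m.group("category"), m.group("attribute") or None)


def attr_matches(logged: str, wanted: str) -> bool:
    """Category-level query matches every attribute of that category;
    attribute-level query matches only that exact attribute."""
    have, want = parse_ip_attr(logged), parse_ip_attr(wanted)
    if have.category != want.category:
        return False
    return want.attribute is None or have.attribute == want.attribute


Filter = tuple[str, str, Any]  # (field_id, operator, value)


def _test(rec: dict[str, Any], field: str, op: str, value: Any) -> bool:
    """Evaluate one query-bar clause against one record."""
    have = rec.get(field)
    if field == "aipd_ip_attrs":  # the only field with structured (category/attribute) matching
        hit = have is not None and attr_matches(have, value)
    else:
        hit = have == value
    if op in ("=", "contains"):
        return hit
    if op in ("!=", "not_contains"):
        return not hit
    raise ValueError(f"unsupported operator {op!r}")


def search(logs: list[dict[str, Any]], filters: list[Filter]) -> list[dict[str, Any]]:
    """Return the records that satisfy every clause (the query bar's implicit AND)."""
    return [r for r in logs if all(_test(r, f, op, v) for f, op, v in filters)]


def pivot_filter(rec: dict[str, Any]) -> Filter:
    """The clause produced by clicking a record's category/attribute value in the results."""
    return ("aipd_ip_attrs", "contains", rec["aipd_ip_attrs"])


# --- the four common search patterns from this page -------------------------

def direct_to_ip_c2(logs):
    return search(logs, [("aipd_dns_seen", "=", True),
                         ("aipd_ip_attrs", "contains", "Malware & C2")])

def anonymizer_exposure(logs):
    return search(logs, [("aipd_ip_attrs", "contains", "Anonymizers & Proxies")])

def netblock_owner_hits(logs):
    return search(logs, [("aipd_ip_attrs", "contains", "Netblock Owner")])

def profile_detections(logs, profile):
    return search(logs, [("aipd_profile", "=", profile)])


# Constructed sample records (not real log output). aipd_dns_seen follows the
# page's definition: True means the connection had no prior DNS resolution.
SAMPLE_LOGS = [
    {"src": "10.1.1.20", "dst": "203.0.113.7", "aipd_profile": "aipd-outbound",
     "aipd_match_field": "dst", "aipd_ip_attrs": "Malware & C2 [malware_c2]",
     "aipd_dns_seen": True, "aipd_rule": "block-c2"},
    {"src": "10.1.1.21", "dst": "198.51.100.9", "aipd_profile": "aipd-outbound",
     "aipd_match_field": "dst", "aipd_ip_attrs": "Malware & C2 [malware_c2]",
     "aipd_dns_seen": False, "aipd_rule": "block-c2"},
    {"src": "10.1.2.5", "dst": "192.0.2.44", "aipd_profile": "aipd-outbound",
     "aipd_match_field": "dst", "aipd_ip_attrs": "Anonymizers & Proxies [tor_exit]",  # attribute assumed
     "aipd_dns_seen": False, "aipd_rule": "block-anon"},
    {"src": "10.1.3.9", "dst": "192.0.2.80", "aipd_profile": "aipd-cloud-allow",
     "aipd_match_field": "dst", "aipd_ip_attrs": "Netblock Owner [cdn_provider]",
     "aipd_dns_seen": False, "aipd_rule": "allow-cdn"},
    {"src": "192.0.2.200", "dst": "10.1.3.9", "aipd_profile": "aipd-inbound",
     "aipd_match_field": "src", "aipd_ip_attrs": "Netblock Owner [cloud_provider]",  # attribute assumed
     "aipd_dns_seen": None, "aipd_rule": "allow-cloud"},  # inbound: direct-to-IP does not apply
]


if __name__ == "__main__":
    for rec in direct_to_ip_c2(SAMPLE_LOGS):
        print("direct-to-IP C2:", rec["src"], "->", rec["dst"])
    print("pivot from first Netblock Owner hit:", pivot_filter(netblock_owner_hits(SAMPLE_LOGS)[0]))
```

Note that only the second Malware & C2 record is dropped by the direct-to-IP pattern: it hit the same C2 attribute but was preceded by a DNS resolution, which is exactly the distinction the pattern is meant to surface. The inbound record carries no aipd_dns_seen value, matching the table's note that the field applies to outbound traffic only, and a category-level Netblock Owner query still returns it.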