IP Endpoints
View the number of IP endpoints that IoT Security has
detected on the network and details of those it has identified.
When IoT Security receives sufficient network traffic
metadata, it uses AI and machine learning to identify the devices
generating the traffic. However, there are times when it doesn’t
receive enough to identify devices uniquely. For example, IoT Security
might be aware that there is traffic to and from a specific IP address
but, because the device is in a different Layer 3 domain from the
firewall logging the network traffic metadata, it never learns its MAC
address. The device might be behind a router, a NAT device, or a
wireless tethering device, so the firewall only gets its IP address.
If DHCP is providing network settings, different devices can use
the same IP address at different times, so the network behavior
associated with that address keeps changing as different types of device
take turns using it. When IoT Security sees an IP address as the source or
destination of traffic but doesn't know its MAC address, and the address's
behavior isn't stable enough to conclude that it is statically assigned,
IoT Security categorizes it as an IP endpoint.
Another way that IoT Security can learn about IP endpoints is
through third-party integrations. IoT Security can receive device
data by integrating with a network management or asset management
solution and by using SNMP to query network switches about the devices
connected to them.
If IoT Security observes stable traffic patterns for an IP endpoint
and none of its major device attributes change for seven days, it moves
the endpoint to the Devices page. IoT Security watches eight major device
attributes for changes: device profile, category, vendor, model, OS,
hostname, serial number, and site ID. A change to any of them indicates
that the device using the IP address has changed, so if all eight remain
unchanged for seven days, it's reasonable to assume that the device
identity is stable.
After adding the IP endpoint to the Devices page, IoT Security continues tracking its attributes
daily. If any of them changes later, IoT Security immediately moves the endpoint to the
Identified IP Endpoints table, where it continues tracking the attributes. You can see the total
number of IP endpoints discovered on the network or learned from integrated third-party products,
plus the total and a list of all identified IP endpoints, at Assets > Devices > IP Endpoints.
At the top of the page are data filters for sites, device types,
and time periods (1 Day, 1 Week, and 1 Month). The sites filter
controls the data displayed for IP endpoints and identified IP endpoints
per site, per site group, or for all sites. The filter for device
types controls the display of data by types such as Industrial,
Medical, Office, Traditional IT, All IoT, and All Devices. The time
filter displays data that IoT Security discovered or learned within
the past day, week, or month.
You might wonder why the device type filter affects the total
number of IP endpoints. After all, IoT Security is not yet able
to identify what type of device an IP endpoint is. However, for
some of them, it already has an approximate idea—enough to distinguish
an IT device from an IoT device, for instance. That’s why you might
see a different total number of IP endpoints when the filter is,
say, All Devices and when it’s All IoT.
To see the history of an identified IP endpoint, click its IP
address. For example, the history below shows that IoT Security
initially identified this IP endpoint as a Windows PC and then revised
that to a Windows tablet. IoT Security maintains a history of up
to 10 changes over the past 30 days.
If the behavior of an identified IP endpoint eventually settles
to a consistently stable pattern again and there are no further
changes to its major device attributes for seven consecutive days,
IoT Security moves it back to the Devices page. You can also see
the historical record of the last ten changes on its Device Details
page.
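To make the promotion and demotion rules above concrete, here is a small Python model of them covering both the seven-day promotion to the Devices page and the immediate move to Identified IP Endpoints on an attribute change. It is an added illustration, not IoT Security's own code or data model: the table names, the once-a-day observation, the `Endpoint`, `simulate` and `daily_observations` helpers and the sample attribute values are assumptions; only the thresholds (eight attributes, seven days, ten changes, 30 days) come from this page.

```python
# Added illustration of the table-movement rules described above. This is
# not IoT Security's code: the data model, the once-a-day observation and
# the table names are assumptions; the numbers (8 attributes, 7 days,
# 10 changes, 30 days) are the ones stated on the page.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The eight major device attributes the page says are watched for change.
MAJOR_ATTRIBUTES = ("profile", "category", "vendor", "model", "os",
                    "hostname", "serial_number", "site_id")
STABLE_DAYS = 7                      # unchanged this long -> Devices page
HISTORY_LIMIT = 10                   # at most this many changes are kept
HISTORY_WINDOW = timedelta(days=30)  # and only changes within this window

# Table names are assumptions that mirror the page's terminology.
IP_ENDPOINTS, DEVICES, IDENTIFIED = ("ip_endpoints", "devices",
                                     "identified_ip_endpoints")


@dataclass
class Endpoint:
    ip: str
    table: str = IP_ENDPOINTS            # starts in the internal IP-endpoint pool
    attrs: Optional[dict] = None         # last snapshot of MAJOR_ATTRIBUTES
    stable_since: Optional[date] = None  # day of the last attribute change
    history: list = field(default_factory=list)  # (day, {attr: (old, new)})

    def observe(self, day: date, attrs: dict) -> str:
        """Record one day's attribute snapshot and return the table the
        endpoint sits in afterwards."""
        snapshot = {k: attrs.get(k) for k in MAJOR_ATTRIBUTES}
        if self.attrs is None:                      # first sighting
            self.attrs, self.stable_since = snapshot, day
            return self.table
        diff = {k: (self.attrs[k], snapshot[k])
                for k in MAJOR_ATTRIBUTES if self.attrs[k] != snapshot[k]}
        if diff:
            # Any major-attribute change means a different device may now
            # hold the address: restart the stability clock, and a Devices
            # entry goes straight back to Identified IP Endpoints.
            self.history.append((day, diff))
            self._prune_history(day)
            self.attrs, self.stable_since = snapshot, day
            if self.table == DEVICES:
                self.table = IDENTIFIED
        elif (day - self.stable_since).days >= STABLE_DAYS:
            self.table = DEVICES                    # seven quiet days: promote
        return self.table

    def _prune_history(self, day: date) -> None:
        """Keep only changes from the last 30 days, and at most ten of them."""
        recent = [h for h in self.history if day - h[0] <= HISTORY_WINDOW]
        self.history = recent[-HISTORY_LIMIT:]


def daily_observations(start_iso: str, snapshots):
    """Assign consecutive calendar days, starting at start_iso, to a
    sequence of attribute snapshots; returns (day, attrs) pairs."""
    start = date.fromisoformat(start_iso)
    return [(start + timedelta(days=i), s) for i, s in enumerate(snapshots)]


def simulate(ip: str, observations):
    """Feed (day, attrs) pairs in date order; return the endpoint and the
    table it was in after each observation."""
    ep = Endpoint(ip)
    return ep, [ep.observe(day, attrs) for day, attrs in observations]


# Constructed sample snapshots (assumed values, not real data): the same
# address identified as a Windows PC, then revised to a Windows tablet.
SAMPLE_PC = {"profile": "Windows PC", "category": "Personal Computer",
             "vendor": "Dell", "model": "Latitude", "os": "Windows 10",
             "hostname": "ws-01", "serial_number": None, "site_id": "hq"}
SAMPLE_TABLET = dict(SAMPLE_PC, profile="Windows Tablet", category="Tablet")

if __name__ == "__main__":
    obs = daily_observations("2024-01-01", [SAMPLE_PC] * 8 + [SAMPLE_TABLET] * 8)
    ep, timeline = simulate("10.1.2.3", obs)
    for (day, _), table in zip(obs, timeline):
        print(day, table)
    print("history:", ep.history)
```

Running the module shows the address sitting in the IP-endpoint pool for the first week, moving to Devices on day eight, dropping to Identified IP Endpoints the day the profile and category change, and returning to Devices after seven more unchanged days; the history keeps the single revision, bounded by the ten-change, 30-day rule.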
The relationship between the internal database of IP endpoints,
the Devices table, and Identified IP Endpoints table is shown below.