Investigate an IP Address

Cortex® XDR™ aggregates and enables you to view a summary of all information and threat intelligence regarding specific IP addresses.
The IP Address View provides a powerful way to investigate and take action on IP addresses by reducing the number of steps it takes to collect, research, and threat hunt related incidents. Cortex XDR automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific IP address over a defined 24-hour or 7-day time frame.
To help you determine whether an IP address is malicious, the IP Address View displays an interactive visual representation of the collected activity for a specific IP address.
To investigate an IP address:
  1. Open the IP View for an IP address.
    You can access the view from an IP address in the Cortex XDR console, where available, by right-clicking and selecting Open IP View, by selecting the IP address and using the default keyboard shortcut combination, or by searching for a specific IP address in the Quick Launcher.
    To change the default keyboard shortcut, select Settings > Server Settings > Keyboard Shortcuts. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the shortcut defined for the Quick Launcher.
  2. Review the overview for the IP address.
    The overview displays network operations, incidents, actions, and threat intelligence information relating to a specific IP address and provides a summary of the network operations and processes related to the IP address.
    1. Review the auto generated summary of the number of network operations and processes related to the IP that occurred over the past 7 days.
    2. Add an
      to the IP address.
    3. Review the location of the IP address. By default, Cortex XDR displays information on whether the IP address is an internal or external IP address.
      • External (Connection Type: Incoming)—The IP address is located outside of your organization. Displays the country flag if the location information is available.
      • Internal (Connection Type: Outgoing)—The IP address is from within your organization. The XDR Agent icon is displayed if the endpoint identified by the IP address had an agent installed at that point in time.
    4. Identify the IOC severity.
      The IP address value is color-coded to indicate the IOC severity:
      • Low—Blue
      • Medium—Yellow
      • High—Red
    5. Review any available threat intelligence for the IP address.
      Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any of the following threat intelligence:
      • VirusTotal score and report. Requires a license key. Select Settings > Threat Intelligence.
      • Whois identification data for the specific IP address.
      • IOC Rule, if applicable, including the IOC Number of hits, and
      • EDL IP address if the IP address was added to an EDL.
    6. Review any related incidents:
      Related Incidents lists the most recent incidents that contain the specific IP address as part of the incident Key Artifacts, ordered by the Last Updated timestamp. If the IP address belongs to an endpoint with a Cortex XDR agent installed, the incidents are displayed according to the host name rather than the IP address. To dive deeper into a specific incident, select its Incident ID. To view all the related incidents, select View All; Cortex XDR displays Recently Updated Incidents, filtered to the incidents that contain the IP address.
  3. Filter the IP address information you want to visualize.
    Select from the following criteria to refine the scope of the IP address information you want visualized. Each selection aggregates the displayed data.
    The type of information you want to display:
    • Host Insights—Pivot to the Asset View of the host associated with the IP address.
    • Network Connections—Display the IP View of the network connections made with the IP address.
    The main set of values you want to display. The values depend on the selected Connection Type.
    • All Aggregations—Summary of all the related IP address data.
    • Destination/Source Country
    • Destination/Source Port
    • Destination/Source IP
    • Destination/Source Process
    • App-ID
    The set of values you want to apply as the secondary set of aggregations. Must differ from your
    • Destination Country
    • Destination/Source Port
    • Destination/Source IP
    • Destination/Source Process
    • App-ID
    Node Size
    The metric that sets the node size for the selected type of values:
    • Number of Connections
    • Total Traffic
    • Total Download
    • Total Upload
    The number of aggregated connections to display:
    • Top 5
    • Top 3
    • Bottom 5
    • Bottom 3
    Connection Type
    Type of connection for which you want to display your defined set of values:
    • Incoming
    • Outgoing
    Time period over which to display your defined set of values:
    • 24 Hours
    • 7 Days
    Select to apply your selections and update the information displayed in the visualization pane. If necessary, to retrieve data.
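As an added illustration (not Cortex XDR code or output), the following Python models how these filter selections combine over a constructed set of connection records: the time period and Connection Type select the records, the primary and secondary aggregations group them, Node Size picks the metric, and Top/Bottom N ranks the resulting nodes. The field names, the sample records and the assumption that Total Traffic equals upload plus download are mine, not the product's.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed connection records for one investigated IP (not Cortex XDR data;
# the field names are assumptions made for this illustration).
IP = "10.1.2.3"
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CONNECTIONS = [
    {"ts": NOW - timedelta(hours=1), "src_ip": IP, "dst_ip": "203.0.113.10", "dst_port": 443, "process": "chrome.exe", "upload": 5000, "download": 90000},
    {"ts": NOW - timedelta(hours=2), "src_ip": IP, "dst_ip": "203.0.113.10", "dst_port": 443, "process": "chrome.exe", "upload": 2000, "download": 40000},
    {"ts": NOW - timedelta(hours=3), "src_ip": IP, "dst_ip": "198.51.100.7", "dst_port": 22, "process": "ssh.exe", "upload": 300000, "download": 8000},
    {"ts": NOW - timedelta(hours=5), "src_ip": "192.0.2.44", "dst_ip": IP, "dst_port": 3389, "process": "mstsc.exe", "upload": 1000, "download": 1000},
    {"ts": NOW - timedelta(days=3), "src_ip": IP, "dst_ip": "198.51.100.7", "dst_port": 22, "process": "ssh.exe", "upload": 100000, "download": 2000},
]

# Aggregation labels from the IP View mapped onto the record fields above.
FIELDS = {"Destination IP": "dst_ip", "Destination Port": "dst_port",
          "Destination Process": "process"}
WINDOWS = {"24 Hours": timedelta(hours=24), "7 Days": timedelta(days=7)}

def aggregate(conns, ip, connection_type, primary, secondary, node_size, top_n, period, now=NOW):
    """Return [(node_key, size), ...] for the selected filters, ranked by size."""
    if secondary is not None and secondary == primary:
        raise ValueError("secondary aggregation must differ from the primary")
    since = now - WINDOWS[period]
    nodes = defaultdict(lambda: {"connections": 0, "upload": 0, "download": 0})
    for c in conns:
        if c["ts"] < since:
            continue
        # Outgoing: the investigated IP is the source; Incoming: it is the destination.
        if connection_type == "Outgoing" and c["src_ip"] != ip:
            continue
        if connection_type == "Incoming" and c["dst_ip"] != ip:
            continue
        key = (c[FIELDS[primary]],) + ((c[FIELDS[secondary]],) if secondary else ())
        n = nodes[key]
        n["connections"] += 1
        n["upload"] += c["upload"]
        n["download"] += c["download"]
    def size(n):  # Total Traffic is assumed here to be upload + download
        return {"Number of Connections": n["connections"],
                "Total Traffic": n["upload"] + n["download"],
                "Total Download": n["download"],
                "Total Upload": n["upload"]}[node_size]
    which, count = top_n.split()  # e.g. "Top 5" or "Bottom 3"
    ranked = sorted(((k, size(n)) for k, n in nodes.items()),
                    key=lambda kv: kv[1], reverse=(which == "Top"))
    return ranked[:int(count)]
```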
  4. Review the selected data.
    • Select each node to view additional information.
    • Select Recent Outgoing Connections to view the most recent connections made by this IP address.
    • Select Search all Outgoing Connections to run a Network Connections query on all the connections made by this IP address.
  5. After reviewing the available information for the IP address, take action if desired:
    Depending on the current IOC and EDL status, select one of the following:
    • Edit Rule
    • Disable Rule
    • Delete Rule
    • Add to EDL
