Investigate an IP Address

The IP Address View provides a powerful way to investigate and take action on IP addresses by reducing the number of steps it takes to collect, research, and threat hunt related incidents. Cortex XDR automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific IP address over a defined 24-hour or 7-day time frame.
To help you determine whether an IP address is malicious, the IP Address View displays an interactive visual representation of the collected activity for a specific IP address.
To investigate an IP address:
  1. Open the IP View for an IP address.
    You can open the view from any IP address in the Cortex XDR console by right-clicking and selecting Open IP View, by selecting the IP address and pressing the keyboard shortcut (Ctrl/CMD+Shift+E by default), or by searching for the IP address in the Quick Launcher.
    To change the default keyboard shortcut, navigate to Settings (gear icon) > General > Keyboard Shortcuts. The shortcut value must be a single letter, A through Z, and cannot be the same as the shortcut defined for the Quick Launcher.
  2. Review the overview for the IP address.
    The overview displays network operations, incidents, actions, and threat intelligence information relating to the IP address.
    1. Review the auto-generated summary of the number of network operations and processes related to the IP address over the past 7 days.
    2. Add an Alias or Comment to the IP address.
    3. Review the location of the IP address.
      • External—The IP address is located outside of your organization. The country flag is displayed if location information is available.
      • Internal—The IP address belongs to your organization. The XDR Agent icon is displayed if the endpoint identified by the IP address had a Cortex XDR agent installed at that point in time.
    4. Identify the IOC severity.
      The IP address value is color-coded to indicate the IOC severity:
      • Low—Blue
      • Medium—Yellow
      • High—Red
    5. Review any available threat intelligence for the IP address.
      Depending on the threat intelligence sources you integrate with Cortex XDR, you can review the following:
      • VirusTotal score and report. Requires a license key; navigate to Settings (gear icon) > Integrations > Threat Intelligence.
      • Whois identification data for the IP address.
      • IOC rule, if applicable, including the IOC Severity, Number of hits, and Source.
      • EDL entry, if the IP address was added to an EDL.
    6. Review any related incidents.
      Related Incidents lists the most recent incidents that contain the IP address among the incident Key Artifacts, ordered by the Last Updated timestamp. If the IP address belongs to an endpoint with a Cortex XDR agent installed, the incidents are displayed according to the host name rather than the IP address. To dive deeper into a specific incident, select the Incident ID. To view all the related incidents, select View All; Cortex XDR displays Recently Updated Incidents filtered to those that contain the IP address.
  3. Filter the IP address information you want to visualize.
    Select from the following criteria to refine the scope of the IP address information you want visualized. Each selection aggregates the displayed data.
    Type: The type of information you want to display.
      • Host Insights—Pivot to the Asset View of the host associated with the IP address.
      • Network Connections—Display the IP View of the network connections made with the IP address.
    Primary: The main set of values you want to display. The available values depend on the selected Connection Type.
      • All Aggregations—Summary of all the related IP address data.
      • Destination/Source Country
      • Destination/Source Port
      • Destination/Source IP
      • Destination/Source Process
      • App-ID
    Secondary: The set of values to apply as the secondary aggregation. Must differ from your Primary selection.
      • Destination Country
      • Destination/Source Port
      • Destination/Source IP
      • Destination/Source Process
      • App-ID
    Node Size: The metric that determines the size of each displayed node.
      • Number of Connections
      • Total Traffic
      • Total Download
      • Total Upload
    Showing: The number of Primary and Secondary aggregated connections to display.
      • Top 5
      • Top 3
      • Bottom 5
      • Bottom 3
    Connection Type: The direction of the connections for which to display your defined set of values.
      • Incoming
      • Outgoing
    Timeframe: The time period over which to display your defined set of values.
      • 24 Hours
      • 7 Days
    Select the enter icon to apply your selections and update the information displayed in the visualization pane. If necessary, select Refresh to retrieve data.
  4. Review the selected data.
    • Select a node to display additional information.
    • Select Recent Outgoing Connections to view the most recent connections made by this IP address, or Search all Outgoing Connections to run a Network Connections query on all the connections made by this IP address.
  5. After reviewing the available information for the IP address, take action if desired.
    Depending on the current IOC and EDL status, select Actions to:
    • Edit Rule
    • Disable Rule
    • Delete Rule
    • Add to EDL
