Investigate an IP Address

IP Address View provides a powerful way to investigate and take action on IP addresses by reducing the number of steps it takes to collect, research, and threat hunt related incidents. Cortex XDR automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific IP address over a defined 24-hour or 7-day time frame.
To help you determine whether an IP address is malicious, the IP Address View displays an interactive visual representation of the collected activity for a specific IP address.
To investigate an IP address:
  1. Open the IP View for an IP address.
    You can access the view from every IP address in the Cortex XDR console by right-clicking the IP address and selecting Open IP View, by selecting the IP address and using the default keyboard shortcut combination, or by searching for a specific IP address in the Quick Launcher.
    To change the default keyboard shortcut, navigate to Keyboard Shortcuts. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the Quick Launcher defined shortcut.
  2. Review the overview for the IP address.
    The overview displays network operations, incidents, actions, and threat intelligence information relating to a specific IP address and provides a summary of the network operations and processes related to the IP address.
    1. Review the auto-generated summary of the number of network operations and processes related to the IP address that occurred over the past 7 days.
    2. Add an
      to the IP address.
    3. Review the location of the IP address.
      • External—IP address is located outside of your organization. Displays the country flag if the location information is available.
      • Internal—IP address is from within your organization. The XDR Agent icon is displayed if the endpoint identified by the IP address had an agent installed at that point in time.
    4. Identify the IOC severity.
      The IP address value is color-coded to indicate the IOC severity.
      • Low—Blue
      • Medium—Yellow
      • High—Red
    5. Review any available threat intelligence for the IP address.
      Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any of the following threat intelligence.
      • VirusTotal score and report. Requires a license key. Navigate to Threat Intelligence
      • Whois identification data for the specific IP address.
      • IOC rule, if applicable, including the IOC Number of hits, and
      • EDL IP address if the IP address was added to an EDL.
    6. Review any related incidents.
      Related Incidents lists the last 3 incidents that contain the specific IP address as one of the incident Key Artifacts, ordered by the Last Updated timestamp. To dive deeper into a specific incident, select the Incident ID. If more than three incidents exist, select View All. Cortex XDR displays Recently Updated Incidents, filtered to the incidents that contain the IP address.
  3. Filter the IP address information you want to visualize.
    Select from the following criteria to refine the scope of the IP address information you want visualized. Each selection aggregates the displayed data.
    The type of information you want to display.
    • Host Insights—Pivot to the Asset View of the IP addresses associated with the host.
    • Network Inventory—Display additional IP addresses associated with the IP address and host.
    The main set of values you want to display. The available values depend on the selected Connection Type.
    • All Aggregations—Summary of all the related IP address data.
    • Destination/Source Country
    • Destination/Source Port
    • Destination/Source IP
    • Destination/Source Process
    • App-ID
    The set of values you want to apply as the secondary set of aggregations. Must differ from the main set of values.
    • Destination Country
    • Destination/Source Port
    • Destination/Source IP
    • Destination/Source Process
    • App-ID
    Node Size
    The metric that determines the node size for the selected values.
    • Number of Connections
    • Total Traffic
    • Total Download
    • Total Upload
    The number of aggregated values to display, for incoming or outgoing connections.
    • Top 5
    • Top 3
    • Bottom 5
    • Bottom 3
    Connection Type
    The type of connection for which to display your defined set of values.
    • Incoming
    • Outgoing
    The time period over which to display your defined set of values.
    • 24 Hours
    • 7 Days
    Select the enter icon (ip-view-cluster-enter.png) to apply your selections and update the information displayed in the visualization pane. If necessary, to retrieve data.
  4. Review the selected data.
    • Select each node to view additional information.
    • Select Recent Outgoing Connections to view the most recent connections made by this IP address, or Search all Outgoing Connections to run a Network Connections query on all the connections made by this IP address.
  5. After reviewing the available information for the IP address, take action if desired.
    Depending on the current IOC and EDL status, select one of the following:
    • Edit Rule
    • Disable Rule
    • Delete Rule
    • Add to EDL
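To make concrete what the overview summary (step 2) and the visualization filters (step 3) compute, the following added example recomputes the same views over a constructed list of connection records: the Internal/External location label, the count of network operations and processes over a window, and the primary aggregation (by port, IP, process, or country) sized by Number of Connections, Total Traffic, Total Download, or Total Upload, restricted to Incoming or Outgoing connections within 24 Hours or 7 Days, and cut to Top/Bottom N. This is illustrative code, not Cortex XDR code; the record field names, the sample records, the helper names, and the use of RFC 1918 plus loopback and link-local ranges as a stand-in for "within your organization" are all assumptions.

```python
"""Added example (not Cortex XDR code): recompute the IP Address View's summary
and aggregations from a constructed list of connection records.
Record field names and helper names are assumptions, not the product schema."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference time for the 24 Hours / 7 Days windows (constructed).
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)


def _rec(hours_ago, src_ip, dst_ip, dst_port, process, country, up, down):
    """Build one constructed record. 'up'/'down' are bytes sent/received by the
    investigated IP; 'country' is the remote side's country ('' if unknown)."""
    return {"ts": NOW - timedelta(hours=hours_ago), "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": dst_port, "process": process,
            "country": country, "up": up, "down": down}


# Constructed sample: the investigated IP is 10.0.0.5 (RFC 1918, so Internal).
CONNECTIONS = [
    _rec(1,   "10.0.0.5",  "203.0.113.10",  443, "chrome.exe",  "US", 1200, 50000),
    _rec(2,   "10.0.0.5",  "203.0.113.10",  443, "chrome.exe",  "US",  800, 30000),
    _rec(72,  "10.0.0.5",  "198.51.100.7",   22, "ssh.exe",     "DE", 4000,  2000),
    _rec(144, "10.0.0.5",  "192.0.2.44",   8080, "svchost.exe", "NL",  100,   100),
    _rec(5,   "10.0.0.9",  "10.0.0.5",      445, "System",      "",      0, 10000),
    _rec(192, "10.0.0.12", "10.0.0.5",     3389, "svchost.exe", "",    200,  3000),
]

WINDOWS = {"24 Hours": 24, "7 Days": 7 * 24}

# Node Size options mapped to the per-record metric that is summed per node.
NODE_SIZE = {
    "Number of Connections": lambda r: 1,
    "Total Traffic":         lambda r: r["up"] + r["down"],
    "Total Download":        lambda r: r["down"],
    "Total Upload":          lambda r: r["up"],
}

# Assumption: private, loopback and link-local ranges stand in for "your
# organization"; the real view uses the organization's own definition.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def locate(ip):
    """Return the Internal/External label the view shows for an address."""
    addr = ipaddress.ip_address(ip)
    return "Internal" if any(addr in net for net in INTERNAL_NETS) else "External"


def in_scope(connections, focus_ip, connection_type, window):
    """Keep records involving focus_ip in the chosen direction and time window."""
    cutoff = NOW - timedelta(hours=WINDOWS[window])
    side = "src_ip" if connection_type == "Outgoing" else "dst_ip"
    return [r for r in connections if r[side] == focus_ip and r["ts"] >= cutoff]


def aggregate(connections, focus_ip, connection_type, group_by, node_size,
              window, select="Top", n=5):
    """Return [(node, size)] for one primary aggregation: largest first for
    Top, smallest first for Bottom, truncated to n entries."""
    sizes = defaultdict(int)
    metric = NODE_SIZE[node_size]
    for r in in_scope(connections, focus_ip, connection_type, window):
        sizes[r[group_by]] += metric(r)
    ordered = sorted(sizes.items(), key=lambda kv: (kv[1], str(kv[0])),
                     reverse=(select == "Top"))
    return ordered[:n]


def summary(connections, focus_ip, window="7 Days"):
    """Counts behind the overview: network operations and distinct processes."""
    rows = (in_scope(connections, focus_ip, "Incoming", window)
            + in_scope(connections, focus_ip, "Outgoing", window))
    return {"network_operations": len(rows),
            "processes": len({r["process"] for r in rows})}


if __name__ == "__main__":
    print(locate("10.0.0.5"), summary(CONNECTIONS, "10.0.0.5"))
    print(aggregate(CONNECTIONS, "10.0.0.5", "Outgoing", "dst_ip",
                    "Total Download", "7 Days"))
```

The window check is a half-open cutoff on the record timestamp, so a connection exactly 7 days old is still counted; the record 8 days old in the sample drops out of every 7 Days view, which is the same effect as switching the view's time period.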
