IP profiles are presented as informational screens for specific workstations in a monitored network, similar in concept to MOREAL dashboards, which focus on the network as a whole. For a more technical introduction, refer to the IP Profiles technical article. For more information on the meaning of the metrics listed in IP Profiles, please consult the MOREAL Metrics documentation.
IP profiles consist of two views:
Statistics view: This page has a similar layout to MOREAL dashboards but the displayed information is specially selected to provide meaningful statistics for this level of analysis. The behavior of an entity may be observed across multiple dimensions, including the dimension of time.
Alerts table: This page presents a list of recent alerts for a given IP, allowing an analyst to jump from the bird's-eye view given by the statistics page to a more detailed view of the events related to this entity.
You may visit the profile for a specific IP either by clicking the “Most active IPs” button on the organization management page, or by clicking the “View IP Profile” button in the detailed view of a specific alert.
IP Profiles – Statistics view
The Statistics section of an IP profile
The left column in the “statistics” view contains filters you can use to change the displayed time window and optionally select a specific network device in case the given entity is connected to more than one.
IP profile filtering options
IP profile filtering options sidebar
The available filters are:
Time range: Changes the displayed time window. You may limit your analysis to the time since last login, the last 24 hours, the last week or view the whole retention period (currently last 30 days)
Devices: Optionally select a specific network device in case the given entity is connected to more than one.
IP profile header
Title: Organization Name / IP (Asset friendly name, if given).
Entity description box: The asset criticality value (if available) and the timestamp (Last seen) of the latest traffic event for this IP
Number of Alerts: The number of recent alerts (for the selected time window) including ThreatDB, Anomaly Detection and Behavioral Clustering alerts.
Communication diversity box – This information box lists (for the selected time window):
The number of countries the given IP has been observed to communicate with based on inbound & outbound traffic logs
The number of services the given IP has been observed to use based on inbound, outbound, & private traffic logs
The number of external IPs the given IP has been observed to communicate with based on inbound & outbound traffic logs
IP profile line charts
The IP profile screen contains the following two line charts:
The first line chart shows, for the given time and device context, the total number of IP connections (inbound, outbound, private) varying over time.
The second line chart shows the number of alerts varying throughout the selected time window, grouped by alert type (ThreatDB, Anomaly Detection, Behavioral Clustering). For more information on these alert types, refer to the related technical articles.
IP profile Top-N lists
Top Services, Top countries and Top ISPs sample lists
Top Services: this list contains the top 5 different services in terms of the number of connections that the given IP has been observed to use in inbound, outbound & private traffic logs.
Top Countries: this list contains the top 5 countries in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
Top ISPs: this list contains the top 5 ISPs in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
Top Cities, Top external IPs and Top Threat IDs sample lists
Top Cities: this list contains the top 5 cities in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
Top External IPs: this list contains the top 5 external IPs in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
Top Threat IDs: this list contains the top 5 unique threat IDs in terms of the number of occurrences as observed in inbound, outbound & private threat logs.
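The Communication diversity box and the Top-N lists above are aggregations over the traffic logs of one IP. The following Python is an added example (not MOREAL's code) that reproduces those counts from a constructed log sample, with the record fields (ts, direction, remote_ip, country, service) assumed, applying the direction rules stated above: countries and external IPs are counted from inbound and outbound logs only, services from inbound, outbound and private logs.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample traffic log for one profiled workstation (not real MOREAL data).
# "direction" uses the three classes named on the page: inbound, outbound, private.
NOW = datetime(2024, 5, 8, 12, 0, 0)
LOGS = [
    {"ts": NOW - timedelta(hours=1), "direction": "outbound", "remote_ip": "203.0.113.7", "country": "DE", "service": "443/tcp"},
    {"ts": NOW - timedelta(hours=2), "direction": "outbound", "remote_ip": "203.0.113.7", "country": "DE", "service": "443/tcp"},
    {"ts": NOW - timedelta(hours=3), "direction": "inbound", "remote_ip": "198.51.100.9", "country": "US", "service": "22/tcp"},
    {"ts": NOW - timedelta(hours=5), "direction": "private", "remote_ip": "10.0.0.23", "country": None, "service": "445/tcp"},
    {"ts": NOW - timedelta(days=3), "direction": "outbound", "remote_ip": "192.0.2.44", "country": "NL", "service": "53/udp"},
    {"ts": NOW - timedelta(days=12), "direction": "outbound", "remote_ip": "192.0.2.44", "country": "NL", "service": "53/udp"},
]

EXTERNAL = ("inbound", "outbound")             # countries, external IPs, ISPs, cities
ALL_DIRS = ("inbound", "outbound", "private")  # services

def in_window(logs, days, now=NOW):
    """Apply the Time range filter: keep records from the last `days` days."""
    start = now - timedelta(days=days)
    return [r for r in logs if start <= r["ts"] <= now]

def communication_diversity(logs):
    """Counts shown in the Communication diversity box for the given window."""
    ext = [r for r in logs if r["direction"] in EXTERNAL]
    return {
        "countries": len({r["country"] for r in ext}),
        "services": len({r["service"] for r in logs if r["direction"] in ALL_DIRS}),
        "external_ips": len({r["remote_ip"] for r in ext}),
    }

def top_n(logs, field, directions, n=5):
    """Top-N list: distinct values of `field` ranked by number of connections."""
    return Counter(r[field] for r in logs if r["direction"] in directions).most_common(n)

if __name__ == "__main__":
    week = in_window(LOGS, 7)          # the "last week" time range
    print(communication_diversity(week))
    print(top_n(week, "service", ALL_DIRS))
    print(top_n(week, "country", EXTERNAL))
```

Note that the private record contributes to the services count but not to countries or external IPs, which is why the two boxes can disagree in size for the same window.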
IP profiles – Alerts view
The Alerts view of an IP profile
The left column in the Alerts view contains filters you can use to limit your assessment to a sub-list of alerts with specific characteristics. The available filters are:
Alert type: View only a specific alert type (ThreatDB, Anomaly Detection, Behavioral Clustering)
Alert status: View only pending, acknowledged or resolved incidents
Alert criticality: View only critical or less critical alerts
Time range: View only alerts produced in a specific time window
Devices: Select a specific device when the monitored IP address appears on more than one
The central area displays the filtered list of alerts, which has the same layout and functionality as the list on the central Alerts management page.