
IP profiles

IP profiles are informational screens for specific workstations in a monitored network, similar in concept to MOREAL dashboards, which focus on a network as a whole. For a more technical introduction, refer to the IP Profiles technical article. For the meaning of the metrics listed in IP profiles, consult the MOREAL Metrics documentation.

IP profiles consist of two views:

  • Statistics view: This page has a similar layout to MOREAL dashboards but the displayed information is specially selected to provide meaningful statistics for this level of analysis. The behavior of an entity may be observed across multiple dimensions, including the dimension of time.
  • Alerts table: This page presents a list of recent alerts for a given IP, allowing an analyst to jump from the bird's-eye view given by the statistics page to a more detailed view of the events related to this entity.

You may visit the profile for a specific IP either by clicking the “Most active IPs” button on the organization management page, or by clicking the “View IP Profile” button in the detailed view of a specific alert.

IP Profiles – Statistics view

The Statistics section of an IP profile

The left column in the “statistics” view contains filters you can use to change the displayed time window and optionally select a specific network device in case the given entity is connected to more than one.

IP profile filtering options

IP profile filtering options sidebar

The available filters are:

  • Time range: Changes the displayed time window. You may limit your analysis to the time since last login, the last 24 hours or the last week, or view the whole retention period (currently the last 30 days).
  • Devices: Optionally select a specific network device in case the given entity is connected to more than one.

IP profile header

IP profile header

Title: Organization Name / IP (Asset friendly name, if given).

Entity description box: The asset criticality value (if available) and the timestamp (Last seen) of the latest traffic event for this IP.

Number of Alerts: The number of recent alerts (for the selected time window) including ThreatDB, Anomaly Detection and Behavioral Clustering alerts.

Communication diversity box – This information box lists (for the selected time window):

  • The number of countries the given IP has been observed to communicate with based on inbound & outbound traffic logs
  • The number of services the given IP has been observed to use based on inbound, outbound, & private traffic logs
  • The number of external IPs the given IP has been observed to communicate with based on inbound & outbound traffic logs

IP profile line charts

The IP profile screen contains the following two line charts:

  • The first line chart shows, for the given time and device context, the total number of IP connections (inbound, outbound and private) varying through time.
  • The second line chart displays the number of alerts varying throughout the selected time window, grouped by alert type (ThreatDB, Anomaly Detection, Behavioral Clustering). For more information regarding these alert types refer to the related technical articles.

IP profile Top-N lists

Top Services, Top countries and Top ISPs sample lists

  • Top Services: this list contains the top 5 different services in terms of the number of connections that the given IP has been observed to use in inbound, outbound & private traffic logs.
  • Top Countries: this list contains the top 5 countries in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
  • Top ISPs: this list contains the top 5 ISPs in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.

Top Cities, Top external IPs and Top Threat IDs sample lists

  • Top Cities: this list contains the top 5 cities in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
  • Top External IPs: this list contains the top 5 external IPs in terms of the number of connections that the given IP has been observed to communicate with based on inbound & outbound traffic logs.
  • Top Threat IDs: this list contains the top 5 unique threat IDs in terms of the number of occurrences as observed in inbound, outbound & private threat logs.
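The communication diversity counts and the Top-N lists above are all derived from the same kind of per-IP traffic records, with one detail that is easy to get wrong: geographic and peer-based metrics (countries, ISPs, cities, external IPs) are computed from inbound and outbound traffic only, while services also count private traffic. The following added example (not MOREAL's code; the flow record layout, the field names and the sample records are constructed for illustration) shows how an analyst could reproduce these numbers from their own flow export, including the retention-window filter and the "Last seen" timestamp from the profile header.

```python
"""Recompute IP-profile summary metrics from constructed per-IP flow records.

Added example, not MOREAL's implementation. The Flow record, its field names
and SAMPLE_FLOWS are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: datetime
    direction: str          # "inbound", "outbound" or "private" (assumed vocabulary)
    peer_ip: str            # the other endpoint of the connection
    service: str
    country: Optional[str]  # geolocation fields are absent for private traffic
    isp: Optional[str]
    city: Optional[str]


# Directional scope of each metric, as described in the profile documentation.
EXTERNAL = ("inbound", "outbound")              # countries, ISPs, cities, external IPs
ALL = ("inbound", "outbound", "private")        # services

T0 = datetime(2024, 1, 1, 12, 0)

# Constructed sample traffic for one monitored host (documentation ranges only).
SAMPLE_FLOWS: List[Flow] = [
    Flow(T0 + timedelta(hours=0), "outbound", "203.0.113.10", "https", "US", "ISP-A", "Boston"),
    Flow(T0 + timedelta(hours=1), "outbound", "203.0.113.10", "https", "US", "ISP-A", "Boston"),
    Flow(T0 + timedelta(hours=2), "outbound", "203.0.113.10", "dns", "US", "ISP-A", "Boston"),
    Flow(T0 + timedelta(hours=3), "inbound", "198.51.100.7", "ssh", "DE", "ISP-B", "Berlin"),
    Flow(T0 + timedelta(hours=4), "inbound", "198.51.100.7", "ssh", "DE", "ISP-B", "Berlin"),
    Flow(T0 + timedelta(hours=5), "outbound", "192.0.2.44", "http", "DE", "ISP-C", "Munich"),
    Flow(T0 + timedelta(hours=6), "private", "10.0.0.5", "smb", None, None, None),
    Flow(T0 + timedelta(hours=7), "private", "10.0.0.5", "smb", None, None, None),
    Flow(T0 + timedelta(hours=8), "private", "10.0.0.9", "ldap", None, None, None),
    # Older than the 30-day retention window: must not influence the profile.
    Flow(T0 - timedelta(days=40), "outbound", "203.0.113.99", "https", "FR", "ISP-D", "Paris"),
]


def in_window(flows: Iterable[Flow], end: datetime, days: int) -> List[Flow]:
    """Keep only flows inside the selected time window (end - days, end]."""
    start = end - timedelta(days=days)
    return [f for f in flows if start < f.ts <= end]


def communication_diversity(flows: Iterable[Flow]) -> Dict[str, int]:
    """Distinct-count metrics of the 'Communication diversity' box."""
    flows = list(flows)
    return {
        "countries": len({f.country for f in flows if f.direction in EXTERNAL and f.country}),
        "services": len({f.service for f in flows if f.direction in ALL}),
        "external_ips": len({f.peer_ip for f in flows if f.direction in EXTERNAL}),
    }


def top_n(flows: Iterable[Flow], field: str, directions: Tuple[str, ...],
          n: int = 5) -> List[Tuple[str, int]]:
    """Top-N values of `field` by connection count within the given directions.

    Ties are broken by value so the result is deterministic regardless of log order.
    """
    counts = Counter(getattr(f, field) for f in flows
                     if f.direction in directions and getattr(f, field) is not None)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_profile(flows: Iterable[Flow], end: datetime, days: int = 30) -> dict:
    """Assemble the statistics-view numbers for one IP over the selected window."""
    window = in_window(flows, end, days)
    return {
        "last_seen": max((f.ts for f in window), default=None),
        "diversity": communication_diversity(window),
        "top": {
            "services": top_n(window, "service", ALL),
            "countries": top_n(window, "country", EXTERNAL),
            "isps": top_n(window, "isp", EXTERNAL),
            "cities": top_n(window, "city", EXTERNAL),
            "external_ips": top_n(window, "peer_ip", EXTERNAL),
        },
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(build_profile(SAMPLE_FLOWS, end=T0 + timedelta(days=1)))
```

Widening the window (`days=60`) pulls the stale French flow back in and raises the country count, which is the same effect as switching the Time range filter from the last week to the full retention period in the sidebar.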

IP profiles – Alerts view

The Alerts view of an IP profile

The left column in the Alerts view contains filters you can use to limit your assessment to a sub-list of alerts with specific characteristics. The available filters are:

  • Alert type: View only a specific alert type (ThreatDB, Anomaly Detection, Behavioral Clustering)
  • Alert status: View only pending, acknowledged or resolved incidents
  • Alert criticality: View only critical or less critical alerts
  • Time range: View only alerts produced in a specific time window
  • Devices: Select a specific device when the monitored IP address appears in more than one

The central area displays the filtered list of alerts, which has the same layout and functionality as the list in the central Alerts management page.