MOREAL IP profiles are presented as informational screens focused on specific workstations in a monitored network, with concrete sets of features that characterize “behaviors” for monitored entities. They allow an analyst to drill down in order to inspect critical and ephemeral assets, making it easier to detect the root causes of network and security issues. IP profiles consist of two “views”:
- Statistics view: This page has a layout similar to the MOREAL dashboards, but the displayed information is specifically selected to provide meaningful statistics for this level of analysis. The “behavior” of an entity may be observed across multiple dimensions, including the dimension of time.
- Alerts table: This page presents a list of recent alerts for a given IP, allowing an analyst to jump from the bird's-eye view given by the statistics page to a more detailed view of the events related to this entity.
You may visit the profile for a specific IP either by clicking the “Most active IPs” button on the organization management page, or by clicking the “View IP Profile” button in the detailed view of a specific alert.
IP-profile “statistics” view
The Statistics view in an IP Profile
This picture shows the information presented in the statistics section of the IP profile for the address 192.168.1.155. The example shows how one may draw useful conclusions by inspecting traffic statistics side by side with the security alerts associated with this entity (both Anomaly Detection and Behavioral Clustering alerts can be seen here). The presented information has been carefully selected to provide a useful overview of the “behavior” of this entity in multiple dimensions, including the dimension of time.
- The left column in the “statistics” view contains filters you can use to change the displayed time window and optionally select a specific network device in case the given entity is connected to more than one.
- The central area displays line-charts, information boxes and Top-N lists similar to the ones found in dashboards.
Description of the displayed widgets
The displayed widgets from top-to-bottom and left-to-right are:
- Entity description box: The IP address along with the most recent event timestamp recorded in traffic logs. If the IP is a critical asset, the description of the IP as input by the customer is also displayed.
- Number of Alerts: The number of recent alerts (for the selected time window), including ThreatDB, Anomaly Detection and Behavioral Clustering alerts.
- Communication “diversity” box: This information box lists the number of countries this IP communicates with, the number of distinct services seen in its network connections and the number of distinct external IPs communicating with the given IP.
- Traffic line-chart: This line-chart displays the number of connections throughout the selected window.
- Alerts line-chart: This line-chart displays the number of alerts varying throughout the selected window and grouped by the alert type (ThreatDB, Anomaly Detection, Behavioral Clustering). For more information regarding these alert types refer to the related technical articles.
- Top services (traffic): This list displays the top services appearing in the network traffic of this IP along with the number of connections for each of these services.
- Top countries (traffic): This list displays the top countries with entities communicating with this IP along with the number of connections to external entities in these countries.
- Top ISPs: This list displays the top distinct networks (as expressed by a unique Autonomous System Number) communicating with this IP address along with the number of connections for each of these networks.
- Top Cities: This list displays the top cities with entities communicating with this IP along with the number of connections to external entities in these cities.
- Top external IPs: This list displays the top unique external addresses in terms of network connections along with the number of connections between the monitored IP address and each of these external entities.
- Top threat IDs: This list displays the Threat IDs that occur most often in threat logs for this IP, along with the number of occurrences in which this IP was associated with each of these threats.
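To make the widget definitions above concrete, here is an added example (not MOREAL's own code) that computes the statistics-view values for one IP from constructed connection and alert records; the record layout, the RFC 1918 definition of “internal”, and the 24-hour default window are assumptions, not MOREAL's.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: one dict per connection seen by a monitoring device,
# and one dict per alert. Field names are assumed for this example only.
T0 = datetime(2024, 1, 10, 12, 0)
FLOWS = [
    {"ts": T0 - timedelta(hours=h), "device": dev, "src": "192.168.1.155",
     "dst": dst, "service": svc, "country": cc, "asn": asn}
    for h, dev, dst, svc, cc, asn in [
        (1, "fw1", "93.184.216.34", "https", "US", 15133),
        (2, "fw1", "93.184.216.34", "https", "US", 15133),
        (3, "fw1", "192.168.1.10", "smb", "LOCAL", 0),     # internal peer
        (5, "fw2", "203.0.113.7", "dns", "DE", 64500),     # seen on a second device
        (30, "fw1", "198.51.100.9", "ssh", "FR", 64501),   # outside a 24h window
    ]
]
ALERTS = [
    {"ts": T0 - timedelta(hours=1), "ip": "192.168.1.155", "type": "ThreatDB", "threat_id": "T-1001"},
    {"ts": T0 - timedelta(hours=4), "ip": "192.168.1.155", "type": "Anomaly Detection", "threat_id": None},
    {"ts": T0 - timedelta(hours=40), "ip": "192.168.1.155", "type": "ThreatDB", "threat_id": "T-1001"},
]
# Assumption: "external" means outside the RFC 1918 ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def ip_profile(ip, flows, alerts, end=T0, window_hours=24, device=None, top_n=3):
    """Return the values shown by the statistics-view widgets for `ip`."""
    start = end - timedelta(hours=window_hours)
    in_window = lambda rec: start <= rec["ts"] <= end
    peer = lambda f: f["dst"] if f["src"] == ip else f["src"]
    # Time-window and optional device filter (the left-column filters).
    mine = [f for f in flows if in_window(f) and ip in (f["src"], f["dst"])
            and (device is None or f["device"] == device)]
    ext = [f for f in mine if is_external(peer(f))]       # only external peers count for geo/ASN
    my_alerts = [a for a in alerts if in_window(a) and a["ip"] == ip]  # alerts carry no device field here
    return {
        "connections": len(mine),
        "alerts_by_type": dict(Counter(a["type"] for a in my_alerts)),
        "diversity": {"countries": len({f["country"] for f in ext}),
                      "services": len({f["service"] for f in mine}),
                      "external_ips": len({peer(f) for f in ext})},
        "top_services": Counter(f["service"] for f in mine).most_common(top_n),
        "top_countries": Counter(f["country"] for f in ext).most_common(top_n),
        "top_asns": Counter(f["asn"] for f in ext).most_common(top_n),
        "top_external_ips": Counter(peer(f) for f in ext).most_common(top_n),
        "top_threat_ids": Counter(a["threat_id"] for a in my_alerts if a["threat_id"]).most_common(top_n),
    }
```

Calling `ip_profile("192.168.1.155", FLOWS, ALERTS)` yields four connections, two of them to the same external host, and two in-window alerts of different types; passing `device="fw2"` narrows the traffic to the single connection seen on that device.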
IP-profile alerts view
The Alerts view in an IP Profile
The left column in the “alerts” view contains filters you can use to limit your assessment to a sub-list of alerts with specific characteristics. The available filters are:
- Alert type: View only a specific alert type (ThreatDB, Anomaly Detection, Behavioral Clustering).
- Alert status: View only pending, acknowledged or resolved incidents.
- Alert criticality: View only critical or less critical alerts.
- Time range: View only alerts produced in a specific time window.
- Devices: Select a specific device when the monitored IP address appears on more than one.
The central area displays the filtered list of alerts, which has the same layout and functionality as the list on the central Alerts management page.
For more information regarding the meaning of the metrics listed in IP profiles, please consult the “MOREAL Metrics” documentation.