Investigate an IP Address - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Cortex XDR aggregates and enables you to view a summary of all information and threat intelligence regarding specific IP addresses.

The IP Address View provides a powerful way to investigate and take action on IP addresses by reducing the number of steps it takes to collect, research, and threat hunt related incidents. Cortex XDR automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific IP address over a defined 24-hour or 7-day time frame.

To help you determine whether an IP address is malicious, the IP Address View displays an interactive visual representation of the collected activity for a specific IP address.

To investigate an IP address:

  1. Open the IP View for an IP address.

    You can access the view from an IP address in Cortex XDR console, where available, by either right-clicking Open IP View, selecting the IP address, or using the default keyboard shortcut Ctrl/CMD+Shift+E combination, or searching for a specific IP address in the Quick Launcher.

    To change the default keyboard shortcut, select SettingsConfigurationsGeneral Server SettingsKeyboard Shortcuts. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the Quick Launcher defined shortcut.

  2. Review the overview for the IP address.

    The overview displays network operations, incidents, actions, and threat intelligence information relating to a specific IP address and provides a summary of the network operations and processes related to the IP address.

    1. Review the auto-generated summary of the number of network operations and processes related to the IP that occurred over the past 7 days.

    2. Add an Alias or Comment to the IP address.

    3. Review the location of the IP address. By default, Cortex XDR displays information on whether the IP address is an internal or external IP address.

      • ExternalConnection Type: Incoming displaying IP address is located outside of your organization. Displays the country flag if the location information is available.

      • InternalConnection Type: Outgoing displaying IP address is from within your organization. The XDR Agent icon is displayed if the corresponding endpoint identified by the IP address has an agent is installed at that point in time.

    4. Identify the IOC severity.

      The color of the IP address value is color-coded to indicate the IOC severity.

      • Low—Blue

      • Medium—Yellow

      • High—Red

      • Critical—Red

    5. Review any available threat intelligence for the IP address.

      Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any of the following threat intelligence.

      • Virus Total score and report

        Note

        Requires a license key. Select SettingsConfigurationsIntegrations Threat Intelligence.

      • Whois identification data for the specific IP address.

      • IOC Rule, if applicable, includes the IOC Severity, Number of hits, and Source.

      • EDL IP address if the IP address was added to an EDL.

    6. Review any related incidents:

      Related Incidents lists the most recent incidents that contain the specific IP address as part of the incident Key Artifacts according to the Last Updated timestamp. If the IP address belongs to an endpoint with a Cortex XDR agent installed, the incidents are displayed according to the host name rather than the IP address. To dive deeper into specific incidents, select the Incident ID. To view all the related incidents, select View All. Cortex XDR displays Recently Updated Incidents which filters incidents for those that contain the IP address.

  3. Filter the IP address information you want to visualize.

    Select from the following criteria to refine the scope of the IP address information you want visualized. Each selection aggregates the displayed data.

    Filter

    Description

    Type

    The type of information you want to display.

    • Host Insights—Pivot to the Asset View of the host associated with the IP address.

    • Network Connections—Display the IP View of the network connections made with the IP address.

    Primary

    The main set of values you want to display. The values depend on the selected Connection Type.

    • All Aggregations—Summary of all the related IP address data.

    • Destination/Source Country

    • Destination/Source Port

    • Destination/Source IP

    • Destination/Source Process

    • App-ID

    Secondary

    The set of values you want to apply as the secondary set of aggregations. Must differ from your Primary selection:

    • Destination Country

    • Destination/Source Port

    • Destination/Source IP

    • Destination/Source Process

    • App-ID

    Node Size

    The node size displays the type of values.

    • Number of Connections

    • Total Traffic

    • Total Download

    • Total Upload

    Showing

    The number of the Primary and Secondary aggregated connections.

    • Top 5

    • Top 3

    • Bottom 5

    • Bottom 3

    Connection Type

    Type of connection you want to display your defined set of values.

    • Incoming

    • Outgoing

    Timeframe

    Time period over which to display your defined set of values.

    • 24 Hours

    • 7 Days

    Select ip-view-cluster-enter.png to apply your selections and update the information displayed in the visualization pane. If necessary, Refresh to retrieve data.

  4. Review the selected data.

    • Select each node for additional information.

    • Select Recent Outgoing Connections to view the most recent connections made by this IP address. Search all Outgoing Connections to run a Network Connections query on all the connections made by this IP address.

  5. After reviewing the available information for the IP address, take action if desired:

    Depending on the current IOC and EDL status, select Actions to:

    • Edit Rule

    • Disable Rule

    • Delete Rule

    • Add to EDL