Filtering data in IP Address view

IP Address view enables you to investigate whether or not specific IP addresses are present within your enterprise and what impact they might have had on your assets.

Chronicle enables you to investigate specific IP addresses to determine whether any are present within your enterprise and what impact these outside systems might have had on your assets. IP Address view is derived from the same security information and data that you forward to Chronicle from your enterprise, the same data you can also examine using Asset view.

From Asset view, you begin your investigation from within your enterprise and look outward. From IP Address view, you begin your investigation from outside your enterprise and look in.

To access IP Address view in Chronicle, complete the following steps:

  1. Enter the IP address you need to investigate in the search bar at the top of the Chronicle user interface. Click SEARCH.

    Figure: Search for an IP address from the landing page

  2. Select the IP address from the DESTINATIONS IPS drop-down menu.

    Figure: Chronicle search autodetect menu

  3. IP Address view is displayed.

    Figure: IP Address view

  4. Click the filtering icon in the top right corner of the Chronicle user interface. The Procedural Filtering menu opens as shown in the following figure. Procedural Filtering enables you to further filter the information pertaining to an asset, including by event type, log source, network connection status, and Top Level Domain (TLD).

    Figure: Filtering menu

    The following Procedural Filtering options are available in IP Address view:

    • EVENT TYPE
    • LOG SOURCE
    • NETWORK CONNECTION STATUS
    • TLD

    Figure: IP Address view filter options
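The same outside-in pivot performed over a constructed event set rather than in the Chronicle UI, as an added Python example that is not part of this documentation: it keeps the events whose target is the IP under investigation, applies any of the four procedural filters, and tallies each filter's values as the menu would list them. The record field names, log source labels and sample IPs are assumptions, not Chronicle's UDM schema or real data.

```python
from collections import Counter

# Constructed sample events (not Chronicle data); field names are assumptions
# loosely modelled on UDM-style records, IPs are from documentation ranges.
EVENTS = [
    {"event_type": "NETWORK_CONNECTION", "log_source": "PAN_FIREWALL", "principal_asset": "host-a",
     "target_ip": "203.0.113.10", "target_hostname": "cdn.example.com", "connection_status": "ALLOWED"},
    {"event_type": "NETWORK_CONNECTION", "log_source": "PAN_FIREWALL", "principal_asset": "host-b",
     "target_ip": "203.0.113.10", "target_hostname": "cdn.example.com", "connection_status": "BLOCKED"},
    {"event_type": "NETWORK_DNS", "log_source": "WINDOWS_DNS", "principal_asset": "host-a",
     "target_ip": "203.0.113.10", "target_hostname": "cdn.example.net", "connection_status": None},
    {"event_type": "NETWORK_HTTP", "log_source": "PROXY", "principal_asset": "host-c",
     "target_ip": "203.0.113.10", "target_hostname": None, "connection_status": "ALLOWED"},
    {"event_type": "NETWORK_CONNECTION", "log_source": "PAN_FIREWALL", "principal_asset": "host-a",
     "target_ip": "198.51.100.7", "target_hostname": "other.example.org", "connection_status": "ALLOWED"},
]

FACETS = ("event_type", "log_source", "connection_status", "tld")

def tld_of(hostname):
    # Last label of the hostname; None for direct-to-IP events (no hostname) or a bare label.
    if not hostname:
        return None
    labels = hostname.strip(".").lower().split(".")
    return labels[-1] if len(labels) > 1 else None

def facets_of(event):
    # The four procedural-filter values of one event; TLD is derived, not stored.
    f = {k: event.get(k) for k in FACETS[:3]}
    f["tld"] = tld_of(event.get("target_hostname"))
    return f

def events_for_ip(events, ip, **filters):
    # Outside-in pivot: events targeting `ip`, narrowed by any of the four
    # filters, e.g. events_for_ip(EVENTS, "203.0.113.10", tld="com").
    return [e for e in events if e.get("target_ip") == ip
            and all(facets_of(e)[k] == v for k, v in filters.items())]

def facet_counts(events):
    # Value counts per filter as the menu would list them; missing values go under "(none)".
    counts = {k: Counter() for k in FACETS}
    for e in events:
        for k, v in facets_of(e).items():
            counts[k][v or "(none)"] += 1
    return counts

def impacted_assets(events):
    # Internal assets that touched the IP: the view's "impact on assets" question.
    return sorted({e["principal_asset"] for e in events})
```

Events with no hostname (a direct-to-IP connection) and no connection status are counted under "(none)" rather than dropped, so the totals per facet always match the number of events in the result set.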