Filtering data in IP Address view
Chronicle enables you to investigate specific IP addresses to determine whether any are present within your enterprise and what impact these outside systems might have had on your assets. IP Address view is derived from the same security information and data that you have forwarded to Chronicle from your enterprise, and which you can also examine using Asset view.
From Asset view, you begin your investigation from within your enterprise and look outward. From IP Address view, you begin your investigation from outside your enterprise and look in.
To access IP Address view in Chronicle, complete the following steps:
Enter the IP address you need to investigate in the search bar at the top of the Chronicle user interface. Click SEARCH.
Search for an IP Address from the landing page
Select the IP address from the DESTINATIONS IPS drop-down menu.
Chronicle search autodetect menu
IP Address view is displayed.
IP Address view
Click the icon in the top right corner of the Chronicle user interface. The Procedural Filtering menu opens as shown in the following figure. Procedural Filtering enables you to further filter information pertaining to an asset, including by event type, log source, network connection status, and Top Level Domain (TLD).
The following Procedural Filtering options are available in IP Address view:
- EVENT TYPE
- LOG SOURCE
- NETWORK CONNECTION STATUS