Investigating an IP address

Chronicle enables you to investigate specific IP addresses to determine whether any are present within your enterprise and what impact these outside systems might have had on your assets. The Chronicle IP Address view is derived from the same security information and data forwarded from your enterprise that you can examine using Asset view. Make sure you are ingesting and normalizing data from devices on your network, such as EDR, firewall, web proxy, etc.

From Asset view, you begin your investigation from within your enterprise and look outward. From IP Address view, you begin your investigation from outside your enterprise and look in.

To access IP Address view in Chronicle, complete the following steps:

  1. Enter the IP address you need to investigate in the search bar at the top of the Chronicle user interface.
  2. Click SEARCH. You are taken to IP Address view.

IP Address context

Figure: IP Address view

1 Assets

Displays the unique assets within your enterprise that have connected to a particular IP address, including a summary of the first time and the last time each asset connected to it.

2 Prevalence

Chronicle provides a graphical representation of the historical prevalence of a given IP address. This graph can be used to determine whether the IP address has been accessed from within the enterprise before, and can provide an indication of whether the IP address is associated with a particular campaign targeting the enterprise.

Typically, less prevalent IP addresses, ones that fewer assets have connected to, might represent a greater threat to your enterprise. Unlike the Prevalence graph in Asset view, the graph in this figure shows high prevalence access at the top of the graph and low prevalence access at the bottom.
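To make the Assets and Prevalence panels concrete, the following added example (not Chronicle's own code) computes the same two summaries from normalized connection events: per-asset first/last seen for one IP, and the distinct-asset count per IP, with the rarest IPs surfaced as triage candidates. The event list and asset names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of normalized network events (asset, destination IP, timestamp).
# In Chronicle these would come from EDR, firewall or proxy logs; here they are made up.
EVENTS = [
    ("host-a", "203.0.113.10", "2024-03-01T08:00:00"),
    ("host-b", "203.0.113.10", "2024-03-01T09:15:00"),
    ("host-c", "203.0.113.10", "2024-03-02T11:30:00"),
    ("host-a", "203.0.113.10", "2024-03-03T07:45:00"),
    ("host-d", "198.51.100.7", "2024-03-02T23:05:00"),
    ("host-d", "198.51.100.7", "2024-03-03T01:10:00"),
]


def summarize_ip(events, ip):
    """Per-asset (first_seen, last_seen) for one IP, like the Assets panel."""
    seen = {}
    for asset, dst, ts in events:
        if dst != ip:
            continue
        t = datetime.fromisoformat(ts)
        first, last = seen.get(asset, (t, t))
        seen[asset] = (min(first, t), max(last, t))
    return seen


def prevalence(events):
    """Map each destination IP to the number of distinct assets that contacted it."""
    assets = defaultdict(set)
    for asset, dst, _ in events:
        assets[dst].add(asset)
    return {ip: len(a) for ip, a in assets.items()}


def low_prevalence_ips(events, threshold):
    """IPs contacted by fewer than `threshold` assets, rarest first: triage candidates."""
    prev = prevalence(events)
    rare = [ip for ip, n in prev.items() if n < threshold]
    return sorted(rare, key=lambda ip: (prev[ip], ip))
```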

3 IP Address insights

IP address insights provide you with more context about the IP address under investigation. You can use them to determine whether an IP address is benign or malicious. They also let you investigate an indicator further to determine whether there is a broader compromise.

  • VirusTotal Insights: Summary of contextual information from VirusTotal

  • ET Intelligence Rep List: Checks against Proofpoint's Emerging Threats (ET) Intelligence Rep List, which lists known threats tied to specific IP addresses and domains.

  • ESET Threat Intelligence: Checks against ESET's threat intelligence service.