Google Security Operations enables you to investigate specific IP addresses to determineif any are present within your enterprise and what impact these outside systemsmight have had on your assets. The Google Security Operations IP address view is derivedfrom the same security information and data forwarded from your enterprise andcan examine using Asset view. Make sure you are ingesting and normalizing datafrom devices on your network, such as EDR, firewall, web proxy, etc.
From Asset view, you begin your investigation from within your enterprise andlook outward. From IP address view, you begin your investigation from outsideyour enterprise and look in.
To access IP address view in Google Security Operations, complete the following steps:
- On the Google Security Operations landing page, enter the IP address in the search bar. Click Search.
- Click the IP address in the results to open IP address view.
IP Address context
IP Address view
1 Prevalence
Google Security Operations provides a graphical representation of the historicalprevalence of a given IP address. This graph can be used to determine whetherthe IP address has been accessed from within the enterprise before, and canprovide an indication of whether the IP address is associated with a particularcampaign targeting the enterprise.
Typically, less prevalent IP addresses, ones that fewer assets have connectedto, might represent a greater threat to your enterprise. Unlike the Prevalencegraph in Asset view, the graph this figure shows a high prevalence access at thetop of the graph, and low prevalence access at the bottom.
When you hold the pointer over a bar in the Prevalence graph, the graphlists the assets that accessed the IP address. Due to the high prevalence of DNSservers, they aren't listed. If all of the assets are DNS servers, no assets arelisted.
2 Slider for Prevalence graph
Adjust the slider to focus on events tied to a specific range of dates as shownin the Prevalence graph.
3 IP Address insights
IP address insights provide you with more context about the IP address underinvestigation. You can use them to determine whether an IP address is benign ormalicious. They also provide you with the ability to further investigate anindicator to determine if there is a broader compromise.
ET Intelligence Rep List: Checks against ProofPoint's Emerging Threats (ET)Intelligence Rep List. Lists known threats tied to specific IP addresses anddomains.
ESET ThreatIntelligence:Checks against ESET's threat intelligence service.
4 VT Context
Click VT Context to view the VirusTotal information available for this IPaddress.
Considerations
IP address view has the following limitations:
- You can only filter events that are displayed in this view.
- Only DNS, EDR, Webproxy event types are populated in this view. The firstseen and last seen information populated in this view is also limitedto these event types.
- Generic events don't appear in any of the curated views. They appear only inraw log and UDM searches.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-24 UTC.
[{ "type": "thumb-down", "id": "hardToUnderstand", "label":"Hard to understand" },{ "type": "thumb-down", "id": "incorrectInformationOrSampleCode", "label":"Incorrect information or sample code" },{ "type": "thumb-down", "id": "missingTheInformationSamplesINeed", "label":"Missing the information/samples I need" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]
