Skip to main content

How can we help you?

Search

IP Geolocation Information and Threat Score

Not yet followed by anyone
Updated: Michael Garrett Edited:

Our IP address Geolocation information includes a series of fields that help indicate the history for that address or a group of addresses. 

When looking at an alert in the Realtime Alerts for example, clicking on the IP address will bring up additional information:

mceclip0.png

 

The Threat Score is based on historical data where attacks or malicious events have previously originated from this address.

The Trust Score is also based on periods of time where nothing malicious originated from this address.

Occasionally a "datacenter" field may be present and show as a threat.  In this case, a low trust rating may be present and is related to neighboring IPs on the same network that may have been reported as VPN or proxy or in a blocklist. 

 
For context, the scores are meant to be an extension/extrapolation of our threat intelligence. So you might see an IP with no threat flags (which are based on static blocklists) but a low trust score based on observations of the network/surrounding IPs as generated by our model.
 
Please bear in mind that just because an IP address shows up red or yellow does not mean that the alert it is associated with has elevated severity. As previously mentioned this data is gathered over time and based on historical instances from that IP. The threat score is a reference that an alert may be worth an extra look due to the history from that IP.
 
IP Geolocation is about 60 - 80% accurate and can vary widely between geolocation providers. The more granular (down to states and cities) a whitelist entry, the more the accuracy will decrease. This variance is why we suggest whitelisting mainly by country as this has the highest accuracy possibility for geolocation data.
The highest accuracy that can be achieved is using IP addresses or IP ranges.
 

Additional Note: IP color is black with no details:


TOR Browser - IP Anonymization: When you use a TOR browser, your IP address (the one assigned to you by your internet service provider) is masked. Websites you visit through TOR will see the IP address of a TOR exit node, not your actual IP address. This helps in preserving your anonymity online.
Due to this when a TOR Browser is used, on the event level we are not provided with any IP data points except for the exit node IP address. Without this data there is no indicator for us to apply any color coding. This is working as expected given our logic for highlighting IP Addresses.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.