Our IP address Geolocation information includes a series of fields that help indicate the history of an address or a group of addresses.
When looking at an alert in Realtime Alerts, for example, clicking on the IP address will bring up additional information:
The Threat Score is based on historical data where attacks or malicious events have previously originated from this address.
The Trust Score is also based on periods of time where nothing malicious originated from this address.
Occasionally a "datacenter" field may be present and show as a threat. In this case, a low trust rating may also be present; it relates to neighboring IPs on the same network that may have been reported as a VPN or proxy, or that may appear in a blocklist.
For context, the scores are meant to be an extension/extrapolation of our threat intelligence. So you might see an IP with no threat flags (which are based on static blocklists) but a low trust score based on observations of the network/surrounding IPs as generated by our model.