Our IP address Geolocation information includes a series of fields that help indicate the history for that address or a group of addresses.
When looking at an alert in the Realtime Alerts for example, clicking on the IP address will bring up additional information:
The Threat Score is based on historical data where attacks or malicious events have previously originated from this address.
The Trust Score is based on periods of time during which nothing malicious originated from this address.
Occasionally a "datacenter" field may be present and show as a threat. In this case, a low trust rating may also be present; it relates to neighboring IPs on the same network that may have been reported as VPN or proxy endpoints or appear in a blocklist.
For context, the scores are meant to be an extension/extrapolation of our threat intelligence. So you might see an IP with no threat flags (which are based on static blocklists) but a low trust score based on observations of the network/surrounding IPs as generated by our model.
Please bear in mind that an IP address showing up red or yellow does not mean the alert it is associated with has elevated severity. As mentioned above, this data is gathered over time and based on historical instances from that IP. The threat score is a hint that an alert may be worth an extra look because of the history of that IP.
IP Geolocation is about 60 to 80% accurate and can vary widely between geolocation providers. The more granular a whitelist entry is (down to states and cities), the lower its accuracy becomes. This variance is why we suggest whitelisting mainly by country, as country is the level at which geolocation data is most accurate.
The highest accuracy that can be achieved is using IP addresses or IP ranges.
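To make the two points above concrete, here is an added example (not code from this product or article) that evaluates a whitelist with exact IP/CIDR entries taking precedence over geolocation-based country entries, and that treats the threat and trust scores as a "worth a second look" flag without changing the alert's own severity. The sample IPs, scores and the 70/30 thresholds are constructed for illustration; the score ranges and field names are assumptions, not the product's actual schema.

```python
import ipaddress

# Constructed sample whitelist. CIDR/IP entries match exactly; country entries
# depend on geolocation, which the article puts at roughly 60-80% accuracy.
ALLOW_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.7/32")]
ALLOW_COUNTRIES = {"US", "DE"}

# Constructed sample geolocation/score data (RFC 5737 documentation addresses).
# The 0-100 score ranges and the "datacenter" flag are assumptions for this example.
SAMPLE_GEO = {
    "203.0.113.45": {"country": "US", "threat_score": 0,  "trust_score": 95, "datacenter": False},
    "198.51.100.7": {"country": "FR", "threat_score": 10, "trust_score": 60, "datacenter": False},
    "192.0.2.99":   {"country": "DE", "threat_score": 85, "trust_score": 5,  "datacenter": True},
    "192.0.2.200":  {"country": "BR", "threat_score": 0,  "trust_score": 20, "datacenter": True},
}


def allowlist_match(ip: str, geo: dict) -> tuple:
    """Return (matched, basis, confidence).

    Exact address/range entries are checked first because they do not depend on
    geolocation; a country entry only applies when no exact entry matched, and its
    confidence is reported as "geolocation" to remind the reviewer it is probabilistic.
    """
    addr = ipaddress.ip_address(ip)
    for net in ALLOW_CIDRS:
        if addr in net:
            return True, f"cidr:{net}", "exact"
    country = geo.get("country")
    if country in ALLOW_COUNTRIES:
        return True, f"country:{country}", "geolocation"
    return False, "", "none"


def triage(ip: str, severity: str, geo: dict,
           threat_threshold: int = 70, trust_threshold: int = 30) -> dict:
    """Attach a review flag based on the IP's history without altering severity.

    The thresholds are hypothetical; the point is that the scores only add a
    'look closer' reason and never raise or lower the alert's own severity.
    """
    reasons = []
    if geo.get("threat_score", 0) >= threat_threshold:
        reasons.append(f"threat_score>={threat_threshold}")
    if geo.get("trust_score", 100) <= trust_threshold:
        reasons.append(f"trust_score<={trust_threshold}")
    if geo.get("datacenter"):
        # Low trust on a datacenter address often reflects neighbours on the same
        # network rather than this host itself, so record it as context.
        reasons.append("datacenter")
    return {"ip": ip, "severity": severity, "review": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for ip, geo in SAMPLE_GEO.items():
        matched, basis, confidence = allowlist_match(ip, geo)
        print(ip, "allowlisted" if matched else "not allowlisted", basis, confidence)
        print("   ", triage(ip, "low", geo))
```

Note that 198.51.100.7 is allowlisted by its exact /32 entry even though its geolocated country (FR) is not in the country list, while 192.0.2.99 is allowlisted only on the weaker geolocation basis and still gets flagged for review because of its high threat score and low trust score.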