IP Addresses

When InsightIDR attributes data to an account and an asset, it also captures the asset's IP address. Therefore, there are several IP Address settings you should configure in order to more accurately attribute data to your users and assets.

Static IP Addresses

Static IP ranges cover assets that do not receive IP addresses through DHCP. Most commonly, these are servers and any other assets that have a statically assigned IP.

To add a static IP range:

  1. Click the Add IP Range button.
  2. Enter the name for the range in the "Zone Name" field.
  3. Enter the range in the "IP Range" field. The format is xxx.xxx.xxx.xxx/xx, where the values before the slash (/) describe the IPv4 network and the value after the slash is the CIDR prefix length, which determines the size of the subnet and the number of usable host addresses.
    • For example, the range 192.168.1.0/24 defines a single subnet with a usable host address range of 192.168.1.1 to 192.168.1.254.
  4. Click the checkmark icon.

Edit a Static IP Range

To edit a static IP range:

  1. Click on the pencil icon to the right of the range that you want to edit.
  2. Make the required edits.
  3. Click the checkmark icon to save.

Unmanaged IP Ranges

You should tell InsightIDR which IP ranges outside of your corporate network you do not manage. That way, InsightIDR will ignore those ranges.

To add an unmanaged IP range:

  1. Click the Add IP Range button.
  2. Enter the name for the range in the "Zone Name" field.
  3. Enter the range in the "IP Range" field. The format is xxx.xxx.xxx.xxx/xx, where the values before the slash (/) describe the IPv4 network and the value after the slash is the CIDR prefix length, which determines the size of the subnet and the number of usable host addresses.
    • For example, the range 192.168.1.0/24 defines a single subnet with a usable host address range of 192.168.1.1 to 192.168.1.254.
  4. Click the checkmark icon.

Unknown IP Addresses

Knowing the unknown is a constant challenge for security practitioners, especially when it comes to knowing the various devices on the corporate network. InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments, but sometimes logs come in from other event sources with IPs that have never been seen by your DHCP or VPN event sources.

InsightIDR, therefore, reports unknown IP addresses originating from other event sources. This helps you see if you are missing a DHCP or VPN event source in your environment that needs to be hooked up to a Collector.

Some of these addresses might be related to DHCP servers or VPN servers that you haven't configured yet, and others might belong to static or unmanaged IP ranges.

To manage your unknown IP addresses:

  1. Select Settings on the left-hand menu from the InsightIDR homepage.
  2. Select Unknown IP Addresses from the menu.
  3. Any unknown IP ranges will appear in the bubbles. Select a bubble and the list of IPs will populate below.
  4. Select a range bubble and select a resolution option. Bubbles will be larger if InsightIDR detects more IP addresses within that range.
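
The following added example (not Rapid7 code and not part of the original page) shows the same triage offline: it validates zone entries in CIDR form, then groups source IPs that match no static range, unmanaged range, or DHCP/VPN lease into ranges ordered by address count. The zone names, sample addresses, the order of the checks, and the /24 grouping are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data for illustration (not from a real deployment).
STATIC_ZONES = {"Servers": "192.168.1.0/24"}
UNMANAGED_ZONES = {"Guest Wi-Fi": "10.99.0.0/16"}
LEASED = {"172.16.5.10", "172.16.5.11"}  # IPs seen by DHCP/VPN event sources
OBSERVED = ["192.168.1.20", "10.99.3.4", "172.16.5.10",
            "172.16.8.7", "172.16.8.9", "172.16.8.200", "172.20.1.1"]


def parse_zones(zones):
    """Parse zone CIDRs; strict=True rejects host bits (e.g. 192.168.1.5/24)."""
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in zones.items()}


def usable_hosts(cidr):
    """First and last usable host of an IPv4 network (prefix /30 or shorter)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def classify(ip, static, unmanaged, leased):
    """Label one IP as static, unmanaged, leased, or unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in static.values()):
        return "static"
    if any(addr in net for net in unmanaged.values()):
        return "unmanaged"
    return "leased" if ip in leased else "unknown"


def unknown_ranges(observed, static, unmanaged, leased, prefix=24):
    """Group unknown IPs into /prefix ranges, most populated range first."""
    counts = Counter()
    for ip in set(observed):
        if classify(ip, static, unmanaged, leased) == "unknown":
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts.most_common()


if __name__ == "__main__":
    static, unmanaged = parse_zones(STATIC_ZONES), parse_zones(UNMANAGED_ZONES)
    for rng, n in unknown_ranges(OBSERVED, static, unmanaged, LEASED):
        print(f"{rng}: {n} unknown address(es)")
```

A range that keeps a high count after static and unmanaged zones are defined is a candidate for a missing DHCP or VPN event source.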

Public IP Ranges

Rapid7 recommends leaving this setting blank, unless your network overrides a public IP address.

If you have any publicly addressable IP addresses for your internal network, you need to specify these in InsightIDR. To specify your public IP addresses:

  1. Select Settings on the left-hand menu from the InsightIDR homepage.
  2. Select Public IP Ranges from the menu.
  3. Enter one or more IP address ranges on separate lines.
  4. Click Save All Local IP Ranges to save.