IP Addresses
InsightIDR can accurately attribute many types of activity to assets and users. To do so, InsightIDR needs to understand the relationship between the IP addresses on your network and the assets using those IP addresses.
InsightIDR gathers this information by using DHCP and VPN event sources, as well as the Insight Agent. You can manually classify IP addresses in Settings to attribute data to your users and assets with more precision. You will find options for:
- Unknown IP Addresses
- Static IP Addresses
- Unmanaged IP ranges
- Public IP Ranges (this setting is rarely used)
This documentation defines each option and explains when to use it, how it works in detail, and how to specify it in Settings.
Unknown IP Addresses
Unknown IP addresses are IPs that InsightIDR has observed in logs (like Firewall, DNS or Web Proxy logs), but cannot tell which asset is using that IP address. These IPs are displayed in Settings so you can have visibility and take action.
How many IP ranges should be listed under Unknown IP Addresses Settings?
Ideally, you should be able to get the unknown IPs down to zero by:
- Setting DHCP and VPN event sources,
- Installing the Insight Agent on the assets,
- Using the Insight Network Sensor to observe DHCP activity, or
- Marking IP ranges as unmanaged or static.
How unknown IP addresses work
Knowing the unknown is a constant challenge for security practitioners, especially when it comes to knowing the various devices on the corporate network.
InsightIDR tracks all IP addresses it receives from DHCP and VPN assignments. However, sometimes logs come in from other event sources, and those logs come with IPs that have never been seen by your DHCP or VPN event sources.
For most IPs, DHCP will allow InsightIDR to match the IP with a hostname. IP address ranges that are not part of the DHCP scope can be listed in the Static IP Ranges section, so that a reverse DNS lookup will be done to map the IP address to a hostname.
In addition, sometimes the IP addresses are assigned to users when they establish a connection to a VPN server. Adding a VPN event source to capture the logs will allow InsightIDR to associate the activity performed by the IP address with the user on the VPN connection.
Therefore, InsightIDR reports unknown IP addresses originating from other event sources. This helps you see if you are missing a DHCP or VPN event source in your environment that needs to be hooked up to a Collector.
Some may belong to DHCP or VPN servers that you haven't configured yet; others may be static or unmanaged IP ranges.
Tip: Use the Unknown IP Addresses settings to identify rogue wireless routers
Unknown IP Addresses is also a good place to find rogue wireless routers, as they will be using an IP address range outside of the normal, corporate IP ranges.
When to take action from unknown IP settings
InsightIDR uses this setting to list any IP ranges in your network that are unknown. This means that InsightIDR could not determine a hostname to map those IPs back to. You can use this setting to review those ranges and take proper action.
There are different actions that you can take based on the information provided in this section of Settings:
- Mark IP ranges as static
- Mark IP ranges as unmanaged
- Add additional DHCP or VPN Event Sources to cover those areas of your network
- Check the configuration of your existing DHCP event sources
- Check the configuration of your existing VPN event sources
To manage your unknown IP addresses:
- Navigate to Settings > Unknown IP Ranges.
- Any unknown IP ranges will appear in the table. Go through the ranges displayed and decide which action is most suitable:
If you see IP ranges that your organization manages and that are expected to be seen in your network, set up DHCP or VPN event sources to capture them. You can configure event sources from Data Collection by clicking the Setup Event Source dropdown menu and selecting Add Event Source.
If you see IP ranges that your organization manages and that are expected to be seen in your network, but you have already set up DHCP or VPN event sources for them, check the configuration from Data Collection > Event Sources.
If you see host servers or any other assets that have a statically assigned IP managed by your organization and that are expected to be seen in your network, click the Add to Static IP Ranges option.
If you see IP ranges that your organization does not manage and is not responsible for, but that are expected in your network (like a client using your Guest network), click the Add to Unmanaged IP Ranges option.
Static IP Addresses
Static IP addresses are assigned to assets that do not receive IP addresses through DHCP event sources. You should add these assets to your static IP ranges in Settings to ensure InsightIDR can correctly attribute activity to the proper asset. These assets are typically host servers that have a statically assigned IP address, but can be any statically assigned asset.
You can specify a maximum of 65,535 static IP addresses in InsightIDR.
How static IP addresses work
InsightIDR aims to map all activity back to a particular user or asset. So whenever an IP address is present in a log instead of a hostname, InsightIDR will try to correlate this IP back to the host or asset it belongs to.
To make this correlation, DHCP logs are fed into InsightIDR, which can then identify which IP address has been given to each asset.
When InsightIDR sees an IP address but cannot map it back to a host, it will not track information for that IP (that activity observed with this IP address will not be attributed to the proper asset and user).
This is why you should specify the IP ranges in Settings for the assets that have static IPs. With this, InsightIDR instructs every collector you've deployed to perform a reverse DNS query for every observed IP address in the range, and tries to determine the hostname/asset associated with it. With every successful reverse DNS response, InsightIDR attributes the IP address to the corresponding asset.
This means that:
- IP ranges set as static will not be marked as unattributed IP ranges.
- Any IPs in these ranges that InsightIDR observes but cannot attribute are sent down to the collectors. The collectors perform a reverse DNS query to discover the asset name holding that static IP.
- Static IP ranges are populated in log search under the host to IP observations logset, with the "Collector Name - DNS Resolver" as the log name.
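The attribution order described above (DHCP and VPN assignments first, then static ranges resolved through the collector's reverse DNS query, then unmanaged ranges, with anything left over surfacing as unknown) can be simulated end to end. The following is an added example and not InsightIDR's own code; the lease table, VPN session, ranges, PTR answers and firewall-style log lines are all constructed for the illustration, and the `fake_reverse_dns` stub stands in for the real reverse DNS query a collector would perform.

```python
"""Simulated IP-to-asset attribution in the order the page describes:
DHCP/VPN assignments, then static ranges (reverse DNS), then unmanaged
ranges; whatever remains is 'unknown'. Added example, not InsightIDR code."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# All data below is constructed for the example; hostnames and users are hypothetical.
DHCP_LEASES: Dict[str, str] = {"10.1.5.20": "laptop-alice", "10.1.5.21": "laptop-bob"}
VPN_SESSIONS: Dict[str, str] = {"10.200.0.7": "carol"}      # VPN-assigned IP -> user
STATIC_RANGES: List[str] = ["10.1.10.0/24"]                 # Settings > Static IP Ranges
UNMANAGED_RANGES: List[str] = ["192.168.50.0/24"]           # Settings > Unmanaged IP Ranges (guest wifi)

# Stand-in for the reverse DNS answers a collector would receive (constructed PTR data).
FAKE_PTR: Dict[str, str] = {"10.1.10.5": "db01.corp.example", "10.1.10.9": "web02.corp.example"}


def fake_reverse_dns(ip: str) -> Optional[str]:
    """Stub resolver; a real collector would query DNS (e.g. socket.gethostbyaddr)."""
    return FAKE_PTR.get(ip)


def in_ranges(ip: str, ranges: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def attribute(ip: str, reverse_dns: Callable[[str], Optional[str]] = fake_reverse_dns) -> Dict[str, str]:
    """Classify one observed IP the way the Settings pages describe."""
    if ip in DHCP_LEASES:
        return {"ip": ip, "status": "asset", "name": DHCP_LEASES[ip], "source": "dhcp"}
    if ip in VPN_SESSIONS:
        return {"ip": ip, "status": "user", "name": VPN_SESSIONS[ip], "source": "vpn"}
    if in_ranges(ip, STATIC_RANGES):
        host = reverse_dns(ip)  # the collector's reverse DNS query
        if host:
            return {"ip": ip, "status": "asset", "name": host, "source": "static-rdns"}
        # Static ranges are never reported as unknown, but without a PTR record
        # the activity still cannot be tied to an asset.
        return {"ip": ip, "status": "unresolved-static", "name": "", "source": "static"}
    if in_ranges(ip, UNMANAGED_RANGES):
        return {"ip": ip, "status": "unmanaged", "name": "", "source": "unmanaged"}
    return {"ip": ip, "status": "unknown", "name": "", "source": "none"}


SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed firewall-style log lines (not real InsightIDR or firewall output).
LOG_LINES = [
    "2024-01-10T09:00:01Z fw01 action=allow src=10.1.5.20 dst=198.51.100.10 dport=443",
    "2024-01-10T09:00:02Z fw01 action=allow src=10.1.10.5 dst=10.1.5.21 dport=5432",
    "2024-01-10T09:00:03Z fw01 action=allow src=192.168.50.3 dst=198.51.100.10 dport=80",
    "2024-01-10T09:00:04Z fw01 action=deny src=172.20.4.4 dst=10.1.10.5 dport=22",
    "2024-01-10T09:00:05Z fw01 action=allow src=172.20.4.4 dst=10.1.5.20 dport=445",
    "2024-01-10T09:00:06Z fw01 action=allow src=10.200.0.7 dst=10.1.10.9 dport=443",
]


def unknown_ips(lines: List[str]) -> List[str]:
    """Deduplicated source IPs that would appear under Unknown IP Ranges."""
    found: List[str] = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if attribute(ip)["status"] == "unknown" and ip not in found:
            found.append(ip)
    return found


if __name__ == "__main__":
    for line in LOG_LINES:
        m = SRC_RE.search(line)
        if m:
            print(attribute(m.group(1)))
    print("unknown IPs to review:", unknown_ips(LOG_LINES))
```

Running the script shows the one address the simulated DHCP, VPN, static and unmanaged data cannot explain (172.20.4.4), which is exactly the kind of entry that prompts a review of missing event sources or a new static or unmanaged range. The "unresolved-static" status is worth watching in practice: an address inside a static range with no PTR record is not listed as unknown, yet its activity stays unattributed until DNS is fixed.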
Tip: Define Static IP ranges as narrowly as possible
This avoids unnecessary burdens on the collectors and your DNS servers to query unnecessary IP addresses.
When to add IP addresses to your static IP range
You should use this setting when you have host servers or any other assets that have statically assigned IP addresses.
Specify static IPs so that InsightIDR can gather domain machine names
InsightIDR does not get domain machine names from servers that don’t have a statically assigned IP address. This means that you need to specify static IP addresses in your settings so that the Collector can perform a reverse DNS lookup and gather the domain machine name for those static IP addresses.
To add a static IP range:
You can specify these IP ranges manually, or go through Unknown IPs and review whether any ranges displayed there should be marked as static.
To manually specify static IPs:
Navigate to Settings > Static IP Ranges.
Click the Add Static IP Range button.
Enter a name for the range in the "Name" field.
Enter the range in the "Range" field. The format is xxx.xxx.xxx.xxx/xx:
- The values before the slash (/) describe the IPv4 network.
- The value after the slash is the CIDR prefix length, which determines the size of the subnet and therefore its number of usable host addresses. For example, the range 192.168.1.0/24 defines a single subnet, with a usable host address range of 192.168.1.1 up to 192.168.1.254.
- You can specify a maximum of 65,535 static IP addresses in InsightIDR.
Click the Save button.
To mark an unknown IP range as static:
- Navigate to Settings > Unknown IP Ranges.
- Unknown IP ranges will appear in the table.
- You can click the Add to Static IP Ranges options for IP ranges listed there to mark them as static.
To edit a static IP range:
- Navigate to Settings > Static IP Ranges.
- Click on the pencil icon to the right of the range that you want to edit.
- Make the required edits.
- Click the Save button.
Unmanaged IP ranges
Unmanaged IP ranges are IP ranges in your network for which your organization does not manage DHCP or VPN servers. These IP ranges should be marked as Unmanaged IP ranges, which removes them from the Unknown IP Addresses settings page. Examples of IP addresses that should be marked Unmanaged are those used by customers or vendors who log onto your guest network while at your organization's office. Once you have added an Unmanaged IP Range, you can navigate to the Unmanaged IP Ranges settings page to see your newly added IP range.
How unmanaged IP addresses work
InsightIDR has different sources of IP address-to-asset relationships, like DHCP, VPN, the Insight Agent, and authentication logs. InsightIDR monitors these events and maps IP addresses back to hostnames in your environment. The Unmanaged IP Ranges settings page is used to mark those IP addresses or IP address ranges for which InsightIDR will not be performing user attribution. Examples of IP addresses that you might add to Unmanaged IP Ranges page are IP addresses associated with phones, guest wifi networks, printers, and similar devices.
The Unmanaged IP Ranges settings page allows you to sort through any unknown IP addresses and add them to your static IP address range, or mark them as Unknown IP addresses.
When to add IP addresses to your unmanaged IP range
You should mark an IP address as Unmanaged if it is not the IP address of a workstation or server in your network. Transitioning an IP address from Unknown to Unmanaged removes it from the Unknown IP Ranges page. By correctly labeling your network's IP addresses, you can better identify rogue networks that have been added to your environment.
Specify Unmanaged IP ranges so that InsightIDR doesn't expect to attribute log activity to them
Unmanaged IP addresses are not distributed by the DHCP servers in your network, or part of your static IP ranges. When you list them as Unmanaged in Settings, InsightIDR ignores those IP addresses and doesn't attempt to attribute their activity to assets.
To add an unmanaged IP range:
You can specify these IP ranges manually, or go through Unknown IPs and review whether any ranges displayed there should be marked as unmanaged.
To manually specify unmanaged IPs:
Navigate to Settings > Unmanaged IP Ranges.
Click the Add Unmanaged IP Range button.
Enter the name for the range in the "Name" field.
Enter the range in the "Range" field. The format is xxx.xxx.xxx.xxx/xx:
- The values before the slash (/) describe the IPv4 network.
- The value after the slash is the CIDR prefix length, which determines the size of the subnet and therefore its number of usable host addresses. For example, the range 192.168.1.0/24 defines a single subnet, with a usable host address range of 192.168.1.1 up to 192.168.1.254.
Click the Save button.
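Both the static and the unmanaged range forms take the same xxx.xxx.xxx.xxx/xx format, and the static form is additionally capped at 65,535 addresses. The following added example (not InsightIDR's code) validates a range string in that format, derives the network and its usable host addresses the way the 192.168.1.0/24 example above does, and checks a list of ranges against the cap before you enter them. It assumes the cap counts every address in each range, including the network and broadcast addresses; the page does not say how the limit is computed.

```python
"""Validate 'xxx.xxx.xxx.xxx/xx' ranges, derive usable hosts, and keep the
total under the 65,535 address limit. Added example, not InsightIDR code."""
import ipaddress
import re
from typing import Dict, List, Tuple

MAX_STATIC_ADDRESSES = 65_535  # cap stated on the page
CIDR_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}$")


def parse_range(text: str) -> Dict[str, object]:
    """Return the normalised network plus its first/last usable host and their count."""
    text = text.strip()
    if not CIDR_RE.match(text):
        raise ValueError(f"{text!r} is not in xxx.xxx.xxx.xxx/xx form")
    # strict=False clears host bits, so 192.168.1.37/24 is normalised to 192.168.1.0/24;
    # ip_network itself rejects octets above 255 and prefixes above 32.
    net = ipaddress.ip_network(text, strict=False)
    if net.prefixlen >= 31:
        # /31 (point-to-point) and /32 (single host) reserve no network/broadcast address
        first, last, count = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last, count = net.network_address + 1, net.broadcast_address - 1, net.num_addresses - 2
    return {
        "network": str(net),
        "first_usable": str(first),
        "last_usable": str(last),
        "usable_hosts": count,
    }


def static_budget(ranges: List[str]) -> Tuple[int, bool]:
    """Total addresses across all ranges (overlaps counted once) and whether
    that total is within the limit. Assumption: the cap counts every address
    in each range, including network and broadcast addresses."""
    nets = [ipaddress.ip_network(r.strip(), strict=False) for r in ranges]
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total, total <= MAX_STATIC_ADDRESSES


if __name__ == "__main__":
    print(parse_range("192.168.1.0/24"))
    print(static_budget(["192.168.1.0/24", "192.168.2.0/24"]))
    print(static_budget(["10.0.0.0/16"]))  # a single /16 is one address over the cap
```

A single /16 already exceeds the cap by one address, which is a practical reason to follow the tip above and keep static ranges as narrow as possible rather than entering a whole site block.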
To mark unmanaged IPs from unknown IPs:
- Navigate to Settings > Unknown IP Ranges.
- Any unknown IP ranges will appear in the table.
- You can click the Add Unmanaged IP Range options for IP ranges listed there.
To edit an unmanaged IP range:
- Navigate to Settings > Unmanaged IP Ranges.
- Click on the pencil icon to the right of the range that you want to edit.
- Make the required edits.
- Click the Save button.
Public IP Ranges
The Public IP settings help InsightIDR differentiate network traffic that comes from the public Internet from traffic originating on internal assets in your network.
If your internal network assets make use of publicly routable IP addresses (rather than private IP addresses), you can specify that in Settings. This will inform InsightIDR that these systems are not on the public Internet.
Carefully read the information in this section to analyze if any action is necessary
This setting is not often used and can be left empty. You should only use this setting if the assets in your internal network leverage IP addresses in public IP ranges, rather than addresses in the private IP ranges.
Below you will find:
When to specify public IP ranges
You should only use this setting if your internal network assets make use of publicly routable IP addresses, rather than private IP addresses. InsightIDR uses the public IP ranges listed in this setting to understand that these systems are not on the public Internet.
When you add public IP ranges using this setting, you specify public IPs that are in use for internal assets. This is rare, as most organizations use private rather than public IPs for their internal assets.
You don’t have to specify Private IPs in Settings in InsightIDR
Private addresses (also referred to as “internal”) are not publicly routable from the Internet. They are only meant to work within your local network. IPs in these ranges are private:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
How public IP addresses work
Most organizations use private IPs for their internal assets. It is unusual for internal assets to be addressed with public Internet IPs. Therefore, it’s common to leave this setting empty in InsightIDR.
This setting is used to inform InsightIDR about any public IPs used for internal assets. This setting should not be used for external systems on the public Internet.
Since most organizations use only private IP ranges internally, if an IP address is public, InsightIDR will assume that IP is not used internally.
So, overriding Public IPs allows you to specify that you are using those public IPs internally. This prevents InsightIDR from treating those IPs as external to your organization.
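The private ranges listed above and the Public IP Ranges override combine into a simple internal-versus-external decision, which in turn decides whether a connection looks internal, inbound or outbound. The following added example (not InsightIDR's code) shows that decision with and without the override; the organization and its public block are constructed, using the 203.0.113.0/24 documentation range as a placeholder for a real allocation.

```python
"""Internal-versus-external classification with the Public IP Ranges
override described on the page. Added example, not InsightIDR code."""
import ipaddress
from typing import List

# The private ranges listed on the page, in CIDR form
PRIVATE_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: a hypothetical organization that numbers some internal assets from a
# public block (203.0.113.0/24 is a documentation range, used here as a placeholder).
PUBLIC_INTERNAL_RANGES: List[str] = ["203.0.113.0/24"]


def classify(ip: str, public_internal: List[str] = PUBLIC_INTERNAL_RANGES) -> str:
    """Return 'internal-private', 'internal-public' (override matched) or 'external'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_RANGES):
        return "internal-private"
    if any(addr in ipaddress.ip_network(r, strict=False) for r in public_internal):
        return "internal-public"
    return "external"


def flow_direction(src: str, dst: str, public_internal: List[str] = PUBLIC_INTERNAL_RANGES) -> str:
    """Label a connection by which of its endpoints are internal."""
    src_internal = classify(src, public_internal) != "external"
    dst_internal = classify(dst, public_internal) != "external"
    if src_internal and dst_internal:
        return "internal"
    if src_internal:
        return "outbound"
    if dst_internal:
        return "inbound"
    return "external-only"


if __name__ == "__main__":
    # Constructed flows; the last one only becomes 'outbound' once the override is set.
    flows = [("10.1.2.3", "198.51.100.10"), ("172.32.0.1", "10.1.2.3"), ("203.0.113.7", "198.51.100.10")]
    for src, dst in flows:
        print(src, "->", dst,
              "| with override:", flow_direction(src, dst),
              "| without:", flow_direction(src, dst, []))
```

Two details in the output matter for tuning this setting. Without the override, a flow from the organization's own 203.0.113.7 to the Internet is judged external on both ends and is effectively invisible as outbound activity; with it, the flow is outbound from an internal asset. Separately, 172.32.0.1 is classified external because the private block ends at 172.31.255.255, a boundary that is easy to misremember.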
To specify that you are using public IPs in your network:
- Navigate to Settings > Public IP Ranges.
- Enter one or more IP address ranges on separate lines.
- Click Save All Local IP Ranges to save.