IP address classification

This article addresses common questions about the IP Address Classification setting available in Vectra Quadrant and Respond UX.

This article covers the settings available under Data Sources > Network > Brain Setup > IP Address Classification. For each of the categories below you can specify one or more network ranges (in CIDR notation) that fall into that category:

Internal IP Addresses (CIDR) –

  • Internal IP addresses are those designated within your network's internal range.

  • Accurately identifying internal vs. external IP space is important for proper algorithm operation and for recognising traffic direction within Stream or Recall metadata.

  • By default, all RFC-1918 IP space is considered “internal”.

Excluded Subnet Of Internal IP Addresses (CIDR) –

  • Use this setting if you have a subset of the internal IP addresses listed above that you want to be considered external to your network.

  • As an example, if you were going to simulate Command and Control behaviour from an internal lab, you would want to configure the lab IP space as external by listing it in this excluded-subnet setting. This allows the Detect models to properly identify the behaviour, which they would otherwise treat as internal-to-internal traffic.

Dropped IP Addresses (CIDR) –

  • IP addresses or CIDR blocks entered here will be ignored.

  • Any traffic to or from these addresses will not be analysed by Cognito.

  • Ignoring traffic by VLAN rather than by address is supported at the CLI using the “set capture-vlan” command.

Internal VPN IP Addresses (CIDR) –

  • This setting helps customers by providing full coverage for Recon and Lateral (E-W) activity originating from users connected via VPN. Such activity is indicative of attackers attempting to move into the data centre, cloud, or IoT to gain persistent access to the enterprise environment.

  • Remote workers connecting on VPN en masse present increased security risks to the organisation:

      • Split-tunnel and sometimes-connected systems have less preventive security coverage and a higher chance of compromise.

      • Increased authorised VPN usage makes it harder to identify malicious activity coming through the VPN.

  • More details regarding this can be found in KB-VS-1229.

Static IP Addresses (CIDR) –

  • Configuring IP ranges as static helps maintain host container consistency.

  • Once a range is configured as static, all future behaviour from an address in that range is attributed to its STATIC-X.X.X.X container in the Vectra UI, and new containers should not be created for it.

  • These hosts will have full support for learning and all Detections and features.

  • Static hosts will not change name based on observed artifacts; they remain static until they are no longer configured as such.

  • You are free to rename statically assigned hosts as you wish.
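To make the interaction between these five settings concrete, here is an added example (not Vectra's own code) that models the classification in Python: it defaults the internal space to RFC 1918, treats excluded subnets as external, drops anything in the dropped ranges, tags VPN and static hosts, derives the traffic direction the analytics would see, and sanity-checks a configuration before it is saved. The precedence order (dropped, then excluded, then internal, then external), the `Verdict` structure and the `STATIC-<ip>` container naming are assumptions for illustration; the sample configuration is constructed.

```python
"""Illustrative model of IP Address Classification settings (added example, not Vectra code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Default "internal" space per the article: all RFC 1918 ranges.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _nets(cidrs):
    """Parse CIDR strings; strict=False tolerates host bits such as 10.1.2.3/24."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _matches(ip, nets):
    # 'in' is False across IPv4/IPv6 versions, so mixed lists are safe.
    return any(ip in n for n in nets)


@dataclass
class ClassificationConfig:
    """The five settings under Data Sources > Network > Brain Setup > IP Address Classification."""
    internal: List[str] = field(default_factory=lambda: list(RFC1918))
    excluded: List[str] = field(default_factory=list)  # subsets of internal treated as external
    dropped: List[str] = field(default_factory=list)   # not analysed at all
    vpn: List[str] = field(default_factory=list)       # internal VPN client pools
    static: List[str] = field(default_factory=list)    # static host ranges


@dataclass(frozen=True)
class Verdict:
    scope: str                       # "internal", "external" or "dropped"
    vpn: bool = False
    static: bool = False
    container: Optional[str] = None  # assumed naming: STATIC-<ip> for static hosts


def classify(ip_str: str, cfg: ClassificationConfig) -> Verdict:
    """Assumed precedence: dropped > excluded > internal > external."""
    ip = ipaddress.ip_address(ip_str)
    if _matches(ip, _nets(cfg.dropped)):
        return Verdict("dropped")
    if _matches(ip, _nets(cfg.excluded)):
        return Verdict("external")          # excluded subnet: external despite being RFC 1918
    if _matches(ip, _nets(cfg.internal)):
        is_static = _matches(ip, _nets(cfg.static))
        return Verdict("internal",
                       vpn=_matches(ip, _nets(cfg.vpn)),
                       static=is_static,
                       container=f"STATIC-{ip}" if is_static else None)
    return Verdict("external")


def direction(src: str, dst: str, cfg: ClassificationConfig) -> Optional[str]:
    """Traffic direction as the analytics would see it; None when either side is dropped."""
    s, d = classify(src, cfg).scope, classify(dst, cfg).scope
    if "dropped" in (s, d):
        return None
    if s == "internal" and d == "internal":
        return "east-west"
    if s == "internal":
        return "outbound"
    if d == "internal":
        return "inbound"
    return "external-only"


def validate(cfg: ClassificationConfig) -> List[str]:
    """Checks worth running before saving: excluded/VPN/static ranges should sit inside
    the internal space, and dropped ranges silently swallow any VPN or static range they overlap."""
    warnings = []
    internal = _nets(cfg.internal)
    for label in ("excluded", "vpn", "static"):
        for net in _nets(getattr(cfg, label)):
            covered = any(net.version == i.version and net.subnet_of(i) for i in internal)
            if not covered:
                warnings.append(f"{label} range {net} is not inside any internal range")
    for net in _nets(cfg.dropped):
        for label in ("vpn", "static"):
            for o in _nets(getattr(cfg, label)):
                if net.overlaps(o):
                    warnings.append(f"dropped range {net} overlaps {label} range {o}; "
                                    "that traffic will not be analysed")
    return warnings


if __name__ == "__main__":
    # Constructed sample configuration (lab subnet excluded, a noisy VLAN dropped).
    cfg = ClassificationConfig(excluded=["10.50.0.0/16"], dropped=["192.168.99.0/24"],
                               vpn=["10.200.0.0/16"], static=["10.10.10.0/24"])
    for ip in ("10.1.2.3", "10.50.1.1", "192.168.99.5", "10.200.3.4", "10.10.10.7", "8.8.8.8"):
        print(ip, classify(ip, cfg))
    print(direction("10.1.2.3", "8.8.8.8", cfg), validate(cfg))
```

Note that the excluded-subnet check mirrors the lab scenario above: `10.50.1.1` is RFC 1918 yet comes back `external`, so a simulated C2 session from the lab to a host in `10.1.0.0/16` is reported as `inbound` rather than `east-west`.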

This configuration may also be completed via CLI commands as the "vectra" user on the Brain:

where networks should be provided in the CIDR format with:

**Some more articles related to IP Address Classification you may find helpful:**

  • Optimizing Vectra for use with VPN clients – KB-VS-1229

  • Understanding How Excluded, Dropped, and Internal IP Settings Interact – KB-VS-1794

  • How do I exclude subnets and VLANs from detections and host counts? – KB-VS-1041

Support

For more information, please contact support at [email protected]
