Analyze IP Address Details
The IP Addresses icon in an investigation shows how many IP addresses were found in a message header. (This count excludes all internal IP addresses, including the IP addresses of internal MTAs.)

An investigation with one or more IP addresses considered malicious will display a count of both the total number of IP addresses found to be malicious and the total number of IP addresses found, and the IP Addresses icon will have a red background.

If you hover over an IP Addresses icon with a red background, you will see a summary of the first two malicious issues found.

If you hover over an IP Addresses icon with a red background in a selected investigation, it will turn a darker red, and you can click on the darker red IP Addresses icon to view details of the IP addresses found in the investigation.

An IP address is considered malicious when its IP address reputation score is too low. The IP address reputation score is a determination of the riskiness of an IP address found in message headers. It is generated by Cisco Talos Intelligence. Each URL is evaluated by Cisco Talos Intelligence on a scale of -10 to 10 on blacklist existence, known threat profile, whitelist existence, known malware, and known spam.
To analyze IP address details
- Click on an investigation to select it.
- Click on the IP Addresses icon in the selected investigation. You will see the investigation details page with the IPs tab selected. (If it is not selected, click the IPs tab.) The IPs tab lists all IP addresses found in all the messages in an investigation.
- Click the IP address to view more information about that IP address. The details panel for a selected IP address shows:
  - The full IP address that you can select and copy.
  - The score.
  - The date and time that the IP address was scored.
  - The location of the IP address.
  - The WHOIS record for the IP address.
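
The IP address count described at the top of this page excludes internal addresses and internal MTAs. The following added example (not part of the product or its documentation) shows one way to reproduce such a count from raw message headers when cross-checking an investigation. The headers scanned, the internal ranges, the `INTERNAL_MTAS` entry and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions (not from the product): headers scanned and internal ranges.
HEADERS = ("Received", "X-Originating-IP")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]
# Hypothetical internal MTA with a public (documentation-range) address.
INTERNAL_MTAS = {ipaddress.ip_address("192.0.2.10")}
# Bracketed literals such as [10.1.2.3] or [IPv6:2001:db8::1], or bare IPv4.
CANDIDATE = re.compile(
    r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|\b((?:\d{1,3}\.){3}\d{1,3})\b")

# Constructed sample headers, not taken from any real mail flow.
SAMPLE = """\
Received: from mta-in.corp.example (mta-in.corp.example [10.1.2.3])
\tby mailstore.corp.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
\tby edge.corp.example (192.0.2.10) with ESMTP; Tue, 02 Jan 2024 10:00:01 +0000
Received: from [198.51.100.23] (helo=laptop)
\tby mail.sender.example with ESMTPSA; Tue, 02 Jan 2024 10:00:00 +0000
X-Originating-IP: [198.51.100.23]
Subject: constructed sample
"""

def header_ips(raw):
    """Return unique, valid IP addresses found in the scanned headers."""
    found = []
    for name in HEADERS:
        for value in message_from_string(raw).get_all(name, []):
            for m in CANDIDATE.finditer(value):
                try:
                    ip = ipaddress.ip_address(m.group(1) or m.group(2))
                except ValueError:  # looks like an address but is not one
                    continue
                if ip not in found:
                    found.append(ip)
    return found

def is_internal(ip):
    """True for configured internal MTAs and internal address ranges."""
    return ip in INTERNAL_MTAS or any(
        ip.version == net.version and ip in net for net in INTERNAL_NETS)

def external_ips(raw):
    """Addresses that would remain after the internal exclusion."""
    return [str(ip) for ip in header_ips(raw) if not is_internal(ip)]
```

An internal MTA that relays on a public address is not caught by the private ranges alone, which is why it is listed explicitly in `INTERNAL_MTAS`.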