🛂Importing Known IP Address Lists

Overview

Identity Intelligence has the ability to ingest known IP address lists that it then leverages to provide visibility into, and easily distinguish between, user activity stemming from those known locations or unknown network activity. There are two ways that Identity Intelligence ingests this information:

Customer uploaded IP CIDR list
Automatically via Entra Named Locations (if configured)

Both methods can be used simultaneously. Identity Intelligence will then display this information as tags in the User 360 Activity and Network logs.

If desired, this IP information can also be leveraged across several threat detection checks, via the custom detection settings, specifically to automatically exclude any events originating from trusted locations from the detection logic used to trigger check failures.

In this article, you will find information on how to manually upload an IP CIDR list to Identity Intelligence.

If you plan to manually upload an IP CIDR list to Identity Intelligence to use with custom detection settings, only include trusted networks. Do NOT include known malicious networks or they will also be automatically excluded from the detection logic on any checks where the custom detection setting to ignore good known IPs is enabled.

IP Address CIDR Format

For the file upload, the IP addresses and corresponding location descriptions or tags need to be in CIDR format as a JSON file. The structure of the file needs to be as follows, with one location and description pair per line -

{"key":"Ashburn DC","value":["206.71.192.0/24"]}
{"key":"Brno","value":["85.71.228.64/28","85.93.123.96/28"]}
{"key":"Eschborn","value":["193.37.158.0/24”]}

An example JSON file can be downloaded here and modified with your known IP addresses and location tags. The platform expects a file where every line is a valid JSON representing a single record, e.g.

{"key": "US office", value:["1.1.1.1","2.2.2.2"]}
{"key": "EU office", value:["3.3.3.3"]}

NOTE - the platform does NOT support a JSON array format, such as this:

[
 {
    "key": "US office",
    "value": [
        "1.1.1.1",
        "2.2.2.2"
    ]
  },
  {
    "key": "EU office",
    "value": [
        "3.3.3.3"
    ]
  }
]

Uploading the IP Address File

Once the file has been created with the correct structure and desired IP addresses and locations, follow these steps to upload the file to your Identity Intelligence tenant.

Select Integrations from the left hand menu bar. Then select the Add Integration button.
Select Manual Uploads
Provide a name, description, and date for the file upload
Select the IP CIDR List option and either drag & drop the file to the upload area, or select the upload area to add the desired file. Make sure you did not select Users or the upload won't work
Once you have added the correct file, select Upload File
Once done, the file will be listed under the Manual Uploads section of the Integration page and in the status widget

Updating the existing file

To update an existing IP Address file:

Select the Integrations menu item within Identity Intelligence
Find the Manual Upload file that you want to update and select the three-dot button on the right-hand side of the corresponding row
After selecting the three-dot button, a drop down menu will appear with a few options. Select Upload new file version
Upload the new file following Steps 4 and 5 in the section above

PreviousCan Identity Intelligence analyze behavior and fail checks more frequently?NextNetworks Tab & User Investigations

Last updated 3 months ago