🛂Importing Known IP Address Lists

12/2024

Overview

The Identity Intelligence platform can ingest lists of known IP addresses in CIDR format and tag user activity with those known locations.

This gives visibility into user activity and makes it easy to distinguish activity at known locations from activity on unknown networks.

Optionally, the IP CIDR lists can also be used by several threat detection checks: through the custom detection settings, events originating at these known locations can be excluded from the detection logic that triggers check failures.

IP Address CIDR Format

For the file upload, the IP addresses and their location descriptions or tags must be provided as a JSON file, with the addresses in CIDR format. The file must be structured as follows, with one location and description pair per line:

{"key":"Ashburn DC","value":["206.71.192.0/24"]}
{"key":"Brno","value":["85.71.228.64/28","85.93.123.96/28"]}
{"key":"Eschborn","value":["193.37.158.0/24"]}

An example JSON file can be downloaded here and modified with your known IP addresses and location tags.

NOTE - the platform does NOT support a JSON array format, such as this:

[
  {
    "key": "US office",
    "value": [
        "1.1.1.1",
        "2.2.2.2"
    ]
  },
  {
    "key": "EU office",
    "value": [
        "3.3.3.3"
    ]
  }
]

The platform expects a file where every line is valid JSON representing a single record, e.g.

{"key": "US office", "value":["1.1.1.1","2.2.2.2"]}
{"key": "EU office", "value":["3.3.3.3"]}
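
A pre-upload check for the one-record-per-line format described above, as an added example that is not part of the platform or its documentation. The function name `validate_cidr_file`, the `min_v4_prefix` threshold for flagging very broad IPv4 ranges (relevant because listed ranges can be excluded from detection), and the skipping of blank lines are assumptions of this example; bare addresses without a prefix are accepted because the page's own example uses them.

```python
import ipaddress
import json

# Constructed sample: two lines from the page, plus three deliberately bad lines.
SAMPLE = "\n".join([
    '{"key":"Ashburn DC","value":["206.71.192.0/24"]}',
    '{"key":"Brno","value":["85.71.228.64/28","85.93.123.96/28"]}',
    '{"key":"Eschborn","value":["193.37.158.0/24\u201d]}',  # curly closing quote
    '{"key":"Everything","value":["0.0.0.0/0"]}',           # overly broad range
    '{"key":"Typo","value":["10.0.0.300/24"]}',             # octet out of range
])

def validate_cidr_file(text, min_v4_prefix=16):
    """Return (line_number, problem) tuples; an empty list means no findings.

    min_v4_prefix is an assumption of this example, not a platform limit.
    """
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are skipped here (assumption)
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((n, f"not valid JSON: {exc.msg}"))
            continue
        if not isinstance(record, dict):
            problems.append((n, "not a single JSON object (array format is unsupported)"))
            continue
        key, value = record.get("key"), record.get("value")
        if not isinstance(key, str) or not key:
            problems.append((n, '"key" must be a non-empty string'))
        if not isinstance(value, list) or not value:
            problems.append((n, '"value" must be a non-empty list'))
            continue
        for entry in value:
            try:
                if not isinstance(entry, str):
                    raise ValueError("not a string")
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append((n, f"invalid address or CIDR: {entry!r}"))
                continue
            if net.version == 4 and net.prefixlen < min_v4_prefix:
                problems.append((n, f"range {entry} is broader than /{min_v4_prefix}"))
    return problems

if __name__ == "__main__":
    for n, problem in validate_cidr_file(SAMPLE):
        print(f"line {n}: {problem}")
```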

Uploading the IP Address File

Once the file has been created with the correct structure and desired IP addresses and locations, follow these steps to upload the file to your Identity Intelligence tenant.

  1. Select the Integrations main tab and then click Add Integration.

  2. Select Manual Uploads.

  3. Provide a name, description, and date for the file upload.

  4. Select the IP CIDR List option and either drag & drop the file to the upload area, or click the upload area to select the desired file. Make sure you have not selected Users, or the upload will not work.

  5. Once you have added the correct file, click Upload File.

  6. Once done, the file will be listed under the Manual Uploads section of the Integration status dashboard.

Updating the existing file

To update an existing IP address file, go to the Integrations page, click the three dots at the right side of the Manual Upload entry for that file, and select Upload new file version. Then upload the new file following the steps above.
