Back to Website
  1. Knowledge Base
  2. Surface Monitoring
  3. Attack Surface Insights

The IP addresses view

Alexander Matsson
Modified on: Fri, 8 Sep, 2023 at 4:09 PM

Introduction

The IP addresses page is the place for being able to understand which IPs you have on your attack surface but more importantly, it tells you in what country those are hosted in, who the hosting provider is, and what the ASN is. being able to find outliers in this data is crucial for finding shadow IT such as legacy web apps, unapproved testing sites, or any assets that are not in your official inventory.


Each observation will have a state saying if that is still active on your attack surface or whether it is inactive. There will also be a date saying when it was first found and a disappeared timestamp, if it is no longer active on the surface.

Visualisation

This section allows you to quickly get a glimpse of your IP distribution with an emphasis on trying to help you to find outliers in the long-tail of your hosting providers and geolocation. It also shows the distribution of active and inactive IPs on your surface currently. The providers and locations that you typically use for your hosting will be sorted to the left in each bar chart which means that the long-tail and potential unwanted findings can be found to the right.



If you find something that stands out that you want to investigate further, these charts can be used to filter the detailed data in the table below. Simply zoom in in the bar chart by clicking and dragging over what you want to look at and it will also filter the table. Clicking a specific finding (bar or section of the donut chart) will also filter the table so that you can see all observations that match that finding.

Grouping the table data

In order to allow you to look at this data on any level of detail, the table can be grouped on some key dimensions.

Group by None

This is the most detailed level of the IP data. It shows each domain and each IP that they point to as unique observations. The status shows whether this connection still exist on your attack surface or whether that connection is currently inactive. The dates show when the domain-ip relationship was first established or when it was lost.



Group by IP

With this grouping each row is a unique IP and the domains connected to it are shown as the count of number of assets. Clicking that count will show you those domains and allow you to go directly to the asset details page for that domain. The status shows whether that particular IP is currently resolving from one of your DNS records and the timestamps show when it was first found and when it disappeared (if applicable).

© 2023 detectify | Go hack yourself.