IP detail page

The IP detail page is reachable from any search result, by visiting /dashboard/cti/ip/{IP} directly, or by clicking an IP anywhere in the platform. It is also the page the TAXII connector links back to from every indicator's external_references.

The page has two tabs.

The header is fixed and shows:

  • The IP address (with a one-click Copy IP button)
  • A quick-look badge row: Seen / Not seen, Spoofable / Non-spoofable, classification (promiscuous, malicious, benign, unknown)
  • First observation date, Last observation date

Overview tab

A grid of cards, each covering one facet of the enrichment.

Source Location

Country flag, country name, and city for the source IP. Click the country chip to pivot the search to all IPs from that country.

Network

ASN (AS10439, click to filter by ASN) and the ASN organisation name (CARINET - CariNet, Inc., US). Total port count - the number of distinct ports the IP was observed contacting.

MITRE ATT&CK

Every tactic, technique, and sub-technique mapped to this IP. Each badge is clickable and pivots the search to other IPs with that mapping. Toggle Show grouped by tactic to see techniques grouped under their parent tactic instead of flat.

CVEs

Every CVE the IP was observed exploiting (or attempting to exploit). Each badge shows the CVSS score and severity colour. Clicking a CVE deep-links to the NVD record and pivots the search to other IPs hitting the same CVE.

Hostname (RDNS)

The reverse DNS hostname of the IP, e.g. burger.census.shodan.io. Useful for attribution: clicking pivots the search to similar RDNS patterns.

Tags

The intelligence tags that apply to the IP - for example Palo Alto GlobalProtect Scanner, Favicon Scanner, Web Scrapers. The full catalogue is at Tags.

Actors

Known scanners and research organisations attributed to the IP - for example Shodan, Censys, Shadowserver. Backed by the same dataset that drives the RECON Lists in Blocklist Automation.

Port Activity

Every port the IP touched, split into:

  • Non-Spoofable Ports - ports where ELLIO confirmed a TCP handshake. Trust these.
  • Spoofable Ports - ports where the source IP was not verified. Treat as advisory.

Within each section, ports are grouped by purpose:

  • Web - 80, 443, 3000, 8000, 8080, 8443, 8888…
  • Mail - 25, 110, 143, 465, 587, 993, 995…
  • Database - 1433, 3306, 5432, 6379, 27017…
  • File - 21, 22, 23, 445…
  • Remote - 3389, 5900, 5901…
  • Other - everything else

Each port is clickable and pivots the search to the corresponding network.port filter.
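The grouping above can be reproduced offline when you pull the same data through the CTI API instead of the dashboard. The following is an added example, not ELLIO's own code: it takes an extended_lookup-style network object, keeps the handshake-confirmed ports apart from the advisory (spoofable) ones, and buckets each list by purpose. Only the field names (network.ports, network.spoofable_ports, network.non_spoofable_ports) come from the page; the object shape, the sample values, and any group membership beyond the ports the page lists are assumptions of this example.

```python
from collections import defaultdict

# Purpose groups as listed on the IP detail page for the Port Activity card.
# Membership beyond the ports the page names is an assumption of this example.
PORT_GROUPS = {
    "Web": {80, 443, 3000, 8000, 8080, 8443, 8888},
    "Mail": {25, 110, 143, 465, 587, 993, 995},
    "Database": {1433, 3306, 5432, 6379, 27017},
    "File": {21, 22, 23, 445},
    "Remote": {3389, 5900, 5901},
}


def port_group(port):
    """Return the purpose group a port belongs to, or 'Other'."""
    for group, members in PORT_GROUPS.items():
        if port in members:
            return group
    return "Other"


def group_ports(ports):
    """Bucket a list of ports by purpose; ports are de-duplicated and sorted."""
    grouped = defaultdict(list)
    for port in sorted(set(ports)):
        grouped[port_group(port)].append(port)
    return dict(grouped)


def port_activity(network):
    """Build the Port Activity view from an extended_lookup-style 'network' object.

    Non-spoofable ports are those where a TCP handshake was confirmed, so they
    are reported on their own. A port that was seen both confirmed and unverified
    is listed only under the confirmed section, so the advisory list never
    re-states something already trusted. The object shape is assumed here.
    """
    non_spoofable = list(network.get("non_spoofable_ports", []))
    spoofable = list(network.get("spoofable_ports", []))
    confirmed = set(non_spoofable)
    spoofable_only = [p for p in spoofable if p not in confirmed]
    # Total port count: distinct ports across every list the object carries.
    distinct = set(network.get("ports", [])) | confirmed | set(spoofable)
    return {
        "total_port_count": len(distinct),
        "Non-Spoofable Ports": group_ports(non_spoofable),
        "Spoofable Ports": group_ports(spoofable_only),
    }


# Constructed sample in the assumed shape; not a real API response.
SAMPLE_NETWORK = {
    "ports": [22, 80, 443, 3306, 3389, 8080, 6379, 5555],
    "non_spoofable_ports": [22, 80, 443, 3306],
    "spoofable_ports": [3389, 8080, 6379, 5555, 80],
}

if __name__ == "__main__":
    import json
    print(json.dumps(port_activity(SAMPLE_NETWORK), indent=2))
```

Port 80 appears in both input lists and is shown only under Non-Spoofable Ports; port 5555 is outside every named group and lands in Other.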

HTTP Activity

A two-tab pane:

  • Paths - every HTTP path the IP requested, grouped into API Endpoints, Static Resources, Authentication Routes, and Other Routes.
  • User Agents - every unique User-Agent string the IP presented.

This is one of the strongest fingerprints for tooling, malware, and crawlers - useful for proactive hunting independent of the source IP.

Destination geography

A panel showing where the sensors that observed the IP were located, with country flags and city names. A summary line such as "IP has 91 distinct destinations across 44 countries" calls out wide-distribution scanning.

Fingerprint Analysis

Two tabs - TCP (MuonFP) and TLS (JA3 / JA4 / JA4+). Each fingerprint shows:

  • The raw fingerprint string (e.g. 1781:2:1460: for MuonFP)
  • A Breakdown panel that splits the fingerprint into its components (TCP Window, Options, MSS, Window Scale)
  • A meanings legend ("MSS - Maximum segment size") for newcomers

A search box above the lists lets you filter fingerprints by substring or wildcard.
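The Breakdown panel and the search box can be mirrored in a few lines when you work with fingerprints.muonfp values from extended_lookup. This is an added example, not code from ELLIO or from the MuonFP project: it assumes the colon-separated fields of a MuonFP string appear in the order the Breakdown panel lists them (TCP Window, Options, MSS, Window Scale), that an empty field means the option was absent from the observed SYN, and that option kinds are separated by '-'. The page's own example string 1781:2:1460: is used as input; the other sample strings are constructed.

```python
import fnmatch

# Field order is an assumption of this example, taken from the Breakdown panel.
MUONFP_FIELDS = ("tcp_window", "options", "mss", "window_scale")

# Legend text; only the MSS line is quoted from the page, the rest is general TCP usage.
LEGEND = {
    "tcp_window": "TCP Window - advertised receive window in the SYN",
    "options": "Options - TCP option kinds present, in wire order",
    "mss": "MSS - Maximum segment size",
    "window_scale": "Window Scale - shift count from the window-scale option",
}


def parse_muonfp(fp):
    """Split a MuonFP string into the four Breakdown components.

    An empty field becomes None (option absent); numeric fields become ints;
    the options field is kept as the list of option-kind tokens.
    """
    parts = fp.split(":")
    if len(parts) != len(MUONFP_FIELDS):
        raise ValueError(f"expected {len(MUONFP_FIELDS)} colon-separated fields: {fp!r}")
    breakdown = {}
    for name, value in zip(MUONFP_FIELDS, parts):
        if value == "":
            breakdown[name] = None
        elif name == "options":
            breakdown[name] = value.split("-")  # '-' separator is assumed
        else:
            breakdown[name] = int(value)
    return breakdown


def filter_fingerprints(fps, pattern):
    """Filter like the search box: wildcard match if the pattern has * or ?,
    plain substring match otherwise."""
    if any(c in pattern for c in "*?"):
        return [fp for fp in fps if fnmatch.fnmatchcase(fp, pattern)]
    return [fp for fp in fps if pattern in fp]


# Constructed sample list; the first entry is the string shown on the page.
SAMPLE_FPS = [
    "1781:2:1460:",
    "65535:2-4-8-1-3:1460:6",
    "29200:2-4-8-1-3:1460:7",
]

if __name__ == "__main__":
    for fp in SAMPLE_FPS:
        for name, value in parse_muonfp(fp).items():
            print(f"{fp:28} {LEGEND[name]:60} {value}")
    print(filter_fingerprints(SAMPLE_FPS, "*:1460:"))
```

The trailing empty field in 1781:2:1460: parses to window_scale None, which is exactly the case the Breakdown panel needs to show as "absent" rather than zero.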

Timelines tab (preview)

Visual heat-map style timelines of observation frequency across six axes:

  • Unified - every observation from every axis, stacked, colour-coded by feature (HTTP / User Agent / MuonFP / Geography / JA3 / JA4 / Port / Port (spoofable)).
  • Ports - frequency per port over time.
  • Fingerprints - frequency per fingerprint over time.
  • Geography - frequency per destination country over time.
  • HTTP Paths - frequency per requested path over time.
  • User Agents - frequency per User-Agent string over time.

Each axis is sortable by frequency and exportable from the top-right Download button. Exports land in Exports.

Where each panel's data comes from

Most panels are backed by the CTI API, but a few - MITRE ATT&CK, CVEs, ASN - only reach you through the TAXII / STIX feed or the dashboard itself.

Available via the CTI API

Panel                                            Endpoint         Field(s)
Header (First, Last, classification, spoofable)  lookup           first_seen, last_seen, classification, spoofable
Hostname (RDNS)                                  lookup           rdns
Tags                                             lookup           tags, tag_ids
Actor                                            lookup           actor
Source Location                                  extended_lookup  src.geo.country, src.geo.continent
Destination Geography                            extended_lookup  dst.geo.country, dst.geo.continent
Port Activity                                    extended_lookup  network.ports, network.spoofable_ports, network.non_spoofable_ports
HTTP Activity                                    extended_lookup  http.path, http.user_agent
Fingerprint Analysis                             extended_lookup  fingerprints.ja3, fingerprints.ja4, fingerprints.muonfp

lookup returns the basic fields; extended_lookup returns those plus the nested objects above.

Available via the TAXII / STIX feed only

Panel         STIX field
MITRE ATT&CK  kill_chain_phases[] and external_references[] (entries with source_name: mitre-attack)
CVEs          external_references[] (entries with source_name: cve)

See the STIX data model for the exact shape.
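Because the ATT&CK and CVE panels only reach you through the feed, a consumer has to rebuild them from the STIX object itself. The following is an added example, not ELLIO's connector code: it reads the two fields the table names (kill_chain_phases[] and external_references[] filtered on source_name mitre-attack or cve) and also picks up the external_references entry that links back to /dashboard/cti/ip/{IP}. The indicator below is constructed; its id, the host in the back-link URL, the source_name of the back-link entry, and the CVE number are placeholders, while T1595 and T1190 are real ATT&CK technique IDs used as sample values.

```python
import re

# Enterprise ATT&CK technique or sub-technique id, e.g. T1595 or T1595.001.
ATTACK_TECHNIQUE = re.compile(r"^T\d{4}(\.\d{3})?$")
DETAIL_PATH = "/dashboard/cti/ip/"


def extract_panels(indicator):
    """Rebuild the MITRE ATT&CK and CVE panel data from one STIX indicator.

    Returns tactics (from kill_chain_phases), technique ids and CVE ids (from
    external_references with the matching source_name), plus the dashboard
    back-link if an external_references entry points at the IP detail page.
    """
    tactics = {
        phase["phase_name"]
        for phase in indicator.get("kill_chain_phases", [])
        if phase.get("kill_chain_name") == "mitre-attack" and "phase_name" in phase
    }
    techniques, cves, detail_url = set(), set(), None
    for ref in indicator.get("external_references", []):
        source = ref.get("source_name")
        ext_id = ref.get("external_id", "")
        url = ref.get("url", "")
        if source == "mitre-attack" and ATTACK_TECHNIQUE.match(ext_id):
            techniques.add(ext_id)
        elif source == "cve" and ext_id.upper().startswith("CVE-"):
            cves.add(ext_id.upper())
        elif DETAIL_PATH in url:
            detail_url = url
    return {
        "tactics": sorted(tactics),
        "techniques": sorted(techniques),
        "cves": sorted(cves),
        "detail_url": detail_url,
    }


# Constructed indicator; ids, host and CVE number are placeholders.
SAMPLE_INDICATOR = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",  # placeholder id
    "pattern": "[ipv4-addr:value = '192.0.2.10']",  # documentation-range IP
    "kill_chain_phases": [
        {"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"},
        {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
    ],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "T1595",
         "url": "https://attack.mitre.org/techniques/T1595"},
        {"source_name": "mitre-attack", "external_id": "T1190",
         "url": "https://attack.mitre.org/techniques/T1190"},
        {"source_name": "cve", "external_id": "CVE-0000-0000",  # placeholder CVE
         "url": "https://nvd.nist.gov/vuln/detail/CVE-0000-0000"},
        # source_name of the back-link entry is assumed; only the path is from the page.
        {"source_name": "ellio-dashboard",
         "url": "https://dashboard.example.invalid/dashboard/cti/ip/192.0.2.10"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(extract_panels(SAMPLE_INDICATOR), indent=2))
```

Matching on source_name rather than on the shape of external_id keeps the CVE and ATT&CK buckets apart even when a feed adds further reference types later; the regex only guards against a mitre-attack entry that is a tactic or group reference rather than a technique.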

Dashboard-only

A few details surface in the UI but aren't in any API response:

  • Network → ASN (number and name). Searchable via search syntax (src.asn.number, src.asn.name), but not returned in lookup or extended_lookup responses.
  • Timelines tab (preview). Heat-map visualisations exported via the dashboard.
  • Attributed actors beyond the single actor field (e.g. multi-actor attribution shown in the UI).