
Known Host and Network Search Algorithm

Search for a Known Host

When searching for a Known Host based on available identifiers parsed or resolved from the log, the search always follows the same pattern. For all identifiers:

  • Search in the Entity containing the Log Source Host
  • Search in the Root Entity of the Log Source Host Entity
  • Search in all other Child Entities of the Root Entity of the Log Source Host Entity
  • Search in all Root Entities (Root Entities only; no Child Entities are searched)
  • Search in the Global Entity (Global Entity cannot have Child Entities)

When searching for a Host, search by each identifier, if available, in the following order. Each identifier is searched through the full entity order above before the next identifier is tried.

  • Search by FQDN
  • Search by IP

If Known Host is Not Found

If a Known Host is not found, or the found Known Host has no value set (value = 0), search for a defined network that contains the parsed or resolved IP. The same entity search order used for Hosts applies. For any IP:

  • Search in the Entity associated with the Log Source Host
  • Search in the Root Entity of the Log Source Host Entity
  • Search in all other Children of the Root Entity of the Log Source Host Entity
  • Search in all Root Entities (Root Entities only; no Child Entities are searched)
  • Search in the Global Entity (Global Entity cannot have Children)

If Network is Not Found

If a Network is not found, or the found network has no value set, assign DRL or STL from the default settings configured at the Global level. Two defaults exist, and the one applied depends on whether the host is inferred to be internal or external.

  • If a Known Host was found, use its zone to choose the default:
    • Internal/DMZ: Use internal default
    • External: Use external default
  • If no Known Host was found, use the IP address to determine whether the host is internal or external, as described under Inferred Internal Host and Inferred External Host below.

Inferred Internal Host

This is a host that is inferred to be an internal host based on the following characteristics:

    • A Known Host was found where the host was configured as Internal or DMZ
    • A Network was found where the network was configured as Internal or DMZ
    • The IP is Private (the IP is in one of these ranges):
      • 10.0.0.0–10.255.255.255
      • 172.16.0.0–172.31.255.255
      • 192.168.0.0–192.168.255.255

Inferred External Host

This is a host that is inferred to be an external host based on the following characteristics:

    • A Known Host was found where the host was configured as External
    • A Network was found where the network was configured as External
    • The IP is Public (the IP is not in one of these ranges):
      • 10.0.0.0–10.255.255.255
      • 172.16.0.0–172.31.255.255
      • 192.168.0.0–192.168.255.255

By this definition, any address outside the three RFC 1918 ranges, including loopback (127.0.0.0/8), link-local (169.254.0.0/16) and shared address space (100.64.0.0/10), is treated as Public unless a Known Host or Network record says otherwise. If such addresses appear in your logs, define them in a Network record with the intended zone.

Example DRL Determination

An AIE Rule is grouped by destination IP. That IP is an identifier in a Known Host record and in an entity network.

If the Host record’s threat level is greater than 0, use that value for DRL.

If the Host record’s threat level is 0, assume it is not set and check the threat level on the network range.

  • If the network range threat level is greater than 0, use that value for DRL.
  • If the network range threat level is 0, assume it is not set and use the default value for DRL (3).
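The following is an added worked example, not LogRhythm code or data, that implements the whole procedure described on this page: the five-step entity search order, the FQDN-then-IP Known Host lookup, the Network fallback, and the Internal/External inference with Global defaults. The entity names, hosts, networks and the default values (3 for internal, 5 for external) are constructed for illustration; the page does not say how ties between overlapping networks in one entity are broken, so the first match is taken, and "Child Entities" are taken to mean direct children of a Root Entity.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC 1918 ranges: the page's definition of a Private IP.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_INTERNAL, DEFAULT_EXTERNAL = 3, 5   # constructed Global defaults (assumption)


@dataclass
class KnownHost:
    fqdn: Optional[str]
    ips: list
    zone: str           # "Internal", "DMZ" or "External"
    threat_level: int   # 0 means "not set"


@dataclass
class Network:
    cidr: str
    zone: str
    threat_level: int   # 0 means "not set"


@dataclass(eq=False)    # identity comparison, so the same entity is visited once
class Entity:
    name: str
    parent: Optional["Entity"] = None
    children: list = field(default_factory=list)
    hosts: list = field(default_factory=list)
    networks: list = field(default_factory=list)

    def child(self, name):
        c = Entity(name, parent=self)
        self.children.append(c)
        return c

    def root(self):
        return self if self.parent is None else self.parent.root()


def search_order(log_source_entity, all_roots, global_entity):
    """Entities in the documented order, each visited once: own entity, its
    root, the root's other children, all roots (no children), then Global."""
    root = log_source_entity.root()
    candidates = [log_source_entity, root, *root.children, *all_roots, global_entity]
    order = []
    for e in candidates:
        if e not in order:
            order.append(e)
    return order


def find_known_host(fqdn, ip, order):
    """Search by FQDN, then by IP; each identifier walks the whole entity order."""
    for matches in ((lambda h: fqdn is not None and h.fqdn == fqdn),
                    (lambda h: ip is not None and ip in h.ips)):
        for entity in order:
            for host in entity.hosts:
                if matches(host):
                    return host
    return None


def find_network(ip, order):
    """First network, in entity search order, whose range contains ip.
    Assumption: the first match within an entity wins (the page does not say)."""
    addr = ipaddress.ip_address(ip)
    for entity in order:
        for net in entity.networks:
            if addr in ipaddress.ip_network(net.cidr):
                return net
    return None


def is_private(ip):
    return any(ipaddress.ip_address(ip) in r for r in PRIVATE_RANGES)


def determine_drl(fqdn, ip, log_source_entity, all_roots, global_entity):
    """Return (DRL, where it came from) following the page's fallback chain."""
    order = search_order(log_source_entity, all_roots, global_entity)
    host = find_known_host(fqdn, ip, order)
    if host is not None and host.threat_level > 0:
        return host.threat_level, "host"
    net = find_network(ip, order)
    if net is not None and net.threat_level > 0:
        return net.threat_level, "network"
    # No value set anywhere: infer Internal/External, then use the Global default.
    # Only the three RFC 1918 ranges count as private, so loopback, link-local
    # and shared address space fall through to the external default.
    if host is not None:
        zone = host.zone
    elif net is not None:
        zone = net.zone
    else:
        zone = "Internal" if is_private(ip) else "External"
    if zone in ("Internal", "DMZ"):
        return DEFAULT_INTERNAL, "default-internal"
    return DEFAULT_EXTERNAL, "default-external"


def build_demo():
    """Constructed entity tree; the Log Source Host lives in Branch-A."""
    corp = Entity("Corp")
    branch, hq = corp.child("Branch-A"), corp.child("HQ")
    partner = Entity("Partner")
    partner_lab = partner.child("Partner-Lab")
    glob = Entity("Global")
    # The page's example: IP in a Known Host (threat 0) and in a network (threat 0).
    hq.hosts.append(KnownHost("fileserver.corp.example", ["10.20.0.10"], "Internal", 0))
    hq.networks.append(Network("10.20.0.0/16", "Internal", 0))
    branch.networks.append(Network("10.30.0.0/16", "Internal", 4))
    # Host in another Root Entity: reached at step 4 of the search.
    partner.hosts.append(KnownHost("vpn.partner.example", ["198.51.100.7"], "External", 7))
    # Host defined only in a child of another root: never searched from Branch-A.
    partner_lab.hosts.append(KnownHost(None, ["198.51.100.99"], "External", 9))
    return branch, [corp, partner], glob


if __name__ == "__main__":
    branch, roots, glob = build_demo()
    print([e.name for e in search_order(branch, roots, glob)])
    for ip in ("10.20.0.10", "10.30.0.5", "198.51.100.7", "198.51.100.99", "127.0.0.1"):
        print(ip, determine_drl(None, ip, branch, roots, glob))
```

The Partner-Lab host is the case worth noticing: a Known Host defined only in a Child Entity of a different Root Entity is never searched from Branch-A, so its threat level of 9 is ignored and the destination falls through to the external default. Hosts that must be found from every entity belong in a Root Entity or in Global.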