SIEM – The Importance of Displaying Contextual Information with an IP address

Posted on: April 29th, 2010 by AccelOps

In any Security Information and Event Management (SIEM) product, in order to get the full details about an incident or event, showing contextual information about the IP address is crucial. The event or incident will include a source or destination IP, but the admin needs to know more: the hostname, OS information, version, owner, and if it’s a known server or client machine in the network.

In AccelOps's integrated data center monitoring solution, we provide this extended information with a single click wherever an IP address is presented in the UI.

It's also beneficial to see the server's performance metrics (CPU, memory, etc.) with a single click, so that it's easy to tell whether the problem is a performance or an availability issue.

For an external IP address, it may be crucial to get contextual information such as whois records, geographical location, and whether it appears in known spam or reputation databases.

When the user clicks on “Geo location”, a browser window opens that locates the external IP geographically and shows it on a Google Map using the website

  • Trace-route – runs a traceroute to the external IP from the client browser
  • SANS StormCenter – looks up this IP in the SANS Internet Storm Center
  • SenderBase Reputation – looks up the IP in the Cisco SenderBase reputation database
  • HoneyPot – looks up the IP in the Project HoneyPot database at

The bottom part of the dialog box shows the identity and location information for a given IP address, obtained by continuously tracking users and IP addresses in the network. User identity and location involves associating a network identity (e.g. IP address, MAC address) with a user identity (e.g. user name, computer name, domain) and a location (e.g. wired switch port, wireless LAN controller, or VPN gateway).

The association is obtained by combining Windows Active Directory events, DHCP events, WLAN and VPN logon events with AccelOps Discovery results.
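The correlation described above, as an added illustration that is not AccelOps code: a small Python resolver over constructed DHCP, Active Directory, WLAN-controller and switch events that answers "who held this IP at the time of the incident, on which machine, attached where". The event format, field names and the `identity_at` function are assumptions for the example; the point it demonstrates is that the lookup must be time-aware, since an address re-leased to a second device must not inherit the first device's user.

```python
from datetime import datetime

# Constructed sample events (not from the original post): normalised records a SIEM
# would derive from DHCP, Windows AD, WLAN-controller and switch logs. Note that
# 10.1.2.50 is re-leased to a second device at noon.
EVENTS = [
    {"ts": "2010-04-29T08:00:00", "type": "dhcp_lease", "ip": "10.1.2.50", "mac": "00:11:22:33:44:55", "host": "LAPTOP-17"},
    {"ts": "2010-04-29T08:00:05", "type": "wlan_assoc", "mac": "00:11:22:33:44:55", "controller": "wlc-1", "ap": "ap-floor3"},
    {"ts": "2010-04-29T08:01:10", "type": "ad_logon", "ip": "10.1.2.50", "user": "alice", "domain": "CORP", "host": "LAPTOP-17"},
    {"ts": "2010-04-29T12:00:00", "type": "dhcp_lease", "ip": "10.1.2.50", "mac": "aa:bb:cc:dd:ee:ff", "host": "DESKTOP-9"},
    {"ts": "2010-04-29T12:00:30", "type": "switch_mac", "mac": "aa:bb:cc:dd:ee:ff", "switch": "sw-core-2", "port": "Gi1/0/7"},
    {"ts": "2010-04-29T12:02:00", "type": "ad_logon", "ip": "10.1.2.50", "user": "bob", "domain": "CORP", "host": "DESKTOP-9"},
]

def _latest(events, when, types, **match):
    """Most recent event at or before `when`, of one of `types`, whose fields equal `match`."""
    hits = [e for e in events
            if e["type"] in types
            and datetime.fromisoformat(e["ts"]) <= when
            and all(e.get(k) == v for k, v in match.items())]
    return max(hits, key=lambda e: e["ts"], default=None)

def identity_at(ip, when, events=EVENTS):
    """Resolve who held `ip` at time `when` and where that device was attached."""
    when = datetime.fromisoformat(when)
    # Network identity: the DHCP lease in force at `when` gives the MAC and computer name.
    lease = _latest(events, when, ("dhcp_lease",), ip=ip)
    if lease is None:
        return None
    result = {"ip": ip, "mac": lease["mac"], "host": lease["host"], "user": None, "location": None}
    # User identity: only a logon after the lease started counts; an earlier logon
    # on this address belongs to the previous holder.
    logon = _latest(events, when, ("ad_logon",), ip=ip)
    if logon is not None and logon["ts"] >= lease["ts"]:
        result["user"] = logon["domain"] + "\\" + logon["user"]
    # Location: keyed on the MAC so it follows the device, not the address.
    loc = _latest(events, when, ("wlan_assoc", "switch_mac"), mac=lease["mac"])
    if loc is not None:
        result["location"] = {k: v for k, v in loc.items() if k not in ("ts", "mac")}
    return result

if __name__ == "__main__":
    print(identity_at("10.1.2.50", "2010-04-29T09:00:00"))  # alice on LAPTOP-17, wireless
    print(identity_at("10.1.2.50", "2010-04-29T13:00:00"))  # bob on DESKTOP-9, wired port
```

Querying the same address at 12:01, after the new lease but before bob's logon, correctly returns DESKTOP-9 with no user rather than carrying alice over.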

You can read more on the next generation SIEM functionality here or look for Cisco MARS upgrade package benefits here.
