EDR: What do the interface_ip and comms_ip fields represent in a process document?
search cancel

EDR: What do the interface_ip and comms_ip fields represent in a process document?


Article ID: 290689


Updated On:


Carbon Black EDR (formerly Cb Response)


What do the interface_ip and comms_ip fields represent in a process document?


  • EDR: All Versions


  • interface_ip is the IP address of the endpoint as the sensor sees it
  • comms_ipĀ is the IP address as the server sees it come in. This could be the same as the endpoint IP address or address of a NAT device if present

Additional Information

  • If in an internal network (both server and sensor) then it is likely the two IPs will match as the packet to send to the server will not go through network address translation
  • If cloud based or customer is setup to have endpoints still reach out even when remote (and not VPN in) then the Interface IP will always be a private IP and server comms will always be a public IP address