EDR: What do the interface_ip and comms_ip fields represent in a process document?
Article ID: 290689
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
What do the interface_ip and comms_ip fields represent in a process document?
Environment
EDR: All Versions
Resolution
interface_ip is the IP address of the endpoint as the sensor sees it.
comms_ip is the IP address the server sees the sensor's traffic come in from. This could be the same as the endpoint IP address, or the address of a NAT device if one is present.
Additional Information
If both the server and the sensor are on an internal network, the two IPs will likely match, because the packets sent to the server do not go through network address translation.
If the server is cloud based, or the customer is set up so that endpoints still reach out to the server when remote (and not connected by VPN), then the interface IP will always be a private IP and the server comms IP will always be a public IP address.
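The comparison described above can be automated when triaging process documents. The following is an added example, not code from Carbon Black or from this article: the function names, the reading of "private" as the RFC 1918 ranges, and the acceptance of 32-bit integer values alongside dotted-quad strings are assumptions, and the sample documents are constructed.

```python
import ipaddress

# RFC 1918 ranges, used here as the meaning of "private IP" (assumption).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_ip(value):
    """Accept a dotted-quad string or a 32-bit integer, signed or unsigned
    (the integer form is an assumption about how the field may be stored)."""
    if isinstance(value, int):
        value &= 0xFFFFFFFF  # fold a negative signed value into 0..2^32-1
    return ipaddress.IPv4Address(value)

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def classify(doc):
    """Return (interface_ip, comms_ip, verdict) for one process document."""
    iface, comms = to_ip(doc["interface_ip"]), to_ip(doc["comms_ip"])
    if iface == comms:
        verdict = "match"              # sensor and server see the same address
    elif is_rfc1918(iface) and not is_rfc1918(comms):
        verdict = "private_to_public"  # remote or cloud case: public address seen
    else:
        verdict = "mismatch"           # some other translation, e.g. internal NAT
    return str(iface), str(comms), verdict

# Constructed sample documents (documentation-range public address, not real data).
SAMPLES = [
    {"interface_ip": "10.1.2.3", "comms_ip": "10.1.2.3"},
    {"interface_ip": -1062731519, "comms_ip": "203.0.113.10"},
    {"interface_ip": "10.1.2.3", "comms_ip": "10.9.9.1"},
]

if __name__ == "__main__":
    for doc in SAMPLES:
        print(*classify(doc))
```

Python's built-in is_private is deliberately not used here, because it also reports documentation and other special-purpose ranges as private.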