EDR: What do the interface_ip and comms_ip fields represent in a process document?

Article ID: 290689

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What do the interface_ip and comms_ip fields represent in a process document?

Environment

  • EDR: All Versions

Resolution

  • interface_ip is the IP address of the endpoint as the sensor sees it
  • comms_ip is the source IP address the server sees on the incoming connection. This can be the endpoint's own IP address or, if a NAT device is present, the address of that device

Additional Information

  • If both the server and the sensor are on an internal network, the two IPs will likely match, because the packets sent to the server do not pass through network address translation
  • If the server is cloud-based, or the customer is set up so that endpoints still reach out when remote (and not connected over VPN), the interface IP will always be a private IP address and the comms IP will always be a public IP address
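The comparison described above can be applied to exported process documents to tell apart endpoints that reach the server directly, through internal NAT, or from outside the network. This is an added example, not Carbon Black code: the sample documents, hostnames and category labels are constructed, "private" is taken to mean RFC 1918 space, and the handling of integer values assumes the fields may arrive as signed 32-bit integers instead of dotted-quad strings.

```python
import ipaddress

# RFC 1918 private ranges; other special-purpose ranges are not treated as private here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_ip(value):
    """Normalise a dotted-quad string or a 32-bit integer to an IPv4Address."""
    if isinstance(value, int):
        value &= 0xFFFFFFFF  # assumption: integer form may be signed 32-bit
    return ipaddress.IPv4Address(value)

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def classify(doc):
    """Label one process document by comparing interface_ip with comms_ip."""
    iface, comms = to_ip(doc["interface_ip"]), to_ip(doc["comms_ip"])
    if iface == comms:
        return "direct"             # no address translation on the path
    if is_rfc1918(comms):
        return "internal-nat"       # translated, but the server still sees private space
    if is_rfc1918(iface):
        return "remote-or-cloud"    # private on the endpoint, public at the server
    return "public-translated"      # both public, but different addresses

def triage(docs):
    """Return (hostname, interface_ip, comms_ip, label) for each document."""
    return [(d.get("hostname", "?"), str(to_ip(d["interface_ip"])),
             str(to_ip(d["comms_ip"])), classify(d)) for d in docs]

# Constructed sample documents (not real sensor data).
SAMPLE_DOCS = [
    {"hostname": "ws-01", "interface_ip": "10.1.2.15", "comms_ip": "10.1.2.15"},
    {"hostname": "lt-07", "interface_ip": "192.168.1.23", "comms_ip": "203.0.113.7"},
    {"hostname": "ws-02", "interface_ip": -1062731519, "comms_ip": 167772165},
    {"hostname": "dmz-1", "interface_ip": "198.51.100.20", "comms_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for host, iface, comms, label in triage(SAMPLE_DOCS):
        print(f"{host:6} interface_ip={iface:15} comms_ip={comms:15} {label}")
```

Several unrelated hosts sharing one comms_ip while reporting different private interface_ip values is the expected pattern for endpoints behind the same NAT device.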