
EDR: What do the interface_ip and comms_ip fields represent in a process document?


Environment

  • EDR: All Versions

Question

What do the interface_ip and comms_ip fields represent in a process document?

Answer

  • interface_ip is the IP address of the endpoint as the sensor sees it.
  • comms_ip is the IP address the server sees the connection come in from. This could be the same as the endpoint IP address, or the address of a NAT device if one is present.

Additional Notes

  • If both the server and the sensor are on an internal network, the two IPs will likely match, because the packets sent to the server do not go through network address translation.
  • If the server is cloud based, or the customer is set up so that endpoints still reach out when remote (and not connected via VPN), then the interface IP will always be a private IP and the server comms IP will always be a public IP address.
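
The comparison described in the notes above can be applied to process documents during triage, for instance to tell which processes ran while the endpoint was behind NAT or off the internal network. This is an added example, not Carbon Black code: only the `interface_ip` and `comms_ip` field names come from this article. The two accepted encodings (dotted-quad string or signed 32-bit integer), the RFC 1918 definition of "private", the labels, and the sample documents are assumptions of the example.

```python
import ipaddress

# "Private" here means RFC 1918 space (an assumption of this example).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_ip(value):
    """Parse a dotted-quad string or a signed 32-bit integer (assumed encodings)."""
    if isinstance(value, int):
        value &= 0xFFFFFFFF  # negative signed values map back to unsigned
    return ipaddress.IPv4Address(value)

def is_private(ip):
    return any(ip in net for net in RFC1918)

def classify(doc):
    """Label one process document by how interface_ip and comms_ip relate."""
    if doc.get("interface_ip") is None or doc.get("comms_ip") is None:
        return "unknown"
    iface, comms = to_ip(doc["interface_ip"]), to_ip(doc["comms_ip"])
    if iface == comms:
        return "no_nat"            # server saw the sensor's own address
    if is_private(iface) and not is_private(comms):
        return "nat_to_public"     # cloud server, or remote endpoint not on VPN
    return "nat_other"             # addresses differ: some NAT device in the path

# Constructed sample documents (constructed addresses, not real data).
SAMPLE_DOCS = [
    {"id": "p1", "interface_ip": "10.1.2.3", "comms_ip": "10.1.2.3"},
    {"id": "p2", "interface_ip": -1062731510, "comms_ip": "203.0.113.7"},
    {"id": "p3", "interface_ip": "10.1.2.3", "comms_ip": "10.9.0.1"},
    {"id": "p4", "interface_ip": "192.168.1.10"},
]

def triage(docs):
    """Map each document id to its label."""
    return {d["id"]: classify(d) for d in docs}

if __name__ == "__main__":
    for pid, label in triage(SAMPLE_DOCS).items():
        print(pid, label)
```
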

Creation Date: 11-17-2020