IP Management

Manage IP policy in your organization with blacklists, whitelists (trusted hosts) and source names. Users with Organization Admin and Rules Admin permissions can go to the user menu > Policy Management > IP Management tab to create and manage these preferences.

  • IP Blacklists allow you to put rules in place to distrust IP addresses, which are then considered to be unacceptable. This is appropriate for immediate triage until you can put a more permanent Protect policy in place or conduct an investigation.
  • IP Whitelists let you mark trusted hosts conducting internal vulnerability scans as safe to avoid polluting Contrast with non-attack data. This disables Protect features of Contrast for this IP (or range), including blocking and reporting. Assess features remain unaffected, and continue to function as normal. Data for whitelisted IP addresses does not appear in the Contrast UI.
  • Source Names allow you to label attack events caused by known sources, such as pen testers, based on one or more IP addresses or subnet masks. When you view attacks in the Attacks > Monitor and Attack Details pages, Contrast displays the source name instead of the attacker's IP information. This allows you to quickly identify and differentiate expected events from attack events that need your attention.

Source Names

Use source names to quickly identify non-threatening internal traffic and testing while monitoring attack events in your organization.

About Source Names

Source names allow you to label one or more IP addresses and/or subnet masks with a display name of your choice. To create a source name, all you need is the IP information you want to mark and a unique name you'll recognize in the Contrast UI. Once the source name is saved, Contrast displays it in the Attacks > Monitor page as well as the Attack Details page instead of the user's IP information. You and other users in your organization can then quickly identify the named attacker as a known source when assessing attack events.

Create Source Names

To set up source names, go to the user menu > Policy Management > IP Management page, and select the Source Names tab. Click the button to Add Source Name. In the Add Source Name form, complete the following fields:

  • Enter the Name by which you want to identify one or more IP addresses.
  • Add the IP Address/Subnet Mask to identify by this source name. Use the link to Add more IP addresses or subnet masks to the group, if necessary.
  • Use the dropdown menus to select the Start and End dates and times for the source name. You may choose to create a custom time span that starts on a past date; in this case, the source name applies retroactively to any attack events.
  • Once the fields are completed, click Add to save the source name.

View Attackers by Source Name

Once a source name is added in your organization, it appears in the grid in the Source Names tab. Use the search field above the grid to find a grouping by source name or IP address.

For more information about using source names to view attackers and attack events, see Monitor Attacks.

Edit and Delete Names

Edit an existing name

To edit a source name, click on the name in the Source Names grid. Use the Edit Source Name form to update the necessary fields. Once you're finished making changes, select the Save button.

When a source name is updated, the UI reflects the changes for all applicable attack events. If you change the IP information or time criteria for the name, and some events no longer qualify, the name is removed from the events and replaced with the IP information.

Permanently delete a source name

To delete a source name, you can select the source name, and click on the trashcan icon below the Edit Source Name form. You can also select the trashcan icon in the Source Names grid.

Once the name is deleted, all references to the name are replaced with the IP information in the UI.

Name Conflicts

If the data reported for an attack event matches more than one source name, Contrast applies the name that you updated most recently.
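
The following Python sketch is an added illustration, not Contrast's code: it models the matching rules described on this page (IP or subnet match, Start/End window, most recently updated name wins) and lists source names whose ranges and windows overlap, so you can see in advance where the conflict rule decides the label. The class and function names, the inclusive time window, and the sample policy are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class SourceName:
    name: str
    networks: list     # IP addresses or subnets, e.g. "10.20.0.0/24"
    start: datetime
    end: datetime
    updated: datetime  # when the entry was last saved

    def matches(self, ip, when):
        # Assumption: the Start/End window is inclusive at both ends.
        addr = ip_address(ip)
        in_net = any(addr in ip_network(n, strict=False) for n in self.networks)
        return in_net and self.start <= when <= self.end

def display_label(ip, when, names):
    """Label shown for an attack event: a source name if one applies, else the IP."""
    hits = [s for s in names if s.matches(ip, when)]
    # Name Conflicts rule: the most recently updated matching name wins.
    return max(hits, key=lambda s: s.updated).name if hits else ip

def overlapping_pairs(names):
    """Pairs of source names whose IP ranges and time windows both overlap."""
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            nets = any(ip_network(x, strict=False).overlaps(ip_network(y, strict=False))
                       for x in a.networks for y in b.networks)
            if nets and a.start <= b.end and b.start <= a.end:
                pairs.append((a.name, b.name))
    return pairs

# Constructed sample policy (names, addresses and dates are made up).
SAMPLE_NAMES = [
    SourceName("Pen Test Q1", ["10.20.0.0/24"], datetime(2024, 3, 1),
               datetime(2024, 3, 31), updated=datetime(2024, 2, 20)),
    SourceName("Internal Scanner", ["10.20.0.15"], datetime(2024, 3, 10),
               datetime(2024, 3, 20), updated=datetime(2024, 3, 9)),
]

if __name__ == "__main__":
    for ip, when in [("10.20.0.15", datetime(2024, 3, 15)),
                     ("10.20.0.15", datetime(2024, 3, 25)),
                     ("10.20.0.15", datetime(2024, 4, 2))]:
        print(when.date(), ip, "->", display_label(ip, when, SAMPLE_NAMES))
    print("overlaps:", overlapping_pairs(SAMPLE_NAMES))
```

Events that fall outside every name's window or range keep their IP address as the label, which mirrors what the page says happens when an edit or deletion means an event no longer qualifies.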