4.9 Interpret common artifact elements from an event to identify an alert
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What is an IP address?
- IP address = Internet Protocol address.
- It is like a unique identifier for devices on a network. Every computer, server, or device that connects to a network has an IP address.
- There are two main types:
  - IPv4: Uses numbers in the format 192.168.1.10, a 32-bit number (allows ~4 billion addresses).
  - IPv6: Uses a longer format like 2001:0db8:85a3:0000:0000:8a2e:0370:7334, a 128-bit number (almost unlimited addresses).
Tip for the exam: Most questions will focus on IPv4 addresses, but understanding IPv6 exists is important.
2. Source IP Address vs Destination IP Address
When you see network traffic in a security event or alert, it usually shows two key IP addresses:
- Source IP Address
  - Where the traffic originated from.
  - Example in IT: If a user logs in to a server, their laptop’s IP is the source IP.
  - In an alert: If an alert shows a suspicious connection from 10.10.10.5, that is the attacker or client device in this scenario.
- Destination IP Address
  - Where the traffic is going to.
  - Example in IT: The server that the laptop is trying to access.
  - In an alert: If an alert shows traffic to 192.168.1.100, that is the targeted server or resource.
Exam tip: Always remember:
- Source = Origin
- Destination = Target
3. Why IP addresses matter in alerts
IP addresses help analysts identify malicious or unusual activity. Here’s how:
- Suspicious Source IPs
  - Alerts often highlight connections from IP addresses that are unusual for the network.
  - Example: An external IP (203.0.113.55) trying to access internal servers.
- Destination IPs in Critical Systems
  - Alerts might focus on traffic going to sensitive servers, like a database server or domain controller.
- Internal vs External IPs
  - Internal IPs (Private) – like 10.x.x.x, 192.168.x.x – used within your network.
  - External IPs (Public) – reachable from the internet.
  - Alerts often indicate external attacks when source IPs are public.
4. How IP addresses are shown in alerts
In a typical SIEM (Security Information and Event Management) alert:
| Field | Example IP | Description |
|---|---|---|
| Source IP | 203.0.113.55 | The system trying to connect to your network. |
| Source Port | 443 | The port on the source device. |
| Destination IP | 192.168.1.10 | The system being targeted. |
| Destination Port | 22 | The service being accessed (SSH, HTTP, etc.) |
| Protocol | TCP | The protocol used in the traffic. |
Exam tip: You need to identify suspicious patterns like a strange source IP connecting to critical internal servers.
5. Common scenarios to understand for the exam
- Unusual external access:
  - Alert shows external IP trying to access internal IP on an unusual port (e.g., RDP on 3389).
- Internal reconnaissance:
  - Alert shows one internal IP scanning multiple destination IPs inside your network.
- Malware communication:
  - Alert shows an internal device (source) communicating with known malicious IP (destination).
- Multiple alerts from same IP:
  - Source IP repeatedly accessing different destinations may indicate a persistent attacker or malware spreading.
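The following Python script is an added example for these notes (it is not from the original page or from Cisco). It ties sections 3, 4 and 5 together: it parses constructed alert lines carrying the same fields as the SIEM table (source IP, source port, destination IP, destination port, protocol), labels each side as internal (private range) or external, and flags three of the scenarios above: external access to a sensitive internal port, an internal host talking to a known-bad external address, and one internal source touching many internal destinations. The sample alerts, the "known bad" list, the sensitive-port list and the scan threshold are all assumptions made up for the example.

```python
# Added example for these notes (not from the original page or from Cisco):
# parse constructed SIEM-style alert lines, label each side as internal or
# external, and flag the section-5 scenarios. All sample data is made up.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Private ranges treated as "internal" (RFC 1918 for IPv4, ULA for IPv6).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumed threat-intel list (constructed; 198.51.100.0/24 is documentation space).
KNOWN_BAD = {"198.51.100.7"}

# Services on internal hosts that an external source should normally never reach (assumption).
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP"}

# One internal source touching this many distinct internal destinations counts as scanning (assumption).
SCAN_THRESHOLD = 5

# Constructed alert lines in a simple key=value layout mirroring the table fields.
SAMPLE_ALERTS = """\
src=203.0.113.55 sport=51522 dst=192.168.1.10 dport=3389 proto=TCP
src=10.10.10.5 sport=40001 dst=10.10.10.20 dport=22 proto=TCP
src=10.10.10.5 sport=40002 dst=10.10.10.21 dport=22 proto=TCP
src=10.10.10.5 sport=40003 dst=10.10.10.22 dport=22 proto=TCP
src=10.10.10.5 sport=40004 dst=10.10.10.23 dport=22 proto=TCP
src=10.10.10.5 sport=40005 dst=10.10.10.24 dport=22 proto=TCP
src=192.168.1.50 sport=49211 dst=198.51.100.7 dport=443 proto=TCP
src=192.168.1.10 sport=53 dst=192.168.1.1 dport=53 proto=UDP
"""


def is_internal(addr):
    """True if the address (string or ipaddress object) falls in a private range."""
    addr = ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alert(line):
    """Turn one key=value line into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ip_address(fields["src"]),
        "sport": int(fields["sport"]),
        "dst": ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
    }


def classify(alert):
    """Tags for a single alert: origin (source) versus target (destination) decides the scenario."""
    src_int, dst_int = is_internal(alert["src"]), is_internal(alert["dst"])
    tags = []
    # Scenario: unusual external access (public source -> private target on a sensitive port).
    if not src_int and dst_int and alert["dport"] in SENSITIVE_PORTS:
        tags.append(f"unusual external access ({SENSITIVE_PORTS[alert['dport']]})")
    # Scenario: malware communication (private source -> known-bad public destination).
    if src_int and not dst_int and str(alert["dst"]) in KNOWN_BAD:
        tags.append("malware communication")
    return tags


def triage(text):
    """Return per-alert findings and the internal sources that look like reconnaissance."""
    findings = {}
    dests_by_src = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        tags = classify(alert)
        if tags:
            findings[(str(alert["src"]), str(alert["dst"]), alert["dport"])] = tags
        # Scenario: internal reconnaissance needs the whole batch, so count destinations per source.
        if is_internal(alert["src"]) and is_internal(alert["dst"]):
            dests_by_src[str(alert["src"])].add(str(alert["dst"]))
    recon = sorted(src for src, dsts in dests_by_src.items() if len(dsts) >= SCAN_THRESHOLD)
    return findings, recon


if __name__ == "__main__":
    found, scanners = triage(SAMPLE_ALERTS)
    for (src, dst, port), tags in found.items():
        print(f"{src} -> {dst}:{port}  {', '.join(tags)}")
    for src in scanners:
        print(f"{src} contacted {SCAN_THRESHOLD}+ internal hosts: internal reconnaissance")
```

Note how the direction of the pair decides the scenario: a public source and private destination on port 3389 reads as external access, while a private source and known-bad public destination reads as malware beaconing. The reconnaissance check cannot be made on a single alert at all; it needs the batch, which is why "multiple alerts from the same IP" is listed as its own scenario.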
6. Key points to remember for the exam
- Source IP = origin of traffic
- Destination IP = target of traffic
- Internal vs external matters: private IPs are internal; public IPs are external.
- IP addresses in alerts help identify suspicious or malicious activity.
- You may need to match IP addresses to devices in a network to understand alerts.
- Often combined with ports, protocols, and timestamps to fully analyze an event.
✅ Quick Memory Tip for the Exam
Think of Source → Destination as “Who is doing it → Who is being affected.”
