Getting Started with Illumio Insights

Malicious IP Traffic

The Malicious IP Traffic dashboard helps you identify activity between known malicious IPs and your environment. It shows the top talkers, maps the worldwide locations of malicious IPs, and identifies the specific accounts, workloads, and protocols attackers target.

Important

Switching between flows and bytes may change your displayed results. For example, if a resource with denied traffic has a large number of flows but zero bytes, switching the displayed results from flows to bytes removes the resource from a Top 10 list due to the low byte count, replacing it with another resource that has a higher byte count.
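The ranking behaviour described in the note above, as an added example that is not part of the Illumio documentation or product code: the flow records, resource names and IP addresses below are constructed, and the aggregation and Top-N functions are assumptions about how a widget ranks resources, written to show why a resource with many denied, zero-byte flows drops out of a Top N list when the toggle moves from Flows to Bytes, and how a now-versus-previous delta (the ↑ indicator) is derived.

```python
from collections import defaultdict

# Constructed sample flows (not real Illumio data). Each tuple is one flow:
# (malicious_ip, resource, bytes, decision, window), where window is "now"
# for the selected period and "prev" for the preceding period of equal length.
SAMPLE_FLOWS = (
    [("203.0.113.10", "db-01", 0, "denied", "now")] * 6       # many denied flows, zero bytes
    + [("203.0.113.10", "db-01", 0, "denied", "prev")] * 2
    + [("198.51.100.7", "web-01", 1000, "allowed", "now")] * 4
    + [("198.51.100.7", "web-01", 1000, "allowed", "prev")] * 4
    + [("192.0.2.44", "api-01", 2000, "allowed", "now")] * 3
    + [("192.0.2.44", "api-01", 2000, "allowed", "prev")] * 1
    + [("203.0.113.99", "app-02", 50000, "allowed", "now")] * 1  # one flow, large payload
)


def aggregate(flows, window):
    """Sum flow counts and bytes per resource for one window ("now" or "prev")."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for _ip, resource, nbytes, _decision, win in flows:
        if win != window:
            continue
        totals[resource]["flows"] += 1
        totals[resource]["bytes"] += nbytes
    return dict(totals)


def top_n(totals, metric, n=10):
    """Rank resources by the chosen metric ("flows" or "bytes"), highest first.
    Ties are broken by resource name so the ranking is deterministic."""
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][metric], kv[0]))
    return [name for name, _ in ranked[:n]]


def deltas(now, prev, metric):
    """Change in the metric between the previous and current window; this is
    the kind of value an up-arrow delta indicator on a widget represents."""
    names = set(now) | set(prev)
    return {
        name: now.get(name, {}).get(metric, 0) - prev.get(name, {}).get(metric, 0)
        for name in names
    }


def dropped_when_switching(totals, n=10):
    """Resources present in the Top N by flows but absent from the Top N by
    bytes, i.e. the ones that vanish when the widget toggle is switched."""
    return sorted(set(top_n(totals, "flows", n)) - set(top_n(totals, "bytes", n)))


if __name__ == "__main__":
    now = aggregate(SAMPLE_FLOWS, "now")
    prev = aggregate(SAMPLE_FLOWS, "prev")
    print("Top 3 by flows:", top_n(now, "flows", 3))
    print("Top 3 by bytes:", top_n(now, "bytes", 3))
    print("Dropped on switch:", dropped_when_switching(now, 3))
    print("Flow deltas:", deltas(now, prev, "flows"))
```

With this sample, db-01 leads the Flows ranking on six denied flows but has zero bytes, so the Bytes ranking replaces it with app-02, whose single flow carried the largest payload. When triaging, check both views: a high-flow, zero-byte resource usually reflects blocked connection attempts, while a low-flow, high-byte resource can indicate a successful transfer that deserves a closer look.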

How to Use Malicious IP Traffic Widgets

The widgets help you understand where malicious IP traffic is concentrated and how it changes over time.

Note

Data shown in all widgets reflects the selected date range and any applied page-level filters.

Each widget and its use cases:

Top 10 Malicious IPs

Identify the most active malicious IPs communicating with your environment and determine if their activity is increasing.

  • Toggle between Flows and Bytes views using the toggle buttons in the widget header.

  • Hover over the protocol listing next to a malicious IP to see its protocols and ports, and copy them to the clipboard for use in other tools.

  • Use the flow/byte delta values (the ↑ indicators) to spot IPs with rapidly increasing activity.

Global Threat Map

Visualize the geographic origin of malicious IP activity and determine which countries pose the greatest volume of threat.

  • Hover over a location marker to see Now and Previous traffic data (number of flows and bytes), along with risk scores.

  • Click the Expand to full screen icon (visible in the top-right of the widget) to enlarge the map for better visualization of smaller or clustered locations.

  • Toggle between Flows and Bytes views.

Top 10 Tenants with Malicious IP Flows

Scope the organizational impact of malicious IP activity by identifying which cloud subscriptions or tenants are most exposed to malicious IP communications.

  • Toggle between Flows and Bytes views.

  • Group results by subscription or tenant using the grouping control (labeled as "Tenants" with a dropdown).

  • Hover over entries to see detailed counts.

Top Roles

Identify which types of workloads (by role label) are most involved in malicious IP communications.

  • Hover on a role segment to see its flow numbers, byte counts, and deltas.

  • Toggle between Flows and Bytes views.

Top 10 Services Used in Malicious IP Communication

Reveal which network services and protocols are being used in communications with malicious IPs, and spot whether any are showing abnormal traffic increases.

  • Toggle between Flows and Bytes views.

  • Look for services with large delta values (the ↑ numbers) indicating unusual increases in traffic.

  • Investigate UNKNOWN service entries, which may indicate non-standard or evasive protocols.

Traffic Table

View flow, IP, and resource details using slide-outs.

Slide-outs provide additional information about specific flows, IP addresses, and resources. Click each to launch a slide-out and view additional details.