https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84684#M9225 Hi,<BR /> <BR /> Have an entry in ExtremeManagement alarms that states the following:<BR /> <BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Alert Name:<BR />Suspicious IP-ET<BR /><BR />Seen Count:<BR />85563<BR /> <BR />ThreatType:IP,ThreatSubType:,ThreatSeverity:Warning,ThreatSource:ET,ThreatInitiator: 222.222.222.222, ThreatInitiatorPort: 35596, ThreatTarget: 111.111.111.111, ThreatTargetPort: 80, Value: Suspicious IP: 222.222.222.222<BR /></PRE></DIV><BR /> <BR /> I've changed the IP address to what's actually in the log.<BR /> <BR /> Seems to suggest something untoward is happing to the customers IP on port 80, but not sure exactly what and how Analytics is identifying it as suspicious.<BR /> <BR /> Any ideas?<BR /> <BR /> Many thanks Sun, 03 Mar 2019 06:29:47 GMT Anonymous 2019-03-03T06:29:47Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84684#M9225 Hi,<BR /> <BR /> Have an entry in ExtremeManagement alarms that states the following:<BR /> <BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Alert Name:<BR />Suspicious IP-ET<BR /><BR />Seen Count:<BR />85563<BR /> <BR />ThreatType:IP,ThreatSubType:,ThreatSeverity:Warning,ThreatSource:ET,ThreatInitiator: 222.222.222.222, ThreatInitiatorPort: 35596, ThreatTarget: 111.111.111.111, ThreatTargetPort: 80, Value: Suspicious IP: 222.222.222.222<BR /></PRE></DIV><BR /> <BR /> I've changed the IP address to what's actually in the log.<BR /> <BR /> Seems to suggest something untoward is happing to the customers IP on port 80, but not sure exactly what and how Analytics is identifying it as suspicious.<BR /> <BR /> Any ideas?<BR /> <BR /> Many thanks Sun, 03 Mar 2019 06:29:47 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84684#M9225 Anonymous 2019-03-03T06:29:47Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84685#M9226 Hi Martin,<BR /> <BR /> if you check the alarm config you'd see that the alarm is triggered by "reputation threat detected".<BR /> <BR /> A search in the XMC online help (put in the XMC IP) brings you to the "IP Reputation Dashboard" section.<BR /> <BR /> https://:8443/Clients/help/content/oneview/docs/analytics/analytics_tab/dashboard/c_pur_analytics_tab_dashboard.htm?#IPRep<BR /> <BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="9b2654a7cf2449f7ac5e6c5731f80f7f_6603803b-05fc-4faa-a4f0-5746feb76833.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/681i88CDEA7316A75B9D/image-size/large?v=v2&amp;px=999" role="button" title="9b2654a7cf2449f7ac5e6c5731f80f7f_6603803b-05fc-4faa-a4f0-5746feb76833.png" alt="9b2654a7cf2449f7ac5e6c5731f80f7f_6603803b-05fc-4faa-a4f0-5746feb76833.png" /></span></P><BR /> For me it looks like that the 222.222.222.222 is on the list of untrusted IPs (because it's from China ?).<BR /> <BR /> What I don't get is how I'd acceess this IP Reputation Dashboard because I don't see it on my XMC.<BR /> <BR /> -Ron Mon, 04 Mar 2019 20:11:57 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84685#M9226 Ronald_Dvorak 2019-03-04T20:11:57Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84686#M9227 Hi Ron,<BR /> <BR /> Sorry, didn't get back you to say thanks for the reply... Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> <BR /> Did you have any luck finding the dashboard? I'm running version 8.2.4.42 and still can't see it?<BR /> <BR /> Perhaps its due in a later release?<BR /> <BR /> Thanks Thu, 28 Mar 2019 20:58:11 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84686#M9227 Anonymous 2019-03-28T20:58:11Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84687#M9228 Added this another post, but just repeating here for consistency:<BR /> <BR /> <A href="https://extreme.connectedcommunity.org/communities/community-home/digestviewer/view-question?ContributedContentKey=7b213efe-e79e-4cb3-9497-a94e15f5a9b0&amp;CommunityKey=d4b57428-7c7e-4bce-886a-356352ffa2c0&amp;tab=digestviewer" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extrememanagement-230297/manage-suspicious-ip-et-continuous-events-7823245</A><BR /> <BR /> I've created this dashboard through the report designer, which I believe gives me the detail in what the Suspicious IP-ET events are:<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="763085125f3e425a8facac07c0c4475a_03897870-906a-42bd-8816-94a3d5b345a2.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1075i23A037213276DF55/image-size/large?v=v2&amp;px=999" role="button" title="763085125f3e425a8facac07c0c4475a_03897870-906a-42bd-8816-94a3d5b345a2.png" alt="763085125f3e425a8facac07c0c4475a_03897870-906a-42bd-8816-94a3d5b345a2.png" /></span></P><BR /> And pre-built one:<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="763085125f3e425a8facac07c0c4475a_cd3afc1d-c59a-441f-abda-ca6cb8cabb30.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1576i97A492E38946FF43/image-size/large?v=v2&amp;px=999" role="button" title="763085125f3e425a8facac07c0c4475a_cd3afc1d-c59a-441f-abda-ca6cb8cabb30.png" alt="763085125f3e425a8facac07c0c4475a_cd3afc1d-c59a-441f-abda-ca6cb8cabb30.png" /></span></P> Tue, 09 Apr 2019 20:35:48 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremeanalytics-quot-suspicious-ip-et-quot/m-p/84687#M9228 Anonymous 2019-04-09T20:35:48Z