IP geolocation information and threat score

The SaaS Alerts IP address geolocation information includes a series of fields that help indicate the history for that address or a group of addresses. 

When looking at an alert in Realtime Alerts, for example, clicking on the IP address shows the following additional information:

The Threat Score is based on historical data where attacks or malicious events have previously originated from this address.

The Trust Score is based on the periods of time during which nothing malicious originated from this address.

Occasionally, a datacenter field may be present and show as a threat. In this case, a low trust rating may also be present; it relates to neighboring IPs on the same network that have been reported as VPN or proxy addresses or that appear in a blocklist.

For context, the scores are meant to be an extension/extrapolation of our threat intelligence. So, you might see an IP with no threat flags (which are based on static blocklists) but a low trust score based on observations of the network/surrounding IPs as generated by our model.

An IP address showing up red or yellow does not by itself mean that the associated alert has elevated severity. As previously mentioned, this data is gathered over time and is based on historical instances from that IP. The threat score is a reference indicating that an alert may be worth extra attention because of the history of that IP.

IP geolocation is about 60 to 80% accurate and can vary widely between geolocation providers. The more granular an allowlist entry is (down to the state or city level), the lower its accuracy becomes. Because of this variance, we suggest allowlisting mainly by country, which produces the highest accuracy for geolocation data.

The highest accuracy that can be achieved is using IP addresses or IP ranges.
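The following is an added illustration, not SaaS Alerts' own code or logic, of how the points above fit together: blocklist flags, a model-derived trust score and datacenter context drive a color code and an "extra attention" hint without changing the alert's severity, an exit-node-only address gets no color, and an allowlist entry is matched with decreasing confidence from IP/CIDR to country, region and city. The field names, the `IpEnrichment` shape, the 50 trust threshold and the sample addresses are all assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Illustrative threshold (assumed, not SaaS Alerts' actual value).
LOW_TRUST = 50


@dataclass
class IpEnrichment:
    """Assumed shape of the geolocation / reputation data attached to an alert."""
    ip: str
    country: Optional[str] = None      # country code from the geolocation provider
    region: Optional[str] = None       # state / province
    city: Optional[str] = None
    threat_flags: List[str] = field(default_factory=list)  # static blocklist hits
    trust_score: Optional[int] = None  # 0-100 model score from neighbouring IPs
    datacenter: bool = False           # address sits in a datacenter range
    tor_exit_node: bool = False        # only the exit node address is known


def ip_color(e: IpEnrichment) -> str:
    """Colour-code the IP as the text describes: red for blocklist hits, yellow
    for a low trust score, black when there are no data points to judge on."""
    if e.tor_exit_node or (not e.threat_flags and e.trust_score is None):
        return "black"
    if e.threat_flags:
        return "red"
    if e.trust_score is not None and e.trust_score < LOW_TRUST:
        return "yellow"
    return "green"


def triage(alert_severity: str, e: IpEnrichment) -> dict:
    """The IP history is a reference, not a severity modifier: severity passes
    through untouched and a separate flag asks the analyst for extra attention."""
    color = ip_color(e)
    reasons = []
    if e.threat_flags:
        reasons.append("blocklisted: " + ", ".join(e.threat_flags))
    if e.trust_score is not None and e.trust_score < LOW_TRUST:
        why = "low trust score"
        if e.datacenter:
            why += " (datacenter neighbours reported as VPN/proxy or blocklisted)"
        reasons.append(why)
    return {
        "severity": alert_severity,
        "ip_color": color,
        "extra_attention": color in ("red", "yellow"),
        "reasons": reasons,
    }


def allowlist_match(entry: dict, e: IpEnrichment) -> Tuple[bool, str]:
    """Evaluate one allowlist entry against an alert's IP data.
    Returns (matched, confidence). An IP or CIDR entry is exact; geographic
    entries carry lower confidence the more granular they are, and an address
    with no geolocation data (exit node only) can never match geographically."""
    if "cidr" in entry:
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        return ipaddress.ip_address(e.ip) in net, "exact"
    if e.country is None:
        return False, "no-geolocation"
    if entry.get("country") != e.country:
        return False, "country"
    confidence = "country"
    for level in ("region", "city"):
        if level in entry:
            if entry[level] != getattr(e, level):
                return False, level
            confidence = level
    return True, confidence


if __name__ == "__main__":
    # Constructed sample enrichment records using documentation address ranges.
    flagged = IpEnrichment("203.0.113.7", "US", "CA", "San Jose",
                           threat_flags=["spam_source"], trust_score=20)
    dc_only = IpEnrichment("198.51.100.9", "DE", trust_score=30, datacenter=True)
    tor = IpEnrichment("192.0.2.44", tor_exit_node=True)
    for sample in (flagged, dc_only, tor):
        print(sample.ip, triage("low", sample))
    print(allowlist_match({"country": "US"}, flagged),
          allowlist_match({"country": "US", "city": "Oakland"}, flagged))
```

The `allowlist_match` confidence label is the practical takeaway: a CIDR entry is decided by arithmetic, a country entry by the 60 to 80% accurate provider lookup, and a city entry by the least reliable field of that lookup, so the more granular the entry, the more often a legitimate login will fail to match it.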

NOTE: IP color is black with no details.

TOR browser - IP anonymization

When you use a TOR browser, your IP address (the one assigned to you by your internet service provider) is masked. Websites you visit through TOR see the IP address of a TOR exit node, not your actual IP address. This helps preserve your anonymity online.
Because of this, when a TOR Browser is used, we are not provided with any IP data points at the event level other than the exit node IP address. Without this data, there is no indicator for us to apply any color coding. This is working as expected given our logic for highlighting IP addresses.