Dragnet User Guide

IP Suppression Groups

Some users may want to suppress Dragnet alerts that come from certain IP addresses. Unlike Notification Groups, IP Suppression Groups are optional when creating a New Token.

Use Cases

For Email Based Tokens

Email-based tokens that are sent to end users might produce a lot of false positives. To reduce false positives, a company could add its public corporate IP address to the IP Suppression Group.

However, it is important to consider the details of the environment in which the email token is deployed. Suppressing the corporate IP address is only appropriate if, in your judgement, a threat actor is unlikely to access email via the corporate network. For many organizations, the more likely threat vector is web mail.

For Sensitive Documents

Dragnet can be used to set off an alarm if a PDF or Word document is opened outside the corporate network. This is useful if there are documents you expect to be opened from inside the corporate network only.

Create

To create an IP Suppression Group, click New IP Suppression Group on the left menu. Enter a Name, add at least one IP address, and click Create IP Suppression Group. Dragnet accepts both IPv4 and IPv6 addresses.

Edit

To edit an IP Suppression Group, navigate from the left menu to the Edit IP Suppression Group interface. When you select the IP Suppression Group you want to edit, the interface presents options to edit the group. It is functionally the same as the interface to create a new group. Edit the values as necessary and save your changes.

Limitations

We do not recommend using IP Suppression Groups with tokens that use DNS technology (DNS and Windows Folder tokens). This is due to the nature of DNS queries. DNS queries from a computer are sent to a DNS Resolver server, and the DNS Resolver forwards the query to the Dragnet nameservers. As a result, the IP address Dragnet sees is that of the DNS Resolver, not the originating computer.
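
The limitation above can be modelled locally when triaging alerts. This is an added example, not Dragnet's own code: the token-type labels, alert fields and addresses are constructed assumptions. It matches IPv4 and IPv6 source addresses against a suppression group and always alerts on DNS-based tokens, because their source IP is the resolver's.

```python
import ipaddress

# Token types the guide calls DNS-based. The string labels are assumptions.
DNS_BASED = {"dns", "windows_folder"}

def normalize(addr):
    """Parse an IPv4 or IPv6 string; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def evaluate(alert, suppression_group):
    """Return (decision, reason) for an alert with 'token_type' and 'source_ip'."""
    if alert["token_type"] in DNS_BASED:
        # The source IP belongs to the DNS resolver, so a match does not
        # identify the originating computer. Never suppress on it.
        return ("alert", "DNS-based token: source IP is the resolver")
    group = {normalize(a) for a in suppression_group}
    if normalize(alert["source_ip"]) in group:
        return ("suppress", "source IP is in the suppression group")
    return ("alert", "source IP is outside the suppression group")

# Constructed sample data (RFC 5737 / RFC 3849 documentation addresses).
CORPORATE_GROUP = ["203.0.113.10", "2001:db8::10"]
SAMPLE_ALERTS = [
    {"token_type": "email", "source_ip": "203.0.113.10"},
    {"token_type": "email", "source_ip": "2001:0db8:0000:0000:0000:0000:0000:0010"},
    {"token_type": "pdf", "source_ip": "198.51.100.7"},
    {"token_type": "dns", "source_ip": "203.0.113.10"},
]

def run_samples():
    """Decision for each constructed alert, in order."""
    return [evaluate(a, CORPORATE_GROUP)[0] for a in SAMPLE_ALERTS]

if __name__ == "__main__":
    for alert, decision in zip(SAMPLE_ALERTS, run_samples()):
        print(alert["token_type"], alert["source_ip"], "->", decision)
```

Parsing addresses before comparing them means an expanded IPv6 address still matches its compressed form in the group.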