Address Group

Overview

Address Groups let you organize IP addresses into groups by purpose. Under Policies > Address Groups, security analysts can consolidate addresses of a similar nature—such as attacker IPs, IPs subject to blocking, or IPs excluded from detection—into a single group.

Registered address groups can be used with stream rules, batch rules, pivots, blocking integrations, the matchblackip command, and the matchblackip() function. All users, including administrators, can view address groups and the IP addresses inside them, but only administrators can add, edit, or delete address groups and IP addresses.

View/search address groups

You can view or search the address group list under Policies > Address Groups.

Address group list

  • Name: Name of the address group.
  • Description: Description of the address group.
  • Count: Number of IP addresses currently in the group.
  • Created At: Date and time the address group was first created.
  • Modified At: Date and time the address group was last modified.

To find a specific group in the list, use the search tool in the toolbar. The search tool finds address groups whose Name or Description contains the entered keyword.

Download list

To save the address group list to your local PC, click Download in the toolbar.

Refresh list

To reload the address group list with the latest data, click Refresh in the toolbar.

Add an address group

To create a new address group for use in detection scenarios or blocking integrations, follow these steps.

  1. Under Policies > Address Groups, click Add in the toolbar.

  2. On the Add Address Group screen, enter the group information.

    Add address group

    • Name: Name of the address group (required, up to 50 characters).
    • Description: Description of the address group (up to 2,000 characters).

  3. Review the information and click Save.

Note
You cannot save an address group if one with the same name already exists.

Edit an address group

To change the name or description of an existing address group, follow these steps.

  1. Click the row of the address group you want to edit in the list.
  2. On the Edit Address Group screen, change the group information and click Save.

Note
You can also review the list of IP addresses belonging to the same group on the edit screen.

View/search IP addresses

To review or manage the IP addresses in an address group, check the IP address list at the bottom of the edit screen.

Edit address group and IP address list

  • IP Address: IPv4 address registered in the group.
  • Country: Country information based on GeoIP. If a country code is available, the flag and country name are displayed together.
  • Description: Description for the IP address.
  • Created At: Date and time the IP address was first registered in the group.
  • Modified At: Date and time the IP address information was last updated.
  • Expires At: Scheduled deletion time if a retention period is set. Displayed as Unlimited if there is no retention period.
  • Count: Number of times the same IP address has been re-registered.

To find a specific entry in the IP address list, use the search tool. The search tool finds entries whose IP Address or Description contains the entered keyword.

Add an IP address

To register a detected threat IP or an IP to exclude directly into the group, follow these steps.

  1. Click the row of the address group you want to edit in the list.

  2. In the IP address list toolbar on the edit screen, click Add IP Address.

  3. In the Add IP Address dialog, enter the details.

    Add IP address to address group

    • IP Address: IPv4 address to register in the group (required).
    • Description: Description of the IP address (up to 255 characters).
    • Retention (min.): Duration to keep the IP address in the group, in minutes (range: 1–52,560,000). Leave blank to keep it indefinitely.

  4. Review the information and click Save.

Note
If an already registered IP address is added again, the count of the existing entry increases instead of creating a new one, and the description and retention period are updated with the latest input.

Bulk upload IP addresses

To register multiple IP addresses at once using a CSV file, follow these steps.

  1. Click the row of the address group you want to edit in the list.

  2. In the IP address list toolbar on the edit screen, click Upload.

  3. In the Upload IP Addresses dialog, select the file and encoding to upload.

    Bulk upload IP addresses to address group

    • File Upload: Only .csv files can be uploaded (required, up to 10 MB).
    • File Encoding: Choose from UTF-8, UTF-16, or MS949 (default: UTF-8).

  4. Click Upload.

  5. After the upload is complete, check the success or failure results.

Note
If any rows have an incorrect format during upload, the row number, IP address, retention period, description, and error reason are displayed.
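
A pre-upload check for the CSV file, added here as an example and not part of the product: it applies the limits stated above (IPv4 only, retention of 1–52,560,000 minutes or blank, description up to 255 characters, file up to 10 MB), reports failures in the same shape as the upload result, and lists IPs that repeat within the file, since a re-registered IP overwrites the earlier description and retention. The column order (IP address, retention, description, no header row) and the names `check_row` and `preflight` are assumptions, because the page does not document the CSV layout.

```python
import csv
import io
import ipaddress

# Limits are from the page. ASSUMPTION: columns are ip, retention, description
# with no header row; the page does not document the CSV layout.
MAX_FILE_BYTES, MAX_DESC_CHARS = 10 * 1024 * 1024, 255
RETENTION_MIN, RETENTION_MAX = 1, 52_560_000
CODECS = {"UTF-8": "utf-8-sig", "UTF-16": "utf-16", "MS949": "cp949"}

def check_row(ip, retention, desc):
    """Return an error reason for one row, or None if the row is acceptable."""
    try:
        ipaddress.IPv4Address(ip)          # rejects IPv6, CIDR, bad octets
    except ValueError:
        return "not an IPv4 address"
    if retention:                          # blank = keep indefinitely
        if not (retention.isascii() and retention.isdigit()):
            return "retention is not a whole number of minutes"
        if not RETENTION_MIN <= int(retention) <= RETENTION_MAX:
            return "retention out of range"
    if len(desc) > MAX_DESC_CHARS:
        return "description longer than 255 characters"
    return None

def preflight(data, encoding="UTF-8"):
    """Check raw CSV bytes; return (valid rows by IP, errors, repeated IPs)."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError("file exceeds 10 MB")
    rows = csv.reader(io.StringIO(data.decode(CODECS[encoding])))
    valid, errors, dupes = {}, [], []
    for n, row in enumerate(rows, start=1):
        ip, retention, desc = [c.strip() for c in (row + ["", "", ""])[:3]]
        reason = check_row(ip, retention, desc)
        if reason:
            errors.append((n, ip, retention, desc, reason))
            continue
        if ip in valid:
            dupes.append(ip)               # later row replaces the earlier one
        valid[ip] = (int(retention) if retention else None, desc)
    return valid, errors, dupes

SAMPLE = ("203.0.113.7,1440,brute-force source\n"   # constructed sample rows
          "198.51.100.300,60,typo in last octet\n"
          "192.0.2.15,,keep indefinitely\n"
          "203.0.113.7,10080,seen again\n"
          "192.0.2.99,0,retention below minimum\n").encode("utf-8")

if __name__ == "__main__":
    print(preflight(SAMPLE))
```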

Delete an IP address

To remove an IP address you no longer want to manage from the group, follow these steps.

  1. Click the row of the address group you want to edit in the list.
  2. Select the entries to delete in the IP address list on the edit screen.
  3. Click the delete icon in the toolbar.
  4. In the Delete IP Address dialog, confirm the entries to delete and click Delete.

Use address groups

Registered address groups can be used in the following ways.

Manage IP addresses in detection scenarios

In stream rules and batch rules, you can configure IP addresses extracted from events to be automatically added to a specific address group. This lets you accumulate detected attacker IPs in a dedicated group, or have them removed automatically after a set period.

Selecting an address group in a stream rule scenario

Selecting an address group in a batch rule scenario

Compare address groups in the scenario builder

In the scenario builder for stream rules, you can use conditions to check whether an IP address in an input field is included in a specific address group. This is useful for comparing known threat IP lists against the source or destination IP of an event.

Using an address group condition in the scenario builder

Compare address groups in pivots and queries

In pivots, you can use an address group filter to show only, or to exclude, the IP addresses included in a specific group. In queries, use the matchblackip command and the matchblackip() function to determine whether the IP address in an input field is included in a specific address group.

Use with blocking integrations

When you use an address group as the blocklist in a blocking integration, the IP addresses registered in the group are reflected in the blocking policies of the integrated external security appliances.

Selecting an address group in a blocking integration

Delete an address group

To clean up address groups that are no longer in use, follow these steps.

  1. Select the checkbox on the row of the address group to delete in the list.
  2. Click Delete in the toolbar.
  3. In the Delete Address Group dialog, confirm the groups to delete and click Delete.

Caution
Deleting an address group also deletes all IP addresses in the group. If stream rules, batch rules, pivot filters, queries, or blocking integrations reference this group, they may not work as intended, so verify usage before deleting.