Updated April 28, 2026

Incident Response IP Triage: A Fast Checklist

A practical checklist for investigating suspicious IP addresses during security incidents.

Capture the basics

Record the IP address, timestamp, timezone, endpoint, account, user agent, request ID, and observed behavior.

Preserve raw logs before enrichment so the original evidence stays intact.

Enrich the IP

Check geolocation, ASN, ISP, reverse DNS, fraud score, proxy indicators, and whether the IP appears in previous incidents.

Look for clusters: same ASN, same country, same endpoint, same payload, or repeated account targeting.
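
The preserve, enrich and cluster steps above, as an added example that is not part of the original guide: it hashes each raw log line before enrichment, then reports which ASN, country, endpoint or account values are shared by two or more distinct IPs. The log lines, ASNs, accounts and the `ENRICHMENT` table (standing in for whatever lookup source you use) are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample events (documentation IP ranges, private-use ASNs, made-up accounts).
RAW_LOG_LINES = [
    '{"ts":"2026-04-28T10:01:02Z","ip":"203.0.113.10","endpoint":"/login","account":"alice"}',
    '{"ts":"2026-04-28T10:01:05Z","ip":"203.0.113.11","endpoint":"/login","account":"alice"}',
    '{"ts":"2026-04-28T10:01:09Z","ip":"198.51.100.7","endpoint":"/login","account":"alice"}',
    '{"ts":"2026-04-28T10:02:00Z","ip":"192.0.2.44","endpoint":"/search","account":"bob"}',
]

# Hypothetical enrichment results keyed by IP; stands in for a real lookup source.
ENRICHMENT = {
    "203.0.113.10": {"asn": 64500, "country": "NL"},
    "203.0.113.11": {"asn": 64500, "country": "NL"},
    "198.51.100.7": {"asn": 64501, "country": "NL"},
    "192.0.2.44": {"asn": 64502, "country": "US"},
}

CLUSTER_KEYS = ("asn", "country", "endpoint", "account")


def preserve_and_enrich(raw_lines, enrichment):
    """Hash each raw line first, then attach enrichment to a parsed copy."""
    events = []
    for line in raw_lines:
        # Digest covers the original bytes, taken before any parsing or enrichment.
        digest = hashlib.sha256(line.encode("utf-8")).hexdigest()
        event = json.loads(line)
        event.update(enrichment.get(event["ip"], {"asn": None, "country": None}))
        event["raw_sha256"] = digest
        events.append(event)
    return events


def find_clusters(events, min_ips=2):
    """Return {(key, value): sorted distinct IPs} where at least min_ips share the value."""
    seen = defaultdict(set)
    for event in events:
        for key in CLUSTER_KEYS:
            value = event.get(key)
            if value is not None:
                seen[(key, value)].add(event["ip"])
    return {k: sorted(ips) for k, ips in seen.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    enriched = preserve_and_enrich(RAW_LOG_LINES, ENRICHMENT)
    for (key, value), ips in sorted(find_clusters(enriched).items(), key=str):
        print(f"{key}={value}: {ips}")
```

A cluster on one ASN with few IPs supports a narrow range block; a cluster on one account across several ASNs points toward an account-level control instead.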

Choose action

Possible actions include no action, monitor, challenge, block one IP, block a narrow range, tune WAF rules, or escalate to legal or abuse reporting.

Crafzo IP Lookup helps speed up the enrichment step during a live incident.

Frequently Asked Questions

What should I save before blocking?

Save timestamps, logs, request details, and the reason for the action.

Should I block during an active attack?

Yes, when needed, but prefer narrow and reversible controls while the evidence is still developing.
