# Cybermap

The cybermap allows the visualization of the origin of the public IP addresses having communicated on the network.

![Device cybermap](https://3649415055-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWc1Xp1HIov409xra1MoW%2Fuploads%2FmZYFneKrcPwWh67uR4Yb%2Fimage.png?alt=media\&token=6f3ae0c4-421b-4144-9f71-6a61fefd8852)

{% hint style="danger" %}
**The flows displayed are grouped by public IP address.**\
The volume is therefore the sum total of the incoming and outgoing volume for each flow to this IP address.
{% endhint %}

{% hint style="info" %}
The **View affected endpoints** link allows you to access the [table of endpoints](https://docs.serenicity.fr/control/english/devices/dashboard-dun-appareil/peripheriques) with the same date selected in the card selector.
{% endhint %}

### Selector

The selector allows you to change the sorting of the IP addresses and the direction of the flows.

The different sorting of IP addresses are as follows:

* **By threats**: The flows will be sorted by decreasing order of [danger of the threats](https://docs.serenicity.fr/control/english/guides/glossaire#dangerousness-of-the-threats) represented by the public IP addresses.
* **By flow volume**: IP addresses will be sorted in descending order of the total volume (sum of incoming and outgoing volume) of flows grouped by public IP address.
* **By flow count**: IP addresses will be sorted by flow count to the public IP address.

The flow direction allows you to filter on **OUT** flows only, **IN** flows only, or both.

The selection of non-open hours only allows you to retrieve only the flows that have transited during the [non-working hours of the device](https://docs.serenicity.fr/control/english/devices/dashboard-dun-appareil/parametres).

### Legend

On the map, the [icons of the IP address threats](https://docs.serenicity.fr/control/english/guides/glossaire#dangerousness-of-the-threats) are displayed.

If the IP address cannot be represented by an icon, then the flag of the country of origin is displayed.

{% hint style="warning" %}
The location of IP addresses is retrieved from [ipdata](https://ipdata.co/).

**It is possible that the location is only accurate to one country. In this case, the marker will be displayed in the center of the country in question.**
{% endhint %}

If several IP addresses are on the same point on the map, then a flashing cluster with the country flag is displayed. If the cluster contains a qualified threat (e.g. Trojan horse), then the following icon appears:

<div align="center"><img src="https://3649415055-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWc1Xp1HIov409xra1MoW%2Fuploads%2FjYmVoVbJMONnv9aUlx4c%2Fcritical.png?alt=media&#x26;token=38abf0f9-cef6-4fce-ade0-e919197a2416" alt="Cluster containing multiple threats"></div>

The color of the flows to each IP address is determined by the directions of the flows:

* If the IP address is **toxic and at least one flow is OUT**, then it will be displayed in <mark style="color:red;">**red**</mark>.
* If the IP address is **toxic and all flows are IN**, then it will be displayed in <mark style="color:orange;">**orange**</mark>.
* If the IP address is **not toxic**, then it will be displayed in <mark style="color:green;">**green**</mark>.