This tutorial is how to find the specific subscriber who is reported abuse.
The abuse email usually contains a global address from a NAT pool. We need to understand which of the subscribers went to the resource where the virus activity was detected at a known time behind this NAT-pool.
We need to perform two steps — find the necessary information in the abuse email and use it to identify the subscriber in the GUI of the Stingray.

1. The address from your NAT pool (source IP).
2. Address of the attacked resource (destination IP)
3. Activity time on the attacked resource (considering the time zones!)

• Example 1.
  

• Example 2.
  

More can be found useful in the email:

1. Reason of abuse
   
2. History of abuse (if the activity was repeated)
   

This can help you understand the scope of the problem and identify similar problems on your network.

The task is to determine from the logs which subscriber behind the NAT-pool (source IP) specified in the letter was accessing the destination IP at that time.

Before you start the search it is worth checking two facts:

1. The NAT pool in question is set to CG-NAT in Stingray.
   
2. The NAT log storage time captures the time of activity. View and configure
   

Then in the GUI you need to open the section NAT flow, select a period, enter the source and destination IP.