Managed Sentinel – Alert 046

Alert ID: MS-A046
Alert Name: High Value Servers communicating with Known Malicious IP/Domains (Threat Intelligence)
Description: This alert triggers when an internal critical machine successfully connects to a malicious IP address or domain listed in the Managed Sentinel Threat Intelligence list.

Customer to provide a list of critical servers.
Severity Level: Medium
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Execution; Command and Control
Log sources: Firewalls
False Positives: Browser adware; Incorrect Threat Intelligence feed
Recommendations: Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP). Manually validate the malicious IP address against external Threat Intelligence sources (e.g
The volume of requests within a specific period of time can also be a solid indicator of a compromised host.
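The detection logic described above, as an added example that is not Managed Sentinel's own rule: firewall lines are matched against a customer-supplied critical-server list and a threat-intelligence list, only allowed (successful) connections count as hits, and repeated hits from one server to one indicator inside a short window are flagged as the volume signal the recommendations mention. The log format, server list and indicators are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs (not from the alert page): the customer-supplied list of
# critical servers, a threat-intelligence list and a few key=value firewall log lines.
CRITICAL_SERVERS = {"10.0.1.10", "10.0.1.11"}
TI_INDICATORS = {"203.0.113.5", "198.51.100.77"}
FIREWALL_LOGS = """\
2024-03-01T10:00:01Z src=10.0.1.10 dst=203.0.113.5 dport=443 action=allow
2024-03-01T10:00:12Z src=10.0.1.10 dst=203.0.113.5 dport=443 action=allow
2024-03-01T10:00:20Z src=10.0.1.10 dst=203.0.113.5 dport=443 action=allow
2024-03-01T10:01:05Z src=10.0.1.11 dst=198.51.100.77 dport=25 action=deny
2024-03-01T10:02:30Z src=10.0.2.50 dst=203.0.113.5 dport=80 action=allow
2024-03-01T11:30:00Z src=10.0.1.11 dst=203.0.113.5 dport=53 action=allow
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def parse_line(line):
    """Parse one firewall line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec

def detect(logs, critical, indicators, window=timedelta(minutes=5), burst=3):
    """Return (hits, bursts).
    hits:   allowed connections from a critical server to a TI-listed destination
            (denied attempts are ignored; the alert fires on successful connections).
    bursts: (src, dst) pairs with at least `burst` hits inside `window`.
    """
    hits = [r for r in map(parse_line, logs.splitlines())
            if r and r["src"] in critical and r["dst"] in indicators
            and r["action"] == "allow"]
    by_pair = defaultdict(list)
    for r in hits:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    bursts = set()
    for pair, ts in by_pair.items():
        ts.sort()
        if any(ts[i + burst - 1] - ts[i] <= window for i in range(len(ts) - burst + 1)):
            bursts.add(pair)
    return hits, bursts
```

The `dport` kept on each hit is what an analyst checks first when following the recommendation to look at the type of traffic allowed (443, 53, 25).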