Managed Sentinel – Alert 046

Alert IDMS-A046
Alert NameOutbound traffic to known bad IPs (Managed Sentinel Threat Intelligence)
DescriptionManaged Sentinel tracks a significant number of threat actors/malware/botnets etc so as to protect its products and services. The query shows traffic to known malicious IPs associated with various spam campaigns, botnets , virus etc. Examining traffic to these known malicious IPs is a potential avenue to discover attacks in your environment.
Severity LevelLow
Threat IndicatorCompromised Host
MITRE ATT&CK TacticsPersistence
Command and Control
Exfiltration
Log sourcesFirewalls
False PositiveBrowsers Adware
Incorrect Threat Intelligence feed
Recommendations1. Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp).
2. Manually perform a validation of the malicious IP address on external Threat Intell sources (e.g www.abuseIPdb.com).
3. Identify the number of requests within a specific period of time which could be an solid indicator of a compromised host.
4. Perform a AV/AM scan for the affected internal machine