Managed Sentinel – Alert 065
|Alert Name||Multiple internal assets connecting to the same malicious destinations within a predefined timeframe (Threat Intelligence)|
|Description||This alert triggers when multiple internal systems successfully connect to the same malicious IP address or URL domain, based on the Managed Sentinel Threat Intelligence list. The customer is to provide a list of critical servers.|
|Threat Indicator||Compromised Host|
|MITRE ATT&CK Tactics||Execution; Command and Control|
|False Positive||Browser adware; incorrect Threat Intelligence feed|
|Recommendations||Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP). Manually validate the malicious IP address against external Threat Intelligence sources (e.g. www.abuseIPdb.com). The volume of requests within a specific period of time can also be a solid indicator of a compromised host.|
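The following is an added illustration of the alert's logic, not part of the original alert card and not Managed Sentinel's own rule: it applies the "distinct internal hosts per TI destination within a window" test to constructed firewall log lines and a constructed indicator list, drops denied connections (the alert is about successful ones), and keeps per-host request counts so the analyst can weigh request volume as the recommendations suggest. Threshold, window size, field names and all sample values are assumptions.

```python
"""Illustrative detection logic for Alert 065: flag a destination from a
threat-intelligence (TI) list when min_hosts or more distinct internal
hosts connect to it successfully within one time window.
All TI entries and log lines below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed TI list (RFC 5737 test address and a made-up domain).
TI_INDICATORS = {"203.0.113.45", "bad-cdn.example"}

# Constructed firewall/proxy log lines: timestamp, src, dst, action.
SAMPLE_LOGS = """\
2024-05-01T09:00:05Z src=10.0.1.12 dst=203.0.113.45 action=allow
2024-05-01T09:01:10Z src=10.0.1.13 dst=203.0.113.45 action=allow
2024-05-01T09:02:40Z src=10.0.1.12 dst=203.0.113.45 action=allow
2024-05-01T09:03:00Z src=10.0.2.7 dst=203.0.113.45 action=deny
2024-05-01T09:04:30Z src=10.0.3.20 dst=203.0.113.45 action=allow
2024-05-01T09:05:00Z src=10.0.1.12 dst=bad-cdn.example action=allow
2024-05-01T09:50:00Z src=10.0.1.99 dst=bad-cdn.example action=allow
2024-05-01T09:06:00Z src=10.0.1.12 dst=198.51.100.8 action=allow
"""

def parse(line):
    """Split one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(log_text, indicators, window=timedelta(minutes=15), min_hosts=3):
    """Return {dst: {"hosts": {src: request_count}, "first": ts, "last": ts}}
    for each TI destination reached successfully by >= min_hosts distinct
    internal sources inside a single window. Denied connections are ignored."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e["dst"] in indicators and e["action"] == "allow":
            events[e["dst"]].append((e["ts"], e["src"]))
    alerts = {}
    for dst, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over events
            in_win = [(t, s) for t, s in evs[i:] if t - start <= window]
            hosts = {s for _, s in in_win}
            if len(hosts) >= min_hosts:
                counts = {s: sum(1 for _, x in in_win if x == s) for s in hosts}
                alerts[dst] = {"hosts": counts, "first": in_win[0][0],
                               "last": in_win[-1][0]}
                break  # one alert per destination is enough
    return alerts
```

On the sample data only 203.0.113.45 fires (three distinct allowed hosts in under five minutes); bad-cdn.example does not, because its two connections are from too few hosts and 45 minutes apart.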