Managed Sentinel – Alert 065

Alert ID: MS-A065
Alert Name: Multiple internal assets connecting to the same malicious destinations within a predefined timeframe (Threat Intelligence)
Description: This alert triggers when multiple internal systems successfully connect (i.e. the firewall allowed the session) to the same malicious IP address, URL or domain listed in the Managed Sentinel Threat Intelligence feed within a predefined time window. Blocked attempts are not counted.
Customer to provide a list of critical servers.
Severity Level: Medium
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Execution, Command and Control, Exfiltration
Log sources: Firewalls
False Positives: Browser adware; incorrect or stale Threat Intelligence feed entries
Recommendations: Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP) and whether it is consistent with the role of the connecting hosts. Manually validate the malicious IP address against external Threat Intelligence sources (e.g. www.abuseIPdb.com), and check whether the destination is a shared hosting or CDN address, since a single feed entry can then cover many benign sites. The volume of requests from a single host within a specific period of time can also be a strong indicator of a compromised host, so compare per-host request counts rather than only the number of distinct hosts.
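The detection logic described above (distinct internal hosts allowed to the same Threat Intelligence destination within a time window) and the volume check from the recommendations, implemented as an added, stand-alone example that is not Managed Sentinel's own rule (the production rule would be a KQL analytics query; this is a Python equivalent). The threat-intelligence list, the key=value firewall log lines and the thresholds (1-hour window, 3 assets) are constructed for illustration and are not from the page:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the Managed Sentinel TI feed (documentation-range IPs).
THREAT_INTEL = {"198.51.100.23", "203.0.113.77"}

# Constructed firewall log lines in a simple "timestamp key=value ..." format.
FIREWALL_LOGS = [
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp action=allow",
    "2024-05-01T10:02:10Z src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp action=allow",
    "2024-05-01T10:05:00Z src=10.0.0.7 dst=198.51.100.23 dport=443 proto=tcp action=allow",
    "2024-05-01T10:20:00Z src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp action=allow",
    "2024-05-01T10:41:00Z src=10.0.1.9 dst=198.51.100.23 dport=443 proto=tcp action=allow",
    "2024-05-01T13:30:00Z src=10.0.2.2 dst=198.51.100.23 dport=443 proto=tcp action=allow",
    "2024-05-01T10:10:00Z src=10.0.0.8 dst=203.0.113.77 dport=25 proto=tcp action=allow",
    "2024-05-01T10:12:00Z src=10.0.0.9 dst=203.0.113.77 dport=25 proto=tcp action=allow",
    "2024-05-01T10:15:00Z src=10.0.0.10 dst=203.0.113.77 dport=25 proto=tcp action=deny",
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2024-05-01T10:01:00Z src=10.0.0.7 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2024-05-01T10:02:00Z src=10.0.1.9 dst=93.184.216.34 dport=443 proto=tcp action=allow",
]


def parse_line(line):
    """Parse one constructed firewall line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect(lines, ti, window=timedelta(hours=1), min_assets=3):
    """Return one alert per TI destination that >= min_assets distinct internal
    hosts were ALLOWED to reach within any `window`-long period.

    Only action=allow events count (the alert is about successful connections),
    and destinations not on the TI list are ignored entirely."""
    by_dst = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["action"] == "allow" and ev["dst"] in ti:
            by_dst[ev["dst"]].append(ev)

    alerts = []
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Slide the window over each event as a candidate start; keep the window
        # with the most distinct sources (earliest one wins ties).
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            assets = {e["src"] for e in in_window}
            if len(assets) >= min_assets and (best is None or len(assets) > len(best["assets"])):
                per_src = Counter(e["src"] for e in in_window)
                best = {
                    "dst": dst,
                    "window_start": start["ts"],
                    "assets": sorted(assets),
                    "requests": len(in_window),            # total volume in window
                    "ports": sorted({e["dport"] for e in in_window}),  # traffic type hint
                    "top_talker": per_src.most_common(1)[0],  # (src, count): volume indicator
                }
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["dst"])


if __name__ == "__main__":
    for a in detect(FIREWALL_LOGS, THREAT_INTEL):
        print(f"{a['dst']}: {len(a['assets'])} assets, {a['requests']} requests "
              f"on ports {a['ports']}, top talker {a['top_talker']}")
```

In the constructed data 203.0.113.77 does not alert at the default threshold because only two hosts were allowed through (the third attempt was denied), and 93.184.216.34 is never considered because it is not on the feed. The `ports` and `top_talker` fields are what an analyst would look at first when following the recommendations above: which kind of traffic was allowed, and whether one host is generating most of the volume.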