Outbound traffic to known bad Ips (Microsoft Security Graph)
Microsoft tracks a significant number of threat actors/malware/botnets etc so as to protect its products and services. The query shows traffic to known malicious IPs associated with various spam campaigns, botnets , virus etc. Examining traffic to these known malicious IPs is a potential avenue to discover attacks in your environment.
1. Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp).
2. Manually perform a validation of the malicious IP address on external Threat Intell sources (e.g www.abuseIPdb.com).
3. Identify the number of requests within a specific period of time which could be an solid indicator of a compromised host.
4. Perform a AV/AM scan for the affected internal machine