Managed Sentinel – Alert 111

Alert ID: MS-A111
Alert Name: Traffic allowed to known bad IP addresses (Threat Intelligence)
Description: This alert triggers when an internal machine successfully connects to a malicious IP address that appears on the Managed Sentinel Threat Intelligence list.
Severity Level: Low
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Command and Control; Exfiltration
Log sources: Firewalls
False Positives: Browser adware; incorrect Threat Intelligence feed
Recommendations: Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP). Manually validate the malicious IP address against external Threat Intelligence sources (e.g. www.abuseIPdb.com). The volume of requests within a specific period of time can also be a solid indicator of a compromised host.
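The triage the recommendations describe (which internal hosts were allowed to reach a listed IP, what kind of traffic it was, and whether the request volume in a short window looks like beaconing rather than a stray adware request) can be scripted over firewall logs. The following is an added example written for this page, not Managed Sentinel's own detection or query. The log line format, the threat-intelligence addresses, the port-to-service mapping and the five-connections-in-five-minutes volume threshold are all constructed assumptions for the demonstration.

```python
"""Match allowed firewall connections against a threat-intelligence IP list,
summarise traffic type and request volume per internal host, and flag hosts
whose volume suggests a compromised host rather than browser adware.
All addresses, log lines and the TI list below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence list (documentation-range placeholders, not real IoCs).
THREAT_INTEL_IPS = {"203.0.113.25", "198.51.100.77"}

# Constructed firewall log lines in an assumed format:
# timestamp action src_ip dst_ip dst_port protocol
SAMPLE_FIREWALL_LOGS = """\
2024-05-01T10:00:01 allow 10.0.0.5 203.0.113.25 443 tcp
2024-05-01T10:00:31 allow 10.0.0.5 203.0.113.25 443 tcp
2024-05-01T10:01:02 allow 10.0.0.5 203.0.113.25 443 tcp
2024-05-01T10:01:33 allow 10.0.0.5 203.0.113.25 443 tcp
2024-05-01T10:02:04 allow 10.0.0.5 203.0.113.25 443 tcp
2024-05-01T10:02:35 allow 10.0.0.5 203.0.113.25 443 tcp
2024-05-01T10:02:00 deny 10.0.0.9 203.0.113.25 443 tcp
2024-05-01T10:05:00 allow 10.0.0.12 198.51.100.77 53 udp
2024-05-01T10:06:00 allow 10.0.0.7 192.0.2.10 80 tcp
"""

# Assumed mapping from destination port to the traffic type named in the recommendations.
PORT_TO_SERVICE = {80: "web", 443: "web", 53: "dns", 25: "smtp", 587: "smtp"}


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, action, src, dst, port, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "port": int(port), "proto": proto}


def match_threat_intel(log_text, ti_ips):
    """Return only *allowed* connections whose destination is on the TI list.
    Denied attempts are dropped: the alert is about successful connections."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "allow" and rec["dst"] in ti_ips:
            hits.append(rec)
    return hits


def summarise(hits, window=timedelta(minutes=5), volume_threshold=5):
    """Per (src, dst) pair: connection count, services seen, and the maximum
    number of connections inside any sliding window of length `window`.
    `high_volume` is set when that maximum reaches `volume_threshold`."""
    by_pair = defaultdict(list)
    for h in hits:
        by_pair[(h["src"], h["dst"])].append(h)

    summary = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        # Two-pointer sliding window over the sorted timestamps.
        max_in_window, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            max_in_window = max(max_in_window, i - j + 1)
        services = sorted({PORT_TO_SERVICE.get(r["port"], f"port-{r['port']}/{r['proto']}")
                           for r in recs})
        summary[pair] = {
            "count": len(recs),
            "services": services,
            "max_in_window": max_in_window,
            "high_volume": max_in_window >= volume_threshold,
        }
    return summary


if __name__ == "__main__":
    hits = match_threat_intel(SAMPLE_FIREWALL_LOGS, THREAT_INTEL_IPS)
    for (src, dst), info in summarise(hits).items():
        flag = "HIGH VOLUME" if info["high_volume"] else "single/low volume"
        print(f"{src} -> {dst}: {info['count']} allowed, {info['services']}, {flag}")
```

In the sample data, 10.0.0.5 makes six allowed HTTPS connections to a listed address inside three minutes and is flagged, while 10.0.0.12's single DNS request is reported but not flagged, which is the kind of distinction the false-positive notes (adware, a bad feed entry) call for before escalating. Output from a script like this is a triage aid; the recommended manual validation of the address against an external source still applies.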