Blocked outbound traffic to blacklisted IPs or domains (Threat Intelligence)
This alert triggers when an internal critical machine successfully connect to a malicious IP address or domain based on Managed Sentinel Threat Intelligence list.
Customer to provide a list of critical servers.
MITRE ATT&CK Tactics
Incorrect Threat Intelligence feed
Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp). Manually perform a validation of the malicious IP address on external Threat Intelligence sources (e.g www.abuseIPdb.com).
Also the volume of requests within a specific period of time could be an solid indicator of a compromised host.