Managed Sentinel – Alert 146

Alert ID: MS-A146

Alert Name: COVID-19 IP address IOC detected - SigninLogs

Description: This alert triggers when a connection to an IP address related to COVID-19 malware is detected in SigninLogs.

Severity Level: Medium

Threat Indicator: Compromised Host

MITRE ATT&CK Tactics:
- Persistence
- Command and Control
- Exfiltration

Log sources: AzureAD

False Positive:
- Browser adware
- Incorrect Threat Intelligence feed

Recommendations:
1. Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP).
2. Manually validate the malicious IP address against external Threat Intel sources (e.g. www.abuseIPdb.com, virustotal.com).
3. Identify the number of requests within a specific period of time, which can be a solid indicator of a compromised host.
4. Perform an AV/AM scan of the affected internal machine.
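The following KQL query is an added example and is not the Managed Sentinel rule's own detection logic. It shows how an analyst could reproduce the alert's matching in a Sentinel workspace and, at the same time, produce the per-IP request counts that recommendation 3 asks for. It assumes the standard SigninLogs and ThreatIntelligenceIndicator tables and that the threat intelligence feed marks COVID-19 indicators with "COVID-19" in the Tags or Description field; that tagging convention is an assumption, and the lookback windows are arbitrary choices.

```kql
// Added example, not the rule's own query. Assumes the COVID-19 indicators
// carry "COVID-19" in Tags or Description (feed-specific convention).
let lookback = 1d;
let covidIPs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(30d)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | where Tags has "COVID-19" or Description has "COVID-19"   // assumed tagging
    | extend IoC_IP = coalesce(NetworkIP, NetworkSourceIP)
    // keep only the latest version of each indicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IoC_IP, IndicatorId, Description, ConfidenceScore;
SigninLogs
| where TimeGenerated >= ago(lookback)
| where isnotempty(IPAddress)
| join kind=inner covidIPs on $left.IPAddress == $right.IoC_IP
// per-IP volume and spread of affected identities supports recommendation 3
| summarize SigninCount = count(),
            FailedSignins = countif(ResultType != "0"),   // "0" = successful sign-in
            Users = make_set(UserPrincipalName, 20),
            Apps = make_set(AppDisplayName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress, IndicatorId, Description, ConfidenceScore
| order by SigninCount desc
```

A single matching sign-in with a low ConfidenceScore indicator is a candidate for the "incorrect Threat Intelligence feed" false positive listed above; a high SigninCount spread over many users or applications in a short window is the pattern the recommendations treat as a likely compromised host.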