Managed Sentinel – Alert 230

Alert ID: MS-A230
Alert Name: Cisco Umbrella - Connections to malicious domains
Description: This alert identifies Cisco Umbrella DNS log entries whose queried domain matches an active domain indicator in the ThreatIntelligenceIndicator table.
Severity Level: Low
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Privilege Escalation, Lateral Movement, Credential Access
Log Sources: DNS (Cisco Umbrella)
False Positives: Browser adware; stale or incorrect threat intelligence feed entries
Recommendations:
1. Investigate what traffic to the matched domain was allowed (Umbrella action Allowed vs. Blocked) and the IP address the domain resolved to.
2. Manually validate the domain and its resolved IP address against external threat intelligence sources (e.g. www.abuseIPdb.com, virustotal.com); the match may come from a stale or low-confidence indicator.
3. Count the requests from the internal host to the domain within a short time window; repeated queries are a much stronger indicator of a compromised host than a single lookup.
4. Run an AV/AM scan on the affected internal machine.
5. Complete a Sentinel investigation on the same entities (internal IP address, hostname or user account) to determine whether any lateral movement or other follow-on activity occurred.
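The KQL below is an added example of the detection described above, not the Managed Sentinel rule itself. It joins Umbrella DNS queries against active, unexpired domain indicators and adds the per-host request count from recommendation 3 so the analyst can see at a glance whether a single lookup or a burst of queries triggered the alert. The table and column names (Cisco_Umbrella_dns_CL with Domain_s, InternalIp_s, Action_s, QueryType_s, Identities_s; ThreatIntelligenceIndicator with DomainName, Active, ExpirationDateTime, ConfidenceScore, ThreatType) follow the Cisco Umbrella data connector and the Sentinel TI table as commonly deployed, and the 10-query threshold is an assumed value; verify both against your own workspace schema before using it.

```kql
// Added example (not the original alert's query). Table/column names and the
// high_volume threshold are assumptions; check them against your workspace.
let ioc_lookBack = 14d;   // how far back to collect indicators
let dt_lookBack  = 1h;    // DNS window, normally the rule's run frequency
let high_volume  = 10;    // assumed: queries per host that suggest a compromised host (recommendation 3)
// Latest version of each domain indicator that is still active and unexpired
let tiDomains = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and isnotempty(DomainName)
    | extend TI_Domain = tolower(DomainName);
// Umbrella DNS queries in the detection window. Umbrella writes FQDNs with a
// trailing dot ("evil.example."), so strip it or nothing will match the feed.
let umbrellaDns = Cisco_Umbrella_dns_CL
    | where TimeGenerated >= ago(dt_lookBack)
    | extend QueriedDomain = tolower(trim_end(@"\.", Domain_s));
umbrellaDns
| join kind=innerunique tiDomains on $left.QueriedDomain == $right.TI_Domain
| summarize
    Hits       = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Actions    = make_set(Action_s),      // recommendation 1: was the traffic allowed or blocked?
    QueryTypes = make_set(QueryType_s),
    Identities = make_set(Identities_s)
    by InternalIp_s, QueriedDomain, IndicatorId, ThreatType, ConfidenceScore, Description
// recommendation 3: repeated queries in a short window point to a compromised host
| extend LikelyCompromisedHost = Hits >= high_volume
// entity mapping for the Sentinel incident (host IP and matched domain)
| extend IPCustomEntity = InternalIp_s, DNSCustomEntity = QueriedDomain
| order by Hits desc
```

Keeping the arg_max-by-IndicatorId step matters: indicators are re-ingested as they are updated, and joining against every historical copy produces duplicate alerts for the same domain. Filtering on ConfidenceScore in the tiDomains subquery is the usual lever for the "incorrect threat intelligence feed" false positive listed above.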