Managed Sentinel – Alert 241

Alert IDMS-A241
Alert NameVPN connections from IP addresses matching Firegen Threat Intelligence feed
DescriptionThis alert will trigger when a successful VPN connection is established from an external IP address listed on Firegen Threat Intelligence feed, regardless of the Risk score associated.
Severity LevelMedium
Threat IndicatorCompromised Host
MITRE ATT&CK TacticsInitial Access
Log sourcesVPN
False PositiveBrowsers Adware
Incorrect Threat Intelligence feed
Recommendations1. Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp).
2. Manually perform a validation of the malicious IP address on external Threat Intell sources (e.g www.abuseIPdb.com).
3. Identify the number of requests within a specific period of time which could be an solid indicator of a compromised host.
4. Perform a AV/AM scan for the affected machine connecting via VPN (applicable to Corporate assets)
5. If required deactivate the VPN account(s)
6. Complete a Sentinel investigation for the same entity (IP address or user account) to understand if any other lateral attacks were completed while connecting to VPN to corporate network