Managed Sentinel – Alert 065
| Alert ID | MS-A065 |
|---|---|
| Alert Name | Multiple internal assets connecting to the same malicious destinations within a predefined timeframe (Threat Intelligence) |
| Description | This alert triggers when multiple internal systems successfully connect to the same malicious IP address or domain listed in the Managed Sentinel Threat Intelligence feed within a predefined timeframe. The customer is to provide a list of critical servers. |
| Severity Level | Medium |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Execution, Command and Control, Exfiltration |
| Log sources | Firewalls |
| False Positive | Browsers, Adware, Incorrect Threat Intelligence feed |
| Recommendations | Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP). Manually validate the malicious IP address against external Threat Intelligence sources (e.g. www.abuseIPdb.com). The volume of requests within a specific period of time can also be a solid indicator of a compromised host. |
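
As an added illustration of the correlation this alert performs (example code, not Managed Sentinel's own rule logic, which in Sentinel would be an analytics rule over ingested firewall logs): a Python sketch that parses constructed firewall log lines, keeps only allowed connections to destinations on a constructed threat-intelligence list, and raises one alert per destination reached by at least three distinct internal hosts within a one-hour sliding window, enriched with the request volume, services seen and whether a critical server was involved. The log format, window, threshold, port-to-service map and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample data (not real indicators): the threat-intel destination list,
# the customer-supplied critical-server list, and a port-to-service map.
MALICIOUS_DESTINATIONS = {"203.0.113.45", "bad-update.example"}
CRITICAL_SERVERS = {"10.0.0.5"}
SERVICE_BY_PORT = {80: "web", 443: "web", 53: "dns", 25: "smtp"}

# Constructed firewall log lines: timestamp, source, destination, dst port, action.
FIREWALL_LOGS = """\
2024-05-01T10:00:05Z 10.0.0.5  203.0.113.45 443 allow
2024-05-01T10:03:10Z 10.0.0.7  203.0.113.45 443 allow
2024-05-01T10:04:00Z 10.0.0.7  203.0.113.45 443 allow
2024-05-01T10:20:30Z 10.0.0.9  203.0.113.45 53  allow
2024-05-01T10:25:00Z 10.0.0.11 203.0.113.45 443 deny
2024-05-01T12:40:00Z 10.0.0.20 203.0.113.45 443 allow
2024-05-01T10:05:00Z 10.0.0.5  198.51.100.8 443 allow
"""

def parse_logs(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "src": src, "dst": dst, "port": int(port), "action": action})
    return events

def correlate(events, window=timedelta(hours=1), min_sources=3):
    """One alert per TI-listed destination reached (allowed) by >= min_sources
    distinct internal hosts inside any sliding interval of length `window`."""
    hits = sorted((e for e in events
                   if e["action"] == "allow" and e["dst"] in MALICIOUS_DESTINATIONS),
                  key=lambda e: e["ts"])
    by_dst = defaultdict(list)
    for e in hits:
        by_dst[e["dst"]].append(e)
    alerts = []
    for dst, evs in by_dst.items():
        for i, first in enumerate(evs):  # each hit may open a window
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["src"] for e in in_win}
            if len(sources) >= min_sources:
                alerts.append({"destination": dst, "window_start": first["ts"],
                               "sources": sources, "requests": len(in_win),
                               "services": {SERVICE_BY_PORT.get(e["port"], str(e["port"])) for e in in_win},
                               "critical_server_involved": bool(sources & CRITICAL_SERVERS)})
                break  # alert once per destination, not once per window
    return alerts
```

On the constructed data only 203.0.113.45 alerts: the denied connection is ignored, the 12:40 hit falls outside the window, and 198.51.100.8 is not on the list.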
