Managed Sentinel – Alert 111
| Field | Value |
|---|---|
| Alert ID | MS-A111 |
| Alert Name | Outbound traffic to known bad IPs (Microsoft Security Graph) |
| Description | Microsoft tracks a significant number of threat actors, malware families, botnets and similar infrastructure in order to protect its products and services. The query shows traffic from the environment to known malicious IPs associated with spam campaigns, botnets, viruses and similar activity. Examining traffic to these known malicious IPs is a potential avenue to discover attacks in your environment. |
| Severity Level | Low |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Persistence, Command and Control, Exfiltration |
| Log sources | Firewalls |
| False Positive | Browsers, Adware, Incorrect Threat Intelligence feed |
| Recommendations | 1. Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP). 2. Manually validate the malicious IP address against external Threat Intelligence sources (e.g. www.abuseipdb.com). 3. Identify the number of requests within a specific period of time; repeated connections are a solid indicator of a compromised host. 4. Perform an AV/AM scan of the affected internal machine. |
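The following KQL query is an added example, not the Managed Sentinel rule itself. It shows the detection logic this alert describes: outbound firewall traffic (assumed to land in the `CommonSecurityLog` table) joined against active IP indicators in Sentinel's `ThreatIntelligenceIndicator` table, then counted per internal source so that recommendation 3 (request volume over a window) is answered directly in the result. The look-back windows, the `Connections >= 3` threshold and the private-to-public filter are assumptions chosen for illustration.

```kusto
// Added example: match outbound firewall traffic against active TI IP indicators.
// Assumes firewall logs are ingested into CommonSecurityLog (CEF) and that
// indicators are present in the ThreatIntelligenceIndicator table.
let lookback = 1d;      // assumed: how far back to scan firewall events
let ti_window = 14d;    // assumed: how far back to read indicator records
let ioc = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_window)
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
    | extend IndicatorIP = coalesce(NetworkDestinationIP, NetworkIP)
    // keep only the newest copy of each indicator, then drop inactive or expired ones
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorIP, ThreatType, Description, ConfidenceScore, SourceSystem;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(DestinationIP)
// outbound only: an internal (RFC 1918) source talking to a public destination
| where ipv4_is_private(SourceIP) and not(ipv4_is_private(DestinationIP))
| join kind=inner ioc on $left.DestinationIP == $right.IndicatorIP
| summarize
    Connections = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Ports = make_set(DestinationPort, 10),          // answers recommendation 1
    Protocols = make_set(ApplicationProtocol, 10),  // e.g. http, dns, smtp
    Actions = make_set(DeviceAction, 5)             // allowed vs. denied by the firewall
    by SourceIP, DestinationIP, ThreatType, Description, ConfidenceScore, SourceSystem
// assumed threshold: repeated connections are a stronger signal than a single hit
| where Connections >= 3
| order by Connections desc
```

Each result row gives the analyst the internal host, the indicator it contacted, how often, on which ports and protocols, and whether the firewall allowed the traffic, which is the context needed before validating the IP against an external feed or scanning the host. Lowering the threshold to 1 reproduces the plain "any contact" behaviour of the alert; raising it filters out the single-hit browser and adware noise listed under False Positive.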
