Managed Sentinel – Alert 146
Alert ID | MS-A146 |
Alert Name | COVIT-19 IP address IOC detected - SigninLogs |
Description | This alert triggers when an connection to an IP address related to COVID-19 malware is detected in SigninLogs. |
Severity Level | Medium |
Threat Indicator | Compromised Host |
MITRE ATT&CK Tactics | Persistence Command and Control Exfiltration |
Log sources | AzureAD |
False Positive | Browsers Adware Incorrect Threat Intelligence feed |
Recommendations | 1. Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp). 2. Manually perform a validation of the malicious IP address on external Threat Intell sources (e.g www.abuseIPdb.com, virustotal.com). 3. Identify the number of requests within a specific period of time which could be an solid indicator of a compromised host. 4. Perform a AV/AM scan for the affected internal machine |