Managed Sentinel – Alert 230
| Field | Value |
| --- | --- |
| Alert ID | MS-A230 |
| Alert Name | Cisco Umbrella - Connections to malicious domains |
| Description | This alert identifies Umbrella DNS log entries whose queried domain matches an indicator in the ThreatIntelligenceIndicator table. |
| Severity Level | Low |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Privilege Escalation, Lateral Movement, Credential Access |
| Log sources | DNS |
| False Positive | Browsers, Adware, Incorrect Threat Intelligence feed |
| Recommendations | 1. Investigate the type of traffic allowed to the malicious IP address. 2. Manually validate the malicious IP address against external Threat Intel sources (e.g. www.abuseIPdb.com, virustotal.com). 3. Identify the number of requests within a specific period of time, which can be a solid indicator of a compromised host. 4. Perform an AV/AM scan of the affected internal machine. 5. Complete a Sentinel investigation for the same entity (IP address or user account) to understand whether any other lateral attacks were completed. |
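The detection logic described above (Umbrella DNS log entries joined against threat-intel domain indicators) and recommendation 3 (count matched requests per host within a time window), as an added Python illustration that is not the Managed Sentinel rule or any Cisco/Microsoft code. It assumes a simplified Umbrella column layout (timestamp, identity, internal_ip, action, domain), a constructed indicator list shaped like the ThreatIntelligenceIndicator columns DomainName / Active / ExpirationDateTime, and it goes beyond an exact-domain join by also matching a queried host name to an indicator on any of its parent domains; every log line and indicator below is constructed sample data.

```python
"""Match Umbrella DNS log entries against threat-intel domain indicators,
then flag hosts with repeated matches inside a short window (MS-A230, rec. 3).
Added illustration, not the Managed Sentinel rule; all data is constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed Umbrella-style DNS log with a simplified column layout
# (assumption: not the full Umbrella export format).
UMBRELLA_LOG = """\
timestamp,identity,internal_ip,action,domain
2024-05-01 09:00:01,laptop-17,10.1.4.23,Allowed,update.example-cdn.test
2024-05-01 09:00:05,laptop-17,10.1.4.23,Allowed,beacon.badc2.test
2024-05-01 09:00:35,laptop-17,10.1.4.23,Allowed,beacon.badc2.test
2024-05-01 09:01:05,laptop-17,10.1.4.23,Allowed,beacon.badc2.test
2024-05-01 09:01:36,laptop-17,10.1.4.23,Blocked,beacon.badc2.test
2024-05-01 09:02:10,desk-04,10.1.7.8,Allowed,ads.tracker-network.test
2024-05-01 09:03:00,desk-04,10.1.7.8,Allowed,mail.corp.test
2024-05-01 09:04:12,desk-09,10.1.7.9,Allowed,old-indicator.test.
"""

# Constructed indicators shaped like ThreatIntelligenceIndicator columns.
INDICATORS = [
    {"DomainName": "badc2.test", "Active": True,
     "ExpirationDateTime": datetime(2025, 1, 1)},
    {"DomainName": "tracker-network.test", "Active": True,
     "ExpirationDateTime": datetime(2025, 1, 1)},
    {"DomainName": "old-indicator.test", "Active": True,
     "ExpirationDateTime": datetime(2024, 1, 1)},  # expired: must not fire
]

NOW = datetime(2024, 5, 1, 9, 5, 0)   # evaluation time for the sample data
WINDOW = timedelta(minutes=2)         # window used for the request count


def normalize(domain):
    """Lower-case and drop a trailing dot so 'Foo.test.' joins with 'foo.test'."""
    return domain.strip().lower().rstrip(".")


def active_indicators(indicators, now):
    """Keep only indicators that are active and not yet expired."""
    return {normalize(i["DomainName"]) for i in indicators
            if i["Active"] and i["ExpirationDateTime"] > now}


def indicator_for(domain, active):
    """Return the indicator matching the domain or any parent domain.
    Parent matching is an extension of the exact join in the alert."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in active:
            return candidate
    return None


def match_log(log_text, indicators, now):
    """Return one hit per log entry whose domain matches an active indicator."""
    active = active_indicators(indicators, now)
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        ind = indicator_for(row["domain"], active)
        if ind is None:
            continue
        hits.append({
            "timestamp": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "identity": row["identity"], "internal_ip": row["internal_ip"],
            "action": row["action"], "domain": row["domain"], "indicator": ind,
        })
    return hits


def repeated_contacts(hits, window, threshold):
    """Recommendation 3: hosts whose matched requests inside `window` reach
    `threshold`. Returns {internal_ip: max requests seen in one window}."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["internal_ip"]].append(h["timestamp"])
    flagged = {}
    for ip, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window start
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    hits = match_log(UMBRELLA_LOG, INDICATORS, NOW)
    for h in hits:
        print(h["timestamp"], h["internal_ip"], h["action"],
              h["domain"], "->", h["indicator"])
    print("repeated contacts:", repeated_contacts(hits, WINDOW, 3))
```

The expired indicator is filtered before the join, which is the check that addresses the "incorrect Threat Intelligence feed" false positive; the action field is kept on every hit so the analyst can separate allowed from blocked traffic (recommendation 1), and the sliding-window count separates a host making three allowed callbacks in under two minutes from a single adware lookup.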