Managed Sentinel – Alert 047
| Alert ID | MS-A047 |
| Alert Name | Outbound traffic to known bad IPs (Managed Sentinel Threat Intel) - Cisco ASA |
| Description | Managed Sentinel tracks a significant number of threat actors/malware/botnets etc so as to protect its products and services. The query shows traffic to known malicious IPs associated with various spam campaigns; botnets ; virus etc. Examining traffic to these known malicious IPs is a potential avenue to discover attacks in your environment. The entities included in the notification indicate the internal hosts that accessed remote IPs identified as malicious. Review the incident in Azure Sentinel for full details including; source; destination IP; destination country; protocol; bytes transfered; type of threat and confidence. |
| Severity Level | Medium |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Lateral Movement Credential Access Priviledge Escalation |
| Log sources | Firewalls |
| False Positive | Browsers Adware Incorrect Threat Intelligence feed |
| Recommendations | 1. Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp). 2. Manually perform a validation of the malicious IP address on external Threat Intell sources (e.g www.abuseIPdb.com, virustotal.com). 3. Identify the number of requests within a specific period of time which could be an solid indicator of a compromised host. 4. Perform a AV/AM scan for the affected internal machine |