Managed Sentinel – Alert 112
| Field | Value |
| --- | --- |
| Alert ID | MS-A112 |
| Alert Name | Blocked outbound traffic to blacklisted IPs or domains (Threat Intelligence) |
| Description | This alert triggers when an internal critical machine successfully connects to a malicious IP address or domain listed in the Managed Sentinel Threat Intelligence feed. The customer is to provide a list of critical servers. |
| Severity Level | Low |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Initial Access, Defense Evasion |
| Log sources | Firewalls |
| False Positive | Incorrect Threat Intelligence feed |
| Recommendations | Investigate the type of traffic allowed to the malicious IP address (e.g. web, DNS, SMTP). Manually validate the malicious IP address against external Threat Intelligence sources (e.g. www.abuseIPdb.com). The volume of requests within a specific period of time can also be a solid indicator of a compromised host. |
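The detection and triage logic described above, as an added example that is not part of the Managed Sentinel alert definition: it matches allowed firewall connections from customer-listed critical servers against a Threat Intelligence IP list, records the ports involved (web, DNS, SMTP), and applies the request-volume check from the recommendations. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; addresses come from documentation ranges, not real indicators.
THREAT_INTEL_IPS = {"203.0.113.45"}          # Threat Intelligence list (assumed)
CRITICAL_SERVERS = {"10.0.0.5"}              # customer-provided critical servers (assumed)
FIREWALL_LOGS = [
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:01:30Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:02:10Z src=10.0.0.5 dst=203.0.113.45 dport=53 action=allow",
    "2024-05-01T10:03:00Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:04:00Z src=10.0.0.5 dst=203.0.113.45 dport=25 action=deny",    # blocked, not a success
    "2024-05-01T10:05:00Z src=10.0.0.9 dst=203.0.113.45 dport=443 action=allow",  # not a critical host
    "2024-05-01T10:06:00Z src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",  # not on the TI list
]

def parse_line(line):
    """Parse one assumed 'timestamp key=value ...' firewall line into a dict."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def alert_112_hits(logs, ti_ips, critical_servers):
    """Group successful (allowed) connections from critical servers to TI-listed destinations."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in logs:
        f = parse_line(line)
        if f["action"] != "allow" or f["src"] not in critical_servers or f["dst"] not in ti_ips:
            continue
        h = hits[(f["src"], f["dst"])]
        h["count"] += 1
        h["ports"].add(int(f["dport"]))          # which traffic types were allowed (443, 53, 25 ...)
        h["first"] = f["ts"] if h["first"] is None else min(h["first"], f["ts"])
        h["last"] = f["ts"] if h["last"] is None else max(h["last"], f["ts"])
    return dict(hits)

def high_volume(hits, threshold=3, window=timedelta(minutes=10)):
    """Pairs whose request count within the window meets the threshold: a stronger compromise signal."""
    return [pair for pair, h in hits.items()
            if h["count"] >= threshold and h["last"] - h["first"] <= window]

if __name__ == "__main__":
    hits = alert_112_hits(FIREWALL_LOGS, THREAT_INTEL_IPS, CRITICAL_SERVERS)
    for (src, dst), h in hits.items():
        print(f"{src} -> {dst}: {h['count']} allowed connections on ports {sorted(h['ports'])}")
    print("high volume:", high_volume(hits))
```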