Activity observed from malicious IP

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect activity from a malicious IP address based on Datadog threat intelligence feeds.

Strategy

This rule lets you monitor events where @evt.outcome is successful and the @network.client.ip value has been categorized as malicious by Datadog threat intelligence.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the @evt.name field to determine the actions taken and potential severity of a compromise.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.
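The following is an added example, not Datadog's rule implementation: it emulates the rule's two conditions from the Strategy section over constructed events and then summarizes, per flagged IP, the facts the triage steps ask for (actions taken via @evt.name, and whether any successful authentication occurred). The threat-intel categories, the literal outcome value "success", the event names and the @usr.id attribute are assumptions.

```python
from collections import defaultdict

# Constructed stand-in for a threat intelligence feed: ip -> category.
THREAT_INTEL = {
    "203.0.113.45": "malicious",
    "198.51.100.9": "tor_proxy",  # not "malicious", so it must not match
}

# Constructed sample events using the attribute names the rule refers to.
EVENTS = [
    {"@evt.name": "user.login", "@evt.outcome": "success", "@network.client.ip": "203.0.113.45", "@usr.id": "alice"},
    {"@evt.name": "user.login", "@evt.outcome": "failure", "@network.client.ip": "203.0.113.45", "@usr.id": "bob"},
    {"@evt.name": "s3.GetObject", "@evt.outcome": "success", "@network.client.ip": "203.0.113.45", "@usr.id": "alice"},
    {"@evt.name": "user.login", "@evt.outcome": "success", "@network.client.ip": "198.51.100.9", "@usr.id": "carol"},
    {"@evt.name": "user.login", "@evt.outcome": "success", "@network.client.ip": "192.0.2.10", "@usr.id": "dave"},
]

# Assumed: which event names represent an authentication attempt.
AUTH_EVENTS = {"user.login"}


def rule_matches(event, intel=THREAT_INTEL):
    """True when the event satisfies both rule conditions: a successful
    outcome AND a client IP categorized as malicious by the feed."""
    ip = event.get("@network.client.ip")
    return event.get("@evt.outcome") == "success" and intel.get(ip) == "malicious"


def triage(events, intel=THREAT_INTEL):
    """Per flagged IP: distinct actions taken (step 2), users with a
    successful authentication (step 3), and whether to escalate."""
    by_ip = defaultdict(lambda: {"actions": set(), "auth_users": set()})
    for ev in events:
        if not rule_matches(ev, intel):
            continue
        ip = ev["@network.client.ip"]
        by_ip[ip]["actions"].add(ev["@evt.name"])
        if ev["@evt.name"] in AUTH_EVENTS:
            by_ip[ip]["auth_users"].add(ev.get("@usr.id", "unknown"))
    return {
        ip: {
            "actions": sorted(s["actions"]),
            "successful_auth_users": sorted(s["auth_users"]),
            # A successful authentication from a malicious IP starts the IR process.
            "escalate": bool(s["auth_users"]),
        }
        for ip, s in by_ip.items()
    }
```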