Network Traffic observed associated with a malicious IP Address identified by Recorded Future

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect network traffic to or from IP addresses identified as malicious by Recorded Future threat intelligence.

Strategy

This rule monitors authentication, network activity, and web activity events that have been enriched with Recorded Future threat intelligence. It triggers when a host successfully communicates with an IP address that Recorded Future has flagged as malicious.

Triage & Response

  1. Identify the source host {{@ocsf.src_endpoint.ip}} involved in the suspicious communication.
  2. Determine whether the host is actively communicating with a known command-and-control (C2) IP. If it is, isolate the host immediately and begin incident response procedures.
  3. Review the full network activity from the affected host, in both directions, for evidence of lateral movement, data exfiltration, or additional C2 channels.
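The following is an added example, not Datadog's rule implementation or Recorded Future's enrichment, that models the strategy above and triage step 3 on constructed OCSF-style events. The indicator set `MALICIOUS_IPS`, the events in `SAMPLE_EVENTS` and the `threat_intel` key written by `enrich()` are all assumptions standing in for the real enrichment; the IPs are RFC 5737 documentation addresses, so nothing here is a real indicator. It shows why only successful communication fires, why an inbound match from a flagged IP still points back at an internal host, and how to pull that host's full peer list for the lateral-movement review.

```python
from ipaddress import ip_address

# Constructed indicator set (hypothetical stand-in for the Recorded Future feed).
MALICIOUS_IPS = {"198.51.100.23", "203.0.113.9"}

# Constructed OCSF-style events. class_uid 4001 = Network Activity,
# 4002 = HTTP Activity; status_id 1 = Success, 2 = Failure.
SAMPLE_EVENTS = [
    {"class_uid": 4001, "status_id": 1,  # outbound, succeeded -> signal
     "src_endpoint": {"ip": "10.0.0.5", "hostname": "ws-017"},
     "dst_endpoint": {"ip": "198.51.100.23", "port": 443}},
    {"class_uid": 4001, "status_id": 2,  # failed connect attempt -> no signal
     "src_endpoint": {"ip": "10.0.0.8", "hostname": "ws-042"},
     "dst_endpoint": {"ip": "203.0.113.9", "port": 8080}},
    {"class_uid": 4001, "status_id": 1,  # inbound from flagged IP -> signal
     "src_endpoint": {"ip": "203.0.113.9"},
     "dst_endpoint": {"ip": "10.0.0.5", "hostname": "ws-017", "port": 22}},
    {"class_uid": 4002, "status_id": 1,  # benign web request -> no signal
     "src_endpoint": {"ip": "10.0.0.5", "hostname": "ws-017"},
     "dst_endpoint": {"ip": "192.0.2.10", "port": 80}},
]


def normalize_ip(value):
    """Canonicalise an IP string so feed and log formats compare equal; None if unparsable."""
    try:
        return str(ip_address(value))
    except (ValueError, TypeError):
        return None


def enrich(event, indicators):
    """Attach matched indicators under a hypothetical 'threat_intel' key (the enrichment step)."""
    matched = []
    for side in ("src_endpoint", "dst_endpoint"):
        ip = normalize_ip(event.get(side, {}).get("ip"))
        if ip in indicators:
            matched.append({"side": side, "ip": ip})
    enriched = dict(event)
    enriched["threat_intel"] = matched
    return enriched


def evaluate(events, indicators):
    """Emit one signal per successful event whose src or dst IP is a known-malicious indicator."""
    signals = []
    for raw in events:
        ev = enrich(raw, indicators)
        if ev.get("status_id") != 1 or not ev["threat_intel"]:
            continue  # failed attempts and unenriched events never fire
        match = ev["threat_intel"][0]
        # The endpoint opposite the matched IP is the internal host to triage,
        # whichever direction the connection was made in.
        host_side = "dst_endpoint" if match["side"] == "src_endpoint" else "src_endpoint"
        signals.append({
            "host_ip": normalize_ip(ev[host_side].get("ip")),
            "hostname": ev[host_side].get("hostname"),
            "malicious_ip": match["ip"],
            "direction": "outbound" if host_side == "src_endpoint" else "inbound",
            "class_uid": ev.get("class_uid"),
        })
    return signals


def host_peers(events, host_ip):
    """Triage step 3: every distinct peer the affected host talked to, in either direction."""
    host_ip = normalize_ip(host_ip)
    peers = set()
    for ev in events:
        src = normalize_ip(ev.get("src_endpoint", {}).get("ip"))
        dst = normalize_ip(ev.get("dst_endpoint", {}).get("ip"))
        if src == host_ip and dst:
            peers.add(dst)
        elif dst == host_ip and src:
            peers.add(src)
    return sorted(peers)


if __name__ == "__main__":
    for sig in evaluate(SAMPLE_EVENTS, MALICIOUS_IPS):
        print(sig)
        print("  peers of", sig["host_ip"], "->", host_peers(SAMPLE_EVENTS, sig["host_ip"]))
```

Running it yields two signals, both against ws-017: one outbound to 198.51.100.23 and one inbound from 203.0.113.9. The failed connection from ws-042 produces nothing, which is the behaviour the strategy describes; if you want visibility into blocked attempts as well, that is a separate, lower-severity rule rather than a change to this one.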