Network Traffic observed associated with a malicious IP Address identified by Recorded Future

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect network traffic to or from IP addresses identified as malicious by Recorded Future threat intelligence.

Strategy

This rule monitors log events (authentication, network activity, and web activity) enriched with Recorded Future threat intelligence. It triggers when a host successfully communicates with an IP address that Recorded Future has flagged as malicious.
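As an added illustration of the detection logic (this is example code, not the rule's own implementation), the snippet below replays the two steps the strategy describes over constructed OCSF-style events: an enrichment pass that marks endpoints matching an indicator set, then an evaluation that fires only for allowed connections to or from a flagged IP and groups the results by the host to triage. The `src_endpoint.ip` field comes from the triage steps; `dst_endpoint.ip`, the `action_id` value for an allowed connection, the `threat_intel` enrichment shape and all addresses are assumptions (TEST-NET ranges, not real indicators).

```python
from collections import defaultdict

# Constructed stand-in for the Recorded Future indicator feed: documentation
# (TEST-NET) addresses, not real IoCs.
FLAGGED_IPS = {"203.0.113.7", "198.51.100.9"}
ALLOWED = 1  # assumed OCSF action_id for an allowed (successful) connection

# Constructed OCSF-style network activity events, as the rule would see them.
SAMPLE_EVENTS = [
    {"src_endpoint": {"ip": "10.0.0.5"}, "dst_endpoint": {"ip": "203.0.113.7"}, "action_id": 1},
    {"src_endpoint": {"ip": "10.0.0.5"}, "dst_endpoint": {"ip": "203.0.113.7"}, "action_id": 2},  # denied
    {"src_endpoint": {"ip": "198.51.100.9"}, "dst_endpoint": {"ip": "10.0.0.8"}, "action_id": 1},  # inbound
    {"src_endpoint": {"ip": "10.0.0.6"}, "dst_endpoint": {"ip": "93.184.216.34"}, "action_id": 1},  # no match
]


def enrich(event, indicators=FLAGGED_IPS):
    """Attach threat-intel matches the way an enrichment pipeline would (assumed shape)."""
    matches = []
    for side in ("src_endpoint", "dst_endpoint"):
        ip = event.get(side, {}).get("ip")
        if ip in indicators:
            matches.append({"side": side, "ip": ip, "category": "malicious"})
    return {**event, "threat_intel": matches}


def evaluate(event):
    """Return a signal if the event is a successful connection to/from a flagged IP, else None."""
    if event.get("action_id") != ALLOWED or not event.get("threat_intel"):
        return None  # denied connections and unmatched events never fire
    hit = event["threat_intel"][0]
    # The host to triage is the endpoint that is NOT the flagged one.
    host_side = "dst_endpoint" if hit["side"] == "src_endpoint" else "src_endpoint"
    return {
        "host": event[host_side]["ip"],
        "flagged_ip": hit["ip"],
        "direction": "inbound" if hit["side"] == "src_endpoint" else "outbound",
    }


def run_rule(events):
    """Enrich and evaluate every event; group signals by host for triage."""
    by_host = defaultdict(list)
    for ev in events:
        signal = evaluate(enrich(ev))
        if signal:
            by_host[signal["host"]].append(signal)
    return dict(by_host)
```

Running `run_rule(SAMPLE_EVENTS)` yields one outbound signal for 10.0.0.5 and one inbound signal for 10.0.0.8; the denied attempt and the unmatched connection produce nothing.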

Triage & Response

  1. Identify the source host {{@ocsf.src_endpoint.ip}} involved in the suspicious communication.
  2. Investigate whether the host is actively communicating with a known C2 IP. Isolate the host immediately and begin incident response procedures.
  3. Review the full network activity from the affected host for evidence of lateral movement, data exfiltration, or additional C2 channels.