Activity observed from malicious IP

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect activity from a malicious IP address based on Datadog threat intelligence feeds.

Strategy

This rule lets you monitor events where the @evt.outcome is successful and the @network.client.ip value has been categorized as malicious.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the @evt.name field to determine the actions taken and potential severity of a compromise.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.