Network Traffic observed associated with a malicious IP Address identified by Recorded Future

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect network traffic to or from IP addresses identified as malicious by Recorded Future threat intelligence.

Strategy

This rule monitors network activity logs (authentication, network activity, and web activity events) enriched with Recorded Future threat intelligence. It triggers when a host successfully communicates with an IP address that Recorded Future has flagged as malicious, whether that address is the source or the destination of the connection.
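To make the matching logic concrete, here is an added example (not Datadog's rule definition and not Recorded Future's enrichment) that re-implements the detection over constructed OCSF-shaped events. The `src_endpoint.ip`, `dst_endpoint.ip` and `status_id` fields follow the OCSF schema (`status_id` 1 is Success); the indicator set, the sample events and the private-range hygiene filter are assumptions made for illustration. It also shows the point that matters for triage: when the flagged IP is the source of an inbound connection, the host to investigate is the destination endpoint, not `src_endpoint.ip`.

```python
"""Detection logic for "successful traffic to or from a flagged IP".

Added example, not the vendor's rule. Field names are OCSF; the indicator
set and sample events below are constructed, not real data.
"""
import ipaddress

# Constructed indicator set standing in for the Recorded Future enrichment.
# 10.0.0.5 is included deliberately: feeds sometimes carry internal
# addresses, and matching on them would alert on every internal flow.
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.42", "10.0.0.5"}

# OCSF status_id: 1 = Success. The rule fires only on successful communication.
OCSF_STATUS_SUCCESS = 1

# Ranges that should never be treated as external indicators (assumption:
# a hygiene filter a practitioner would add, not part of the rule as described).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "224.0.0.0/4", "fc00::/7", "fe80::/10", "::1/128",  # multicast, IPv6 ULA/link-local/loopback
)]

# Constructed OCSF-style network activity events (class_uid 4001).
SAMPLE_EVENTS = [
    # Outbound, successful, destination is flagged -> alert, host is the source.
    {"class_uid": 4001, "status_id": 1,
     "src_endpoint": {"ip": "10.20.30.40"}, "dst_endpoint": {"ip": "203.0.113.7"}},
    # Inbound, successful, source is flagged -> alert, host is the destination.
    {"class_uid": 4001, "status_id": 1,
     "src_endpoint": {"ip": "198.51.100.42"}, "dst_endpoint": {"ip": "10.20.30.41"}},
    # Failed/blocked attempt to a flagged IP -> no alert (rule requires success).
    {"class_uid": 4001, "status_id": 2,
     "src_endpoint": {"ip": "10.20.30.42"}, "dst_endpoint": {"ip": "203.0.113.7"}},
    # Internal flow to an address the feed wrongly lists -> no alert after filtering.
    {"class_uid": 4001, "status_id": 1,
     "src_endpoint": {"ip": "10.20.30.43"}, "dst_endpoint": {"ip": "10.0.0.5"}},
    # Benign external traffic -> no alert.
    {"class_uid": 4001, "status_id": 1,
     "src_endpoint": {"ip": "10.20.30.44"}, "dst_endpoint": {"ip": "192.0.2.10"}},
]


def usable_indicators(indicators):
    """Keep only syntactically valid, externally routable indicator IPs."""
    keep = set()
    for raw in indicators:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed feed entry
        if any(ip in net for net in NON_ROUTABLE):
            continue  # internal/special-purpose address, not a usable indicator
        keep.add(str(ip))
    return keep


def evaluate(event, indicators):
    """Return a match record for a successful flow to or from an indicator, else None.

    The returned 'host' is always the non-indicator side, so inbound matches
    point at dst_endpoint rather than src_endpoint.
    """
    if event.get("status_id") != OCSF_STATUS_SUCCESS:
        return None
    src = event.get("src_endpoint", {}).get("ip")
    dst = event.get("dst_endpoint", {}).get("ip")
    if dst in indicators:
        return {"host": src, "indicator": dst, "direction": "outbound"}
    if src in indicators:
        return {"host": dst, "indicator": src, "direction": "inbound"}
    return None


def run(events, indicators):
    """Apply the rule to a batch of events and return all matches in order."""
    ioc = usable_indicators(indicators)
    return [m for m in (evaluate(e, ioc) for e in events) if m]


if __name__ == "__main__":
    for match in run(SAMPLE_EVENTS, MALICIOUS_IPS):
        print(f"{match['direction']:8s} host={match['host']} indicator={match['indicator']}")
```

Run stand-alone, the script reports two matches: the outbound flow from 10.20.30.40 and the inbound flow to 10.20.30.41. The failed attempt, the internal-only "indicator" and the benign flow produce nothing, which is the behaviour you want before paging anyone.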

Triage & Response

  1. Identify the source host {{@ocsf.src_endpoint.ip}} involved in the suspicious communication. If the flagged IP is the source of an inbound connection, the host to investigate is the destination endpoint instead.
  2. Determine whether the host is actively communicating with a known C2 IP. If it is, isolate the host immediately and begin incident response procedures.
  3. Review the full network activity from the affected host for evidence of lateral movement, data exfiltration, or additional C2 channels.