Activity observed from malicious IP

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect activity from a malicious IP address based on Datadog threat intelligence feeds.

Strategy

This rule lets you monitor events where the @evt.outcome is successful and the @network.client.ip value has been categorized as malicious.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the @evt.name field to determine the actions taken and potential severity of a compromise.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.