Activity observed from malicious IP

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Goal

Detect activity from a malicious IP address based on Datadog threat intelligence feeds.

Strategy

This rule lets you monitor events where the @evt.outcome is successful and the @network.client.ip value has been categorized as malicious.

Triage and response

  1. Determine if the source IP {{@network.client.ip}} is anomalous within the organization:
    • Is the geo-location, ASN, or domain uncommon for the organization?
    • Use the Cloud SIEM - IP Investigation dashboard to see if the IP address has taken other actions.
  2. Investigate the @evt.name field to determine the actions taken and potential severity of a compromise.
  3. If the IP is deemed malicious:
    • Confirm that no successful authentication attempts have been made.
    • If a successful authentication attempt is observed, begin your company’s incident response process.