Microsoft Threat Intelligence Analytics Alerts
Hi all,
We are receiving several "The response 69.16.175.42 to DNS query matched an IoC" alerts in Sentinel; however, doing some research, it looks like this IP could be used for Windows updates. Looking at some other forums, it seems this alert could be a false positive. Just wondering if anyone else has seen this alert?
Reply from cyb3rmik3 (Microsoft):
jakem2046, I haven't seen this alert; however, as the IP is part of a CDN network, it is highly unlikely that you would be able to correlate it as a true-positive IoC. Checking:
- Microsoft Defender Threat Intelligence (approx. 1,000 resolutions in the last 14 days)
- Reverse IP lookup for 69.16.175.42 - SecurityTrails (over 10,000 resolutions in SecurityTrails history)
As it is highly unlikely that one would block Cloudflare, for example, I would look into the DNS requests made to make sure no suspicious domain was requested, and dismiss the alerts as false positives.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
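The triage step the reply recommends, as an added example that is not part of the thread: a Sentinel KQL query that lists every domain whose DNS answer contained the flagged IP, rarest first, so a lone unfamiliar name stands out from the CDN-hosted update traffic. It assumes the DnsEvents table from the DNS Analytics connector (fields Name, IPAddresses, ClientIP, SubType) and the ThreatIntelligenceIndicator table the built-in TI map rules read.

```kql
// Constructed triage query; not from the thread or from Microsoft's own rules.
// Assumes DnsEvents (Name, IPAddresses, ClientIP, SubType) and
// ThreatIntelligenceIndicator (NetworkIP, NetworkDestinationIP, Description,
// ThreatType, ConfidenceScore, Active, ExpirationDateTime, IndicatorId).
let suspectIP = "69.16.175.42";   // IP from the alert in the question
let lookback = 14d;
// Which TI indicator fired, and whether it is still active.
let matchedIndicator = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where NetworkIP == suspectIP or NetworkDestinationIP == suspectIP
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, Description, ThreatType, ConfidenceScore, Active, ExpirationDateTime;
// Every lookup whose answer set contained the IP. IPAddresses is a
// comma-separated string, so expand it to one row per resolved address.
DnsEvents
| where TimeGenerated >= ago(lookback)
| where SubType == "LookupQuery" and isnotempty(IPAddresses)
| mv-expand SingleIP = split(IPAddresses, ",")
| extend SingleIP = trim(@"\s+", tostring(SingleIP))
| where SingleIP == suspectIP
// One row per queried domain: how often, from how many clients, when.
| summarize Lookups = count(),
            Clients = dcount(ClientIP),
            SampleClients = make_set(ClientIP, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Name
// Attach the indicator details so the analyst sees what actually matched.
| extend MatchedIndicator = toscalar(
      matchedIndicator
      | summarize make_set(strcat(IndicatorId, " ", ThreatType, " conf=", ConfidenceScore, " ", Description)))
// Rare names first: well-known update/CDN hosts dominate the counts,
// while a domain seen once from one client is the thing worth a look.
| order by Lookups asc, Clients asc
| project Name, Lookups, Clients, SampleClients, FirstSeen, LastSeen, MatchedIndicator
```

If every Name in the result is a known update or CDN host, the alert can be closed as a false positive; a single unexpected domain is the case that needs a closer look at that client.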