Forum Discussion
Microsoft Threat Intelligence Article Not Found
Hello,
I got a hit in Sentinel on the rule "TI map IP entity to Network Session Events (ASIM Network Session schema)" for a network session that is going to IP address 54.161.241.46.
The reasoning for the hit appears to be that this IP address is on a TI watchlist.
But searching a bit around on the internet, it does not look malicious at first glance.
Searching around the IP address I do not see it as malicious right away.
In the description field of the log, it refers to an article for more information on this threat.
The article: https://ti.defender.microsoft.com/article/0792a99c
But when I try to access the article, it says it does not exist.
Should I just ignore those rule hits as the article no longer exists? Has anyone any experience with this alert?
Best,
Tobias
3 Replies
- KubaTom (Brass Contributor): What MDTI license have you got? This is a featured article from 14d ago called 'Ruby Sleet targeting government and defense entities with job description-themed lures and malicious .scr files'. Chances are it's behind a paywall.
- Tobias_Moe (Copper Contributor): Thanks for the quick response! AFAIK it is the free license. I figured it might have been behind a paywall, but as I understood things, articles get "released" to free after a while. Can I ask you if the premium license is worth it? I had a look at it, and the monthly cost seemed relatively high for what you get vs. the free license.
- KubaTom (Brass Contributor):
The premium license is defo not cheap, and whether it's worth it or not is entirely depending on the size of your org, use cases, the actual need for TI-related info and feeds etc.
MS do a 90-day free trial and I'd encourage anyone to just try it out for yourself here: Defender Threat Intelligence Trial. You get a couple of licenses so you can assign them as you see fit. And it's enough time to allow you to form an opinion of your own, taking into account your and your org's specific requirements, expectations etc.