TI map IP entity to Network Session Events (ASIM Network Session schema) - InboundConnectionAccepted

Copper Contributor

Many alerts have been observed from the Analytics rule "TI map IP entity to Network Event events (ASIM Network Session schema)". All connections originate from malicious external IP addresses that have a poor reputation according to MSTIC.

ConfidenceScore 100
ThreatType  Botnet
Description  MSTIC HoneyPot: An attacker used a brute force attack to gain access to a service or device.
Reviewing the base events, I only noticed Defender XDR DeviceNetworkEvents with ActionType "InboundConnectionAccepted". No other action type was noticed.

This appears to be an FP alert from the XDR component, and there is no indication of successful connections, as there is no other ActionType such as "ConnectionSuccess" or "ConnectionFound".

If you encounter any such case, please let me know. Would it be appropriate to exclude the ActionType "InboundConnectionAccepted" from this rule?


0 Replies
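As an added example (not from the original post, and not the Sentinel rule template itself), the KQL hunting query below reproduces the base-event review described above in one pass: it takes the active, unexpired IP indicators from the standard ThreatIntelligenceIndicator table, joins them against the Defender XDR DeviceNetworkEvents table on the remote IP, and summarizes per indicator which ActionTypes, local ports and listening processes were involved. Because InboundConnectionAccepted rows carry the LocalPort and InitiatingProcessFileName of the listener that accepted the connection, the summary shows which exposed service the flagged source reached, which is the evidence needed before deciding whether the rule should ignore that ActionType. The table and column names are the standard Sentinel ones; the 14-day lookback and the InboundOnly flag are choices made for this example.

```kusto
// Added triage query (example, not the original rule's KQL).
// Assumes: Sentinel workspace with the ThreatIntelligenceIndicator table
// and the Defender XDR DeviceNetworkEvents table connected.
let lookback = 14d;   // assumed window; widen or narrow as needed
// Active, unexpired IP indicators, keeping only the latest version of each
let ti_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend TI_IP = coalesce(NetworkIP, NetworkSourceIP)
    | project TI_IP, ConfidenceScore, ThreatType, Description;
DeviceNetworkEvents
| where TimeGenerated >= ago(lookback)
| where isnotempty(RemoteIP)
| join kind=inner ti_ips on $left.RemoteIP == $right.TI_IP
| summarize
    Events             = count(),
    ActionTypes        = make_set(ActionType),
    // ports and processes that accepted (or initiated) the sessions
    LocalPorts         = make_set(LocalPort, 20),
    LocalProcesses     = make_set(InitiatingProcessFileName, 20),
    Devices            = dcount(DeviceName),
    FirstSeen          = min(TimeGenerated),
    LastSeen           = max(TimeGenerated)
    by RemoteIP, ThreatType, ConfidenceScore, Description
// true when the only activity for this indicator is inbound accepts
| extend InboundOnly = array_length(ActionTypes) == 1
    and tostring(ActionTypes[0]) == "InboundConnectionAccepted"
| order by InboundOnly desc, Events desc
```

Rows with InboundOnly == true are the pattern from the post; LocalPorts and LocalProcesses then tell you whether the accepting listener is a service that should be reachable from the internet at all, which is a different tuning question from whether the rule should match that ActionType.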