
Microsoft Threat Intelligence Article Not Found


Hello,

I got a hit in Sentinel on the rule "TI map IP entity to Network Session Events (ASIM Network Session schema)" for a network session that is going to IP address 54.161.241.46.

The reasoning for the hit appears to be that this IP address is on a TI watchlist.

But searching a bit around on the internet, it does not look malicious at first glance.

Searching around the IP address I do not see it as malicious right away.

In the description field of the log, it refers to an article for more information on this threat.

The article: https://ti.defender.microsoft.com/article/0792a99c

But when I try to access the article, it says it does not exist.

Should I just ignore those rule hits as the article no longer exists? Has anyone any experience with this alert?

Best,

Tobias
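Before deciding whether a hit from this rule can be ignored, the check a practitioner would run is to pull the indicator itself out of the workspace rather than rely on the linked article: the built-in "TI map IP entity to Network Session Events" rule only matches indicators that are still active and unexpired, and the indicator's Description, Tags, ThreatType and ConfidenceScore are visible in the TI table even when the MDTI article is not readable on the free tier. The query below is an added example written for this thread, not code from the original post or from Microsoft's rule template. It assumes the workspace still populates the legacy ThreatIntelligenceIndicator table and has the ASIM _Im_NetworkSession parser deployed (the same parser the rule uses); the column names are the documented ones for that table and schema, and the IP address is the one from the post.

```kql
// Added example (not from the original post): triage a TI-map hit by joining the
// matching indicator with the network sessions that touched it.
// Assumptions: legacy ThreatIntelligenceIndicator table, ASIM _Im_NetworkSession parser.
let ioc_ip = "54.161.241.46";   // IP from the alert in the post
let lookback = 14d;             // same window the built-in rule uses for indicators
// 1. The indicator behind the hit: latest version only, and only if the rule would
//    still match it (active and not expired). If this returns nothing, the hit was
//    on an indicator that has since been retired or expired.
let indicator = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)
    | where TI_ipEntity == ioc_ip
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, TI_ipEntity, Description, ConfidenceScore, ThreatType, Tags,
              ExpirationDateTime, SourceSystem;
// 2. The sessions that matched, via the same normalized parser the rule queries,
//    so the analyst sees which host talked to the IP, on which port, and whether
//    the device allowed or blocked it.
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where DstIpAddr == ioc_ip or SrcIpAddr == ioc_ip
| extend TI_ipEntity = iff(DstIpAddr == ioc_ip, DstIpAddr, SrcIpAddr)
| join kind=inner indicator on TI_ipEntity
| project TimeGenerated, SrcIpAddr, SrcHostname, DstIpAddr, DstPortNumber, NetworkProtocol,
          DvcAction, EventVendor, EventProduct,
          IndicatorId, Description, ConfidenceScore, ThreatType, Tags, ExpirationDateTime, SourceSystem
| order by TimeGenerated desc
```

Read the result as two separate questions. First, is the indicator still one the rule would fire on (Active, unexpired, and with what confidence and tags); an IP that looks clean in public reputation sources can still be a low-confidence or infrastructure-type indicator that is worth a note but not an incident. Second, what did the session actually look like (which internal host, which port, allowed or denied); that is what decides whether the alert needs a closer look, independently of whether the article behind it is readable.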

3 Replies
What MDTI license have you got? This is a featured article from 14d ago called 'Ruby Sleet targeting government and defense entities with job description-themed lures and malicious .scr files'. Chances are it's behind a paywall.
Thanks for the quick response! AFAIK it is the free license. I figured it might have been behind a paywall, but as I understood things, articles get "released" to free after a while. Can I ask you, is the premium license worth it? I had a look at it, and the monthly cost seemed relatively high compared to what you get vs the free license.
Solution

@Tobias_Moe 

The premium license is defo not cheap, and whether it's worth it or not is entirely dependent on the size of your org, use cases, the actual need for TI-related info and feeds etc.
MS do a 90-day free trial and I'd encourage anyone to just try it out for yourself here: Defender Threat Intelligence Trial

You get a couple of licenses so you can assign them as you see fit. And it's enough time to allow you to form an opinion of your own, taking into account your and your org's specific requirements, expectations etc.
