Microsoft Threat Intelligence Analytics Alerts


Hi all,

 

We are receiving several 'The response 69.16.175.42 to DNS query matched an IoC' alerts in Sentinel; however, doing some research, it looks like this IP could be used for Windows updates. Looking on some other forums, it seems this alert could be a false positive. Just wondering if anyone else has seen this alert?

1 Reply

@jakem2046 I haven't seen this alert; however, as the IP is part of a CDN network, it is highly unlikely that you would be able to correlate it as a true-positive IoC. Checking:

As it is highly unlikely that one would block Cloudflare, for example, I would look into the DNS requests made to make sure no suspicious domain was requested, and dismiss the alerts as false positives.

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like
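As an added example (not part of the thread), a KQL query that performs the check suggested in the reply: pivot from the IoC-matched IP to the DNS names that resolved to it and see whether anything other than expected CDN-hosted names was queried. It assumes the standard Sentinel DnsEvents columns (Name, IPAddresses, ClientIP); the expected-suffix list is a constructed starting point to tune for your environment.

```kusto
// Added example, not from the original post. Assumes Sentinel's DnsEvents table
// with Name (queried FQDN), IPAddresses (answer records) and ClientIP columns.
let ioc_ip = "69.16.175.42";           // IP from the alert in the thread
let lookback = 7d;
// Names you expect to resolve to this CDN IP (constructed allowlist; adjust it).
let expected_pattern = @"(^|\.)(windowsupdate\.com|microsoft\.com)$";
DnsEvents
| where TimeGenerated > ago(lookback)
// Keep only responses whose answer set contains the matched IP
| where IPAddresses has ioc_ip
| extend QueriedName = tolower(Name)
// Flag names that fall outside the expected suffixes for manual review
| extend IsExpected = QueriedName matches regex expected_pattern
| summarize Lookups = count(),
            Clients = dcount(ClientIP),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by QueriedName, IsExpected
// Unexpected, low-volume names surface first: those are the ones worth a look
| order by IsExpected asc, Lookups asc
```

If every row is an expected name, the alert can be closed as a false positive with the evidence attached; any unexpected name is the thing to investigate, not the shared CDN address.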