
IP Watchlist

The IP Watchlist Detector uses a Secureworks Counter Threat Unit™ (CTU) Threat Intelligence curated list of suspicious IP addresses and compares it against Netflow telemetry collected via supported endpoint and syslog data sources. When a suspicious IP is identified in tenant telemetry, an alert is generated. The Alert Description names the list the suspicious IP was sourced from and the reason it is considered suspicious.
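To make the matching behaviour concrete, here is a small added example (not Secureworks code, and not the Taegis normalized Netflow schema) of the logic the paragraph describes: each flow's source and destination address is looked up against a watchlist whose entries carry the list name and the reason the address is suspicious, and every hit becomes an alert that carries both into its description. The watchlist entries, list names, reasons, field names and flow records are all constructed for illustration; the CIDR support is an assumption, added so the same lookup also works for range-based feeds.

```python
"""Toy IP-watchlist matcher over Netflow-style records.

Added example for illustration only; list names, reasons, field names
and records below are constructed and do not come from Secureworks CTU.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class WatchlistEntry:
    """One watchlist item: the address (or range), its source list, and why it is listed."""
    network: Network
    list_name: str
    reason: str


# Constructed sample watchlist (documentation/TEST-NET ranges, not real indicators).
WATCHLIST: List[WatchlistEntry] = [
    WatchlistEntry(ip_network("198.51.100.23/32"), "example-c2-list", "known C2 infrastructure"),
    WatchlistEntry(ip_network("203.0.113.0/24"), "example-scanner-list", "mass scanning source"),
]

# Constructed Netflow-style records; field names are an assumption, not a real schema.
SAMPLE_NETFLOW: List[Dict] = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "dst_port": 443, "bytes": 5120},
    {"src_ip": "203.0.113.77", "dst_ip": "10.0.0.5", "dst_port": 22, "bytes": 60},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": 80, "bytes": 900},
]


def lookup(ip: str, watchlist: List[WatchlistEntry]) -> Optional[WatchlistEntry]:
    """Return the first watchlist entry containing ip, or None.

    ip_network.__contains__ returns False (rather than raising) when the
    address family differs, so mixed IPv4/IPv6 lists are safe here.
    """
    addr = ip_address(ip)
    for entry in watchlist:
        if addr in entry.network:
            return entry
    return None


def detect(records: List[Dict], watchlist: List[WatchlistEntry]) -> List[Dict]:
    """Compare both ends of every flow to the watchlist and emit one alert per hit.

    A flow whose source and destination are both listed yields two alerts, so
    the description always names exactly one matched IP, its list and reason.
    """
    alerts = []
    for rec in records:
        for field, direction in (("src_ip", "inbound"), ("dst_ip", "outbound")):
            entry = lookup(rec[field], watchlist)
            if entry is None:
                continue
            alerts.append({
                "title": "IP Watchlist",
                "matched_ip": rec[field],
                "direction": direction,
                "list_name": entry.list_name,
                "description": f"{rec[field]} is on {entry.list_name}: {entry.reason}",
                "flow": rec,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_NETFLOW, WATCHLIST):
        print(alert["direction"], alert["description"])
```

Running the block prints one outbound alert for the C2 entry and one inbound alert for the scanner range; the third flow, to an unlisted address, produces nothing. Reading the description on the alert, rather than re-querying the feed, is what lets an analyst see at triage time which list fired and why.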

Note

Taegis™ NDR automatically downloads the Secureworks list of malicious IP addresses and uses it within the reputation preprocessor to detect malicious traffic in real time.

IP Watchlist Alert

Requirements

This detector requires the following data sources, integrations, or schemas:

Inputs

Detections are from the following normalized sources:

Outputs

Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

This detector has no MITRE Mapping.

Detector Testing

This detector has a supported testing method. Alerts generated by this detector can be located with the following query:

FROM alert WHERE metadata.creator.detector.detector_id='app:detect:threat-intel-enrichment-netflow'

See Detector Test Alerts - Netflow Threat Intel.
