This event occurs when a user is able to log in to a known internal host from an external IP address that has been flagged as malicious by intelligence sources.
Why this Event is Important
This event typically indicates that an IP address associated with various attacks has successfully accessed your infrastructure. Such an event should be investigated immediately. An example of this occurring is when an IP address is flagged for brute-forcing SSH and then successfully logs in to a host in your organization via SSH.
Determine what service the IP address successfully logged in to. Identify the account that was used and determine if the activity is known to the associated user. Investigate threat tags and any open source information to determine what activity the IP address has been associated with in the past. Examine the number of connections and size of data transfer for the connections to determine if meaningful data has been transferred.
If the IP address and login are confirmed to be malicious, isolate the host and search for signs of persistence. Reset credentials for the user account in question. Determine internal connection patterns and look for indicators of lateral movement. After performing local forensics, return the machine to its last known good state, which may require a reimage.
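As an added example that is not part of the original page, the following Python helper implements the detection and first triage questions above: it flags successful sshd logins whose source IP appears on a threat-intel list, records the account and authentication method used, and counts the failed attempts the same IP made on the host beforehand, so a brute-force-then-success pattern stands out from a lone login. The log lines, the intel feed and the function name are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log sample (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 10 03:12:03 web01 sshd[2102]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 10 03:12:05 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 51241 ssh2
Jan 10 03:12:09 web01 sshd[2104]: Accepted password for deploy from 203.0.113.45 port 51250 ssh2
Jan 10 03:15:22 web01 sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:16:40 web01 sshd[2111]: Accepted password for bob from 192.0.2.88 port 40100 ssh2
"""

# Constructed threat-intel feed: flagged IP -> tags the IP has been associated with.
THREAT_INTEL = {
    "203.0.113.45": {"ssh-bruteforce"},
    "192.0.2.88": {"scanner"},
}

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>" sshd lines.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def find_malicious_logins(log_text, intel):
    """Return one finding per successful login from an intel-flagged IP,
    including the account, method, intel tags and the number of failed
    attempts that IP made on this host before it succeeded."""
    failed_before = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an sshd authentication line
        ip = m["ip"]
        if m["result"] == "Failed":
            failed_before[ip] += 1  # count attempts preceding any success
            continue
        if ip in intel:
            findings.append({
                "ip": ip,
                "user": m["user"],
                "method": m["method"],
                "tags": sorted(intel[ip]),
                "failed_attempts_before_success": failed_before[ip],
            })
    return findings
```

Running `find_malicious_logins(SAMPLE_AUTH_LOG, THREAT_INTEL)` yields two findings: the `deploy` login from 203.0.113.45 after three failures, and the `bob` login from 192.0.2.88 with none; the `alice` login from an unflagged IP is not reported.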