Team: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
Environment: Unwanted Access
Summary: Different vendors (technologies) may review the same IP address and see a different geolocation or VPN associated with it. This is a known issue across different industry tools, and is not limited to Huntress.
What are we seeing?
Incident reports generated by Huntress for the ITDR tool will often include an IP address, as well as an associated geolocation and/or VPN for that IP. Some partners may report that within their own tools, the IP address appears to be associated with a different location or VPN tool. While this may lead to some questions about the authenticity of the report, it's important to understand that this is not a Huntress-specific issue; it is something seen throughout the tech industry. Different vendors may label IP addresses with different geolocations or VPN names even when referring to the same IP address.
Why does this happen?
Ultimately, it comes down to two things: what tools a vendor uses, and whether information about that IP has changed recently. The tools that Huntress uses to audit IP addresses and associate them with a location or VPN provider may be different from the tools used by other vendors. Some vendors use in-house or custom-built tools, and others get information from third parties that already collect and update this information. Sometimes the information about a specific IP changes, so the results may vary depending on the tool and on how recently its data was updated.
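The two causes above (different lookup tools, and IP data that goes stale) can be seen by putting several sources' answers for one IP side by side. The following is an added example, not Huntress code; the source names, labels and dates are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: what three hypothetical lookup sources report for one IP.
# Source names, labels and "last updated" dates are made up for illustration.
SAMPLE_LOOKUPS = [
    {"source": "vendor_a", "country": "US", "vpn": "ExampleVPN", "updated": date(2024, 5, 1)},
    {"source": "vendor_b", "country": "US", "vpn": None, "updated": date(2023, 11, 20)},
    {"source": "vendor_c", "country": "NL", "vpn": "ExampleVPN", "updated": date(2024, 4, 15)},
]
AS_OF = date(2024, 6, 1)  # constructed "today" so the result is reproducible


def _majority(lookups, field):
    """Most common value for a field, plus the sources that disagree with it."""
    counts = Counter(rec[field] for rec in lookups)
    winner = counts.most_common(1)[0][0]
    dissent = sorted(rec["source"] for rec in lookups if rec[field] != winner)
    return winner, dissent


def reconcile(lookups, today, stale_after_days=180):
    """Summarise how several sources describe one IP address.

    Returns the majority country and VPN label, which sources disagree with
    each, which sources carry data older than stale_after_days, and a verdict:
    'consistent' when every source agrees, 'disputed' otherwise.
    """
    country, country_dissent = _majority(lookups, "country")
    vpn, vpn_dissent = _majority(lookups, "vpn")
    stale = sorted(
        rec["source"] for rec in lookups
        if (today - rec["updated"]).days > stale_after_days
    )
    return {
        "country": country,
        "country_dissent": country_dissent,
        "vpn": vpn,
        "vpn_dissent": vpn_dissent,
        "stale_sources": stale,
        "verdict": "consistent" if not (country_dissent or vpn_dissent) else "disputed",
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_LOOKUPS, AS_OF).items():
        print(f"{key}: {value}")
```

A disputed verdict with a stale dissenting source is the signal to go back to the user and confirm what they were doing, rather than to treat either vendor's label as wrong.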
What does that mean for you?
If you've received information from us in an incident report but are questioning its validity, be sure to reach out to the impacted user and get an understanding of what was going on at the time the report says the event occurred. Things like travel, and even new or different applications or hardware being used for sign-in, can result in false positives. If you're able to verify that the event was in fact legitimate, be sure to REJECT the incident report remediation steps to let our SOC team know not to re-report on a previous alert. If you're not able to verify, or if you know it's not legitimate, it's better to assume compromise and perform the requested actions in the incident report.