10-08-2023 08:21 AM - edited 10-08-2023 08:22 AM
Hello,
A few days ago we started to get reports from users from different countries not being able to log in to our systems any more.
In FMC I can see the IP addresses in the Security-Related Connection Events being IP blocked with the Security Intelligence category "Malware". When I right-click on the IP address, I can look the address up on Talos and it confirms that the IP address has been blocked due to malware.
I really don’t understand why this suddenly happened and I cannot find anything common with those IP addresses (they are all behind different ISPs and from different countries, etc.)
Does anyone have any tips for troubleshooting why SI started blocking connections?
Thanks
/Chess
10-08-2023 08:38 AM
This could be based on the incident; Talos automatically adds the IP. If you think the IP is genuine as per your information, you can raise a ticket with Talos to unblock it (again, they will investigate the correct information and take action).
10-08-2023 11:49 AM
Thank you for the suggestion. I will create a ticket and hopefully they can investigate what happened. Is that a specific incident that you mention?
/Chess