Details

EventID: 69
Event Time: Feb. 28, 2021, 7:57 p.m.
Rule: SOC133 - Suspicious Request to New Registered Domain
Level: Security Analyst
Source Address 172.16.15.78
Source Hostname KatharinePRD
Destination Address 23.227.38.71
Destination Hostname amesiana[.]com
Username Leo
Request URL https[:]//amesiana[.]com/
User Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Device Action Allowed

playbook

Collection Data

Source Address
172.16.15.78
Destination Address
23.227.38.71
VirusTotal: https://www.virustotal.com/gui/ip-address/23.227.38.71
ip-sc: https://ip-sc.net/ja/r/23.227.38.71
AbuseIPDB: https://www.abuseipdb.com/check/23.227.38.71
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Search Log

#	DATE	TYPE	SOURCE ADDRESS	SOURCE PORT	DESTINATION ADDRESS	DESTINATION PORT
366	Feb, 28, 2021, 07:57	PM	Firewall	172.16.15.78	12332	23.227.38.71 \|443

Request URL: https[:]//amesiana[.]com/
Request Method: GET

Analyze URL Address

amesiana[.]com

VirusTotal: https://www.virustotal.com/gui/domain/amesiana.com
urlscan.io(11 month ago): https://urlscan.io/result/b1bd254b-8d27-44b2-808d-813a88401c44/
現在はshopifyでセットアップ中になっている模様である。AbuseIPDBでは攻撃に利用された等のレポートがあるため怪しいが、どれも今回のアラート以降の話だ。怪しいレポートがあるが今回の記録だけからはMaliciousではない。
Answer: Non-malicious