DEEP EVIDENCE COHORTS (high confidence, act first):
- df_fp_behavior_pack | ip_count=7 | depth=DEEP | Prioritize review of this cohort due to high-confidence behavior-backed evidence.
- df_fp_high_indicator_ips | ip_count=2 | depth=DEEP | Immediate attention for this deep cohort containing high-confidence hostile indicators.

SHALLOW COHORTS (queue-level, review after):
- df_fp_review_cohort (broad queue) | ip_count=282 | pct=100.0% | Review this cohort as it represents the broad FP queue.
- df_fp_queue_trace | ip_count=223 | pct=79.08% | Consider reviewing this cohort due to a large number of IPs and shallow evidence.
- df_fp_queue_low | ip_count=59 | pct=20.92% | Review this cohort as it contains a notable number of IPs with shallow evidence.
- df_fp_queue_susp_low | ip_count=7 | pct=2.48% | Although small in size, prioritize review of this cohort due to its deep candidate subset status.

WORKLOAD ESTIMATE:
- Total IPs across all cohorts: 579
- Deep cohort IPs (immediate attention): 9
- Shallow queue IPs (triage/review): 470

REVIEW PRIORITY ORDER:
1. df_fp_behavior_pack — high-confidence behavior-backed evidence
2. df_fp_high_indicator_ips — contains high-confidence hostile indicators
3. df_fp_review_cohort (broad queue) — represents the broad FP queue
4. df_fp_queue_trace — large number of IPs with shallow evidence
5. df_fp_queue_low — notable number of IPs with shallow evidence
6. df_fp_queue_susp_low — deep candidate subset with a small size but high priority.
AVAILABLE ARTIFACTS (from index):
- df_events | type=Dataframe | rows=5497 | Canonical evidence dataframe (windowed, normalized)
- AUDIT_WINDOW | type=Contract | rows=null | Canonical time window contract
- df_fp_review | type=Dataframe | rows=282 | FP review queue (broad)
- df_fp_stratified | type=Dataframe | rows=282 | FP stratification categories (optional)
- df_fp_queue_summary | type=Dataframe | rows=3 | FP triage queue summary (optional)
- df_fp_queue_trace | type=Dataframe | rows=223 | Queue: TRACE-dominant (optional)
- df_fp_queue_low | type=Dataframe | rows=59 | Queue: low-volume (optional)
- df_fp_queue_susp_low | type=Dataframe | rows=7 | Queue: suspicious-low-volume (optional)
- df_fp_behavior_pack | type=Dataframe | rows=26 | Behavior-compressed deep evidence pack
- df_fp_taxonomy_summary | type=Dataframe | rows=2 | Behavior taxonomy summary (counts; optional)
- df_fp_confidence_summary | type=Dataframe | rows=3 | Hostility confidence distribution (optional)
- df_fp_high_indicator_ips | type=Dataframe | rows=2 | High-confidence IP list (deep cohort)
- df_fp_cohort_scope | type=Dataframe | rows=6 | Cohort scope + evidence depth table
- SOC_NARRATIVE_10B7 | type=Narrative | rows=null | Narrative: behavior taxonomy (10B.7)
- SOC_NARRATIVE_10B8 | type=Narrative | rows=null | Narrative: hostility confidence triage (10B.8)
- SOC_NARRATIVE_10B9 | type=Narrative | rows=null | Narrative: review cohorts framing (10B.9)
- SOC_NARRATIVE_10B10 | type=Narrative | rows=null | Narrative: cohort scope + depth framing (10B.10)
- df_ip_conf | type=Dataframe | rows=7 | Per-IP confidence rollup (optional)
- df_fp_cohort_metrics | type=Dataframe | rows=2 | Cohort metrics table (optional)
- df_ip_roll | type=Dataframe | rows=7 | Per-IP cohort rollup (optional)
- df_top_indicators | type=Dataframe | rows=20 | Top indicators table (optional)
- df_fp_taxonomy_ip_counts | type=Dataframe | rows=2 | Taxonomy unique-IP counts (optional)

HIGH-VALUE ARTIFACTS (analyze first):
- df_fp_high_indicator_ips | High-confidence IP list (deep cohort)
- df_fp_behavior_pack | Behavior-compressed deep evidence pack

EMPTY OR SPARSE ARTIFACTS:
- AUDIT_WINDOW | Canonical time window contract (may need investigation)
- SOC_NARRATIVE_10B7, SOC_NARRATIVE_10B8, SOC_NARRATIVE_10B9, SOC_NARRATIVE_10B10 | Narratives (may need investigation)

RECOMMENDED ANALYSIS ORDER:
1. df_fp_high_indicator_ips — High-confidence IP list is crucial for threat analysis.
2. df_fp_behavior_pack — Behavior-compressed deep evidence pack provides valuable insights.
3. df_events, df_fp_review, df_fp_stratified, df_fp_queue_summary (optional), df_fp_queue_trace (optional), df_fp_queue_low (optional), df_fp_queue_susp_low (optional) — Analyze these artifacts to review and triage FPs.
4. df_fp_cohort_scope — Cohort scope + evidence depth table for understanding the context.
5. SOC_NARRATIVE_10B7, SOC_NARRATIVE_10B8, SOC_NARRATIVE_10B9, SOC_NARRATIVE_10B10 (optional) — Analyze these narratives for a better understanding of the findings.
6. df_ip_conf, df_fp_cohort_metrics, df_ip_roll, df_top_indicators, df_fp_taxonomy_ip_counts (optional) — Optional analysis based on requirements.
QUEUE SUMMARY:
- TRACE-dominant | ip_count=223 | pct=79.08% | depth=DEEP | verdict=TRACE
- Low-volume | ip_count=59 | pct=20.92% | depth=SHALLOW | verdict=TRACE
- Suspicious-low-volume (SUSPICIOUS >= 3) | ip_count=7 | pct=2.48% | depth=DEEP | verdict=SUSPICIOUS

HIGHEST PRIORITY QUEUES:
- Suspicious-low-volume (SUSPICIOUS >= 3) — reason: DEEP evidence and SUSPICIOUS-dominant

TRACE-DOMINANT QUEUES:
- TRACE-dominant | count=223 — characterization: predominantly reconnaissance events
- Low-volume | count=59 — characterization: lower volume of likely reconnaissance events

RECOMMENDED REVIEW ORDER:
1. Suspicious-low-volume (SUSPICIOUS >= 3)
2. TRACE-dominant
3. Low-volume
TAXONOMY RANKINGS (from CSV only):
Rank | Taxonomy Label | ip_count | event_count | pct
1 | Other Probing/Recon | 24 | 24 | 87.50%
2 | CMS Probing (WordPress) | 2 | 2 | 6.25%

HIGH-SEVERITY TAXONOMY TYPES:
- Other Probing/Recon — large number of unique IPs and events indicate potential network scanning or reconnaissance activities, which could be a precursor to more malicious actions like exploitation or data exfiltration.

COMBINED-THREAT TAXONOMY (high IPs + high events):
- Other Probing/Recon — widespread and active probing behavior indicates a significant risk.

RECOMMENDED DEFENSIVE ACTIONS:
- For Other Probing/Recon: Implement network monitoring solutions to detect and block potential scanning activities, configure firewalls to deny traffic from suspicious IP addresses, and apply security patches for known vulnerabilities.
HIGH HOSTILITY CONFIDENCE:
- IP: 1 | events_in_pack=2 | pct=7.69%

MEDIUM HOSTILITY CONFIDENCE:
- IP: 1 | events_in_pack=22 | pct=84.62%, escalation to HIGH: not specified

CONFIDENCE TRIAGE SUMMARY:
- HIGH: 1 entries
- MEDIUM: 1 entries
- LOW: 1 entries

ESCALATION CANDIDATES (MEDIUM→HIGH):
- IP: 1 — reason: Not specified in the provided data. Further investigation is required.
IP CONFIDENCE RANKINGS (from CSV only):
| Rank | IP | conf_rank | confidence | behaviors | events | first_seen | last_seen | action |
|------|---------|----------|-----------|----------|---------|------------|-------------|-----------|
| 1 | 20.63.41.168 | 2 | HIGH | 5 | 5 | 2026-03-03 11:50:34+00:00 | 2026-03-03 11:50:35+00:00 | BLOCK |
| 2 | 13.74.146.113 | 2 | HIGH | 5 | 5 | 2026-03-04 06:28:50+00:00 | 2026-03-04 06:28:52+00:00 | BLOCK |
| 3 | 161.35.70.154 | 1 | MEDIUM | 5 | 5 | 2026-03-05 00:08:04+00:00 | 2026-03-05 00:08:04+00:00 | MONITOR |
| 4 | 202.76.203.18 | 1 | MEDIUM | 4 | 4 | 2026-03-03 15:47:16+00:00 | 2026-03-04 17:28:32+00:00 | MONITOR |
| 5 | 185.93.89.110 | 1 | MEDIUM | 1 | 1 | 2026-03-03 11:50:59+00:00 | 2026-03-03 11:50:59+00:00 | MONITOR |
| 6 | 5.61.209.96 | 1 | MEDIUM | 1 | 1 | 2026-03-03 12:35:26+00:00 | 2026-03-03 12:35:26+00:00 | MONITOR |

RECENT THREATS (last 24h activity):
- 13.74.146.113 | last_seen=2026-03-04 06:28:52+00:00 | conf=2
- 20.63.41.168 | last_seen=2026-03-03 11:50:35+00:00 | conf=2

RECOMMENDED ACTIONS:
- BLOCK: 13.74.146.113, 20.63.41.168
- MONITOR: 161.35.70.154, 202.76.203.18, 185.93.89.110, 5.61.209.96
PRIORITY BLOCK LIST (ranked, all IPs from CSV):
Rank | IP | max_rank | high_events | behaviors | trace_ratio | recommendation
----|-----|----------|-------------|-----------|--------------|----------------
1 | 13.74.146.113 | 2 | 1 | 5 | 0.0 | TBD
2 | 20.63.41.168 | 2 | 1 | 5 | 0.0 | TBD

IMMEDIATE BLOCKS (high_events + high behaviors):
- 13.74.146.113 — evidence: max_rank=2, high_events=1, behaviors=5
- 20.63.41.168 — evidence: max_rank=2, high_events=1, behaviors=5

MONITOR ONLY: (As no other IPs have high_events > 0 AND behaviors > 2)
- None at this time.
SOPHISTICATED THREATS (high behavior diversity, from CSV only):
- 13.74.146.113 | behaviors=5 | events=5 | trace_ratio=0.0
- 20.63.41.168 | behaviors=5 | events=5 | trace_ratio=0.0

AUTOMATION INDICATORS (high events, low diversity):
- 185.93.89.110 | behaviors=1 | events=3 | interpretation: potential automated scanning
- 206.189.21.90 | behaviors=1 | events=5 | interpretation: potential automated scanning or botnet activity

BLOCKING RECOMMENDATIONS:
- MONITOR: 161.35.70.154, 204.76.203.18, 5.61.209.96
- BLOCK NOW: 13.74.146.113, 20.63.41.168
ASN THREAT RANKINGS (from CSV only):
Rank | ASN | Label/Provider | ip_count | pct | recommendation
1 | 8075 | MSFT | 2 | 50.0% | BLOCK ASN
2 | 14061 | DIGITALOCEAN-161-35-0-0,DIGITALOCEAN-206-189-0-0 | 1 | 25.0% | MONITOR
3 | 206264 | AMARUTU-NL16 | 1 | 12.5% | MONITOR
4 | 213790 | AMWAJ | 1 | 12.5% | MONITOR
5 | 51396 | PFCLOUD-UG | 1 | 12.5% | MONITOR

MULTI-IP THREAT ASNs (ip_count > 1):
- ASN8075 (MSFT) | 2 IPs — BLOCK ASN

SINGLE-IP ASNs (monitor):
- ASN14061 (DIGITALOCEAN-161-35-0-0,DIGITALOCEAN-206-189-0-0) | 1 IP
- ASN206264 (AMARUTU-NL16) | 1 IP
- ASN213790 (AMWAJ) | 1 IP
- ASN51396 (PFCLOUD-UG) | 1 IP

RECOMMENDED ACTIONS:
- BLOCK ASN: [8075]
- MONITOR: [14061, 206264, 213790, 51396]
HIGH-CONFIDENCE ASN THREATS:
Rank | ASN | Provider | ip_count | action
----|-----|----------|----------|--------
1 | 8075 | MSFT | 2 | BLOCK ASN traffic

Since the ASN with the highest IP count (8075, owned by MSFT) has a significant number of high-confidence threats, it is recommended to block traffic at the ASN level for this network. This action will help mitigate potential threats more effectively compared to IP-level monitoring.

RECOMMENDED ACTIONS:
- BLOCK ASN traffic: [8075]
- IP-level monitoring: None (ASN-level block is recommended)
COUNTRY THREAT RANKINGS (from CSV only):
Rank | Country | ip_count | pct | notes
1 | US | 4 | N/A | Noted for potential hosted infrastructure
2 | IR | 1 | N/A | Initial findings, further investigation required
3 | NL | 1 | N/A | Initial findings, further investigation required
4 | SC | 1 | N/A | Initial findings, further investigation required

GEOGRAPHIC CLUSTERS (ip_count > 1):
- No geographic clusters detected with ip_count > 1.

RECOMMENDED ACTIONS:
- Enhanced monitoring for: US, IR, NL, SC
The input contains only one data point: country 'US' with an ip_count of 2.

HIGH-CONFIDENCE COUNTRY DISTRIBUTION (from CSV only):
- US | ip_count=2 | pct=100% | Note: High ip_count in US may reflect compromised hosting, not national actors.
HIGH-CONFIDENCE THREAT IPs (from CSV only):
- 13.74.146.113 | conf=2 | hosting=Cloud Provider | ASN=8075 | country=US | BLOCK
- 20.63.41.168 | conf=2 | hosting=Cloud Provider | ASN=8075 | country=US | BLOCK

HOSTING TYPE DISTRIBUTION:
- Cloud Provider: 2 IPs (40%)
- VPS / Hosting Provider: 2 IPs (40%)
- Unknown / Other: 2 IPs (40%)

INFRASTRUCTURE NOTES:
- VPN/Datacenter IPs: None — location masking not observed.
- Residential IPs: None — may indicate botnet/compromised host not present.

RECOMMENDED ACTIONS:
- BLOCK: 13.74.146.113, 20.63.41.168
- MONITOR: None
HOSTING DISTRIBUTION SUMMARY:
- Cloud Provider | high_conf_ips=2 | pct=100%
- VPS / Hosting Provider | high_conf_ips=2 | pct=0%
- Unknown / Other | high_conf_ips=0 | pct=0%

DOMINANT HOSTING TYPE: Cloud Provider

ATTRIBUTION IMPLICATIONS: All high-confidence IPs can be attributed to Cloud Provider services, making it crucial to focus on these providers for further investigation and potential blocking strategies.
COHOSTING THREAT CONTEXT (from CSV only):
- 13.74.146.113 | conf=HIGH | cohosting=TRUE | domains=0 | ASN=MSFT
- 20.63.41.168 | conf=HIGH | cohosting=TRUE | domains=0 | ASN=MSFT
- 161.35.70.154 | conf=MEDIUM | cohosting=LOW_shared_infra_signal | domains=2 | ASN=DIGITALOCEAN-161-35-0-0
- 206.189.21.90 | conf=MEDIUM | cohosting=LOW_shared_infra_signal | domains=4 | ASN=DIGITALOCEAN-206-189-0-0
- 204.76.203.18 | conf=MEDIUM | cohosting=LOW_shared_infra_signal | domains=0 | ASN=PFCLOUD-UG
- 185.93.89.110 | conf=MEDIUM | cohosting=FALSE | domains=0 | ASN=LIMITEDNETWORK-AS
- 5.61.209.96 | conf=MEDIUM | cohosting=LOW_shared_infra_signal | domains=4 | ASN=AMARUTU-NL16

HIGH COHOSTING RISK IPs:
- 13.74.146.113 — shared infra signal: TRUE
- 20.63.41.168 — shared infra signal: TRUE

DEDICATED INFRASTRUCTURE (zero domains):
- 161.35.70.154 — no visible domains, possible dedicated attack host
- 204.76.203.18 — no visible domains, possible dedicated attack host
- 185.93.89.110 — no visible domains, possible dedicated attack host
- 5.61.209.96 — no visible domains, possible dedicated attack host

RECOMMENDED ACTIONS:
- BLOCK: 13.74.146.113, 20.63.41.168
- INVESTIGATE INFRASTRUCTURE: 161.35.70.154, 204.76.203.18, 185.93.89.110, 5.61.209.96
DEEP-COHORT COHOSTING SUMMARY:
- LOW_shared_infra_signal | ip_count=3 | high_conf_ips=0 | pct=42.86%
- ZERO_domains_visible | ip_count=4 | high_conf_ips=2 | pct=57.14%

DOMINANT SIGNAL: ZERO_domains_visible

RISK IMPLICATION: A large portion of the deep-cohort IPs have no visible domains associated with them, which could indicate the use of darknet infrastructure or anonymizing services. This may pose a high risk as it can be used for malicious activities such as command and control channels or data exfiltration.
HIGH-CONF COHOSTING SUMMARY:
- ZERO_domains_visible | ip_count=2 | pct=100.0%

The dominant cohosting signal in this summary is "ZERO_domains_visible", which indicates that the IPs associated with this signal are not visible on each other's domains (no mutual linking). This could be an indicator of potential malicious activity, such as command and control communication or botnet activity. Further investigation would be required to confirm the nature of these connections.
DEEP-COHORT ASNs:
- AS14061 (DIGITALOCEAN-ASN) | ip_count=2 | pct=28.57% | Block/Monitor
- AS8075 (MICROSOFT-CORP-MSN-AS-BLOCK) | ip_count=2 | pct=28.57% | Block/Monitor
- AS206264 (AMARUTU-TECHNOLOGY) | ip_count=1 | pct=14.29% | Monitor
- AS213790 (LIMITEDNETWORK-AS) | ip_count=1 | pct=14.29% | Monitor
- AS51396 (PFCLOUD Pfcloud UG) | ip_count=1 | pct=14.29% | Monitor

Since all ASNs in the deep cohort have at least one IP, we flagged them for monitoring and some are also recommended to be blocked due to having more than one IP in the deep cohort.
HIGH-CONFIDENCE DEEP-COHORT ASNs:
- AS8075 (Microsoft Corporation, US) | ip_count=2 | monitor

This indicates that the ASN 8075, which belongs to Microsoft Corporation in the United States, has a high confidence and a significant number of IP addresses (2) associated with it. Therefore, it is recommended to monitor this ASN for further analysis.
DEEP-COHORT COUNTRY DISTRIBUTION:
- US | ip_count=4 | pct=57.14%
- IR | ip_count=1 | pct=14.29%
- NL | ip_count=1 | pct=14.29%
- SC | ip_count=1 | pct=14.29%

GEOGRAPHIC NOTES:
- High concentration in US (57.14%) compared to other countries, which may indicate geographic bias or a larger number of monitored entities based in the United States.
HIGH-CONFIDENCE DEEP-COHORT COUNTRIES:
- US | ip_count=2
DEEP-COHORT NETWORKS:
- MSFT | ip_count=2 | pct=28.57% | block
- AMARUTU-NL16,AMWAJ,DIGITALOCEAN-161-35-0-0,DIGITALOCEAN-206-189-0-0,PFCLOUD-UG | ip_count=1 | pct=14.29% | monitor (no action taken for single IP networks)
HIGH-CONFIDENCE NETWORKS:
- MSFT | ip_count=2 | block

The network 'MSFT' has more than one high-confidence IP address and should be blocked or monitored closely due to its high IP count.
TIER-1 THREATS (from CSV only):
- 13.74.146.113 | Tier 1 | conf=HIGH | behaviors=5 | events=5 | ASN=8075 | country=US | net=MSFT
- 20.63.41.168 | Tier 1 | conf=HIGH | behaviors=5 | events=5 | ASN=8075 | country=US | net=MSFT

TIER-2/3 HIGH-CONFIDENCE:
- 204.76.203.18 | Tier 2 | conf=MEDIUM | behaviors=4 | events=4 | ASN=51396 | country=NL | net=PFCLOUD-UG
- 206.189.21.90 | Tier 2 | conf=MEDIUM | behaviors=5 | events=5 | ASN=14061 | country=US | net=DIGITALOCEAN-206-189-0-0

INFRASTRUCTURE CLUSTERS (repeated ASN/network):
- ASN: 8075 — 2 IPs — Multi-signal (Microsoft Corporation, US)
- ASN: 14061 — 2 IPs — Shared infrastructure (DigitalOcean, LLC, US)

RECOMMENDED ACTIONS:
- BLOCK: 13.74.146.113, 20.63.41.168
- MONITOR: 204.76.203.18, 206.189.21.90
TIER DISTRIBUTION SUMMARY:
- Tier 1 - Multi-signal (high priority) | ip_count=2 | pct=100%
- Tier 2 - Notable (monitor) | ip_count=3 | pct=0%
- Tier 3 - Contextual | ip_count=2 | pct=0%

WORKLOAD IMPLICATION:
- Immediate action required (Tier-1): 2 IPs
- Secondary review (Tier-2): 0 IPs
- Contextual monitoring (Tier-3): 2 IPs

ANOMALIES:
- The Tier 1 population constitutes 100% of the cross-signal population, which may indicate an unusually large number of high priority signals.
TOP THREATS (Tier 1, from CSV only):
- 13.74.146.113 | Tier 1 | conf=HIGH | behaviors=5 | events=5 | ASN=8075 | country=US | net=MSFT
- 20.63.41.168 | Tier 1 | conf=HIGH | behaviors=5 | events=5 | ASN=8075 | country=US | net=MSFT

SECONDARY THREATS (Tier 2/3 with HIGH confidence):
- N/A (No Tier 2 or 3 IPs with HIGH confidence in the provided data)

NETWORK PATTERNS (repeated ASNs/hosters):
- ASN 8075 (Microsoft Corporation, US): appears 2 times — Multi-signal (high priority)
- ASN 14061 (DigitalOcean, LLC, US): appears 2 times — Notable (monitor)

RECOMMENDED BLOCKING DECISIONS:
- BLOCK: [13.74.146.113, 20.63.41.168] — Multi-signal (high priority)
- MONITOR: [161.35.70.154, 206.189.21.90, 204.76.203.18, 185.93.89.110, 5.61.209.96] — Various reasons from contextual to shared infrastructure signals
IMMEDIATE THREATS (HIGH/Q1 IPs — from CSV only):
- 13.74.146.113 | Q1 | conf=HIGH | behaviors=5 | 2026-03-04 06:28:50+00:00→2026-03-04 06:28:52+00:00 | BURST
- 20.63.41.168 | Q1 | conf=HIGH | behaviors=5 | 2026-03-03 11:50:34+00:00→2026-03-03 11:50:35+00:00 | BURST

SECONDARY THREATS (HIGH not Q1, or MEDIUM/Q1):
- 161.35.70.154 | Q1 | conf=MEDIUM | behaviors=5
- 206.189.21.90 | Q1 | conf=MEDIUM | behaviors=5

ATTACK PATTERNS:
- Burst (evidence-based only): 13.74.146.113, 20.63.41.168
- Persistent: All other HIGH and MEDIUM IPs
- Behavior diversity summary: High for Q1 IPs, low for Q3 IPs

RECOMMENDED ACTIONS:
- BLOCK: 13.74.146.113, 20.63.41.168
- MONITOR: 161.35.70.154, 206.189.21.90 (and all other HIGH and MEDIUM IPs)
- INVESTIGATE: All monitored IPs with further analysis of behavior patterns and potential connections to threats.
ENRICHED THREAT IPs:
- 13.74.146.113 | conf=HIGH | in_high_conf=True | ASN=MSFT | net=MSFT-CORP-MSN-AS-BLOCK | 2026-03-04 06:28:50→2026-03-04 06:28:52
- 20.63.41.168 | conf=HIGH | in_high_conf=True | ASN=MSFT | net=MSFT-CORP-MSN-AS-BLOCK | 2026-03-03 11:50:34→2026-03-03 11:50:35
- 161.35.70.154 | conf=MEDIUM | in_high_conf=False | ASN=DIGITALOCEAN-ASN | net=DIGITALOCEAN-161-35-0-0 | 2026-03-05 00:08:04
- 206.189.21.90 | conf=MEDIUM | in_high_conf=False | ASN=DIGITALOCEAN-ASN | net=DIGITALOCEAN-206-189-0-0 | 2026-03-03 14:39:57
- 204.76.203.18 | conf=MEDIUM | in_high_conf=False | ASN=51396 | net=PFCLOUD-UG | 2026-03-03 15:47:16→2026-03-04 17:28:32
- 185.93.89.110 | conf=MEDIUM | in_high_conf=False | ASN=213790 | net=LIMITEDNETWORK-AS | 2026-03-03 11:50:59
- 5.61.209.96 | conf=MEDIUM | in_high_conf=False | ASN=206264 | net=AMARUTU-NL16 | 2026-03-03 12:35:26

NETWORK CONCENTRATION:
- MSFT-CORP-MSN-AS-BLOCK: 2 IPs | BLOCK
- DIGITALOCEAN-ASN: 2 IPs | MONITOR
- PFCLOUD-UG: 1 IP | MONITOR
- LIMITEDNETWORK-AS: 1 IP | MONITOR
- AMARUTU-NL16: 1 IP | MONITOR

RECOMMENDED ACTIONS:
- BLOCK: MSFT-CORP-MSN-AS-BLOCK (2 IPs)
- MONITOR: DIGITALOCEAN-ASN (2 IPs), PFCLOUD-UG (1 IP), LIMITEDNETWORK-AS (1 IP), AMARUTU-NL16 (1 IP)