IOC Radar
IP · Medium · Signal 53/100

205.210.31.17

Location: United States, Santa Clara, California
ASN: AS396982 (Palo Alto Networks, Inc)
First Seen: Apr 12, 2022 (1523d ago)
Last Seen: Jun 2, 2026 (12d ago)
Reports: 34 source reports
Confidence: 53% (medium)
Found in 34 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 53%
Signal Score: 53 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 99 techniques

Network Information
Country: US (United States)
Region: Santa Clara, California
ASN: AS396982
Organization: Palo Alto Networks, Inc

IP Category: Proxy (proxy server)

Feed Intelligence Summary
Source reports: 34
Confidence score: 53%
Category tags:
abuse, access control, account compromise, account security, ack scan, active scan, active scanning, adb, adbhoney activity, adbhoney honeypot, administrative access, agent, alert, android devices, anomalous network connections, application layer protocol, asia, attack, attacker-ip, australia, authentication, authentication attacks, authentication failure, automated attack, automated attacks, automated threat, automated threats, automated-attack, bad reputation, bad web bot, banking, blacklist candidate, blacklist ip, block list, block.txt, blog spam, botnet, botnet activity, botnet-activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute-force attack, brute_force, c2, c2 communication, c2 server, canada, china, china mobile, cins active, cisco attack, cisco device, cisco device attack, cisco device attacks, cisco device targeted, cisco device targeting, cisco exploit attempt, cisco exploitation, cisco exploitation attempt, cisco exploitation attempts, cisco ios attack, cisco network devices, citrix exploitation attempt, citrix security, cloud environment, cloud infrastructure, cloud infrastructure attack, cloud services, cloud_infrastructure, code execution, columns, command & control, command and control, command execution, command injection, common vulnerabilities, communication protocol, company limited, compromised credentials, compromised credentials attempt, compromised host, compromised host detection, compromised hosts, connected devices, conpot activity, conpot exploitation, conpot honeypot, conpot ics attacks, container security, cowrie, cowrie activity, cowrie attack, cowrie attacks, cowrie detection, cowrie honeypot, cowrie interactions, cowrie ssh, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, credential access, credential attack, credential attacks, credential brute force, credential guessing, credential harvesting, credential stuffing, credential-bruteforcing, credential-stuffing, credential_access, credit card services, cta, curl, daily_sources, data encryption, data exfiltration, data exfiltration attempt, data store exposure, data theft, database attack, database attacks, database brute force,
database exploitation attempts, database login attempt, database probing, database security, database servers, database-server, dcerpc, ddos, ddos attack, ddos attack indicators, ddos attacks, ddos attempt, ddospot, decoy system, denial of service, denial-of-service attempt, device management, dictionary attack, digital ocean, dionaea, dionaea activity, dionaea attack, dionaea attacks, dionaea capture, dionaea detection, dionaea exploits, dionaea honeypot, dionaea interactions, dionaea malware collection, dionaea malware samples, dionaea payloads, distributed attack, distributed attacks, dnp3, dns, dns attack, docker, dshield block, elasticpot data, elasticpot honeypot, elasticsearch, elasticsearch monitoring, encryption, enterprise networking, enterprise security, enumeration, et drop, ethernet/ip, europe, executable file, exfiltration, exim exploit attempt, exploit, exploit attempt, exploit attempts, exploit kit activity, exploit probing, exploit public-facing application, exploit targeting, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploited host, external access attempts, external network scan, external_threat, extortion, failed login attempts, fatt, fatt analysis, fatt detection, fatt signatures, file, fin port scan, fin scan, finance, financial services, financial technology, finland, firewall detection, france, fraud voip, ftp, ftp attacks, ftp brute force, ftp brute-force, galah, germany, glutton, gopot, hacking, hellpot, heralding activity, hk abusehandler, honeynet connect, honeytrap activity, honeytrap data, honeytrap detection, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, hong kong, http brute force, http probing, http request anomalies, http scanner, http scanning, http/s, https, https scanning, hurricane us, icmp, ics security, ics/scada systems, identity & access exploitation, idle, imap, imap brute force, inbound scan, indicator, indicators of compromise, industrial control systems, industrial iot, information gathering, information technology, infrastructure acquisitionreconnaissance, initial access, initial_access, injection activity, injection attacks, internet of things, internet-facing, internet-facing service,
intrusion detection, ioc, iocs, iot analytics, iot applications, iot attack, iot botnet, iot device targeting, iot platforms, iot security, iot targeted, iot/ics attack, ip-address-ioc, ip-addresses, ipphoney honeypot, ipv4, ipv4_activity, it infrastructure, json, kibana, known malicious ip, lamp, lamp attack, lamp exploit attempt, lamp exploit attempts, lamp exploitation, lamp exploitation attempt, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack, lamp stack attack, lamp stack exploitation, lamp stack targeting, lateral movement, lcia, linux, linux malware, linux servers, linux systems, linux-server-attack, linux-system, linux_server_attacks, listed source, log4pot, login, login attempt, mail protocol abuse, mailoney activity, mailoney detection, mailoney events, mailoney honeypot, mailoney interactions, malaysia, malicious activity, malicious activity detected, malicious file transfer, malicious ip activity, malicious ip addresses, malicious ip detected, malicious login, malicious login attempts, malicious network activity, malicious payload, malicious payload detection, malicious python scripts, malicious scan, malicious script execution, malicious sftp activity, malicious software, malicious ssh activity, malicious traffic, malicious-login-attempts, malicious_traffic, malware, malware analysis, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware detection, malware distribution, malware download, malware propagation, malware propagation attempt, malware_activity, manual, mass scanning, masscan, medpot, mirai botnet, mobile threat, modbus, mssql, mysql brute force, network, network activity, network attacks, network device probing, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network monitoring, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service scanning, network services, network traffic analysis, network-based attack attempts,
network-device, network-reconnaissance, network_discovery, network_intrusion, network_traffic_analysis, nmap, north america, null port scan, null scan, oceania, open port detection, open port discovery, open port enumeration, open ports, open proxy, operating system, operating system security, opportunistic attack, opportunistic-attack, os credential dumping, p0f, p0f network fingerprinting, p0f os fingerprinting, p0f signatures, paloaltonetwors_com-benign, password attack, password attacks, password spraying, payment processing, pgp sign, phishing, phishing attack, phishing trap, php exploitation attempts, ping, ping of death, poland, poor reputation, port, port-scanning, portscan, possible botnet activity, possible exploit attempt, possible malware activity, possible malware distribution, possible malware dropper, possible malware probing, possible malware propagation, possible mirai variant, potential botnet activity, potential compromise, potential exploit activity, potential malware, potential malware deployment, potential vulnerability exploitation, potential vulnerability scan, privilege escalation, process injection, proto, protocol abuse, protocol exploitation, protocol-abuse, proxy, proxy access, proxy protocol, ransomware, ransomware activity, rdp attacks, reconnaissance, reconnaissance activity, redis exploitation, redis exploitation attempt, redis exploitation attempts, redis honeypot, redis honeypot activity, redishoneypot activity, remote access, remote access service, remote service interaction, remote services, researched, resource development, resource hijacking, scada/ics attacks, scams & fraud, scan, scanner, scanners, scanning activity, scripting attacks, security event, security operations, security policy, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer detection, sentrypeer events, sentrypeer interactions, server exploitation, service discovery, service enumeration, service probing, service scan, service scanning, service version detection, sftp access attempt, sftp access attempts, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp intrusion attempt, sftp probing, sftp scanning, sftp-attack, shell access, shell access attempt,
shellshock attempt, sip attacks, sip brute force, sip scan, sip scanning, sip vulnerability scan, sipp, smart devices, smb attacks, smb brute force, smb scanning, smtp, smtp attacks, smtp brute force, smtp probing, smtp scanning, snare, social engineering, software development, software exploitation, spam, sql injection, sql injection attempt, sql injection attempts, ssh, ssh attack, ssh attacks, ssh monitoring, ssh-brute-force, stealth scan, suricata alert, suricata alerts, syn, syn port scan, syn scan, system disruption, t-pot, t1005, t1016, t1016.001, t1018, t1020, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1027, t1040, t1041, t1046, t1047, t1048, t1048.003, t1053, t1053.005, t1055, t1056, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.007, t1065, t1068, t1069.001, t1071, t1071.001, t1071.004, t1076, t1077, t1078, t1078.001, t1078.002, t1078.004, t1083, t1087, t1088, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1195, t1199, t1203, t1204.002, t1210, t1486, t1490, t1496, t1499.001, t1499.002, t1499.003, t1505.002, t1505.004, t1550, t1550.002, t1550.003, t1555, t1555.003, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1572, t1573, t1573.001, t1583, t1587.001, t1588, t1588.002, t1588.006, t1589, t1590, t1590.001, t1590.002, t1590.004, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, tanner, tanner activity, tanner events, tanner interactions, targeting database, tcp protocol, tcp scan, tcp/3306, tcp/80, telecommunications, telnet attacks, telnet threat, telnet-brute-force, text, threat actor, threat actor activity, threat detection, threat feed, threat intelligence, threat intelligence feed, threat prevention, timeout, top10.txt, topips.txt, tor node, tpot, tsec, udp port scan, udp scan, unattributed threat actor, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, unauthorized login attempt, unauthorized login attempts, unauthorized probing, unauthorized-access-attempt, united kingdom, united states, united states of america, unknown threat actor, us, us abuse, us none, verified-benign, vnc protocol, voip, voip attack, voip systems, vulnerability scan, vultr, weak credentials, wealth management, web app attack, web application attack, web application attacks, web application scanning,
web attack, web attacks, web exploitation, web login attempt, web scanner, web server, web server attack, web server attacks, web servers, web service scanning, web shell, web shell detection, web shell upload, web shell uploads, web spam, web traffic, web-application-attack, web-server, web_attack, wget, wordpot, wordpress attack, xmas port scan, xmas scan, zmap

Activity Timeline
1 total observation (Jun 2)

Threat Activity Heatmap
Peak: 2026-06-02 (calendar heatmap, Jun to Jun; image not reproduced)

Observation windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI generated)

This Indicator of Compromise (IOC), an IPv4 address identified as 205.210.31.17, represents a significant and active threat that demands immediate attention. Its presence across numerous reputable threat intelligence feeds, including AbuseIPDB, AlienVault OTX, and various Blocklist.de categories, strongly suggests its involvement in malicious activities such as brute-force attacks, port scanning, and potential C2 infrastructure. If connections to this IP address are found within the organization…

Threat Score: Medium Risk
Signal Score: 53 (SIGNAL)
Confidence: 53%
Reports: 34
First seen: Apr 12, 2022
Last seen: Jun 2, 2026
Geolocation: US
Country: United States
Location: Santa Clara, California
ASN: AS396982
Org: Palo Alto Networks, Inc
Coords: 37.3541, -121.9555
Category: Proxy

VirusTotal: Not checked

WHOIS

Description: IPv4 hosts detected port scanning Vultr Melbourne (Australia) honeypot

Raw:
NetRange: 205.210.31.0 - 205.210.31.255
CIDR: 205.210.31.0/24
NetName: PAN-22
NetHandle: NET-205-210-31-0-1
Parent: NET205 (NET-205-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Palo Alto Networks, Inc (PAN-22)
RegDate: 2022-01-11
Updated: 2022-01-11
Ref: https://rdap.arin.net/registry/ip/205.210.31.0
OrgName: Palo Alto Networks, Inc
OrgId: PAN-22
Address: Palo Alto Networks
Address: 3000 Tannery Way
Address: Santa Clara, CA 95054
City: Santa Clara
StateProv: CA
PostalCode: 95054
Country: US
RegDate: 2017-11-22
Updated: 2024-11-25
Ref: https://rdap.arin.net/registry/entity/PAN-22
OrgAbuseHandle: IPABU42-ARIN
OrgAbuseName: IP Abuse
OrgAbusePhone: +1-408-753-4000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/IPABU42-ARIN
OrgTechHandle: GNS20-ARIN
OrgTechName: Global Network Services
OrgTechPhone: +1-408-753-4000
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/GNS20-ARIN


IOC Journey
Confidence: medium
First detected 4 years ago · Last seen 12 days ago
Appeared in 34 threat reports