
Summary
This detection rule alerts when an internal asset communicates with a destination sanctioned by the U.S. It monitors events through the Panther Unified Data Model (UDM) and integrates IPInfo enrichment for geographic and organizational context. The rule consumes CrowdStrike FDREvent logs and focuses on network connections from internal addresses to external sanctioned IP addresses. IPInfo enrichment supplies contextual information about the remote destination, such as its owning organization and geographic location. An alert is generated when an internal asset makes an outbound connection to a destination matching those specified in U.S. sanction lists. The rule deduplicates alerts over a one-hour window and is assigned low severity. Its threshold is 1, so any single connection attempt to a sanctioned IP triggers an alert. The implementation includes verification tests confirming that the alerts generated match the expected results for predefined criteria.
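A Panther-style rule body implementing the detection described above, added here as an example rather than the rule's own code. The CrowdStrike FDR field names, the UDM mapping, the RFC 1918 definition of "internal", the enrichment path under p_enrichment and the placeholder sanctioned-country set are all assumptions; the dedup window and threshold live in the rule's metadata, not in this code.

```python
import ipaddress

# Assumed placeholder set of ISO country codes treated as sanctioned; a production rule would derive it from the current U.S. sanctions programs.
SANCTIONED_COUNTRIES = {"CU", "IR", "KP", "SY"}
# Assumed UDM mapping for CrowdStrike FDR NetworkConnectIP4 events.
UDM_FIELDS = {"source_ip": "LocalAddressIP4", "destination_ip": "RemoteAddressIP4"}
# Assumed definition of "internal asset": RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
class Event(dict):
    # Minimal stand-in for Panther's event object (constructed for this example).
    def deep_get(self, *keys, default=None):
        cur = self
        for key in keys:
            if not isinstance(cur, dict) or key not in cur:
                return default
            cur = cur[key]
        return cur
    def udm(self, field):
        return self.get(UDM_FIELDS.get(field, field))

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def destination_country(event):
    # Panther attaches IPInfo enrichment under p_enrichment.ipinfo_location.<field>.country
    return event.deep_get("p_enrichment", "ipinfo_location", "RemoteAddressIP4", "country")

def rule(event):
    """True for an outbound connection from an internal host to a sanctioned country."""
    if event.get("event_simpleName") != "NetworkConnectIP4":
        return False
    src, dst = event.udm("source_ip"), event.udm("destination_ip")
    if not src or not dst or not is_internal(src) or is_internal(dst):
        return False
    return destination_country(event) in SANCTIONED_COUNTRIES

def dedup(event):
    # One alert per internal host per window (DedupPeriodMinutes: 60 in the rule metadata).
    return event.udm("source_ip")

def fdr_event(src, dst, country):
    # Constructed FDR-shaped event with IPInfo enrichment already attached.
    return Event({"event_simpleName": "NetworkConnectIP4", "LocalAddressIP4": src,
                  "RemoteAddressIP4": dst,
                  "p_enrichment": {"ipinfo_location": {"RemoteAddressIP4": {"country": country}}}})

SANCTIONED_EVENT = fdr_event("10.20.30.40", "203.0.113.7", "KP")  # constructed sample, documentation-range IP
```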
Categories
- Network
- Endpoint
- Cloud
Data Sources
- Network Traffic
- Logon Session
- Process
Created: 2023-05-01